Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 14:15

Behavioral task: behavioral1
Sample: f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe
Size: 384KB
MD5: f00291fcb561b5bbccda65ac996f0fb0
SHA1: 48ba9bd0e6728decf8b6d639285840210340d7f4
SHA256: 67dd4c4f806d3723a20ed5b13c8072cd79b404adb0fb60fbdee5c9a38d9b2ee3
SHA512: 30430ee615fff0548063f278bc4a736debb5b38a09373de3b35df014eb2892274fca0dcce6e0586a2cde42af3252313771ff213992e3d91cc2a731c066cbbc12
SSDEEP: 6144:0S4PthEP2pui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+8mkUr1G/:F4PLE+pV6yYPI3cpV6yYPZ0PVdvcY9+y

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Hdlpneli.exe, Jieagojp.exe, Kiodmn32.exe, Mbedga32.exe, Afkknogn.exe, Kcejco32.exe, Fhcpgmjf.exe, Chagok32.exe, Aomifecf.exe, Edhjqc32.exe, Ijegcm32.exe, Lmpkadnm.exe, Dekhneap.exe, Djklmo32.exe, Okchnk32.exe, Gfmojenc.exe, Flceckoj.exe, Hhdhon32.exe, Anfmjhmd.exe, Hdmoohbo.exe, Pkhoae32.exe, Qbimoo32.exe, Bldgdago.exe, Pcbmka32.exe, Giqkkf32.exe, Pcagphom.exe, Mnphmkji.exe, Hpofii32.exe, Ejbbmnnb.exe, Fimodc32.exe, Hodgkc32.exe, Hfklhhcl.exe, Ikndgg32.exe, Njghbl32.exe, Midfokpm.exe, Amaqjp32.exe, Dmalne32.exe, Kmaopfjm.exe, Mnmdme32.exe, Ojmcld32.exe, Ibicnh32.exe, Mffjcopi.exe, Gdafnpqh.exe, Fkopnh32.exe, Hbgmcnhf.exe, Ibjjhn32.exe, Bgpgng32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdlpneli.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jieagojp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kiodmn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbedga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Afkknogn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kcejco32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhcpgmjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Chagok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aomifecf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Edhjqc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijegcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmpkadnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dekhneap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Djklmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Okchnk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfmojenc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flceckoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhdhon32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anfmjhmd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdmoohbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkhoae32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qbimoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bldgdago.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pcbmka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Giqkkf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pcagphom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mnphmkji.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hpofii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejbbmnnb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fimodc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hodgkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hfklhhcl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikndgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Njghbl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Midfokpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Amaqjp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmalne32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmaopfjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnmdme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ojmcld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ibicnh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mffjcopi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdafnpqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fkopnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hbgmcnhf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibjjhn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgpgng32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource | yara_rule
C:\Windows\SysWOW64\Lalcng32.exe | family_berbew
C:\Windows\SysWOW64\Liggbi32.exe | family_berbew
C:\Windows\SysWOW64\Ldmlpbbj.exe | family_berbew
C:\Windows\SysWOW64\Laalifad.exe | family_berbew
C:\Windows\SysWOW64\Lkiqbl32.exe | family_berbew
C:\Windows\SysWOW64\Lnhmng32.exe | family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe | family_berbew
C:\Windows\SysWOW64\Lphfpbdi.exe | family_berbew
C:\Windows\SysWOW64\Lgbnmm32.exe | family_berbew
C:\Windows\SysWOW64\Mciobn32.exe | family_berbew
C:\Windows\SysWOW64\Mjcgohig.exe | family_berbew
C:\Windows\SysWOW64\Mdiklqhm.exe | family_berbew
C:\Windows\SysWOW64\Mpolqa32.exe | family_berbew
C:\Windows\SysWOW64\Mgidml32.exe | family_berbew
C:\Windows\SysWOW64\Mncmjfmk.exe | family_berbew
C:\Windows\SysWOW64\Mpaifalo.exe | family_berbew
C:\Windows\SysWOW64\Mcpebmkb.exe | family_berbew
C:\Windows\SysWOW64\Mcbahlip.exe | family_berbew
C:\Windows\SysWOW64\Nacbfdao.exe | family_berbew
C:\Windows\SysWOW64\Ngpjnkpf.exe | family_berbew
C:\Windows\SysWOW64\Nafokcol.exe | family_berbew
C:\Windows\SysWOW64\Ngcgcjnc.exe | family_berbew
C:\Windows\SysWOW64\Nbhkac32.exe | family_berbew
C:\Windows\SysWOW64\Ngedij32.exe | family_berbew
C:\Windows\SysWOW64\Nnolfdcn.exe | family_berbew
C:\Windows\SysWOW64\Nggqoj32.exe | family_berbew
C:\Windows\SysWOW64\Nnaikd32.exe | family_berbew
C:\Windows\SysWOW64\Okeieh32.exe | family_berbew
C:\Windows\SysWOW64\Odnnnnfe.exe | family_berbew
C:\Windows\SysWOW64\Ogljjiei.exe | family_berbew
C:\Windows\SysWOW64\Occkojkm.exe | family_berbew
C:\Windows\SysWOW64\Ojmcld32.exe | family_berbew
C:\Windows\SysWOW64\Odgqdlnj.exe | family_berbew
C:\Windows\SysWOW64\Peqcjkfp.exe | family_berbew
C:\Windows\SysWOW64\Agffge32.exe | family_berbew
C:\Windows\SysWOW64\Acmflf32.exe | family_berbew
C:\Windows\SysWOW64\Blpnib32.exe | family_berbew
C:\Windows\SysWOW64\Bblckl32.exe | family_berbew
C:\Windows\SysWOW64\Bbnpqk32.exe | family_berbew
C:\Windows\SysWOW64\Cojjqlpk.exe | family_berbew
C:\Windows\SysWOW64\Elppfmoo.exe | family_berbew
C:\Windows\SysWOW64\Ehnglm32.exe | family_berbew
C:\Windows\SysWOW64\Fdialn32.exe | family_berbew
C:\Windows\SysWOW64\Fbnafb32.exe | family_berbew
C:\Windows\SysWOW64\Fdnjgmle.exe | family_berbew
C:\Windows\SysWOW64\Gkkojgao.exe | family_berbew
C:\Windows\SysWOW64\Hcmgfbhd.exe | family_berbew
C:\Windows\SysWOW64\Hbbdholl.exe | family_berbew
C:\Windows\SysWOW64\Hioiji32.exe | family_berbew
C:\Windows\SysWOW64\Hoiafcic.exe | family_berbew
C:\Windows\SysWOW64\Ifefimom.exe | family_berbew
C:\Windows\SysWOW64\Ilghlc32.exe | family_berbew
C:\Windows\SysWOW64\Ipdqba32.exe | family_berbew
C:\Windows\SysWOW64\Jfaedkdp.exe | family_berbew
C:\Windows\SysWOW64\Jbhfjljd.exe | family_berbew
C:\Windows\SysWOW64\Kboljk32.exe | family_berbew
C:\Windows\SysWOW64\Kdeoemeg.exe | family_berbew
C:\Windows\SysWOW64\Kmncnb32.exe | family_berbew
C:\Windows\SysWOW64\Liddbc32.exe | family_berbew
C:\Windows\SysWOW64\Lmbmibhb.exe | family_berbew
C:\Windows\SysWOW64\Lepncd32.exe | family_berbew
C:\Windows\SysWOW64\Mgagbf32.exe | family_berbew
C:\Windows\SysWOW64\Migjoaaf.exe | family_berbew
C:\Windows\SysWOW64\Neeqea32.exe | family_berbew
Executes dropped EXE (64 IoCs)
Processes: Lalcng32.exe, Liggbi32.exe, Ldmlpbbj.exe, Laalifad.exe, Lkiqbl32.exe, Lnhmng32.exe, Ldaeka32.exe, Lphfpbdi.exe, Lgbnmm32.exe, Mciobn32.exe, Mjcgohig.exe, Mdiklqhm.exe, Mpolqa32.exe, Mgidml32.exe, Mncmjfmk.exe, Mpaifalo.exe, Mcpebmkb.exe, Mcbahlip.exe, Nacbfdao.exe, Ngpjnkpf.exe, Nafokcol.exe, Ngcgcjnc.exe, Nbhkac32.exe, Ngedij32.exe, Nnolfdcn.exe, Nggqoj32.exe, Nnaikd32.exe, Okeieh32.exe, Odnnnnfe.exe, Ogljjiei.exe, Occkojkm.exe, Ojmcld32.exe, Odbgim32.exe, Okloegjl.exe, Onklabip.exe, Oqihnn32.exe, Ocgdji32.exe, Okolkg32.exe, Onmhgb32.exe, Odgqdlnj.exe, Pjdilcla.exe, Pbkamqmd.exe, Peimil32.exe, Pghieg32.exe, Pnbbbabh.exe, Pbmncp32.exe, Peljol32.exe, Pkfblfab.exe, Pndohaqe.exe, Pcagphom.exe, Pkhoae32.exe, Pnfkma32.exe, Peqcjkfp.exe, Pnihcq32.exe, Pagdol32.exe, Qcepkg32.exe, Qjpiha32.exe, Qajadlja.exe, Qchmagie.exe, Qloebdig.exe, Qbimoo32.exe, Agffge32.exe, Anpncp32.exe, Acmflf32.exe
pid | process
2692 | Lalcng32.exe
3704 | Liggbi32.exe
1108 | Ldmlpbbj.exe
4720 | Laalifad.exe
1520 | Lkiqbl32.exe
624 | Lnhmng32.exe
2924 | Ldaeka32.exe
3664 | Lphfpbdi.exe
2220 | Lgbnmm32.exe
4028 | Mciobn32.exe
4092 | Mjcgohig.exe
4312 | Mdiklqhm.exe
4636 | Mpolqa32.exe
2212 | Mgidml32.exe
1660 | Mncmjfmk.exe
4416 | Mpaifalo.exe
4492 | Mcpebmkb.exe
4992 | Mcbahlip.exe
1656 | Nacbfdao.exe
3596 | Ngpjnkpf.exe
900 | Nafokcol.exe
1364 | Ngcgcjnc.exe
3544 | Nbhkac32.exe
4580 | Ngedij32.exe
2440 | Nnolfdcn.exe
3684 | Nggqoj32.exe
4284 | Nnaikd32.exe
3036 | Okeieh32.exe
1208 | Odnnnnfe.exe
1552 | Ogljjiei.exe
4344 | Occkojkm.exe
4224 | Ojmcld32.exe
1512 | Odbgim32.exe
4244 | Okloegjl.exe
1992 | Onklabip.exe
4216 | Oqihnn32.exe
1832 | Ocgdji32.exe
3244 | Okolkg32.exe
864 | Onmhgb32.exe
1904 | Odgqdlnj.exe
3488 | Pjdilcla.exe
1508 | Pbkamqmd.exe
4944 | Peimil32.exe
448 | Pghieg32.exe
1460 | Pnbbbabh.exe
1932 | Pbmncp32.exe
3476 | Peljol32.exe
2652 | Pkfblfab.exe
776 | Pndohaqe.exe
4752 | Pcagphom.exe
1960 | Pkhoae32.exe
3260 | Pnfkma32.exe
1388 | Peqcjkfp.exe
4352 | Pnihcq32.exe
4600 | Pagdol32.exe
4408 | Qcepkg32.exe
4340 | Qjpiha32.exe
3232 | Qajadlja.exe
5076 | Qchmagie.exe
400 | Qloebdig.exe
3580 | Qbimoo32.exe
2088 | Agffge32.exe
1196 | Anpncp32.exe
4540 | Acmflf32.exe
Drops file in System32 directory (64 IoCs)
Processes: Ikbnacmd.exe, Lldfjh32.exe, Hnfjbdmk.exe, Iloidijb.exe, Ecjhcg32.exe, Cndikf32.exe, Dbllbibl.exe, Jgogbgei.exe, Ljgpkonp.exe, Poomegpf.exe, Fhcpgmjf.exe, Menjdbgj.exe, Gbdoof32.exe, Hcblpdgg.exe, Lgjijmin.exe, Jeaikh32.exe, Bmpcfdmg.exe, Kelalp32.exe, Hgnoki32.exe, Nhkikq32.exe, Aanbhp32.exe, Bnpppgdj.exe, Llbidimc.exe, Cikglnkj.exe, Hkeaqi32.exe, Jlpkba32.exe, Pfhfan32.exe, Cjkjpgfi.exe, Ngmpcn32.exe, Cmiflbel.exe, Hhnbpb32.exe, Pcpikkge.exe, Ggbook32.exe, Oqhacgdh.exe, Ejlbhh32.exe, Eefhjc32.exe, Gdhmnlcj.exe, Coknoaic.exe, Dfjpfj32.exe, Ifjodl32.exe, Hhlejcpm.exe, Plbfdekd.exe, Eglgbdep.exe, Qcepkg32.exe, Icnpmp32.exe, Aomifecf.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Bgpmhl32.dll | Ikbnacmd.exe
File opened for modification | C:\Windows\SysWOW64\Lfjjga32.exe | Lldfjh32.exe
File created | C:\Windows\SysWOW64\Oilbhkaa.dll | Hnfjbdmk.exe
File created | C:\Windows\SysWOW64\Idfaefkd.exe | Iloidijb.exe
File created | C:\Windows\SysWOW64\Hicakqhn.dll |
File created | C:\Windows\SysWOW64\Fhglla32.dll | Ecjhcg32.exe
File opened for modification | C:\Windows\SysWOW64\Afbgkl32.exe |
File created | C:\Windows\SysWOW64\Ndkqipob.dll | Cndikf32.exe
File created | C:\Windows\SysWOW64\Gfqnichl.dll |
File created | C:\Windows\SysWOW64\Acankf32.dll |
File opened for modification | C:\Windows\SysWOW64\Dekhneap.exe | Dbllbibl.exe
File created | C:\Windows\SysWOW64\Ejjlbppk.dll | Jgogbgei.exe
File created | C:\Windows\SysWOW64\Kejocggj.dll | Ljgpkonp.exe
File created | C:\Windows\SysWOW64\Jlgkbp32.dll | Poomegpf.exe
File opened for modification | C:\Windows\SysWOW64\Bkaobnio.exe |
File created | C:\Windows\SysWOW64\Angdnk32.dll |
File created | C:\Windows\SysWOW64\Fkalchij.exe | Fhcpgmjf.exe
File created | C:\Windows\SysWOW64\Lemphdgj.dll | Menjdbgj.exe
File created | C:\Windows\SysWOW64\Bpcelk32.dll | Gbdoof32.exe
File opened for modification | C:\Windows\SysWOW64\Hkicaahi.exe | Hcblpdgg.exe
File created | C:\Windows\SysWOW64\Ljhefhha.exe | Lgjijmin.exe
File created | C:\Windows\SysWOW64\Hohahelb.dll |
File created | C:\Windows\SysWOW64\Jimekgff.exe | Jeaikh32.exe
File created | C:\Windows\SysWOW64\Beglgani.exe | Bmpcfdmg.exe
File opened for modification | C:\Windows\SysWOW64\Kpbfii32.exe | Kelalp32.exe
File created | C:\Windows\SysWOW64\Becnaq32.dll | Hgnoki32.exe
File created | C:\Windows\SysWOW64\Elcgieob.dll | Nhkikq32.exe
File opened for modification | C:\Windows\SysWOW64\Alcfei32.exe | Aanbhp32.exe
File created | C:\Windows\SysWOW64\Eklikcef.dll |
File created | C:\Windows\SysWOW64\Banllbdn.exe | Bnpppgdj.exe
File created | C:\Windows\SysWOW64\Lpneegel.exe | Llbidimc.exe
File created | C:\Windows\SysWOW64\Cabomkll.exe | Cikglnkj.exe
File created | C:\Windows\SysWOW64\Hjpcoo32.dll | Hkeaqi32.exe
File created | C:\Windows\SysWOW64\Ichqihli.dll |
File opened for modification | C:\Windows\SysWOW64\Jcgbco32.exe | Jlpkba32.exe
File created | C:\Windows\SysWOW64\Pqmjog32.exe | Pfhfan32.exe
File created | C:\Windows\SysWOW64\Cmiflbel.exe | Cjkjpgfi.exe
File created | C:\Windows\SysWOW64\Jomdjhoo.dll | Ngmpcn32.exe
File opened for modification | C:\Windows\SysWOW64\Omfekbdh.exe |
File created | C:\Windows\SysWOW64\Kdqjac32.dll | Cmiflbel.exe
File created | C:\Windows\SysWOW64\Hgjbkhen.dll | Hhnbpb32.exe
File created | C:\Windows\SysWOW64\Abgiapmj.dll | Pcpikkge.exe
File created | C:\Windows\SysWOW64\Giqkkf32.exe | Ggbook32.exe
File opened for modification | C:\Windows\SysWOW64\Ojaelm32.exe | Oqhacgdh.exe
File opened for modification | C:\Windows\SysWOW64\Emkndc32.exe | Ejlbhh32.exe
File created | C:\Windows\SysWOW64\Flpmagqi.exe |
File created | C:\Windows\SysWOW64\Ilgonc32.dll |
File created | C:\Windows\SysWOW64\Enfhldel.dll |
File created | C:\Windows\SysWOW64\Ehedfo32.exe | Eefhjc32.exe
File opened for modification | C:\Windows\SysWOW64\Hmdlmg32.exe |
File created | C:\Windows\SysWOW64\Ahfmpnql.exe |
File opened for modification | C:\Windows\SysWOW64\Ekjded32.exe |
File created | C:\Windows\SysWOW64\Gmoeoidl.exe | Gdhmnlcj.exe
File opened for modification | C:\Windows\SysWOW64\Dfefkkqp.exe | Coknoaic.exe
File opened for modification | C:\Windows\SysWOW64\Dmdhcddh.exe | Dfjpfj32.exe
File created | C:\Windows\SysWOW64\Papambbb.dll |
File created | C:\Windows\SysWOW64\Bncfnnbj.dll | Ifjodl32.exe
File created | C:\Windows\SysWOW64\Hninbj32.exe | Hhlejcpm.exe
File opened for modification | C:\Windows\SysWOW64\Pmcclm32.exe | Plbfdekd.exe
File created | C:\Windows\SysWOW64\Emeoooml.exe | Eglgbdep.exe
File created | C:\Windows\SysWOW64\Dcjdilmf.dll |
File created | C:\Windows\SysWOW64\Qjpiha32.exe | Qcepkg32.exe
File opened for modification | C:\Windows\SysWOW64\Ieolehop.exe | Icnpmp32.exe
File created | C:\Windows\SysWOW64\Klinjgke.dll | Aomifecf.exe
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
4244 | 4296 | |
Modifies registry class (64 IoCs)
Processes: Cglgjeci.exe, Hhdhon32.exe, Mblcnj32.exe, Coknoaic.exe, Gfgjgo32.exe, Bcebhoii.exe, Cgndoeag.exe, Ldgccb32.exe, Jmknaell.exe, Oocddono.exe, Dfmcfp32.exe, Lndagg32.exe, Aaqgek32.exe, Dekhneap.exe, Ecefqnel.exe, Fmjaphek.exe, Ikbnacmd.exe, Imdgqfbd.exe, Eecdjmfi.exe, Cjecpkcg.exe, Pahilmoc.exe, Gkoiefmj.exe, Kbbokdlk.exe, Aqkpeopg.exe, Kikame32.exe, Mmnldp32.exe, Bgehcmmm.exe, Pefhlaie.exe, Dfoiaj32.exe, Mcbahlip.exe, Pkfblfab.exe, Dlijfneg.exe, Odnnnnfe.exe, Eifhdd32.exe, Mnphmkji.exe, Clnjjpod.exe, Acnlgp32.exe, Anfmjhmd.exe, Hkbdki32.exe, Oeaoab32.exe, Fdialn32.exe, Ahchda32.exe, Bppfmigl.exe, Ajcdnd32.exe, Ljgpkonp.exe, Cfcjfk32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpdfl32.dll" | Cglgjeci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hhdhon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mblcnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Coknoaic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gfgjgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bcebhoii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cgndoeag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ldgccb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cagdge32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jmknaell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oocddono.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfmcfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lndagg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aaqgek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dekhneap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ecefqnel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fmjaphek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" | Ikbnacmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Imdgqfbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eecdjmfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icland32.dll" | Cjecpkcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pahilmoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkbjd32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gkoiefmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kbbokdlk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aqkpeopg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kikame32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mmnldp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bgehcmmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pefhlaie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfoiaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mcbahlip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pkfblfab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcfmgfde.dll" | Dlijfneg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcomgibl.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Odnnnnfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeifngp.dll" | Eifhdd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll" | Mnphmkji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Clnjjpod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll" | Acnlgp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Anfmjhmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hkbdki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oeaoab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fdialn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ahchda32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bppfmigl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ajcdnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ljgpkonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccledea.dll" | Cfcjfk32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe, Lalcng32.exe, Liggbi32.exe, Ldmlpbbj.exe, Laalifad.exe, Lkiqbl32.exe, Lnhmng32.exe, Ldaeka32.exe, Lphfpbdi.exe, Lgbnmm32.exe, Mciobn32.exe, Mjcgohig.exe, Mdiklqhm.exe, Mpolqa32.exe, Mgidml32.exe, Mncmjfmk.exe, Mpaifalo.exe, Mcpebmkb.exe, Mcbahlip.exe, Nacbfdao.exe, Ngpjnkpf.exe, Nafokcol.exe
description | pid | process | target process
PID 4676 wrote to memory of 2692 | 4676 | f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe | Lalcng32.exe
PID 4676 wrote to memory of 2692 | 4676 | f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe | Lalcng32.exe
PID 4676 wrote to memory of 2692 | 4676 | f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe | Lalcng32.exe
PID 2692 wrote to memory of 3704 | 2692 | Lalcng32.exe | Liggbi32.exe
PID 2692 wrote to memory of 3704 | 2692 | Lalcng32.exe | Liggbi32.exe
PID 2692 wrote to memory of 3704 | 2692 | Lalcng32.exe | Liggbi32.exe
PID 3704 wrote to memory of 1108 | 3704 | Liggbi32.exe | Ldmlpbbj.exe
PID 3704 wrote to memory of 1108 | 3704 | Liggbi32.exe | Ldmlpbbj.exe
PID 3704 wrote to memory of 1108 | 3704 | Liggbi32.exe | Ldmlpbbj.exe
PID 1108 wrote to memory of 4720 | 1108 | Ldmlpbbj.exe | Laalifad.exe
PID 1108 wrote to memory of 4720 | 1108 | Ldmlpbbj.exe | Laalifad.exe
PID 1108 wrote to memory of 4720 | 1108 | Ldmlpbbj.exe | Laalifad.exe
PID 4720 wrote to memory of 1520 | 4720 | Laalifad.exe | Lkiqbl32.exe
PID 4720 wrote to memory of 1520 | 4720 | Laalifad.exe | Lkiqbl32.exe
PID 4720 wrote to memory of 1520 | 4720 | Laalifad.exe | Lkiqbl32.exe
PID 1520 wrote to memory of 624 | 1520 | Lkiqbl32.exe | Lnhmng32.exe
PID 1520 wrote to memory of 624 | 1520 | Lkiqbl32.exe | Lnhmng32.exe
PID 1520 wrote to memory of 624 | 1520 | Lkiqbl32.exe | Lnhmng32.exe
PID 624 wrote to memory of 2924 | 624 | Lnhmng32.exe | Ldaeka32.exe
PID 624 wrote to memory of 2924 | 624 | Lnhmng32.exe | Ldaeka32.exe
PID 624 wrote to memory of 2924 | 624 | Lnhmng32.exe | Ldaeka32.exe
PID 2924 wrote to memory of 3664 | 2924 | Ldaeka32.exe | Lphfpbdi.exe
PID 2924 wrote to memory of 3664 | 2924 | Ldaeka32.exe | Lphfpbdi.exe
PID 2924 wrote to memory of 3664 | 2924 | Ldaeka32.exe | Lphfpbdi.exe
PID 3664 wrote to memory of 2220 | 3664 | Lphfpbdi.exe | Lgbnmm32.exe
PID 3664 wrote to memory of 2220 | 3664 | Lphfpbdi.exe | Lgbnmm32.exe
PID 3664 wrote to memory of 2220 | 3664 | Lphfpbdi.exe | Lgbnmm32.exe
PID 2220 wrote to memory of 4028 | 2220 | Lgbnmm32.exe | Mciobn32.exe
PID 2220 wrote to memory of 4028 | 2220 | Lgbnmm32.exe | Mciobn32.exe
PID 2220 wrote to memory of 4028 | 2220 | Lgbnmm32.exe | Mciobn32.exe
PID 4028 wrote to memory of 4092 | 4028 | Mciobn32.exe | Mjcgohig.exe
PID 4028 wrote to memory of 4092 | 4028 | Mciobn32.exe | Mjcgohig.exe
PID 4028 wrote to memory of 4092 | 4028 | Mciobn32.exe | Mjcgohig.exe
PID 4092 wrote to memory of 4312 | 4092 | Mjcgohig.exe | Mdiklqhm.exe
PID 4092 wrote to memory of 4312 | 4092 | Mjcgohig.exe | Mdiklqhm.exe
PID 4092 wrote to memory of 4312 | 4092 | Mjcgohig.exe | Mdiklqhm.exe
PID 4312 wrote to memory of 4636 | 4312 | Mdiklqhm.exe | Mpolqa32.exe
PID 4312 wrote to memory of 4636 | 4312 | Mdiklqhm.exe | Mpolqa32.exe
PID 4312 wrote to memory of 4636 | 4312 | Mdiklqhm.exe | Mpolqa32.exe
PID 4636 wrote to memory of 2212 | 4636 | Mpolqa32.exe | Mgidml32.exe
PID 4636 wrote to memory of 2212 | 4636 | Mpolqa32.exe | Mgidml32.exe
PID 4636 wrote to memory of 2212 | 4636 | Mpolqa32.exe | Mgidml32.exe
PID 2212 wrote to memory of 1660 | 2212 | Mgidml32.exe | Mncmjfmk.exe
PID 2212 wrote to memory of 1660 | 2212 | Mgidml32.exe | Mncmjfmk.exe
PID 2212 wrote to memory of 1660 | 2212 | Mgidml32.exe | Mncmjfmk.exe
PID 1660 wrote to memory of 4416 | 1660 | Mncmjfmk.exe | Mpaifalo.exe
PID 1660 wrote to memory of 4416 | 1660 | Mncmjfmk.exe | Mpaifalo.exe
PID 1660 wrote to memory of 4416 | 1660 | Mncmjfmk.exe | Mpaifalo.exe
PID 4416 wrote to memory of 4492 | 4416 | Mpaifalo.exe | Mcpebmkb.exe
PID 4416 wrote to memory of 4492 | 4416 | Mpaifalo.exe | Mcpebmkb.exe
PID 4416 wrote to memory of 4492 | 4416 | Mpaifalo.exe | Mcpebmkb.exe
PID 4492 wrote to memory of 4992 | 4492 | Mcpebmkb.exe | Mcbahlip.exe
PID 4492 wrote to memory of 4992 | 4492 | Mcpebmkb.exe | Mcbahlip.exe
PID 4492 wrote to memory of 4992 | 4492 | Mcpebmkb.exe | Mcbahlip.exe
PID 4992 wrote to memory of 1656 | 4992 | Mcbahlip.exe | Nacbfdao.exe
PID 4992 wrote to memory
of 1656 4992 Mcbahlip.exe Nacbfdao.exe PID 4992 wrote to memory of 1656 4992 Mcbahlip.exe Nacbfdao.exe PID 1656 wrote to memory of 3596 1656 Nacbfdao.exe Ngpjnkpf.exe PID 1656 wrote to memory of 3596 1656 Nacbfdao.exe Ngpjnkpf.exe PID 1656 wrote to memory of 3596 1656 Nacbfdao.exe Ngpjnkpf.exe PID 3596 wrote to memory of 900 3596 Ngpjnkpf.exe Nafokcol.exe PID 3596 wrote to memory of 900 3596 Ngpjnkpf.exe Nafokcol.exe PID 3596 wrote to memory of 900 3596 Ngpjnkpf.exe Nafokcol.exe PID 900 wrote to memory of 1364 900 Nafokcol.exe Ngcgcjnc.exe
Processes
-
The process tree is a single line of descent: each process is the child of the one above it, and the number is its depth in the chain. Process 1 is the submitted sample, launched with the command line "C:\Users\Admin\AppData\Local\Temp\f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe". Every later process is a dropped executable whose image is C:\Windows\SysWOW64\<name> and whose recorded command line is C:\Windows\system32\<name> (the System32 path is redirected to SysWOW64 for 32-bit processes). Signature hits are listed after the image.

depth  PID   image                                                                                  signatures
  1    4676  C:\Users\Admin\AppData\Local\Temp\f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe   Suspicious use of WriteProcessMemory
  2    2692  C:\Windows\SysWOW64\Lalcng32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
  3    3704  C:\Windows\SysWOW64\Liggbi32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
  4    1108  C:\Windows\SysWOW64\Ldmlpbbj.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
  5    4720  C:\Windows\SysWOW64\Laalifad.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
  6    1520  C:\Windows\SysWOW64\Lkiqbl32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
  7     624  C:\Windows\SysWOW64\Lnhmng32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
  8    2924  C:\Windows\SysWOW64\Ldaeka32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
  9    3664  C:\Windows\SysWOW64\Lphfpbdi.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 10    2220  C:\Windows\SysWOW64\Lgbnmm32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 11    4028  C:\Windows\SysWOW64\Mciobn32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 12    4092  C:\Windows\SysWOW64\Mjcgohig.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 13    4312  C:\Windows\SysWOW64\Mdiklqhm.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 14    4636  C:\Windows\SysWOW64\Mpolqa32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 15    2212  C:\Windows\SysWOW64\Mgidml32.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 16    1660  C:\Windows\SysWOW64\Mncmjfmk.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 17    4416  C:\Windows\SysWOW64\Mpaifalo.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 18    4492  C:\Windows\SysWOW64\Mcpebmkb.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 19    4992  C:\Windows\SysWOW64\Mcbahlip.exe   Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
 20    1656  C:\Windows\SysWOW64\Nacbfdao.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 21    3596  C:\Windows\SysWOW64\Ngpjnkpf.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 22     900  C:\Windows\SysWOW64\Nafokcol.exe   Executes dropped EXE; Suspicious use of WriteProcessMemory
 23    1364  C:\Windows\SysWOW64\Ngcgcjnc.exe   Executes dropped EXE
 24    3544  C:\Windows\SysWOW64\Nbhkac32.exe   Executes dropped EXE
 25    4580  C:\Windows\SysWOW64\Ngedij32.exe   Executes dropped EXE
 26    2440  C:\Windows\SysWOW64\Nnolfdcn.exe   Executes dropped EXE
 27    3684  C:\Windows\SysWOW64\Nggqoj32.exe   Executes dropped EXE
 28    4284  C:\Windows\SysWOW64\Nnaikd32.exe   Executes dropped EXE
 29    3036  C:\Windows\SysWOW64\Okeieh32.exe   Executes dropped EXE
 30    1208  C:\Windows\SysWOW64\Odnnnnfe.exe   Executes dropped EXE; Modifies registry class
 31    1552  C:\Windows\SysWOW64\Ogljjiei.exe   Executes dropped EXE
 32    4344  C:\Windows\SysWOW64\Occkojkm.exe   Executes dropped EXE
 33    4224  C:\Windows\SysWOW64\Ojmcld32.exe   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 34    1512  C:\Windows\SysWOW64\Odbgim32.exe   Executes dropped EXE
 35    4244  C:\Windows\SysWOW64\Okloegjl.exe   Executes dropped EXE
 36    1992  C:\Windows\SysWOW64\Onklabip.exe   Executes dropped EXE
 37    4216  C:\Windows\SysWOW64\Oqihnn32.exe   Executes dropped EXE
 38    1832  C:\Windows\SysWOW64\Ocgdji32.exe   Executes dropped EXE
 39    3244  C:\Windows\SysWOW64\Okolkg32.exe   Executes dropped EXE
 40     864  C:\Windows\SysWOW64\Onmhgb32.exe   Executes dropped EXE
 41    1904  C:\Windows\SysWOW64\Odgqdlnj.exe   Executes dropped EXE
 42    3488  C:\Windows\SysWOW64\Pjdilcla.exe   Executes dropped EXE
 43    1508  C:\Windows\SysWOW64\Pbkamqmd.exe   Executes dropped EXE
 44    4944  C:\Windows\SysWOW64\Peimil32.exe   Executes dropped EXE
 45     448  C:\Windows\SysWOW64\Pghieg32.exe   Executes dropped EXE
 46    1460  C:\Windows\SysWOW64\Pnbbbabh.exe   Executes dropped EXE
 47    1932  C:\Windows\SysWOW64\Pbmncp32.exe   Executes dropped EXE
 48    3476  C:\Windows\SysWOW64\Peljol32.exe   Executes dropped EXE
 49    2652  C:\Windows\SysWOW64\Pkfblfab.exe   Executes dropped EXE; Modifies registry class
 50     776  C:\Windows\SysWOW64\Pndohaqe.exe   Executes dropped EXE
 51    4752  C:\Windows\SysWOW64\Pcagphom.exe   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 52    1960  C:\Windows\SysWOW64\Pkhoae32.exe   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 53    3260  C:\Windows\SysWOW64\Pnfkma32.exe   Executes dropped EXE
 54    1388  C:\Windows\SysWOW64\Peqcjkfp.exe   Executes dropped EXE
 55    4352  C:\Windows\SysWOW64\Pnihcq32.exe   Executes dropped EXE
 56    4600  C:\Windows\SysWOW64\Pagdol32.exe   Executes dropped EXE
 57    4408  C:\Windows\SysWOW64\Qcepkg32.exe   Executes dropped EXE; Drops file in System32 directory
 58    4340  C:\Windows\SysWOW64\Qjpiha32.exe   Executes dropped EXE
 59    3232  C:\Windows\SysWOW64\Qajadlja.exe   Executes dropped EXE
 60    5076  C:\Windows\SysWOW64\Qchmagie.exe   Executes dropped EXE
 61     400  C:\Windows\SysWOW64\Qloebdig.exe   Executes dropped EXE
 62    3580  C:\Windows\SysWOW64\Qbimoo32.exe   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 63    2088  C:\Windows\SysWOW64\Agffge32.exe   Executes dropped EXE
 64    1196  C:\Windows\SysWOW64\Anpncp32.exe   Executes dropped EXE
 65    4540  C:\Windows\SysWOW64\Acmflf32.exe   Executes dropped EXE
 66    3028  C:\Windows\SysWOW64\Anbkio32.exe   (none)
 67    4372  C:\Windows\SysWOW64\Aaqgek32.exe   Modifies registry class
 68    4744  C:\Windows\SysWOW64\Ahkobekf.exe   (none)
 69     676  C:\Windows\SysWOW64\Ajiknpjj.exe   (none)
 70    3200  C:\Windows\SysWOW64\Aeopki32.exe   (none)
 71    2664  C:\Windows\SysWOW64\Ajkhdp32.exe   (none)
 72     456  C:\Windows\SysWOW64\Aealah32.exe   (none)
 73    4660  C:\Windows\SysWOW64\Ahoimd32.exe   (none)
 74    3776  C:\Windows\SysWOW64\Aniajnnn.exe   (none)
 75    3660  C:\Windows\SysWOW64\Bahmfj32.exe   (none)
 76    2948  C:\Windows\SysWOW64\Blmacb32.exe   (none)
 77    1900  C:\Windows\SysWOW64\Bajjli32.exe   (none)
 78    1072  C:\Windows\SysWOW64\Bdhfhe32.exe   (none)
 79    1792  C:\Windows\SysWOW64\Blpnib32.exe   (none)
 80    2376  C:\Windows\SysWOW64\Balfaiil.exe   (none)
 81     732  C:\Windows\SysWOW64\Behbag32.exe   (none)
 82    2956  C:\Windows\SysWOW64\Bjdkjo32.exe   (none)
 83    3040  C:\Windows\SysWOW64\Bblckl32.exe   (none)
 84    2704  C:\Windows\SysWOW64\Bldgdago.exe   Adds autorun key to be loaded by Explorer.exe on startup
 85    3520  C:\Windows\SysWOW64\Bbnpqk32.exe   (none)
 86    4568  C:\Windows\SysWOW64\Bdolhc32.exe   (none)
 87     372  C:\Windows\SysWOW64\Boepel32.exe   (none)
 88    1924  C:\Windows\SysWOW64\Cacmah32.exe   (none)
 89    3888  C:\Windows\SysWOW64\Chmeobkq.exe   (none)
 90    3884  C:\Windows\SysWOW64\Cklaknjd.exe   (none)
 91    3856  C:\Windows\SysWOW64\Cbcilkjg.exe   (none)
 92    3356  C:\Windows\SysWOW64\Ceaehfjj.exe   (none)
 93    5164  C:\Windows\SysWOW64\Chpada32.exe   (none)
 94    5204  C:\Windows\SysWOW64\Cknnpm32.exe   (none)
 95    5248  C:\Windows\SysWOW64\Cojjqlpk.exe   (none)
 96    5284  C:\Windows\SysWOW64\Cdfbibnb.exe   (none)
 97    5328  C:\Windows\SysWOW64\Clnjjpod.exe   Modifies registry class
 98    5372  C:\Windows\SysWOW64\Cajcbgml.exe   (none)
 99    5416  C:\Windows\SysWOW64\Cdiooblp.exe   (none)
100    5464  C:\Windows\SysWOW64\Ckcgkldl.exe   (none)
101    5520  C:\Windows\SysWOW64\Camphf32.exe   (none)
102    5568  C:\Windows\SysWOW64\Cdkldb32.exe   (none)
103    5620  C:\Windows\SysWOW64\Clbceo32.exe   (none)
104    5684  C:\Windows\SysWOW64\Doqpak32.exe   (none)
105    5756  C:\Windows\SysWOW64\Dbllbibl.exe   Drops file in System32 directory
106    5796  C:\Windows\SysWOW64\Dekhneap.exe   Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
107    5852  C:\Windows\SysWOW64\Dldpkoil.exe   (none)
108    5924  C:\Windows\SysWOW64\Docmgjhp.exe   (none)
109    5992  C:\Windows\SysWOW64\Daaicfgd.exe   (none)
110    6048  C:\Windows\SysWOW64\Ddpeoafg.exe   (none)
111    6092  C:\Windows\SysWOW64\Dhkapp32.exe   (none)
112    6140  C:\Windows\SysWOW64\Dkjmlk32.exe   (none)
113    5152  C:\Windows\SysWOW64\Dbaemi32.exe   (none)
114    5224  C:\Windows\SysWOW64\Deoaid32.exe   (none)
115    5296  C:\Windows\SysWOW64\Dhnnep32.exe   (none)
116    5400  C:\Windows\SysWOW64\Dlijfneg.exe   Modifies registry class
117    5488  C:\Windows\SysWOW64\Dohfbj32.exe   (none)
118    5560  C:\Windows\SysWOW64\Dafbne32.exe   (none)
119    5616  C:\Windows\SysWOW64\Dddojq32.exe   (none)
120    5736  C:\Windows\SysWOW64\Dllfkn32.exe   (none)
121    5824  C:\Windows\SysWOW64\Dojcgi32.exe   (none)
122    5920  C:\Windows\SysWOW64\Dceohhja.exe   (none)
123    6032  C:\Windows\SysWOW64\Dhbgqohi.exe   (none)
124    6120  C:\Windows\SysWOW64\Eolpmi32.exe   (none)
125    5160  C:\Windows\SysWOW64\Echknh32.exe   (none)
126    5276  C:\Windows\SysWOW64\Eefhjc32.exe   Drops file in System32 directory
127    5448  C:\Windows\SysWOW64\Ehedfo32.exe   (none)
128    5648  C:\Windows\SysWOW64\Elppfmoo.exe   (none)
129    5880  C:\Windows\SysWOW64\Ecjhcg32.exe   Drops file in System32 directory
130    6008  C:\Windows\SysWOW64\Eeidoc32.exe   (none)
131    5128  C:\Windows\SysWOW64\Ehgqln32.exe   (none)
132    5380  C:\Windows\SysWOW64\Elbmlmml.exe   (none)
133    5732  C:\Windows\SysWOW64\Eoaihhlp.exe   (none)
134    5964  C:\Windows\SysWOW64\Eapedd32.exe   (none)
135    6116  C:\Windows\SysWOW64\Eekaebcm.exe   (none)
136    5432  C:\Windows\SysWOW64\Ehimanbq.exe   (none)
137    5820  C:\Windows\SysWOW64\Eleiam32.exe   (none)
138     116  C:\Windows\SysWOW64\Eocenh32.exe   (none)
139    5644  C:\Windows\SysWOW64\Ecoangbg.exe   (none)
140    5196  C:\Windows\SysWOW64\Eemnjbaj.exe   (none)
141    6040  C:\Windows\SysWOW64\Edpnfo32.exe   (none)
142    6184  C:\Windows\SysWOW64\Elgfgl32.exe   (none)
143    6220  C:\Windows\SysWOW64\Eofbch32.exe   (none)
144    6276  C:\Windows\SysWOW64\Eadopc32.exe   (none)
145    6320  C:\Windows\SysWOW64\Eepjpb32.exe   (none)
146    6364  C:\Windows\SysWOW64\Ehnglm32.exe   (none)
147    6408  C:\Windows\SysWOW64\Fohoigfh.exe   (none)
148    6452  C:\Windows\SysWOW64\Fafkecel.exe   (none)
149    6504  C:\Windows\SysWOW64\Fdegandp.exe   (none)
150    6568  C:\Windows\SysWOW64\Fhqcam32.exe   (none)
151    6612  C:\Windows\SysWOW64\Fkopnh32.exe   Adds autorun key to be loaded by Explorer.exe on startup
152    6660  C:\Windows\SysWOW64\Fcfhof32.exe   (none)
153    6708  C:\Windows\SysWOW64\Faihkbci.exe   (none)
154    6748  C:\Windows\SysWOW64\Fdgdgnbm.exe   (none)
155    6784  C:\Windows\SysWOW64\Fhcpgmjf.exe   Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
156    6840  C:\Windows\SysWOW64\Fkalchij.exe   (none)
157    6884  C:\Windows\SysWOW64\Fomhdg32.exe   (none)
158    6924  C:\Windows\SysWOW64\Fakdpb32.exe   (none)
159    6972  C:\Windows\SysWOW64\Fdialn32.exe   Modifies registry class
160    7012  C:\Windows\SysWOW64\Flqimk32.exe   (none)
161    7052  C:\Windows\SysWOW64\Fooeif32.exe   (none)
162    7096  C:\Windows\SysWOW64\Fbnafb32.exe   (none)
163    7140  C:\Windows\SysWOW64\Flceckoj.exe   Adds autorun key to be loaded by Explorer.exe on startup
164    6104  C:\Windows\SysWOW64\Fdnjgmle.exe   (none)
165    6196  C:\Windows\SysWOW64\Gododflk.exe   (none)
166    5564  C:\Windows\SysWOW64\Gfngap32.exe   (none)
167    6284  C:\Windows\SysWOW64\Gkkojgao.exe   (none)
168    6348  C:\Windows\SysWOW64\Gbdgfa32.exe   (none)
169    6420  C:\Windows\SysWOW64\Gohhpe32.exe   (none)
170    6484  C:\Windows\SysWOW64\Gdeqhl32.exe   (none)
171    6600  C:\Windows\SysWOW64\Ghaliknf.exe   (none)
172    6656  C:\Windows\SysWOW64\Gkoiefmj.exe   Modifies registry class
173    6732  C:\Windows\SysWOW64\Gcfqfc32.exe   (none)
174    6800  C:\Windows\SysWOW64\Gfembo32.exe   (none)
175    6860  C:\Windows\SysWOW64\Gdhmnlcj.exe   Drops file in System32 directory
176    6940  C:\Windows\SysWOW64\Gmoeoidl.exe   (none)
177    7004  C:\Windows\SysWOW64\Gkaejf32.exe   (none)
178    7072  C:\Windows\SysWOW64\Gcimkc32.exe   (none)
179    7156  C:\Windows\SysWOW64\Gfgjgo32.exe   Modifies registry class
180    6212  C:\Windows\SysWOW64\Hiefcj32.exe   (none)
181    6260  C:\Windows\SysWOW64\Hkdbpe32.exe   (none)
182    6360  C:\Windows\SysWOW64\Hckjacjg.exe   (none)
183    6492  C:\Windows\SysWOW64\Hbnjmp32.exe   (none)
184    6648  C:\Windows\SysWOW64\Helfik32.exe   (none)
185    6744  C:\Windows\SysWOW64\Hmcojh32.exe   (none)
186    6880  C:\Windows\SysWOW64\Hobkfd32.exe   (none)
187    6996  C:\Windows\SysWOW64\Hcmgfbhd.exe   (none)
188    7128  C:\Windows\SysWOW64\Hijooifk.exe   (none)
189    6172  C:\Windows\SysWOW64\Hodgkc32.exe   Adds autorun key to be loaded by Explorer.exe on startup
190    6352  C:\Windows\SysWOW64\Hbbdholl.exe   (none)
191    6532  C:\Windows\SysWOW64\Himldi32.exe   (none)
192    6700  C:\Windows\SysWOW64\Hkkhqd32.exe   (none)
193    6912  C:\Windows\SysWOW64\Hofdacke.exe   (none)
194    7060  C:\Windows\SysWOW64\Hbeqmoji.exe   (none)
195    6960  C:\Windows\SysWOW64\Hecmijim.exe   (none)
196    6460  C:\Windows\SysWOW64\Hioiji32.exe   (none)
197    6816  C:\Windows\SysWOW64\Hoiafcic.exe   (none)
198    5904  C:\Windows\SysWOW64\Hbgmcnhf.exe   Adds autorun key to be loaded by Explorer.exe on startup
199    6716  C:\Windows\SysWOW64\Iefioj32.exe   (none)
200    6676  C:\Windows\SysWOW64\Iiaephpc.exe   (none)
201    6668  C:\Windows\SysWOW64\Immapg32.exe   (none)
202    7192  C:\Windows\SysWOW64\Ipknlb32.exe   (none)
203    7236  C:\Windows\SysWOW64\Ibjjhn32.exe   Adds autorun key to be loaded by Explorer.exe on startup
204    7284  C:\Windows\SysWOW64\Ifefimom.exe   (none)
205    7328  C:\Windows\SysWOW64\Iicbehnq.exe   (none)
206    7368  C:\Windows\SysWOW64\Ikbnacmd.exe   Drops file in System32 directory; Modifies registry class
207    7416  C:\Windows\SysWOW64\Ipnjab32.exe   (none)
208    7452  C:\Windows\SysWOW64\Iblfnn32.exe   (none)
209    7496  C:\Windows\SysWOW64\Ifgbnlmj.exe   (none)
210    7544  C:\Windows\SysWOW64\Iifokh32.exe   (none)
211    7592  C:\Windows\SysWOW64\Imakkfdg.exe   (none)
212    7640  C:\Windows\SysWOW64\Ippggbck.exe   (none)
213    7688  C:\Windows\SysWOW64\Ickchq32.exe   (none)
214    7736  C:\Windows\SysWOW64\Ifjodl32.exe   Drops file in System32 directory
215    7780  C:\Windows\SysWOW64\Iemppiab.exe   (none)
216    7820  C:\Windows\SysWOW64\Imdgqfbd.exe   Modifies registry class
217    7864  C:\Windows\SysWOW64\Ilghlc32.exe   (none)
218    7920  C:\Windows\SysWOW64\Icnpmp32.exe   Drops file in System32 directory
219    7984  C:\Windows\SysWOW64\Ieolehop.exe   (none)
220    8020  C:\Windows\SysWOW64\Iikhfg32.exe   (none)
221    8068  C:\Windows\SysWOW64\Imfdff32.exe   (none)
222    8116  C:\Windows\SysWOW64\Ipdqba32.exe   (none)
223    8156  C:\Windows\SysWOW64\Ibcmom32.exe   (none)
224    7188  C:\Windows\SysWOW64\Jeaikh32.exe   Drops file in System32 directory
225    7228  C:\Windows\SysWOW64\Jimekgff.exe   (none)
226    7312  C:\Windows\SysWOW64\Jmhale32.exe   (none)
227    7400  C:\Windows\SysWOW64\Jcbihpel.exe   (none)
228    7444  C:\Windows\SysWOW64\Jbeidl32.exe   (none)
229    5352  C:\Windows\SysWOW64\Jfaedkdp.exe   (none)
230    7552  C:\Windows\SysWOW64\Jmknaell.exe   Modifies registry class
231    7580  C:\Windows\SysWOW64\Jpijnqkp.exe   (none)
232    7648  C:\Windows\SysWOW64\Jbhfjljd.exe   (none)
233    7720  C:\Windows\SysWOW64\Jefbfgig.exe   (none)
234    7788  C:\Windows\SysWOW64\Jianff32.exe   (none)
235    7848  C:\Windows\SysWOW64\Jlpkba32.exe   Drops file in System32 directory
236    7932  C:\Windows\SysWOW64\Jcgbco32.exe   (none)
237    8004  C:\Windows\SysWOW64\Jehokgge.exe   (none)
238    8064  C:\Windows\SysWOW64\Jmpgldhg.exe   (none)
239    8100  C:\Windows\SysWOW64\Jlbgha32.exe   (none)
240    8184  C:\Windows\SysWOW64\Jcioiood.exe   (none)
241    7256  C:\Windows\SysWOW64\Jblpek32.exe   (none)
242    7376  C:\Windows\SysWOW64\Jeklag32.exe   (none)