Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 23:15
Behavioral task
behavioral1
Sample
091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe
-
Size
161KB
-
MD5
091a253dc2e199661855b39fd9c6ab70
-
SHA1
98011a41c732d0b772b46b03145639f4687c69f7
-
SHA256
fa77164de2d7bdd01847ac14610df03ab5b731483ce3686ca95b11598e289ace
-
SHA512
ea9835532d759ebaf1849f28b0fe0ed328bdb9864f6bff1bf8d89b6cf0ed0be8540ec066341f548b44a2559b0899eeca85903b98255b28f523ee9304a4edc855
-
SSDEEP
3072:Wb7gOo4BDQ6Zh3hrW8jgBkCVwtCJXeex7rrIRZK8K8/kvV:WcO9Zh3pW4gBkCVwtmeetrIyRV
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jfhlejnh.exeDmjocp32.exeLfealaol.exeInainbcn.exePhbhcmjl.exeIgigla32.exeFhdohp32.exeNeccpd32.exeGofkje32.exeFdfmlhna.exeHbbmmi32.exeLlbidimc.exeAihaoqlp.exeHginecde.exePonfka32.exeNpfkgjdn.exeEhkclgmb.exe091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exeEhfcfb32.exeIdahjg32.exePgioqq32.exeQcbfakec.exeEaqdegaj.exeLbngllob.exeMhafeb32.exeJmbdbd32.exeGhniielm.exeMoaogand.exeElbhjp32.exeIngpmmgm.exeKkconn32.exeOodcdb32.exeNnjlpo32.exeHhiajmod.exeGkdhjknm.exeKgmcce32.exePgllfp32.exeFolaiqng.exeLijlof32.exeOdhifjkg.exeOanfen32.exeAhdged32.exeKpeiioac.exeNgbpidjh.exeAfnnnd32.exeBbgeno32.exeInqbclob.exeAcocaf32.exeBeihma32.exeDaediilg.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfhlejnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfealaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdohp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neccpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gofkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdfmlhna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbmmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbidimc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihaoqlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ponfka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfkgjdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkclgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehfcfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioqq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbfakec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaqdegaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhafeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmbdbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghniielm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moaogand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elbhjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjlpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhiajmod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkconn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfkgjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkdhjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgmcce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgllfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folaiqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lijlof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oanfen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdged32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngbpidjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnnnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgeno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acocaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beihma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daediilg.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Qchmagie.exe family_berbew C:\Windows\SysWOW64\Qjbena32.exe family_berbew C:\Windows\SysWOW64\Qbimoo32.exe family_berbew C:\Windows\SysWOW64\Agffge32.exe family_berbew C:\Windows\SysWOW64\Anpncp32.exe family_berbew C:\Windows\SysWOW64\Ahhblemi.exe family_berbew C:\Windows\SysWOW64\Abngjnmo.exe family_berbew C:\Windows\SysWOW64\Acocaf32.exe family_berbew C:\Windows\SysWOW64\Andgoobc.exe family_berbew C:\Windows\SysWOW64\Aacckjaf.exe family_berbew C:\Windows\SysWOW64\Angddopp.exe family_berbew C:\Windows\SysWOW64\Adcmmeog.exe family_berbew C:\Windows\SysWOW64\Aniajnnn.exe family_berbew C:\Windows\SysWOW64\Becifhfj.exe family_berbew C:\Windows\SysWOW64\Bbgipldd.exe family_berbew C:\Windows\SysWOW64\Bjbndobo.exe family_berbew C:\Windows\SysWOW64\Bbifelba.exe family_berbew C:\Windows\SysWOW64\Bdkcmdhp.exe family_berbew C:\Windows\SysWOW64\Bopgjmhe.exe family_berbew C:\Windows\SysWOW64\Bejogg32.exe family_berbew C:\Windows\SysWOW64\Bemlmgnp.exe family_berbew C:\Windows\SysWOW64\Blfdia32.exe family_berbew C:\Windows\SysWOW64\Cliaoq32.exe family_berbew C:\Windows\SysWOW64\Cogmkl32.exe family_berbew C:\Windows\SysWOW64\Cahfmgoo.exe family_berbew C:\Windows\SysWOW64\Clnjjpod.exe family_berbew C:\Windows\SysWOW64\Colffknh.exe family_berbew C:\Windows\SysWOW64\Camphf32.exe family_berbew C:\Windows\SysWOW64\Ckedalaj.exe family_berbew C:\Windows\SysWOW64\Ddmhja32.exe family_berbew C:\Windows\SysWOW64\Dkgqfl32.exe family_berbew C:\Windows\SysWOW64\Dhkapp32.exe family_berbew C:\Windows\SysWOW64\Dhbgqohi.exe family_berbew C:\Windows\SysWOW64\Eekaebcm.exe family_berbew C:\Windows\SysWOW64\Ecandfpd.exe family_berbew C:\Windows\SysWOW64\Ffimfqgm.exe family_berbew C:\Windows\SysWOW64\Fdnjgmle.exe family_berbew C:\Windows\SysWOW64\Gofkje32.exe family_berbew C:\Windows\SysWOW64\Gkmlofol.exe family_berbew C:\Windows\SysWOW64\Gmlhii32.exe family_berbew C:\Windows\SysWOW64\Gmoeoidl.exe family_berbew C:\Windows\SysWOW64\Hkdbpe32.exe family_berbew C:\Windows\SysWOW64\Hkfoeega.exe family_berbew C:\Windows\SysWOW64\Hijooifk.exe family_berbew C:\Windows\SysWOW64\Hbbdholl.exe family_berbew C:\Windows\SysWOW64\Hkkhqd32.exe family_berbew C:\Windows\SysWOW64\Ipnjab32.exe family_berbew C:\Windows\SysWOW64\Ilghlc32.exe family_berbew C:\Windows\SysWOW64\Ieolehop.exe family_berbew C:\Windows\SysWOW64\Jlkagbej.exe family_berbew C:\Windows\SysWOW64\Jmmjgejj.exe family_berbew C:\Windows\SysWOW64\Jfhlejnh.exe family_berbew C:\Windows\SysWOW64\Kpbmco32.exe family_berbew C:\Windows\SysWOW64\Kfoafi32.exe family_berbew C:\Windows\SysWOW64\Kibgmdcn.exe family_berbew C:\Windows\SysWOW64\Liddbc32.exe family_berbew C:\Windows\SysWOW64\Lfhdlh32.exe family_berbew C:\Windows\SysWOW64\Lenamdem.exe family_berbew C:\Windows\SysWOW64\Lepncd32.exe family_berbew C:\Windows\SysWOW64\Lgokmgjm.exe family_berbew C:\Windows\SysWOW64\Mgagbf32.exe family_berbew C:\Windows\SysWOW64\Mmpijp32.exe family_berbew C:\Windows\SysWOW64\Menjdbgj.exe family_berbew C:\Windows\SysWOW64\Ncbknfed.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Qchmagie.exeQjbena32.exeQbimoo32.exeAgffge32.exeAnpncp32.exeAhhblemi.exeAbngjnmo.exeAcocaf32.exeAndgoobc.exeAacckjaf.exeAngddopp.exeAdcmmeog.exeAniajnnn.exeBecifhfj.exeBbgipldd.exeBjbndobo.exeBbifelba.exeBdkcmdhp.exeBopgjmhe.exeBejogg32.exeBemlmgnp.exeBlfdia32.exeCliaoq32.exeCogmkl32.exeCahfmgoo.exeClnjjpod.exeColffknh.exeCamphf32.exeCkedalaj.exeDdmhja32.exeDkgqfl32.exeDhkapp32.exeDhnnep32.exeDkljak32.exeDddojq32.exeDhbgqohi.exeEhedfo32.exeEdkdkplj.exeEoaihhlp.exeEekaebcm.exeEkhjmiad.exeEemnjbaj.exeElgfgl32.exeEcandfpd.exeEhnglm32.exeFcckif32.exeFebgea32.exeFkopnh32.exeFcfhof32.exeFdgdgnbm.exeFkalchij.exeFdialn32.exeFkciihgg.exeFfimfqgm.exeFhgjblfq.exeFlceckoj.exeFdnjgmle.exeGkhbdg32.exeGcojed32.exeGdqgmmjb.exeGofkje32.exeGfpcgpae.exeGkmlofol.exeGbgdlq32.exepid process 996 Qchmagie.exe 1472 Qjbena32.exe 2456 Qbimoo32.exe 4832 Agffge32.exe 3176 Anpncp32.exe 4860 Ahhblemi.exe 4796 Abngjnmo.exe 2072 Acocaf32.exe 3708 Andgoobc.exe 704 Aacckjaf.exe 4728 Angddopp.exe 2828 Adcmmeog.exe 5032 Aniajnnn.exe 1072 Becifhfj.exe 436 Bbgipldd.exe 3032 Bjbndobo.exe 1076 Bbifelba.exe 3692 Bdkcmdhp.exe 5056 Bopgjmhe.exe 2944 Bejogg32.exe 1624 Bemlmgnp.exe 4436 Blfdia32.exe 4636 Cliaoq32.exe 4040 Cogmkl32.exe 652 Cahfmgoo.exe 792 Clnjjpod.exe 2876 Colffknh.exe 2820 Camphf32.exe 4612 Ckedalaj.exe 3672 Ddmhja32.exe 1364 Dkgqfl32.exe 2892 Dhkapp32.exe 3660 Dhnnep32.exe 4948 Dkljak32.exe 3524 Dddojq32.exe 3488 Dhbgqohi.exe 2052 Ehedfo32.exe 4232 Edkdkplj.exe 1828 Eoaihhlp.exe 1792 Eekaebcm.exe 632 Ekhjmiad.exe 2580 Eemnjbaj.exe 3160 Elgfgl32.exe 1196 Ecandfpd.exe 5088 Ehnglm32.exe 1892 Fcckif32.exe 3588 Febgea32.exe 3964 Fkopnh32.exe 5012 Fcfhof32.exe 1416 Fdgdgnbm.exe 2436 Fkalchij.exe 2292 Fdialn32.exe 348 Fkciihgg.exe 2932 Ffimfqgm.exe 1712 Fhgjblfq.exe 3016 Flceckoj.exe 3048 Fdnjgmle.exe 964 Gkhbdg32.exe 2736 Gcojed32.exe 3468 Gdqgmmjb.exe 2776 Gofkje32.exe 1836 Gfpcgpae.exe 2172 Gkmlofol.exe 3428 Gbgdlq32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Flceckoj.exeIihkpg32.exeMlhbal32.exePmfhig32.exeMhilfa32.exeGkglja32.exeEipinkib.exeAqkgpedc.exeLmbhgd32.exeMmkkmc32.exeNijeec32.exeBfngdn32.exeDmalne32.exeEclmamod.exeOhfami32.exeBohibc32.exePldcjeia.exeOcopdn32.exeAopmfk32.exeFpjcgm32.exeGikkfqmf.exeNnjlpo32.exeKbghfc32.exeCadlbk32.exeOoejohhq.exePfnegggi.exeOiknlagg.exeBopgjmhe.exeLjobpiql.exeNabfjpak.exeOeokal32.exeHgoeep32.exeIghhln32.exeQlggjk32.exeAddaif32.exeNilcjp32.exeNdcdmikd.exeInainbcn.exeKilpmh32.exeKinmcg32.exeBnpppgdj.exeKbbhqn32.exeMegljppl.exeBlfdia32.exeMchhggno.exeMjpbam32.exeJpaleglc.exeGafmaj32.exeDiicml32.exeGddbcp32.exeNjiegl32.exedescription ioc process File created C:\Windows\SysWOW64\Emhkdmlg.exe File created C:\Windows\SysWOW64\Hhhbcf32.dll Flceckoj.exe File opened for modification C:\Windows\SysWOW64\Ilghlc32.exe Iihkpg32.exe File created C:\Windows\SysWOW64\Bkjlibkf.dll Mlhbal32.exe File created C:\Windows\SysWOW64\Pqbdjfln.exe Pmfhig32.exe File created C:\Windows\SysWOW64\Oifdaage.dll Mhilfa32.exe File opened for modification C:\Windows\SysWOW64\Gaadfkgc.exe Gkglja32.exe File created C:\Windows\SysWOW64\Gdbnag32.dll Eipinkib.exe File created C:\Windows\SysWOW64\Goglcahb.exe File created C:\Windows\SysWOW64\Dgfnagdi.dll File created C:\Windows\SysWOW64\Hmcjlfqa.dll Aqkgpedc.exe File created C:\Windows\SysWOW64\Ldipha32.exe Lmbhgd32.exe File created C:\Windows\SysWOW64\Chmbeqne.dll Mmkkmc32.exe File created C:\Windows\SysWOW64\Nbcjnilj.exe Nijeec32.exe File opened for modification C:\Windows\SysWOW64\Bhldpj32.exe Bfngdn32.exe File opened for modification C:\Windows\SysWOW64\Dpphjp32.exe Dmalne32.exe File opened for modification C:\Windows\SysWOW64\Jcanll32.exe File created C:\Windows\SysWOW64\Aablof32.dll File created C:\Windows\SysWOW64\Fkkceedp.dll Eclmamod.exe File created C:\Windows\SysWOW64\Gaakdpkj.dll Ohfami32.exe File created C:\Windows\SysWOW64\Hfcnpn32.exe File opened for modification C:\Windows\SysWOW64\Bbgeno32.exe Bohibc32.exe File created C:\Windows\SysWOW64\Ddgibkpc.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Cgnomg32.exe File created C:\Windows\SysWOW64\Ijdgcpaf.dll Ocopdn32.exe File created C:\Windows\SysWOW64\Aggegh32.exe Aopmfk32.exe File created C:\Windows\SysWOW64\Flakaffp.dll Fpjcgm32.exe File created C:\Windows\SysWOW64\Ppipkl32.dll Gikkfqmf.exe File created C:\Windows\SysWOW64\Ndcdmikd.exe Nnjlpo32.exe File opened for modification C:\Windows\SysWOW64\Fpbflg32.exe File opened for modification C:\Windows\SysWOW64\Oanokhdb.exe File created C:\Windows\SysWOW64\Akmmffmb.dll Kbghfc32.exe File created C:\Windows\SysWOW64\Cgndoeag.exe Cadlbk32.exe File created C:\Windows\SysWOW64\Oadfkdgd.exe Ooejohhq.exe File opened for modification C:\Windows\SysWOW64\Phlacbfm.exe Pfnegggi.exe File opened for modification C:\Windows\SysWOW64\Olijhmgj.exe Oiknlagg.exe File created C:\Windows\SysWOW64\Oehldcbk.dll Bopgjmhe.exe File opened for modification C:\Windows\SysWOW64\Lqikmc32.exe Ljobpiql.exe File opened for modification C:\Windows\SysWOW64\Ncabfkqo.exe Nabfjpak.exe File opened for modification C:\Windows\SysWOW64\Okkdic32.exe Oeokal32.exe File created C:\Windows\SysWOW64\Kapjpj32.dll Hgoeep32.exe File opened for modification C:\Windows\SysWOW64\Ioopml32.exe Ighhln32.exe File opened for modification C:\Windows\SysWOW64\Qofcff32.exe Qlggjk32.exe File created C:\Windows\SysWOW64\Kpkbnj32.dll File created C:\Windows\SysWOW64\Hkajlm32.dll Addaif32.exe File opened for modification C:\Windows\SysWOW64\Npfkgjdn.exe Nilcjp32.exe File created C:\Windows\SysWOW64\Ngbpidjh.exe Ndcdmikd.exe File created C:\Windows\SysWOW64\Klkkgm32.dll Inainbcn.exe File created C:\Windows\SysWOW64\Eghoda32.dll Kilpmh32.exe File created C:\Windows\SysWOW64\Lbgalmej.exe Kinmcg32.exe File opened for modification C:\Windows\SysWOW64\Beihma32.exe Bnpppgdj.exe File created C:\Windows\SysWOW64\Kilpmh32.exe Kbbhqn32.exe File created C:\Windows\SysWOW64\Fgllff32.dll Bohibc32.exe File created C:\Windows\SysWOW64\Mgehfkop.exe Megljppl.exe File created C:\Windows\SysWOW64\Odjjif32.dll File created C:\Windows\SysWOW64\Cliaoq32.exe Blfdia32.exe File created C:\Windows\SysWOW64\Eonefj32.dll Mchhggno.exe File opened for modification C:\Windows\SysWOW64\Majjng32.exe Mjpbam32.exe File opened for modification C:\Windows\SysWOW64\Jcphab32.exe Jpaleglc.exe File opened for modification C:\Windows\SysWOW64\Gddinf32.exe Gafmaj32.exe File created C:\Windows\SysWOW64\Dpckjfgg.exe Diicml32.exe File created C:\Windows\SysWOW64\Obncjbkf.dll Gddbcp32.exe File opened for modification C:\Windows\SysWOW64\Nacmdf32.exe Njiegl32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 10540 12236 -
Modifies registry class 64 IoCs
Processes:
Fnaokmco.exeHkpqkcpd.exeEajeon32.exeMlpeff32.exeAjhniccb.exePfjcgn32.exeCfdhkhjj.exeKglmio32.exeLlemdo32.exeOoagno32.exeAqaffn32.exeQjbena32.exeCegdnopg.exeEkefmc32.exeGkjhoq32.exeFhflnpoi.exeMehjol32.exeOkgaijaj.exeNiklpj32.exeKkfcndce.exePmfhig32.exeOmegjomb.exePqbdjfln.exeJkhgmf32.exeJpmlnjco.exeBcahmb32.exeEdhakj32.exeHkmnln32.exeAkglloai.exeNfgmjqop.exeNghekkmn.exeAeniabfd.exeNgdfdmdi.exeMdjagjco.exeJkkjmlan.exePakllc32.exeInjmcmej.exePmcclm32.exeAoalgn32.exeIlghlc32.exePhcomcng.exeIcfekc32.exeDhmgki32.exeNobdbkhf.exeLifjnm32.exeOjaelm32.exePgllfp32.exeNkqkhk32.exeNdaggimg.exeMahnhhod.exeEfepbi32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnaokmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllbndih.dll" Hkpqkcpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eajeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlpeff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajhniccb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll" Llemdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooagno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqaffn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjbena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cegdnopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekefmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkjhoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhflnpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mehjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfonlkp.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjmfo32.dll" Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmfhig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebcnn32.dll" Omegjomb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjigamma.dll" Jkhgmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpmlnjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgbnc32.dll" Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edhakj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkmnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akglloai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngdfdmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobfem32.dll" Jkkjmlan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pakllc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Injmcmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoalgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilghlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijnin32.dll" Phcomcng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nobdbkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lifjnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojaelm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadenp32.dll" Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofmfi32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndaggimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mahnhhod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efepbi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exeQchmagie.exeQjbena32.exeQbimoo32.exeAgffge32.exeAnpncp32.exeAhhblemi.exeAbngjnmo.exeAcocaf32.exeAndgoobc.exeAacckjaf.exeAngddopp.exeAdcmmeog.exeAniajnnn.exeBecifhfj.exeBbgipldd.exeBjbndobo.exeBbifelba.exeBdkcmdhp.exeBopgjmhe.exeBejogg32.exeBemlmgnp.exedescription pid process target process PID 5072 wrote to memory of 996 5072 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe Qchmagie.exe PID 5072 wrote to memory of 996 5072 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe Qchmagie.exe PID 5072 wrote to memory of 996 5072 091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe Qchmagie.exe PID 996 wrote to memory of 1472 996 Qchmagie.exe Qjbena32.exe PID 996 wrote to memory of 1472 996 Qchmagie.exe Qjbena32.exe PID 996 wrote to memory of 1472 996 Qchmagie.exe Qjbena32.exe PID 1472 wrote to memory of 2456 1472 Qjbena32.exe Qbimoo32.exe PID 1472 wrote to memory of 2456 1472 Qjbena32.exe Qbimoo32.exe PID 1472 wrote to memory of 2456 1472 Qjbena32.exe Qbimoo32.exe PID 2456 wrote to memory of 4832 2456 Qbimoo32.exe Agffge32.exe PID 2456 wrote to memory of 4832 2456 Qbimoo32.exe Agffge32.exe PID 2456 wrote to memory of 4832 2456 Qbimoo32.exe Agffge32.exe PID 4832 wrote to memory of 3176 4832 Agffge32.exe Anpncp32.exe PID 4832 wrote to memory of 3176 4832 Agffge32.exe Anpncp32.exe PID 4832 wrote to memory of 3176 4832 Agffge32.exe Anpncp32.exe PID 3176 wrote to memory of 4860 3176 Anpncp32.exe Ahhblemi.exe PID 3176 wrote to memory of 4860 3176 Anpncp32.exe Ahhblemi.exe PID 3176 wrote to memory of 4860 3176 Anpncp32.exe Ahhblemi.exe PID 4860 wrote to memory of 4796 4860 Ahhblemi.exe Abngjnmo.exe PID 4860 wrote to memory of 4796 4860 Ahhblemi.exe Abngjnmo.exe PID 4860 wrote to memory of 4796 4860 Ahhblemi.exe Abngjnmo.exe PID 4796 wrote to memory of 2072 4796 Abngjnmo.exe Acocaf32.exe PID 4796 wrote to memory of 2072 4796 Abngjnmo.exe Acocaf32.exe PID 4796 wrote to memory of 2072 4796 Abngjnmo.exe Acocaf32.exe PID 2072 wrote to memory of 3708 2072 Acocaf32.exe Andgoobc.exe PID 2072 wrote to memory of 3708 2072 Acocaf32.exe Andgoobc.exe PID 2072 wrote to memory of 3708 2072 Acocaf32.exe Andgoobc.exe PID 3708 wrote to memory of 704 3708 Andgoobc.exe Aacckjaf.exe PID 3708 wrote to memory of 704 3708 Andgoobc.exe Aacckjaf.exe PID 3708 wrote to memory of 704 3708 Andgoobc.exe Aacckjaf.exe PID 704 wrote to memory of 4728 704 Aacckjaf.exe Angddopp.exe PID 704 wrote to memory of 4728 704 Aacckjaf.exe Angddopp.exe PID 704 wrote to memory of 4728 704 Aacckjaf.exe Angddopp.exe PID 4728 wrote to memory of 2828 4728 Angddopp.exe Adcmmeog.exe PID 4728 wrote to memory of 2828 4728 Angddopp.exe Adcmmeog.exe PID 4728 wrote to memory of 2828 4728 Angddopp.exe Adcmmeog.exe PID 2828 wrote to memory of 5032 2828 Adcmmeog.exe Aniajnnn.exe PID 2828 wrote to memory of 5032 2828 Adcmmeog.exe Aniajnnn.exe PID 2828 wrote to memory of 5032 2828 Adcmmeog.exe Aniajnnn.exe PID 5032 wrote to memory of 1072 5032 Aniajnnn.exe Becifhfj.exe PID 5032 wrote to memory of 1072 5032 Aniajnnn.exe Becifhfj.exe PID 5032 wrote to memory of 1072 5032 Aniajnnn.exe Becifhfj.exe PID 1072 wrote to memory of 436 1072 Becifhfj.exe Bbgipldd.exe PID 1072 wrote to memory of 436 1072 Becifhfj.exe Bbgipldd.exe PID 1072 wrote to memory of 436 1072 Becifhfj.exe Bbgipldd.exe PID 436 wrote to memory of 3032 436 Bbgipldd.exe Bjbndobo.exe PID 436 wrote to memory of 3032 436 Bbgipldd.exe Bjbndobo.exe PID 436 wrote to memory of 3032 436 Bbgipldd.exe Bjbndobo.exe PID 3032 wrote to memory of 1076 3032 Bjbndobo.exe Bbifelba.exe PID 3032 wrote to memory of 1076 3032 Bjbndobo.exe Bbifelba.exe PID 3032 wrote to memory of 1076 3032 Bjbndobo.exe Bbifelba.exe PID 1076 wrote to memory of 3692 1076 Bbifelba.exe Bdkcmdhp.exe PID 1076 wrote to memory of 3692 1076 Bbifelba.exe Bdkcmdhp.exe PID 1076 wrote to memory of 3692 1076 Bbifelba.exe Bdkcmdhp.exe PID 3692 wrote to memory of 5056 3692 Bdkcmdhp.exe Bopgjmhe.exe PID 3692 wrote to memory of 5056 3692 Bdkcmdhp.exe Bopgjmhe.exe PID 3692 wrote to memory of 5056 3692 Bdkcmdhp.exe Bopgjmhe.exe PID 5056 wrote to memory of 2944 5056 Bopgjmhe.exe Bejogg32.exe PID 5056 wrote to memory of 2944 5056 Bopgjmhe.exe Bejogg32.exe PID 5056 wrote to memory of 2944 5056 Bopgjmhe.exe Bejogg32.exe PID 2944 wrote to memory of 1624 2944 Bejogg32.exe Bemlmgnp.exe PID 2944 wrote to memory of 1624 2944 Bejogg32.exe Bemlmgnp.exe PID 2944 wrote to memory of 1624 2944 Bejogg32.exe Bemlmgnp.exe PID 1624 wrote to memory of 4436 1624 Bemlmgnp.exe Blfdia32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\091a253dc2e199661855b39fd9c6ab70_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe24⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe25⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe26⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe27⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe28⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe29⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe30⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe31⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe32⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe33⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe34⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe35⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe36⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe37⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe38⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe39⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe40⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe41⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe42⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe43⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe44⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe45⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe46⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe47⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe48⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe49⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe50⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe51⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe52⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe53⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe54⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe55⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe56⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe58⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe59⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe60⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe61⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe63⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe64⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe65⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe66⤵PID:2260
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe67⤵PID:4540
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe68⤵PID:4280
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe69⤵PID:2980
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe70⤵PID:3652
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe71⤵PID:4836
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe72⤵PID:2416
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe73⤵PID:3740
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe74⤵PID:3024
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe75⤵PID:4380
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe76⤵PID:4668
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe77⤵PID:2328
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe78⤵PID:3596
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe79⤵PID:3460
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe80⤵PID:456
-
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe81⤵PID:4084
-
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe82⤵PID:4252
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe83⤵PID:2700
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe84⤵PID:4644
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe85⤵PID:2832
-
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe86⤵PID:1824
-
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe87⤵PID:432
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe88⤵PID:2312
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe89⤵PID:4444
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe90⤵PID:1016
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe91⤵PID:4516
-
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe92⤵PID:636
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe93⤵PID:1092
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe94⤵PID:3952
-
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe95⤵PID:3164
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe96⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe97⤵
- Modifies registry class
PID:4904 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe98⤵PID:3872
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe99⤵PID:1648
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe100⤵PID:4520
-
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe101⤵PID:3340
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe102⤵PID:5160
-
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe103⤵PID:5204
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe104⤵PID:5248
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe105⤵PID:5292
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe106⤵PID:5332
-
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe107⤵PID:5376
-
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe108⤵PID:5416
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe109⤵PID:5464
-
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe110⤵PID:5508
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe111⤵PID:5552
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe112⤵PID:5600
-
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe113⤵PID:5632
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe116⤵PID:5776
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe117⤵PID:5836
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe118⤵PID:5880
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe119⤵PID:5924
-
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe120⤵PID:5968
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe121⤵PID:6008
-
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe122⤵PID:6072
-
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6136 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe124⤵PID:5184
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe125⤵PID:5244
-
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe126⤵PID:5320
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe127⤵PID:5396
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe128⤵PID:5472
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe129⤵PID:5540
-
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe130⤵PID:5616
-
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe131⤵PID:5680
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe132⤵PID:5744
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe133⤵PID:5824
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe134⤵PID:5896
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe135⤵PID:5964
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe136⤵PID:6060
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe137⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe138⤵PID:5240
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe139⤵PID:5344
-
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe140⤵PID:5460
-
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe141⤵PID:5588
-
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe142⤵PID:5712
-
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe143⤵PID:5820
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe144⤵PID:5944
-
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe145⤵PID:6036
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe146⤵PID:5148
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe147⤵PID:5312
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe148⤵PID:5520
-
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe149⤵PID:5740
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe150⤵PID:5888
-
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe151⤵
- Drops file in System32 directory
PID:6128 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe152⤵PID:5408
-
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe153⤵PID:5444
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe154⤵PID:6028
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe155⤵PID:5340
-
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe156⤵
- Modifies registry class
PID:5764 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe157⤵PID:5212
-
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe158⤵PID:6056
-
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe159⤵PID:5316
-
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe160⤵PID:6080
-
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe161⤵
- Drops file in System32 directory
PID:6168 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe162⤵PID:6208
-
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe163⤵PID:6256
-
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe164⤵
- Drops file in System32 directory
PID:6300 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6348 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe166⤵
- Modifies registry class
PID:6392 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe167⤵PID:6436
-
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6484 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe169⤵
- Drops file in System32 directory
PID:6528 -
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6576 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe171⤵PID:6620
-
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe172⤵PID:6664
-
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe173⤵PID:6708
-
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe174⤵
- Modifies registry class
PID:6752 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe175⤵PID:6796
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe176⤵PID:6840
-
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe177⤵PID:6884
-
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe178⤵PID:6928
-
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe179⤵PID:6972
-
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe180⤵PID:7016
-
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe181⤵PID:7060
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe182⤵PID:7100
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe183⤵PID:7152
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe184⤵PID:6204
-
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe185⤵PID:6248
-
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe186⤵PID:6332
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe187⤵PID:6400
-
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe188⤵PID:6472
-
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe189⤵PID:6552
-
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe190⤵PID:6612
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe191⤵PID:6688
-
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe192⤵PID:6744
-
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe193⤵PID:6828
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe194⤵
- Modifies registry class
PID:6880 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe195⤵PID:6948
-
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe196⤵PID:7008
-
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe197⤵PID:7080
-
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe198⤵PID:7144
-
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe199⤵PID:6244
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe200⤵PID:6372
-
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe201⤵PID:6572
-
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe202⤵
- Modifies registry class
PID:6700 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe203⤵PID:6852
-
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe204⤵PID:7012
-
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe205⤵PID:7116
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe206⤵PID:6368
-
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6648 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe208⤵PID:6956
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe209⤵
- Drops file in System32 directory
- Modifies registry class
PID:7044 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe210⤵
- Modifies registry class
PID:6596 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe211⤵PID:6872
-
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6672 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe213⤵PID:6416
-
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe214⤵PID:7140
-
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe215⤵PID:6804
-
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe216⤵PID:7208
-
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe217⤵PID:7248
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe218⤵PID:7292
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe219⤵PID:7332
-
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe220⤵PID:7372
-
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe221⤵
- Drops file in System32 directory
PID:7416 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe222⤵PID:7456
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe223⤵PID:7500
-
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe224⤵PID:7544
-
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe225⤵PID:7588
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe226⤵PID:7632
-
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe227⤵PID:7676
-
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe228⤵PID:7724
-
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe229⤵PID:7768
-
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe230⤵
- Modifies registry class
PID:7808 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe231⤵PID:7852
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe232⤵PID:7900
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe233⤵PID:7944
-
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe234⤵PID:7988
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe235⤵PID:8036
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe236⤵PID:8080
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe237⤵PID:8124
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe238⤵PID:8168
-
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe239⤵PID:7196
-
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe240⤵PID:7260
-
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe241⤵PID:7328
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe242⤵PID:7404