Analysis
max time kernel: 136s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 22:41
Behavioral task: behavioral1
Sample: 04f6c8074ccc32e129e8f4e4c1746d30_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 04f6c8074ccc32e129e8f4e4c1746d30_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 04f6c8074ccc32e129e8f4e4c1746d30_NeikiAnalytics.exe
Size: 548KB
MD5: 04f6c8074ccc32e129e8f4e4c1746d30
SHA1: 67d992e4e9d1f4569c82e39486f94a770993a02f
SHA256: 88a9423f26344e541b37b3796be6fc0402321f110db54b66f54820ead1f8dadf
SHA512: 2a3a6a455ecac97ecf2f58ed80dd24b5992c0ee845d2160e3c9fb337f5096b6ea4350e5903778733167f7fdea53a141df1841eafd960050448f66a9c30e2ecd6
SSDEEP: 12288:bFCpvb6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:bFClq5htaSHFaZRBEYyqmaf2qwiHPKgV
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 14000, pid_target: 1784
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 04f6c8074ccc32e129e8f4e4c1746d30_NeikiAnalytics.exe, Lcbiao32.exe, Lkiqbl32.exe, Lnhmng32.exe, Lpfijcfl.exe, Mnlfigcc.exe, Mpkbebbf.exe, Mciobn32.exe, Mpolqa32.exe, Mcnhmm32.exe, Mkepnjng.exe, Mncmjfmk.exe, Mglack32.exe, Mjjmog32.exe, Mnfipekh.exe, Mpdelajl.exe, Mdpalp32.exe, Mgnnhk32.exe, Njljefql.exe, Nnhfee32.exe, Nqfbaq32.exe, Ndbnboqb.exe
pid | process | wrote to memory of (target pid) | target process | occurrences
1008 | 04f6c8074ccc32e129e8f4e4c1746d30_NeikiAnalytics.exe | 516 | Lcbiao32.exe | 3
516 | Lcbiao32.exe | 3892 | Lkiqbl32.exe | 3
3892 | Lkiqbl32.exe | 1032 | Lnhmng32.exe | 3
1032 | Lnhmng32.exe | 2064 | Lpfijcfl.exe | 3
2064 | Lpfijcfl.exe | 3904 | Mnlfigcc.exe | 3
3904 | Mnlfigcc.exe | 3472 | Mpkbebbf.exe | 3
3472 | Mpkbebbf.exe | 3144 | Mciobn32.exe | 3
3144 | Mciobn32.exe | 1056 | Mpolqa32.exe | 3
1056 | Mpolqa32.exe | 3124 | Mcnhmm32.exe | 3
3124 | Mcnhmm32.exe | 3544 | Mkepnjng.exe | 3
3544 | Mkepnjng.exe | 2540 | Mncmjfmk.exe | 3
2540 | Mncmjfmk.exe | 3548 | Mglack32.exe | 3
3548 | Mglack32.exe | 4156 | Mjjmog32.exe | 3
4156 | Mjjmog32.exe | 3684 | Mnfipekh.exe | 3
3684 | Mnfipekh.exe | 1400 | Mpdelajl.exe | 3
1400 | Mpdelajl.exe | 3344 | Mdpalp32.exe | 3
3344 | Mdpalp32.exe | 3008 | Mgnnhk32.exe | 3
3008 | Mgnnhk32.exe | 400 | Njljefql.exe | 3
400 | Njljefql.exe | 2872 | Nnhfee32.exe | 3
2872 | Nnhfee32.exe | 2180 | Nqfbaq32.exe | 3
2180 | Nqfbaq32.exe | 2340 | Ndbnboqb.exe | 3
2340 | Ndbnboqb.exe | 3596 | Ngpjnkpf.exe | 1
Processes
1. C:\Users\Admin\AppData\Local\Temp\04f6c8074ccc32e129e8f4e4c1746d30_NeikiAnalytics.exe (PID 1008) | cmd: "C:\Users\Admin\AppData\Local\Temp\04f6c8074ccc32e129e8f4e4c1746d30_NeikiAnalytics.exe" | Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lcbiao32.exe (PID 516) | cmd: C:\Windows\system32\Lcbiao32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lkiqbl32.exe (PID 3892) | cmd: C:\Windows\system32\Lkiqbl32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lnhmng32.exe (PID 1032) | cmd: C:\Windows\system32\Lnhmng32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lpfijcfl.exe (PID 2064) | cmd: C:\Windows\system32\Lpfijcfl.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Mnlfigcc.exe (PID 3904) | cmd: C:\Windows\system32\Mnlfigcc.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mpkbebbf.exe (PID 3472) | cmd: C:\Windows\system32\Mpkbebbf.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mciobn32.exe (PID 3144) | cmd: C:\Windows\system32\Mciobn32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mpolqa32.exe (PID 1056) | cmd: C:\Windows\system32\Mpolqa32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mcnhmm32.exe (PID 3124) | cmd: C:\Windows\system32\Mcnhmm32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mkepnjng.exe (PID 3544) | cmd: C:\Windows\system32\Mkepnjng.exe | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Mncmjfmk.exe (PID 2540) | cmd: C:\Windows\system32\Mncmjfmk.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mglack32.exe (PID 3548) | cmd: C:\Windows\system32\Mglack32.exe | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mjjmog32.exe (PID 4156) | cmd: C:\Windows\system32\Mjjmog32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mnfipekh.exe (PID 3684) | cmd: C:\Windows\system32\Mnfipekh.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mpdelajl.exe (PID 1400) | cmd: C:\Windows\system32\Mpdelajl.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mdpalp32.exe (PID 3344) | cmd: C:\Windows\system32\Mdpalp32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Mgnnhk32.exe (PID 3008) | cmd: C:\Windows\system32\Mgnnhk32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Njljefql.exe (PID 400) | cmd: C:\Windows\system32\Njljefql.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Nnhfee32.exe (PID 2872) | cmd: C:\Windows\system32\Nnhfee32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Nqfbaq32.exe (PID 2180) | cmd: C:\Windows\system32\Nqfbaq32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Ndbnboqb.exe (PID 2340) | cmd: C:\Windows\system32\Ndbnboqb.exe | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Ngpjnkpf.exe (PID 3596) | cmd: C:\Windows\system32\Ngpjnkpf.exe | Executes dropped EXE
24. C:\Windows\SysWOW64\Nnjbke32.exe (PID 1420) | cmd: C:\Windows\system32\Nnjbke32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
25. C:\Windows\SysWOW64\Nqiogp32.exe (PID 528) | cmd: C:\Windows\system32\Nqiogp32.exe | Executes dropped EXE
26. C:\Windows\SysWOW64\Ncgkcl32.exe (PID 1864) | cmd: C:\Windows\system32\Ncgkcl32.exe | Executes dropped EXE
27. C:\Windows\SysWOW64\Nkncdifl.exe (PID 816) | cmd: C:\Windows\system32\Nkncdifl.exe | Executes dropped EXE
28. C:\Windows\SysWOW64\Nnmopdep.exe (PID 2520) | cmd: C:\Windows\system32\Nnmopdep.exe | Executes dropped EXE
29. C:\Windows\SysWOW64\Nqklmpdd.exe (PID 1636) | cmd: C:\Windows\system32\Nqklmpdd.exe | Executes dropped EXE
30. C:\Windows\SysWOW64\Ncihikcg.exe (PID 1972) | cmd: C:\Windows\system32\Ncihikcg.exe | Executes dropped EXE
31. C:\Windows\SysWOW64\Nkqpjidj.exe (PID 5104) | cmd: C:\Windows\system32\Nkqpjidj.exe | Executes dropped EXE
32. C:\Windows\SysWOW64\Njcpee32.exe (PID 2432) | cmd: C:\Windows\system32\Njcpee32.exe | Executes dropped EXE
33. C:\Windows\SysWOW64\Nbkhfc32.exe (PID 4008) | cmd: C:\Windows\system32\Nbkhfc32.exe | Executes dropped EXE
34. C:\Windows\SysWOW64\Ndidbn32.exe (PID 1644) | cmd: C:\Windows\system32\Ndidbn32.exe | Executes dropped EXE
35. C:\Windows\SysWOW64\Nggqoj32.exe (PID 4812) | cmd: C:\Windows\system32\Nggqoj32.exe | Executes dropped EXE; Drops file in System32 directory
36. C:\Windows\SysWOW64\Njfmke32.exe (PID 4532) | cmd: C:\Windows\system32\Njfmke32.exe | Executes dropped EXE
37. C:\Windows\SysWOW64\Nbmelbid.exe (PID 4488) | cmd: C:\Windows\system32\Nbmelbid.exe | Executes dropped EXE; Modifies registry class
38. C:\Windows\SysWOW64\Ndkahnhh.exe (PID 116) | cmd: C:\Windows\system32\Ndkahnhh.exe | Executes dropped EXE
39. C:\Windows\SysWOW64\Ogjmdigk.exe (PID 2216) | cmd: C:\Windows\system32\Ogjmdigk.exe | Executes dropped EXE
40. C:\Windows\SysWOW64\Okeieh32.exe (PID 744) | cmd: C:\Windows\system32\Okeieh32.exe | Executes dropped EXE
41. C:\Windows\SysWOW64\Ondeac32.exe (PID 2104) | cmd: C:\Windows\system32\Ondeac32.exe | Executes dropped EXE
42. C:\Windows\SysWOW64\Oboaabga.exe (PID 2780) | cmd: C:\Windows\system32\Oboaabga.exe | Executes dropped EXE
43. C:\Windows\SysWOW64\Odnnnnfe.exe (PID 4200) | cmd: C:\Windows\system32\Odnnnnfe.exe | Executes dropped EXE
44. C:\Windows\SysWOW64\Ocqnij32.exe (PID 4080) | cmd: C:\Windows\system32\Ocqnij32.exe | Executes dropped EXE
45. C:\Windows\SysWOW64\Okhfjh32.exe (PID 4136) | cmd: C:\Windows\system32\Okhfjh32.exe | Executes dropped EXE
46. C:\Windows\SysWOW64\Onfbfc32.exe (PID 2692) | cmd: C:\Windows\system32\Onfbfc32.exe | Executes dropped EXE
47. C:\Windows\SysWOW64\Obangb32.exe (PID 2504) | cmd: C:\Windows\system32\Obangb32.exe | Executes dropped EXE
48. C:\Windows\SysWOW64\Odpjcm32.exe (PID 1868) | cmd: C:\Windows\system32\Odpjcm32.exe | Executes dropped EXE
49. C:\Windows\SysWOW64\Occkojkm.exe (PID 1744) | cmd: C:\Windows\system32\Occkojkm.exe | Executes dropped EXE
50. C:\Windows\SysWOW64\Okjbpglo.exe (PID 3216) | cmd: C:\Windows\system32\Okjbpglo.exe | Executes dropped EXE
51. C:\Windows\SysWOW64\Oqgkhnjf.exe (PID 4956) | cmd: C:\Windows\system32\Oqgkhnjf.exe | Executes dropped EXE
52. C:\Windows\SysWOW64\Odbgim32.exe (PID 4620) | cmd: C:\Windows\system32\Odbgim32.exe | Executes dropped EXE
53. C:\Windows\SysWOW64\Ogaceh32.exe (PID 2772) | cmd: C:\Windows\system32\Ogaceh32.exe | Executes dropped EXE
54. C:\Windows\SysWOW64\Ojopad32.exe (PID 2488) | cmd: C:\Windows\system32\Ojopad32.exe | Executes dropped EXE
55. C:\Windows\SysWOW64\Onklabip.exe (PID 2112) | cmd: C:\Windows\system32\Onklabip.exe | Executes dropped EXE
56. C:\Windows\SysWOW64\Oqihnn32.exe (PID 1516) | cmd: C:\Windows\system32\Oqihnn32.exe | Executes dropped EXE; Modifies registry class
57. C:\Windows\SysWOW64\Odednmpm.exe (PID 4476) | cmd: C:\Windows\system32\Odednmpm.exe | Executes dropped EXE
58. C:\Windows\SysWOW64\Ogcpjhoq.exe (PID 1976) | cmd: C:\Windows\system32\Ogcpjhoq.exe | Executes dropped EXE
59. C:\Windows\SysWOW64\Okolkg32.exe (PID 4904) | cmd: C:\Windows\system32\Okolkg32.exe | Executes dropped EXE
60. C:\Windows\SysWOW64\Onmhgb32.exe (PID 2688) | cmd: C:\Windows\system32\Onmhgb32.exe | Executes dropped EXE
61. C:\Windows\SysWOW64\Obidhaog.exe (PID 4752) | cmd: C:\Windows\system32\Obidhaog.exe | Executes dropped EXE
62. C:\Windows\SysWOW64\Odgqdlnj.exe (PID 2844) | cmd: C:\Windows\system32\Odgqdlnj.exe | Executes dropped EXE
63. C:\Windows\SysWOW64\Pcjapi32.exe (PID 4644) | cmd: C:\Windows\system32\Pcjapi32.exe | Executes dropped EXE
64. C:\Windows\SysWOW64\Pkaiqf32.exe (PID 4284) | cmd: C:\Windows\system32\Pkaiqf32.exe | Executes dropped EXE
65. C:\Windows\SysWOW64\Pnpemb32.exe (PID 3732) | cmd: C:\Windows\system32\Pnpemb32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66. C:\Windows\SysWOW64\Pqnaim32.exe (PID 3440) | cmd: C:\Windows\system32\Pqnaim32.exe
67. C:\Windows\SysWOW64\Peimil32.exe (PID 2416) | cmd: C:\Windows\system32\Peimil32.exe
68. C:\Windows\SysWOW64\Pghieg32.exe (PID 5116) | cmd: C:\Windows\system32\Pghieg32.exe
69. C:\Windows\SysWOW64\Pjffbc32.exe (PID 4952) | cmd: C:\Windows\system32\Pjffbc32.exe | Drops file in System32 directory
70. C:\Windows\SysWOW64\Pnbbbabh.exe (PID 4784) | cmd: C:\Windows\system32\Pnbbbabh.exe
71. C:\Windows\SysWOW64\Pqpnombl.exe (PID 4548) | cmd: C:\Windows\system32\Pqpnombl.exe
72. C:\Windows\SysWOW64\Peljol32.exe (PID 1780) | cmd: C:\Windows\system32\Peljol32.exe
73. C:\Windows\SysWOW64\Pgjfkg32.exe (PID 4300) | cmd: C:\Windows\system32\Pgjfkg32.exe
74. C:\Windows\SysWOW64\Pkfblfab.exe (PID 4984) | cmd: C:\Windows\system32\Pkfblfab.exe | Drops file in System32 directory
75. C:\Windows\SysWOW64\Pndohaqe.exe (PID 716) | cmd: C:\Windows\system32\Pndohaqe.exe | Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Pabkdmpi.exe (PID 4944) | cmd: C:\Windows\system32\Pabkdmpi.exe
77. C:\Windows\SysWOW64\Pengdk32.exe (PID 4724) | cmd: C:\Windows\system32\Pengdk32.exe
78. C:\Windows\SysWOW64\Pgmcqggf.exe (PID 3116) | cmd: C:\Windows\system32\Pgmcqggf.exe
79. C:\Windows\SysWOW64\Pjkombfj.exe (PID 1712) | cmd: C:\Windows\system32\Pjkombfj.exe | Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Pbddcoei.exe (PID 5352) | cmd: C:\Windows\system32\Pbddcoei.exe
81. C:\Windows\SysWOW64\Qecppkdm.exe (PID 5384) | cmd: C:\Windows\system32\Qecppkdm.exe
82. C:\Windows\SysWOW64\Qgallfcq.exe (PID 5420) | cmd: C:\Windows\system32\Qgallfcq.exe
83. C:\Windows\SysWOW64\Qjpiha32.exe (PID 5456) | cmd: C:\Windows\system32\Qjpiha32.exe
84. C:\Windows\SysWOW64\Qnkdhpjn.exe (PID 5492) | cmd: C:\Windows\system32\Qnkdhpjn.exe
85. C:\Windows\SysWOW64\Qajadlja.exe (PID 5528) | cmd: C:\Windows\system32\Qajadlja.exe
86. C:\Windows\SysWOW64\Qchmagie.exe (PID 5564) | cmd: C:\Windows\system32\Qchmagie.exe
87. C:\Windows\SysWOW64\Qloebdig.exe (PID 5600) | cmd: C:\Windows\system32\Qloebdig.exe
88. C:\Windows\SysWOW64\Qnnanphk.exe (PID 5636) | cmd: C:\Windows\system32\Qnnanphk.exe
89. C:\Windows\SysWOW64\Qbimoo32.exe (PID 5676) | cmd: C:\Windows\system32\Qbimoo32.exe
90. C:\Windows\SysWOW64\Aegikj32.exe (PID 5712) | cmd: C:\Windows\system32\Aegikj32.exe
91. C:\Windows\SysWOW64\Acjjfggb.exe (PID 5744) | cmd: C:\Windows\system32\Acjjfggb.exe
92. C:\Windows\SysWOW64\Alabgd32.exe (PID 5780) | cmd: C:\Windows\system32\Alabgd32.exe
93. C:\Windows\SysWOW64\Anpncp32.exe (PID 5816) | cmd: C:\Windows\system32\Anpncp32.exe | Drops file in System32 directory
94. C:\Windows\SysWOW64\Aanjpk32.exe (PID 5852) | cmd: C:\Windows\system32\Aanjpk32.exe
95. C:\Windows\SysWOW64\Acmflf32.exe (PID 5888) | cmd: C:\Windows\system32\Acmflf32.exe
96. C:\Windows\SysWOW64\Aldomc32.exe (PID 5924) | cmd: C:\Windows\system32\Aldomc32.exe
97. C:\Windows\SysWOW64\Ajfoiqll.exe (PID 5960) | cmd: C:\Windows\system32\Ajfoiqll.exe
98. C:\Windows\SysWOW64\Abngjnmo.exe (PID 5996) | cmd: C:\Windows\system32\Abngjnmo.exe
99. C:\Windows\SysWOW64\Aaqgek32.exe (PID 6032) | cmd: C:\Windows\system32\Aaqgek32.exe
100. C:\Windows\SysWOW64\Acocaf32.exe (PID 6068) | cmd: C:\Windows\system32\Acocaf32.exe
101. C:\Windows\SysWOW64\Ahkobekf.exe (PID 6104) | cmd: C:\Windows\system32\Ahkobekf.exe
102. C:\Windows\SysWOW64\Ajiknpjj.exe (PID 6140) | cmd: C:\Windows\system32\Ajiknpjj.exe | Drops file in System32 directory
103. C:\Windows\SysWOW64\Andgoobc.exe (PID 440) | cmd: C:\Windows\system32\Andgoobc.exe | Drops file in System32 directory
104. C:\Windows\SysWOW64\Aacckjaf.exe (PID 3448) | cmd: C:\Windows\system32\Aacckjaf.exe | Adds autorun key to be loaded by Explorer.exe on startup
105. C:\Windows\SysWOW64\Aeopki32.exe (PID 1196) | cmd: C:\Windows\system32\Aeopki32.exe | Drops file in System32 directory
106. C:\Windows\SysWOW64\Ahmlgd32.exe (PID 1264) | cmd: C:\Windows\system32\Ahmlgd32.exe
107. C:\Windows\SysWOW64\Alhhhcal.exe (PID 3728) | cmd: C:\Windows\system32\Alhhhcal.exe
108. C:\Windows\SysWOW64\Ajkhdp32.exe (PID 1388) | cmd: C:\Windows\system32\Ajkhdp32.exe
109. C:\Windows\SysWOW64\Abbpem32.exe (PID 1108) | cmd: C:\Windows\system32\Abbpem32.exe
110. C:\Windows\SysWOW64\Aealah32.exe (PID 4040) | cmd: C:\Windows\system32\Aealah32.exe
111. C:\Windows\SysWOW64\Adcmmeog.exe (PID 5320) | cmd: C:\Windows\system32\Adcmmeog.exe
112. C:\Windows\SysWOW64\Blmacb32.exe (PID 5664) | cmd: C:\Windows\system32\Blmacb32.exe
113. C:\Windows\SysWOW64\Beeflhdh.exe (PID 5736) | cmd: C:\Windows\system32\Beeflhdh.exe
114. C:\Windows\SysWOW64\Bhdbhcck.exe (PID 5836) | cmd: C:\Windows\system32\Bhdbhcck.exe | Modifies registry class
115. C:\Windows\SysWOW64\Bjbndobo.exe (PID 3468) | cmd: C:\Windows\system32\Bjbndobo.exe
116. C:\Windows\SysWOW64\Bbifelba.exe (PID 5952) | cmd: C:\Windows\system32\Bbifelba.exe
117. C:\Windows\SysWOW64\Bhfonc32.exe (PID 5968) | cmd: C:\Windows\system32\Bhfonc32.exe
118. C:\Windows\SysWOW64\Bjdkjo32.exe (PID 5156) | cmd: C:\Windows\system32\Bjdkjo32.exe
119. C:\Windows\SysWOW64\Baocghgi.exe (PID 6092) | cmd: C:\Windows\system32\Baocghgi.exe
120. C:\Windows\SysWOW64\Bdmpcdfm.exe (PID 2264) | cmd: C:\Windows\system32\Bdmpcdfm.exe
121. C:\Windows\SysWOW64\Bldgdago.exe (PID 5188) | cmd: C:\Windows\system32\Bldgdago.exe
122. C:\Windows\SysWOW64\Bobcpmfc.exe (PID 4472) | cmd: C:\Windows\system32\Bobcpmfc.exe
123. C:\Windows\SysWOW64\Baaplhef.exe (PID 5236) | cmd: C:\Windows\system32\Baaplhef.exe
124. C:\Windows\SysWOW64\Bdolhc32.exe (PID 5260) | cmd: C:\Windows\system32\Bdolhc32.exe
125. C:\Windows\SysWOW64\Boepel32.exe (PID 5332) | cmd: C:\Windows\system32\Boepel32.exe
126. C:\Windows\SysWOW64\Cbqlfkmi.exe (PID 448) | cmd: C:\Windows\system32\Cbqlfkmi.exe | Modifies registry class
127. C:\Windows\SysWOW64\Cdainc32.exe (PID 5484) | cmd: C:\Windows\system32\Cdainc32.exe | Modifies registry class
128. C:\Windows\SysWOW64\Cliaoq32.exe (PID 3916) | cmd: C:\Windows\system32\Cliaoq32.exe
129. C:\Windows\SysWOW64\Cafigg32.exe (PID 5380) | cmd: C:\Windows\system32\Cafigg32.exe
130. C:\Windows\SysWOW64\Chpada32.exe (PID 5428) | cmd: C:\Windows\system32\Chpada32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
131. C:\Windows\SysWOW64\Cojjqlpk.exe (PID 5720) | cmd: C:\Windows\system32\Cojjqlpk.exe
132. C:\Windows\SysWOW64\Cahfmgoo.exe (PID 5896) | cmd: C:\Windows\system32\Cahfmgoo.exe
133. C:\Windows\SysWOW64\Cdfbibnb.exe (PID 4252) | cmd: C:\Windows\system32\Cdfbibnb.exe
134. C:\Windows\SysWOW64\Clnjjpod.exe (PID 5144) | cmd: C:\Windows\system32\Clnjjpod.exe
135. C:\Windows\SysWOW64\Ckpjfm32.exe (PID 6124) | cmd: C:\Windows\system32\Ckpjfm32.exe
136. C:\Windows\SysWOW64\Cajcbgml.exe (PID 5200) | cmd: C:\Windows\system32\Cajcbgml.exe
137. C:\Windows\SysWOW64\Cdiooblp.exe (PID 5224) | cmd: C:\Windows\system32\Cdiooblp.exe | Modifies registry class
138. C:\Windows\SysWOW64\Clpgpp32.exe (PID 1876) | cmd: C:\Windows\system32\Clpgpp32.exe
139. C:\Windows\SysWOW64\Conclk32.exe (PID 2372) | cmd: C:\Windows\system32\Conclk32.exe
140. C:\Windows\SysWOW64\Cehkhecb.exe (PID 5360) | cmd: C:\Windows\system32\Cehkhecb.exe
141. C:\Windows\SysWOW64\Chghdqbf.exe (PID 552) | cmd: C:\Windows\system32\Chghdqbf.exe
142. C:\Windows\SysWOW64\Ckedalaj.exe (PID 5416) | cmd: C:\Windows\system32\Ckedalaj.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
143. C:\Windows\SysWOW64\Dbllbibl.exe (PID 5812) | cmd: C:\Windows\system32\Dbllbibl.exe
144. C:\Windows\SysWOW64\Ddmhja32.exe (PID 5132) | cmd: C:\Windows\system32\Ddmhja32.exe
145. C:\Windows\SysWOW64\Dkgqfl32.exe (PID 6136) | cmd: C:\Windows\system32\Dkgqfl32.exe
146. C:\Windows\SysWOW64\Daaicfgd.exe (PID 4016) | cmd: C:\Windows\system32\Daaicfgd.exe
147. C:\Windows\SysWOW64\Dlgmpogj.exe (PID 1404) | cmd: C:\Windows\system32\Dlgmpogj.exe
148. C:\Windows\SysWOW64\Doeiljfn.exe (PID 4148) | cmd: C:\Windows\system32\Doeiljfn.exe
149. C:\Windows\SysWOW64\Deoaid32.exe (PID 5404) | cmd: C:\Windows\system32\Deoaid32.exe
150. C:\Windows\SysWOW64\Dohfbj32.exe (PID 6016) | cmd: C:\Windows\system32\Dohfbj32.exe
151. C:\Windows\SysWOW64\Deanodkh.exe (PID 5248) | cmd: C:\Windows\system32\Deanodkh.exe
152. C:\Windows\SysWOW64\Dhpjkojk.exe (PID 5572) | cmd: C:\Windows\system32\Dhpjkojk.exe
153. C:\Windows\SysWOW64\Dkoggkjo.exe (PID 6060) | cmd: C:\Windows\system32\Dkoggkjo.exe
154. C:\Windows\SysWOW64\Dceohhja.exe (PID 4312) | cmd: C:\Windows\system32\Dceohhja.exe | Modifies registry class
155. C:\Windows\SysWOW64\Dedkdcie.exe (PID 3888) | cmd: C:\Windows\system32\Dedkdcie.exe
156. C:\Windows\SysWOW64\Ddgkpp32.exe (PID 6020) | cmd: C:\Windows\system32\Ddgkpp32.exe
157. C:\Windows\SysWOW64\Dlncan32.exe (PID 6164) | cmd: C:\Windows\system32\Dlncan32.exe
158. C:\Windows\SysWOW64\Eolpmi32.exe (PID 6204) | cmd: C:\Windows\system32\Eolpmi32.exe | Drops file in System32 directory
159. C:\Windows\SysWOW64\Eaklidoi.exe (PID 6240) | cmd: C:\Windows\system32\Eaklidoi.exe
160. C:\Windows\SysWOW64\Edihepnm.exe (PID 6280) | cmd: C:\Windows\system32\Edihepnm.exe
161. C:\Windows\SysWOW64\Elppfmoo.exe (PID 6320) | cmd: C:\Windows\system32\Elppfmoo.exe
162. C:\Windows\SysWOW64\Eoolbinc.exe (PID 6360) | cmd: C:\Windows\system32\Eoolbinc.exe | Drops file in System32 directory
163. C:\Windows\SysWOW64\Ecjhcg32.exe (PID 6400) | cmd: C:\Windows\system32\Ecjhcg32.exe
164. C:\Windows\SysWOW64\Edkdkplj.exe (PID 6440) | cmd: C:\Windows\system32\Edkdkplj.exe
165. C:\Windows\SysWOW64\Elbmlmml.exe (PID 6480) | cmd: C:\Windows\system32\Elbmlmml.exe
166. C:\Windows\SysWOW64\Eoaihhlp.exe (PID 6524) | cmd: C:\Windows\system32\Eoaihhlp.exe
167. C:\Windows\SysWOW64\Eapedd32.exe (PID 6560) | cmd: C:\Windows\system32\Eapedd32.exe
168. C:\Windows\SysWOW64\Ednaqo32.exe (PID 6604) | cmd: C:\Windows\system32\Ednaqo32.exe
169. C:\Windows\SysWOW64\Eleiam32.exe (PID 6648) | cmd: C:\Windows\system32\Eleiam32.exe
170. C:\Windows\SysWOW64\Ecoangbg.exe (PID 6696) | cmd: C:\Windows\system32\Ecoangbg.exe | Modifies registry class
171. C:\Windows\SysWOW64\Eemnjbaj.exe (PID 6736) | cmd: C:\Windows\system32\Eemnjbaj.exe
172. C:\Windows\SysWOW64\Elgfgl32.exe (PID 6776) | cmd: C:\Windows\system32\Elgfgl32.exe
173. C:\Windows\SysWOW64\Eofbch32.exe (PID 6816) | cmd: C:\Windows\system32\Eofbch32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
174. C:\Windows\SysWOW64\Eadopc32.exe (PID 6856) | cmd: C:\Windows\system32\Eadopc32.exe
175. C:\Windows\SysWOW64\Edbklofb.exe (PID 6896) | cmd: C:\Windows\system32\Edbklofb.exe
176. C:\Windows\SysWOW64\Ehnglm32.exe (PID 6940) | cmd: C:\Windows\system32\Ehnglm32.exe
177. C:\Windows\SysWOW64\Fkmchi32.exe (PID 6984) | cmd: C:\Windows\system32\Fkmchi32.exe
178. C:\Windows\SysWOW64\Fcckif32.exe (PID 7028) | cmd: C:\Windows\system32\Fcckif32.exe | Drops file in System32 directory
179. C:\Windows\SysWOW64\Febgea32.exe (PID 7076) | cmd: C:\Windows\system32\Febgea32.exe
180. C:\Windows\SysWOW64\Fhqcam32.exe (PID 7120) | cmd: C:\Windows\system32\Fhqcam32.exe
181. C:\Windows\SysWOW64\Fojlngce.exe (PID 7160) | cmd: C:\Windows\system32\Fojlngce.exe
182. C:\Windows\SysWOW64\Fcfhof32.exe (PID 6192) | cmd: C:\Windows\system32\Fcfhof32.exe | Modifies registry class
183. C:\Windows\SysWOW64\Ffddka32.exe (PID 6304) | cmd: C:\Windows\system32\Ffddka32.exe
184. C:\Windows\SysWOW64\Flnlhk32.exe (PID 6396) | cmd: C:\Windows\system32\Flnlhk32.exe
185. C:\Windows\SysWOW64\Fchddejl.exe (PID 6492) | cmd: C:\Windows\system32\Fchddejl.exe
186. C:\Windows\SysWOW64\Ffgqqaip.exe (PID 6568) | cmd: C:\Windows\system32\Ffgqqaip.exe
187. C:\Windows\SysWOW64\Fhemmlhc.exe (PID 6684) | cmd: C:\Windows\system32\Fhemmlhc.exe
188. C:\Windows\SysWOW64\Fooeif32.exe (PID 6772) | cmd: C:\Windows\system32\Fooeif32.exe
189. C:\Windows\SysWOW64\Ffimfqgm.exe (PID 6844) | cmd: C:\Windows\system32\Ffimfqgm.exe
190. C:\Windows\SysWOW64\Flceckoj.exe (PID 6924) | cmd: C:\Windows\system32\Flceckoj.exe | Modifies registry class
191. C:\Windows\SysWOW64\Foabofnn.exe (PID 7012) | cmd: C:\Windows\system32\Foabofnn.exe
192. C:\Windows\SysWOW64\Fbpnkama.exe (PID 7112) | cmd: C:\Windows\system32\Fbpnkama.exe
193. C:\Windows\SysWOW64\Fdnjgmle.exe (PID 6200) | cmd: C:\Windows\system32\Fdnjgmle.exe
194. C:\Windows\SysWOW64\Glebhjlg.exe (PID 6352) | cmd: C:\Windows\system32\Glebhjlg.exe
195. C:\Windows\SysWOW64\Gkhbdg32.exe (PID 6548) | cmd: C:\Windows\system32\Gkhbdg32.exe
196. C:\Windows\SysWOW64\Gododflk.exe (PID 6756) | cmd: C:\Windows\system32\Gododflk.exe
197. C:\Windows\SysWOW64\Gbbkaako.exe (PID 6892) | cmd: C:\Windows\system32\Gbbkaako.exe
198. C:\Windows\SysWOW64\Gdqgmmjb.exe (PID 6968) | cmd: C:\Windows\system32\Gdqgmmjb.exe
199. C:\Windows\SysWOW64\Glhonj32.exe (PID 6148) | cmd: C:\Windows\system32\Glhonj32.exe
200. C:\Windows\SysWOW64\Gkkojgao.exe (PID 6464) | cmd: C:\Windows\system32\Gkkojgao.exe
201. C:\Windows\SysWOW64\Gofkje32.exe (PID 6784) | cmd: C:\Windows\system32\Gofkje32.exe
202. C:\Windows\SysWOW64\Gbdgfa32.exe (PID 6976) | cmd: C:\Windows\system32\Gbdgfa32.exe | Drops file in System32 directory
203. C:\Windows\SysWOW64\Gmjlcj32.exe (PID 6368) | cmd: C:\Windows\system32\Gmjlcj32.exe
204. C:\Windows\SysWOW64\Gohhpe32.exe (PID 7020) | cmd: C:\Windows\system32\Gohhpe32.exe
205. C:\Windows\SysWOW64\Gbgdlq32.exe (PID 6744) | cmd: C:\Windows\system32\Gbgdlq32.exe
206. C:\Windows\SysWOW64\Ghaliknf.exe (PID 6544) | cmd: C:\Windows\system32\Ghaliknf.exe | Drops file in System32 directory
207. C:\Windows\SysWOW64\Gkoiefmj.exe (PID 6996) | cmd: C:\Windows\system32\Gkoiefmj.exe
208. C:\Windows\SysWOW64\Gdhmnlcj.exe (PID 7208) | cmd: C:\Windows\system32\Gdhmnlcj.exe | Modifies registry class
209. C:\Windows\SysWOW64\Gkaejf32.exe (PID 7252) | cmd: C:\Windows\system32\Gkaejf32.exe
210. C:\Windows\SysWOW64\Gcimkc32.exe (PID 7296) | cmd: C:\Windows\system32\Gcimkc32.exe
211. C:\Windows\SysWOW64\Gdjjckag.exe (PID 7340) | cmd: C:\Windows\system32\Gdjjckag.exe
212. C:\Windows\SysWOW64\Hkdbpe32.exe (PID 7384) | cmd: C:\Windows\system32\Hkdbpe32.exe
213. C:\Windows\SysWOW64\Hckjacjg.exe (PID 7424) | cmd: C:\Windows\system32\Hckjacjg.exe
214. C:\Windows\SysWOW64\Hihbijhn.exe (PID 7464) | cmd: C:\Windows\system32\Hihbijhn.exe
215. C:\Windows\SysWOW64\Hbpgbo32.exe (PID 7504) | cmd: C:\Windows\system32\Hbpgbo32.exe | Modifies registry class
216. C:\Windows\SysWOW64\Hbbdholl.exe (PID 7552) | cmd: C:\Windows\system32\Hbbdholl.exe
217. C:\Windows\SysWOW64\Himldi32.exe (PID 7596) | cmd: C:\Windows\system32\Himldi32.exe | Modifies registry class
218. C:\Windows\SysWOW64\Hfqlnm32.exe (PID 7640) | cmd: C:\Windows\system32\Hfqlnm32.exe
219. C:\Windows\SysWOW64\Hioiji32.exe (PID 7688) | cmd: C:\Windows\system32\Hioiji32.exe
220. C:\Windows\SysWOW64\Hkmefd32.exe (PID 7732) | cmd: C:\Windows\system32\Hkmefd32.exe
221. C:\Windows\SysWOW64\Hoiafcic.exe (PID 7776) | cmd: C:\Windows\system32\Hoiafcic.exe
222. C:\Windows\SysWOW64\Hbgmcnhf.exe (PID 7816) | cmd: C:\Windows\system32\Hbgmcnhf.exe
223. C:\Windows\SysWOW64\Iefioj32.exe (PID 7860) | cmd: C:\Windows\system32\Iefioj32.exe
224. C:\Windows\SysWOW64\Immapg32.exe (PID 7896) | cmd: C:\Windows\system32\Immapg32.exe | Drops file in System32 directory
225. C:\Windows\SysWOW64\Ipknlb32.exe (PID 7944) | cmd: C:\Windows\system32\Ipknlb32.exe
226. C:\Windows\SysWOW64\Icgjmapi.exe (PID 7988) | cmd: C:\Windows\system32\Icgjmapi.exe
227. C:\Windows\SysWOW64\Ifefimom.exe (PID 8032) | cmd: C:\Windows\system32\Ifefimom.exe
228. C:\Windows\SysWOW64\Imoneg32.exe (PID 8072) | cmd: C:\Windows\system32\Imoneg32.exe
229. C:\Windows\SysWOW64\Ipnjab32.exe (PID 8120) | cmd: C:\Windows\system32\Ipnjab32.exe
230. C:\Windows\SysWOW64\Iblfnn32.exe (PID 8156) | cmd: C:\Windows\system32\Iblfnn32.exe
231. C:\Windows\SysWOW64\Iejcji32.exe (PID 6764) | cmd: C:\Windows\system32\Iejcji32.exe
232. C:\Windows\SysWOW64\Imakkfdg.exe (PID 7236) | cmd: C:\Windows\system32\Imakkfdg.exe
233. C:\Windows\SysWOW64\Ippggbck.exe (PID 7312) | cmd: C:\Windows\system32\Ippggbck.exe
234. C:\Windows\SysWOW64\Ibnccmbo.exe (PID 7380) | cmd: C:\Windows\system32\Ibnccmbo.exe
235. C:\Windows\SysWOW64\Iemppiab.exe (PID 7448) | cmd: C:\Windows\system32\Iemppiab.exe
236. C:\Windows\SysWOW64\Iihkpg32.exe (PID 7512) | cmd: C:\Windows\system32\Iihkpg32.exe | Adds autorun key to be loaded by Explorer.exe on startup
237. C:\Windows\SysWOW64\Ilghlc32.exe (PID 7572) | cmd: C:\Windows\system32\Ilghlc32.exe
238. C:\Windows\SysWOW64\Icnpmp32.exe (PID 7648) | cmd: C:\Windows\system32\Icnpmp32.exe
239. C:\Windows\SysWOW64\Ibqpimpl.exe (PID 7716) | cmd: C:\Windows\system32\Ibqpimpl.exe
240. C:\Windows\SysWOW64\Ieolehop.exe (PID 7784) | cmd: C:\Windows\system32\Ieolehop.exe
241. C:\Windows\SysWOW64\Imfdff32.exe (PID 7844) | cmd: C:\Windows\system32\Imfdff32.exe
242. C:\Windows\SysWOW64\Ipdqba32.exe (PID 7912) | cmd: C:\Windows\system32\Ipdqba32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory