Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 22:53
Behavioral task: behavioral1
Sample: 065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe
Size: 229KB
MD5: 065758121befb57fbf4d8fbd9e601f50
SHA1: db734605cc8c4889314e8a8ca64c0fee68f6dfd8
SHA256: 9468171447556018ceca1a15e810a8291574cbcee7afafdfd06bf26b22d7cc1b
SHA512: 27506c68c6660038e0ff4caa04a22f62be72b5718028beeb1a4d8eec8ffdb1c04c761eac8935edb0045d905a6b3df3566a361e5f352d8446a51294b314a8a369
SSDEEP: 6144:4Qh1PjaEEPu+271+HZ/pvkym/89bYEwPhCKvav:4QCEf7AIfFfvav
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3544, pid_target: 15996
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe (command line "C:\Users\Admin\AppData\Local\Temp\065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe", PID 2524)
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Gogbdl32.exe (command line C:\Windows\system32\Gogbdl32.exe, PID 3244)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Gmkbnp32.exe (command line C:\Windows\system32\Gmkbnp32.exe, PID 336)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Gbgkfg32.exe (command line C:\Windows\system32\Gbgkfg32.exe, PID 1008)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Gmmocpjk.exe (command line C:\Windows\system32\Gmmocpjk.exe, PID 1936)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Gfedle32.exe (command line C:\Windows\system32\Gfedle32.exe, PID 2216)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Gqkhjn32.exe (command line C:\Windows\system32\Gqkhjn32.exe, PID 1264)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gjclbc32.exe (command line C:\Windows\system32\Gjclbc32.exe, PID 1232)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gppekj32.exe (command line C:\Windows\system32\Gppekj32.exe, PID 5004)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Hapaemll.exe (command line C:\Windows\system32\Hapaemll.exe, PID 3944)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Hjhfnccl.exe (command line C:\Windows\system32\Hjhfnccl.exe, PID 4564)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Hpenfjad.exe (command line C:\Windows\system32\Hpenfjad.exe, PID 1836)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Hfofbd32.exe (command line C:\Windows\system32\Hfofbd32.exe, PID 3960)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Hadkpm32.exe (command line C:\Windows\system32\Hadkpm32.exe, PID 5000)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hjmoibog.exe (command line C:\Windows\system32\Hjmoibog.exe, PID 3568)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hpihai32.exe (command line C:\Windows\system32\Hpihai32.exe, PID 3852)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Hjolnb32.exe (command line C:\Windows\system32\Hjolnb32.exe, PID 232)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Haidklda.exe (command line C:\Windows\system32\Haidklda.exe, PID 1548)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ibjqcd32.exe (command line C:\Windows\system32\Ibjqcd32.exe, PID 2452)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ipnalhii.exe (command line C:\Windows\system32\Ipnalhii.exe, PID 1692)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ifhiib32.exe (command line C:\Windows\system32\Ifhiib32.exe, PID 4032)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Icljbg32.exe (command line C:\Windows\system32\Icljbg32.exe, PID 1040)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Iiibkn32.exe (command line C:\Windows\system32\Iiibkn32.exe, PID 3572)
- Executes dropped EXE
24. C:\Windows\SysWOW64\Ibagcc32.exe (command line C:\Windows\system32\Ibagcc32.exe, PID 2632)
- Executes dropped EXE
25. C:\Windows\SysWOW64\Imgkql32.exe (command line C:\Windows\system32\Imgkql32.exe, PID 1348)
- Executes dropped EXE
26. C:\Windows\SysWOW64\Idacmfkj.exe (command line C:\Windows\system32\Idacmfkj.exe, PID 3228)
- Executes dropped EXE
27. C:\Windows\SysWOW64\Imihfl32.exe (command line C:\Windows\system32\Imihfl32.exe, PID 2200)
- Executes dropped EXE
28. C:\Windows\SysWOW64\Jbfpobpb.exe (command line C:\Windows\system32\Jbfpobpb.exe, PID 3784)
- Executes dropped EXE
29. C:\Windows\SysWOW64\Jpjqhgol.exe (command line C:\Windows\system32\Jpjqhgol.exe, PID 2284)
- Executes dropped EXE
30. C:\Windows\SysWOW64\Jibeql32.exe (command line C:\Windows\system32\Jibeql32.exe, PID 3248)
- Executes dropped EXE
31. C:\Windows\SysWOW64\Jplmmfmi.exe (command line C:\Windows\system32\Jplmmfmi.exe, PID 4652)
- Executes dropped EXE
32. C:\Windows\SysWOW64\Jfffjqdf.exe (command line C:\Windows\system32\Jfffjqdf.exe, PID 4212)
- Executes dropped EXE
33. C:\Windows\SysWOW64\Jmpngk32.exe (command line C:\Windows\system32\Jmpngk32.exe, PID 4424)
34. C:\Windows\SysWOW64\Jdjfcecp.exe (command line C:\Windows\system32\Jdjfcecp.exe, PID 756)
- Executes dropped EXE
35. C:\Windows\SysWOW64\Jkdnpo32.exe (command line C:\Windows\system32\Jkdnpo32.exe, PID 2620)
- Executes dropped EXE
36. C:\Windows\SysWOW64\Jangmibi.exe (command line C:\Windows\system32\Jangmibi.exe, PID 2148)
- Executes dropped EXE
37. C:\Windows\SysWOW64\Jdmcidam.exe (command line C:\Windows\system32\Jdmcidam.exe, PID 3788)
- Executes dropped EXE
38. C:\Windows\SysWOW64\Kmegbjgn.exe (command line C:\Windows\system32\Kmegbjgn.exe, PID 1108)
- Executes dropped EXE
39. C:\Windows\SysWOW64\Kpccnefa.exe (command line C:\Windows\system32\Kpccnefa.exe, PID 3812)
- Executes dropped EXE
- Modifies registry class
40. C:\Windows\SysWOW64\Kbapjafe.exe (command line C:\Windows\system32\Kbapjafe.exe, PID 3476)
- Executes dropped EXE
41. C:\Windows\SysWOW64\Kilhgk32.exe (command line C:\Windows\system32\Kilhgk32.exe, PID 1800)
- Executes dropped EXE
42. C:\Windows\SysWOW64\Kacphh32.exe (command line C:\Windows\system32\Kacphh32.exe, PID 1556)
- Executes dropped EXE
43. C:\Windows\SysWOW64\Kbdmpqcb.exe (command line C:\Windows\system32\Kbdmpqcb.exe, PID 2364)
- Executes dropped EXE
44. C:\Windows\SysWOW64\Kinemkko.exe (command line C:\Windows\system32\Kinemkko.exe, PID 4992)
- Executes dropped EXE
45. C:\Windows\SysWOW64\Kphmie32.exe (command line C:\Windows\system32\Kphmie32.exe, PID 4980)
- Executes dropped EXE
46. C:\Windows\SysWOW64\Kbfiep32.exe (command line C:\Windows\system32\Kbfiep32.exe, PID 1072)
- Executes dropped EXE
- Drops file in System32 directory
47. C:\Windows\SysWOW64\Kknafn32.exe (command line C:\Windows\system32\Kknafn32.exe, PID 3220)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
48. C:\Windows\SysWOW64\Kpjjod32.exe (command line C:\Windows\system32\Kpjjod32.exe, PID 432)
- Executes dropped EXE
49. C:\Windows\SysWOW64\Kgdbkohf.exe (command line C:\Windows\system32\Kgdbkohf.exe, PID 3344)
- Executes dropped EXE
- Modifies registry class
50. C:\Windows\SysWOW64\Kibnhjgj.exe (command line C:\Windows\system32\Kibnhjgj.exe, PID 5016)
- Executes dropped EXE
51. C:\Windows\SysWOW64\Kpmfddnf.exe (command line C:\Windows\system32\Kpmfddnf.exe, PID 4824)
- Executes dropped EXE
52. C:\Windows\SysWOW64\Kckbqpnj.exe (command line C:\Windows\system32\Kckbqpnj.exe, PID 3288)
- Executes dropped EXE
- Drops file in System32 directory
53. C:\Windows\SysWOW64\Lalcng32.exe (command line C:\Windows\system32\Lalcng32.exe, PID 1648)
- Executes dropped EXE
54. C:\Windows\SysWOW64\Ldkojb32.exe (command line C:\Windows\system32\Ldkojb32.exe, PID 2628)
- Executes dropped EXE
55. C:\Windows\SysWOW64\Lgikfn32.exe (command line C:\Windows\system32\Lgikfn32.exe, PID 2008)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Lmccchkn.exe (command line C:\Windows\system32\Lmccchkn.exe, PID 2320)
- Executes dropped EXE
57. C:\Windows\SysWOW64\Lkgdml32.exe (command line C:\Windows\system32\Lkgdml32.exe, PID 4488)
- Executes dropped EXE
58. C:\Windows\SysWOW64\Ldohebqh.exe (command line C:\Windows\system32\Ldohebqh.exe, PID 3444)
- Executes dropped EXE
59. C:\Windows\SysWOW64\Lgneampk.exe (command line C:\Windows\system32\Lgneampk.exe, PID 4596)
- Executes dropped EXE
60. C:\Windows\SysWOW64\Lnhmng32.exe (command line C:\Windows\system32\Lnhmng32.exe, PID 3052)
- Executes dropped EXE
61. C:\Windows\SysWOW64\Lpfijcfl.exe (command line C:\Windows\system32\Lpfijcfl.exe, PID 4680)
- Executes dropped EXE
62. C:\Windows\SysWOW64\Lgpagm32.exe (command line C:\Windows\system32\Lgpagm32.exe, PID 3348)
- Executes dropped EXE
63. C:\Windows\SysWOW64\Ljnnch32.exe (command line C:\Windows\system32\Ljnnch32.exe, PID 3680)
- Executes dropped EXE
64. C:\Windows\SysWOW64\Lcgblncm.exe (command line C:\Windows\system32\Lcgblncm.exe, PID 4224)
- Executes dropped EXE
65. C:\Windows\SysWOW64\Lknjmkdo.exe (command line C:\Windows\system32\Lknjmkdo.exe, PID 1588)
- Executes dropped EXE
66. C:\Windows\SysWOW64\Mdfofakp.exe (command line C:\Windows\system32\Mdfofakp.exe, PID 3748)
- Executes dropped EXE
- Modifies registry class
67. C:\Windows\SysWOW64\Mgekbljc.exe (command line C:\Windows\system32\Mgekbljc.exe, PID 2260)
68. C:\Windows\SysWOW64\Mpmokb32.exe (command line C:\Windows\system32\Mpmokb32.exe, PID 1868)
69. C:\Windows\SysWOW64\Mcklgm32.exe (command line C:\Windows\system32\Mcklgm32.exe, PID 2788)
70. C:\Windows\SysWOW64\Mjeddggd.exe (command line C:\Windows\system32\Mjeddggd.exe, PID 3416)
71. C:\Windows\SysWOW64\Mdkhapfj.exe (command line C:\Windows\system32\Mdkhapfj.exe, PID 5112)
72. C:\Windows\SysWOW64\Mncmjfmk.exe (command line C:\Windows\system32\Mncmjfmk.exe, PID 2152)
73. C:\Windows\SysWOW64\Mpaifalo.exe (command line C:\Windows\system32\Mpaifalo.exe, PID 3224)
- Modifies registry class
74. C:\Windows\SysWOW64\Mglack32.exe (command line C:\Windows\system32\Mglack32.exe, PID 1924)
75. C:\Windows\SysWOW64\Maaepd32.exe (command line C:\Windows\system32\Maaepd32.exe, PID 832)
76. C:\Windows\SysWOW64\Njljefql.exe (command line C:\Windows\system32\Njljefql.exe, PID 2384)
77. C:\Windows\SysWOW64\Nqfbaq32.exe (command line C:\Windows\system32\Nqfbaq32.exe, PID 4228)
78. C:\Windows\SysWOW64\Ngpjnkpf.exe (command line C:\Windows\system32\Ngpjnkpf.exe, PID 4276)
79. C:\Windows\SysWOW64\Njogjfoj.exe (command line C:\Windows\system32\Njogjfoj.exe, PID 1972)
80. C:\Windows\SysWOW64\Ncgkcl32.exe (command line C:\Windows\system32\Ncgkcl32.exe, PID 2728)
81. C:\Windows\SysWOW64\Nnmopdep.exe (command line C:\Windows\system32\Nnmopdep.exe, PID 3292)
82. C:\Windows\SysWOW64\Ndghmo32.exe (command line C:\Windows\system32\Ndghmo32.exe, PID 2264)
83. C:\Windows\SysWOW64\Nbkhfc32.exe (command line C:\Windows\system32\Nbkhfc32.exe, PID 4668)
84. C:\Windows\SysWOW64\Ndidbn32.exe (command line C:\Windows\system32\Ndidbn32.exe, PID 2520)
85. C:\Windows\SysWOW64\Nggqoj32.exe (command line C:\Windows\system32\Nggqoj32.exe, PID 4184)
86. C:\Windows\SysWOW64\Nnaikd32.exe (command line C:\Windows\system32\Nnaikd32.exe, PID 4844)
87. C:\Windows\SysWOW64\Ndkahnhh.exe (command line C:\Windows\system32\Ndkahnhh.exe, PID 1652)
- Drops file in System32 directory
88. C:\Windows\SysWOW64\Ojhiqefo.exe (command line C:\Windows\system32\Ojhiqefo.exe, PID 2416)
89. C:\Windows\SysWOW64\Ocqnij32.exe (command line C:\Windows\system32\Ocqnij32.exe, PID 640)
90. C:\Windows\SysWOW64\Onfbfc32.exe (command line C:\Windows\system32\Onfbfc32.exe, PID 4552)
91. C:\Windows\SysWOW64\Ogogoi32.exe (command line C:\Windows\system32\Ogogoi32.exe, PID 3056)
92. C:\Windows\SysWOW64\Onholckc.exe (command line C:\Windows\system32\Onholckc.exe, PID 3404)
93. C:\Windows\SysWOW64\Oqgkhnjf.exe (command line C:\Windows\system32\Oqgkhnjf.exe, PID 1576)
94. C:\Windows\SysWOW64\Ogaceh32.exe (command line C:\Windows\system32\Ogaceh32.exe, PID 3336)
95. C:\Windows\SysWOW64\Ojopad32.exe (command line C:\Windows\system32\Ojopad32.exe, PID 5008)
- Drops file in System32 directory
96. C:\Windows\SysWOW64\Obfhba32.exe (command line C:\Windows\system32\Obfhba32.exe, PID 2436)
- Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Odednmpm.exe (command line C:\Windows\system32\Odednmpm.exe, PID 1292)
98. C:\Windows\SysWOW64\Okolkg32.exe (command line C:\Windows\system32\Okolkg32.exe, PID 1364)
99. C:\Windows\SysWOW64\Obidhaog.exe (command line C:\Windows\system32\Obidhaog.exe, PID 5128)
100. C:\Windows\SysWOW64\Odgqdlnj.exe (command line C:\Windows\system32\Odgqdlnj.exe, PID 5164)
101. C:\Windows\SysWOW64\Pgemphmn.exe (command line C:\Windows\system32\Pgemphmn.exe, PID 5216)
102. C:\Windows\SysWOW64\Pjdilcla.exe (command line C:\Windows\system32\Pjdilcla.exe, PID 5260)
103. C:\Windows\SysWOW64\Pbkamqmd.exe (command line C:\Windows\system32\Pbkamqmd.exe, PID 5304)
104. C:\Windows\SysWOW64\Peimil32.exe (command line C:\Windows\system32\Peimil32.exe, PID 5348)
105. C:\Windows\SysWOW64\Pclneicb.exe (command line C:\Windows\system32\Pclneicb.exe, PID 5392)
- Modifies registry class
106. C:\Windows\SysWOW64\Pjffbc32.exe (command line C:\Windows\system32\Pjffbc32.exe, PID 5436)
107. C:\Windows\SysWOW64\Pqpnombl.exe (command line C:\Windows\system32\Pqpnombl.exe, PID 5496)
108. C:\Windows\SysWOW64\Peljol32.exe (command line C:\Windows\system32\Peljol32.exe, PID 5532)
109. C:\Windows\SysWOW64\Pgjfkg32.exe (command line C:\Windows\system32\Pgjfkg32.exe, PID 5584)
110. C:\Windows\SysWOW64\Pkfblfab.exe (command line C:\Windows\system32\Pkfblfab.exe, PID 5632)
111. C:\Windows\SysWOW64\Pndohaqe.exe (command line C:\Windows\system32\Pndohaqe.exe, PID 5692)
112. C:\Windows\SysWOW64\Pabkdmpi.exe (command line C:\Windows\system32\Pabkdmpi.exe, PID 5752)
113. C:\Windows\SysWOW64\Pengdk32.exe (command line C:\Windows\system32\Pengdk32.exe, PID 5812)
114. C:\Windows\SysWOW64\Pgmcqggf.exe (command line C:\Windows\system32\Pgmcqggf.exe, PID 5848)
115. C:\Windows\SysWOW64\Pnfkma32.exe (command line C:\Windows\system32\Pnfkma32.exe, PID 5900)
- Modifies registry class
116. C:\Windows\SysWOW64\Pbbgnpgl.exe (command line C:\Windows\system32\Pbbgnpgl.exe, PID 5972)
117. C:\Windows\SysWOW64\Pcccfh32.exe (command line C:\Windows\system32\Pcccfh32.exe, PID 6024)
118. C:\Windows\SysWOW64\Pgopffec.exe (command line C:\Windows\system32\Pgopffec.exe, PID 6080)
- Modifies registry class
119. C:\Windows\SysWOW64\Pjmlbbdg.exe (command line C:\Windows\system32\Pjmlbbdg.exe, PID 6132)
120. C:\Windows\SysWOW64\Pnihcq32.exe (command line C:\Windows\system32\Pnihcq32.exe, PID 5148)
121. C:\Windows\SysWOW64\Pagdol32.exe (command line C:\Windows\system32\Pagdol32.exe, PID 5208)
122. C:\Windows\SysWOW64\Qgallfcq.exe (command line C:\Windows\system32\Qgallfcq.exe, PID 5288)
- Modifies registry class
123. C:\Windows\SysWOW64\Qjpiha32.exe (command line C:\Windows\system32\Qjpiha32.exe, PID 5360)
124. C:\Windows\SysWOW64\Qnkdhpjn.exe (command line C:\Windows\system32\Qnkdhpjn.exe, PID 5428)
125. C:\Windows\SysWOW64\Qajadlja.exe (command line C:\Windows\system32\Qajadlja.exe, PID 5508)
126. C:\Windows\SysWOW64\Qchmagie.exe (command line C:\Windows\system32\Qchmagie.exe, PID 5568)
127. C:\Windows\SysWOW64\Qjbena32.exe (command line C:\Windows\system32\Qjbena32.exe, PID 5676)
128. C:\Windows\SysWOW64\Qbimoo32.exe (command line C:\Windows\system32\Qbimoo32.exe, PID 5792)
- Drops file in System32 directory
129. C:\Windows\SysWOW64\Aegikj32.exe (command line C:\Windows\system32\Aegikj32.exe, PID 5888)
130. C:\Windows\SysWOW64\Agffge32.exe (command line C:\Windows\system32\Agffge32.exe, PID 6016)
131. C:\Windows\SysWOW64\Ajdbcano.exe (command line C:\Windows\system32\Ajdbcano.exe, PID 6076)
132. C:\Windows\SysWOW64\Aanjpk32.exe (command line C:\Windows\system32\Aanjpk32.exe, PID 452)
133. C:\Windows\SysWOW64\Ahhblemi.exe (command line C:\Windows\system32\Ahhblemi.exe, PID 5252)
134. C:\Windows\SysWOW64\Anbkio32.exe (command line C:\Windows\system32\Anbkio32.exe, PID 5344)
135. C:\Windows\SysWOW64\Acocaf32.exe (command line C:\Windows\system32\Acocaf32.exe, PID 5480)
136. C:\Windows\SysWOW64\Alfkbc32.exe (command line C:\Windows\system32\Alfkbc32.exe, PID 5572)
137. C:\Windows\SysWOW64\Adapgfqj.exe (command line C:\Windows\system32\Adapgfqj.exe, PID 5736)
138. C:\Windows\SysWOW64\Ahmlgd32.exe (command line C:\Windows\system32\Ahmlgd32.exe, PID 5876)
139. C:\Windows\SysWOW64\Angddopp.exe (command line C:\Windows\system32\Angddopp.exe, PID 6120)
140. C:\Windows\SysWOW64\Alkdnboj.exe (command line C:\Windows\system32\Alkdnboj.exe, PID 5156)
141. C:\Windows\SysWOW64\Becifhfj.exe (command line C:\Windows\system32\Becifhfj.exe, PID 5324)
- Drops file in System32 directory
142. C:\Windows\SysWOW64\Bnlnon32.exe (command line C:\Windows\system32\Bnlnon32.exe, PID 5552)
143. C:\Windows\SysWOW64\Bajjli32.exe (command line C:\Windows\system32\Bajjli32.exe, PID 5800)
144. C:\Windows\SysWOW64\Blpnib32.exe (command line C:\Windows\system32\Blpnib32.exe, PID 6012)
- Modifies registry class
145. C:\Windows\SysWOW64\Bjbndobo.exe (command line C:\Windows\system32\Bjbndobo.exe, PID 5212)
146. C:\Windows\SysWOW64\Bbifelba.exe (command line C:\Windows\system32\Bbifelba.exe, PID 5404)
147. C:\Windows\SysWOW64\Bdkcmdhp.exe (command line C:\Windows\system32\Bdkcmdhp.exe, PID 6112)
- Adds autorun key to be loaded by Explorer.exe on startup
148. C:\Windows\SysWOW64\Blbknaib.exe (command line C:\Windows\system32\Blbknaib.exe, PID 5144)
149. C:\Windows\SysWOW64\Bhikcb32.exe (command line C:\Windows\system32\Bhikcb32.exe, PID 5836)
150. C:\Windows\SysWOW64\Bbnpqk32.exe (command line C:\Windows\system32\Bbnpqk32.exe, PID 5416)
151. C:\Windows\SysWOW64\Bemlmgnp.exe (command line C:\Windows\system32\Bemlmgnp.exe, PID 6096)
152. C:\Windows\SysWOW64\Bkidenlg.exe (command line C:\Windows\system32\Bkidenlg.exe, PID 6160)
- Modifies registry class
153. C:\Windows\SysWOW64\Cbqlfkmi.exe (command line C:\Windows\system32\Cbqlfkmi.exe, PID 6212)
154. C:\Windows\SysWOW64\Cklaknjd.exe (command line C:\Windows\system32\Cklaknjd.exe, PID 6256)
155. C:\Windows\SysWOW64\Cddecc32.exe (command line C:\Windows\system32\Cddecc32.exe, PID 6300)
- Modifies registry class
156. C:\Windows\SysWOW64\Cojjqlpk.exe (command line C:\Windows\system32\Cojjqlpk.exe, PID 6340)
- Modifies registry class
157. C:\Windows\SysWOW64\Cbefaj32.exe (command line C:\Windows\system32\Cbefaj32.exe, PID 6376)
158. C:\Windows\SysWOW64\Cecbmf32.exe (command line C:\Windows\system32\Cecbmf32.exe, PID 6428)
159. C:\Windows\SysWOW64\Ckpjfm32.exe (command line C:\Windows\system32\Ckpjfm32.exe, PID 6468)
160. C:\Windows\SysWOW64\Cajcbgml.exe (command line C:\Windows\system32\Cajcbgml.exe, PID 6508)
161. C:\Windows\SysWOW64\Ckcgkldl.exe (command line C:\Windows\system32\Ckcgkldl.exe, PID 6552)
162. C:\Windows\SysWOW64\Cbjoljdo.exe (command line C:\Windows\system32\Cbjoljdo.exe, PID 6596)
163. C:\Windows\SysWOW64\Ckedalaj.exe (command line C:\Windows\system32\Ckedalaj.exe, PID 6636)
164. C:\Windows\SysWOW64\Ddmhja32.exe (command line C:\Windows\system32\Ddmhja32.exe, PID 6680)
165. C:\Windows\SysWOW64\Dkgqfl32.exe (command line C:\Windows\system32\Dkgqfl32.exe, PID 6720)
- Modifies registry class
166. C:\Windows\SysWOW64\Dboigi32.exe (command line C:\Windows\system32\Dboigi32.exe, PID 6768)
- Modifies registry class
167. C:\Windows\SysWOW64\Dhkapp32.exe (command line C:\Windows\system32\Dhkapp32.exe, PID 6808)
168. C:\Windows\SysWOW64\Doeiljfn.exe (command line C:\Windows\system32\Doeiljfn.exe, PID 6864)
169. C:\Windows\SysWOW64\Deoaid32.exe (command line C:\Windows\system32\Deoaid32.exe, PID 6900)
170. C:\Windows\SysWOW64\Dlijfneg.exe (command line C:\Windows\system32\Dlijfneg.exe, PID 6952)
- Adds autorun key to be loaded by Explorer.exe on startup
171. C:\Windows\SysWOW64\Dccbbhld.exe (command line C:\Windows\system32\Dccbbhld.exe, PID 6996)
172. C:\Windows\SysWOW64\Dddojq32.exe (command line C:\Windows\system32\Dddojq32.exe, PID 7040)
173. C:\Windows\SysWOW64\Dceohhja.exe (command line C:\Windows\system32\Dceohhja.exe, PID 7084)
- Adds autorun key to be loaded by Explorer.exe on startup
174. C:\Windows\SysWOW64\Ddgkpp32.exe (command line C:\Windows\system32\Ddgkpp32.exe, PID 7128)
175. C:\Windows\SysWOW64\Dlncan32.exe (command line C:\Windows\system32\Dlncan32.exe, PID 6156)
- Modifies registry class
176. C:\Windows\SysWOW64\Eolpmi32.exe (command line C:\Windows\system32\Eolpmi32.exe, PID 6200)
177. C:\Windows\SysWOW64\Eefhjc32.exe (command line C:\Windows\system32\Eefhjc32.exe, PID 6252)
178. C:\Windows\SysWOW64\Ehedfo32.exe (command line C:\Windows\system32\Ehedfo32.exe, PID 6316)
- Modifies registry class
179. C:\Windows\SysWOW64\Ecjhcg32.exe (command line C:\Windows\system32\Ecjhcg32.exe, PID 6368)
- Drops file in System32 directory
180. C:\Windows\SysWOW64\Eeidoc32.exe (command line C:\Windows\system32\Eeidoc32.exe, PID 6456)
181. C:\Windows\SysWOW64\Ekemhj32.exe (command line C:\Windows\system32\Ekemhj32.exe, PID 6528)
182. C:\Windows\SysWOW64\Eoaihhlp.exe (command line C:\Windows\system32\Eoaihhlp.exe, PID 6576)
183. C:\Windows\SysWOW64\Eekaebcm.exe (command line C:\Windows\system32\Eekaebcm.exe, PID 6652)
184. C:\Windows\SysWOW64\Eleiam32.exe (command line C:\Windows\system32\Eleiam32.exe, PID 6712)
185. C:\Windows\SysWOW64\Ecoangbg.exe (command line C:\Windows\system32\Ecoangbg.exe, PID 6800)
186. C:\Windows\SysWOW64\Edpnfo32.exe (command line C:\Windows\system32\Edpnfo32.exe, PID 6876)
187. C:\Windows\SysWOW64\Elgfgl32.exe (command line C:\Windows\system32\Elgfgl32.exe, PID 6940)
188. C:\Windows\SysWOW64\Eofbch32.exe (command line C:\Windows\system32\Eofbch32.exe, PID 7020)
- Drops file in System32 directory
189. C:\Windows\SysWOW64\Eadopc32.exe (command line C:\Windows\system32\Eadopc32.exe, PID 7072)
190. C:\Windows\SysWOW64\Ehnglm32.exe (command line C:\Windows\system32\Ehnglm32.exe, PID 7164)
191. C:\Windows\SysWOW64\Fkmchi32.exe (command line C:\Windows\system32\Fkmchi32.exe, PID 3688)
192. C:\Windows\SysWOW64\Fcckif32.exe (command line C:\Windows\system32\Fcckif32.exe, PID 6296)
193. C:\Windows\SysWOW64\Febgea32.exe (command line C:\Windows\system32\Febgea32.exe, PID 6364)
194. C:\Windows\SysWOW64\Fllpbldb.exe (command line C:\Windows\system32\Fllpbldb.exe, PID 6516)
195. C:\Windows\SysWOW64\Fcfhof32.exe (command line C:\Windows\system32\Fcfhof32.exe, PID 6624)
196. C:\Windows\SysWOW64\Ffddka32.exe (command line C:\Windows\system32\Ffddka32.exe, PID 6704)
197. C:\Windows\SysWOW64\Fhcpgmjf.exe (command line C:\Windows\system32\Fhcpgmjf.exe, PID 6776)
198. C:\Windows\SysWOW64\Fkalchij.exe (command line C:\Windows\system32\Fkalchij.exe, PID 6936)
- Adds autorun key to be loaded by Explorer.exe on startup
199. C:\Windows\SysWOW64\Fakdpb32.exe (command line C:\Windows\system32\Fakdpb32.exe, PID 7028)
200. C:\Windows\SysWOW64\Fdialn32.exe (command line C:\Windows\system32\Fdialn32.exe, PID 7124)
- Adds autorun key to be loaded by Explorer.exe on startup
201. C:\Windows\SysWOW64\Fkciihgg.exe (command line C:\Windows\system32\Fkciihgg.exe, PID 6324)
202. C:\Windows\SysWOW64\Ffimfqgm.exe (command line C:\Windows\system32\Ffimfqgm.exe, PID 6408)
203. C:\Windows\SysWOW64\Fhgjblfq.exe (command line C:\Windows\system32\Fhgjblfq.exe, PID 6584)
204. C:\Windows\SysWOW64\Fkffog32.exe (command line C:\Windows\system32\Fkffog32.exe, PID 6744)
205. C:\Windows\SysWOW64\Fcmnpe32.exe (command line C:\Windows\system32\Fcmnpe32.exe, PID 6908)
206. C:\Windows\SysWOW64\Fdnjgmle.exe (command line C:\Windows\system32\Fdnjgmle.exe, PID 7092)
207. C:\Windows\SysWOW64\Gcojed32.exe (command line C:\Windows\system32\Gcojed32.exe, PID 3540)
208. C:\Windows\SysWOW64\Gdqgmmjb.exe (command line C:\Windows\system32\Gdqgmmjb.exe, PID 6504)
209. C:\Windows\SysWOW64\Gkkojgao.exe (command line C:\Windows\system32\Gkkojgao.exe, PID 6828)
210. C:\Windows\SysWOW64\Gcagkdba.exe (command line C:\Windows\system32\Gcagkdba.exe, PID 7116)
211. C:\Windows\SysWOW64\Gdcdbl32.exe (command line C:\Windows\system32\Gdcdbl32.exe, PID 6384)
212. C:\Windows\SysWOW64\Gmjlcj32.exe (command line C:\Windows\system32\Gmjlcj32.exe, PID 6888)
213. C:\Windows\SysWOW64\Gbgdlq32.exe (command line C:\Windows\system32\Gbgdlq32.exe, PID 6328)
214. C:\Windows\SysWOW64\Ghaliknf.exe (command line C:\Windows\system32\Ghaliknf.exe, PID 6388)
215. C:\Windows\SysWOW64\Gkoiefmj.exe (command line C:\Windows\system32\Gkoiefmj.exe, PID 6588)
216. C:\Windows\SysWOW64\Gcfqfc32.exe (command line C:\Windows\system32\Gcfqfc32.exe, PID 7212)
217. C:\Windows\SysWOW64\Gmoeoidl.exe (command line C:\Windows\system32\Gmoeoidl.exe, PID 7256)
- Adds autorun key to be loaded by Explorer.exe on startup
218. C:\Windows\SysWOW64\Gcimkc32.exe (command line C:\Windows\system32\Gcimkc32.exe, PID 7296)
219. C:\Windows\SysWOW64\Gfgjgo32.exe (command line C:\Windows\system32\Gfgjgo32.exe, PID 7340)
220. C:\Windows\SysWOW64\Hiefcj32.exe (command line C:\Windows\system32\Hiefcj32.exe, PID 7384)
221. C:\Windows\SysWOW64\Hckjacjg.exe (command line C:\Windows\system32\Hckjacjg.exe, PID 7428)
222. C:\Windows\SysWOW64\Hfifmnij.exe (command line C:\Windows\system32\Hfifmnij.exe, PID 7468)
223. C:\Windows\SysWOW64\Hmcojh32.exe (command line C:\Windows\system32\Hmcojh32.exe, PID 7512)
224. C:\Windows\SysWOW64\Hobkfd32.exe (command line C:\Windows\system32\Hobkfd32.exe, PID 7556)
- Drops file in System32 directory
225. C:\Windows\SysWOW64\Hbpgbo32.exe (command line C:\Windows\system32\Hbpgbo32.exe, PID 7600)
226. C:\Windows\SysWOW64\Hijooifk.exe (command line C:\Windows\system32\Hijooifk.exe, PID 7648)
227. C:\Windows\SysWOW64\Hodgkc32.exe (command line C:\Windows\system32\Hodgkc32.exe, PID 7692)
228. C:\Windows\SysWOW64\Hfnphn32.exe (command line C:\Windows\system32\Hfnphn32.exe, PID 7736)
229. C:\Windows\SysWOW64\Heapdjlp.exe (command line C:\Windows\system32\Heapdjlp.exe, PID 7780)
230. C:\Windows\SysWOW64\Hkkhqd32.exe (command line C:\Windows\system32\Hkkhqd32.exe, PID 7824)
231. C:\Windows\SysWOW64\Hbeqmoji.exe (command line C:\Windows\system32\Hbeqmoji.exe, PID 7868)
- Modifies registry class
232. C:\Windows\SysWOW64\Hioiji32.exe (command line C:\Windows\system32\Hioiji32.exe, PID 7912)
233. C:\Windows\SysWOW64\Hcdmga32.exe (command line C:\Windows\system32\Hcdmga32.exe, PID 7956)
234. C:\Windows\SysWOW64\Hfcicmqp.exe (command line C:\Windows\system32\Hfcicmqp.exe, PID 8000)
235. C:\Windows\SysWOW64\Iiaephpc.exe (command line C:\Windows\system32\Iiaephpc.exe, PID 8044)
236. C:\Windows\SysWOW64\Ipknlb32.exe (command line C:\Windows\system32\Ipknlb32.exe, PID 8084)
- Drops file in System32 directory
237. C:\Windows\SysWOW64\Ibjjhn32.exe (command line C:\Windows\system32\Ibjjhn32.exe, PID 8124)
238. C:\Windows\SysWOW64\Iicbehnq.exe (command line C:\Windows\system32\Iicbehnq.exe, PID 8172)
- Adds autorun key to be loaded by Explorer.exe on startup
239. C:\Windows\SysWOW64\Ipnjab32.exe (command line C:\Windows\system32\Ipnjab32.exe, PID 7180)
240. C:\Windows\SysWOW64\Iblfnn32.exe (command line C:\Windows\system32\Iblfnn32.exe, PID 7252)
241. C:\Windows\SysWOW64\Imakkfdg.exe (command line C:\Windows\system32\Imakkfdg.exe, PID 7320)
242. C:\Windows\SysWOW64\Ippggbck.exe (command line C:\Windows\system32\Ippggbck.exe, PID 7380)
- Adds autorun key to be loaded by Explorer.exe on startup