Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 23:19
Behavioral task
behavioral1
Sample
09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe
-
Size
384KB
-
MD5
09b410a6ed3f36af91142aae29719a60
-
SHA1
2386a042e30434a8dd120ff0610ec6502385ddf4
-
SHA256
01ee5dfc93b1ab96f600e79b6cecea4d7d89e1061f1fe91c5ef2c7b99f1d905a
-
SHA512
102b8f70281e0adce361cd64be8984a904a5ef6b064cd83577873ab30950e39da77bd7d609b67e6594a9a5b3a5b3d439e1e7125a3ebeb9d17c20c9b683bd2651
-
SSDEEP
6144:h0Vqz4Pi5upui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+8mkUr1s:CnHpV6yYPI3cpV6yYPZ0PVdvcY9+8hka
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Cdiooblp.exeIcifbang.exeIbnccmbo.exeBnhjohkb.exeCliaoq32.exeMmpijp32.exeNdokbi32.exeAbkjdnoa.exeDhkapp32.exeIpdqba32.exeNljofl32.exeBgehcmmm.exeEdnaqo32.exeFhcpgmjf.exeOcnjidkf.exeDfknkg32.exeDbllbibl.exeGdcdbl32.exeHfcicmqp.exeIcgjmapi.exeOqhacgdh.exeChpada32.exeDhidjpqc.exeHmhhehlb.exeNdaggimg.exeNnlhfn32.exeCeckcp32.exeBkidenlg.exeCbcilkjg.exeGfembo32.exeCjinkg32.exeDhkjej32.exeChbnia32.exeDekhneap.exeDadeieea.exeDafbne32.exeJpnchp32.exeLpqiemge.exeMlampmdo.exeNcfdie32.exeBjokdipf.exeBhaebcen.exeDaolnf32.exeFckajehi.exeIldkgc32.exeIpbdmaah.exeOjaelm32.exePdfjifjo.exeDlgmpogj.exeOjllan32.exeHbgmcnhf.exeNgbpidjh.exeBobcpmfc.exeCojjqlpk.exeCdkldb32.exeDkgqfl32.exeEchknh32.exeIiaephpc.exeBagflcje.exeIemppiab.exeIbqpimpl.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdiooblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibnccmbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjohkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cliaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndokbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkjdnoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdqba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nljofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ednaqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhcpgmjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbllbibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfcicmqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgjmapi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqhacgdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhidjpqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmhhehlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndaggimg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceckcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkidenlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbcilkjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhkjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chbnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dekhneap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dadeieea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafbne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpnchp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpqiemge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlampmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjokdipf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhaebcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daolnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fckajehi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ildkgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbdmaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojaelm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfjifjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdfjifjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bobcpmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cojjqlpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdkldb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkgqfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echknh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiaephpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibqpimpl.exe -
Malware Dropper & Backdoor - Berbew 54 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Qecppkdm.exe family_berbew C:\Windows\SysWOW64\Qkmhlekj.exe family_berbew C:\Windows\SysWOW64\Qchmagie.exe family_berbew C:\Windows\SysWOW64\Agffge32.exe family_berbew C:\Windows\SysWOW64\Abkjdnoa.exe family_berbew C:\Windows\SysWOW64\Acocaf32.exe family_berbew C:\Windows\SysWOW64\Andgoobc.exe family_berbew C:\Windows\SysWOW64\Aeopki32.exe family_berbew C:\Windows\SysWOW64\Aaepqjpd.exe family_berbew C:\Windows\SysWOW64\Abemjmgg.exe family_berbew C:\Windows\SysWOW64\Bhaebcen.exe family_berbew C:\Windows\SysWOW64\Bjpaooda.exe family_berbew C:\Windows\SysWOW64\Bbgipldd.exe family_berbew C:\Windows\SysWOW64\Bdhfhe32.exe family_berbew C:\Windows\SysWOW64\Bnnjen32.exe family_berbew C:\Windows\SysWOW64\Bdkcmdhp.exe family_berbew C:\Windows\SysWOW64\Bblckl32.exe family_berbew C:\Windows\SysWOW64\Bhikcb32.exe family_berbew C:\Windows\SysWOW64\Bemlmgnp.exe family_berbew C:\Windows\SysWOW64\Blfdia32.exe family_berbew C:\Windows\SysWOW64\Cbqlfkmi.exe family_berbew C:\Windows\SysWOW64\Cliaoq32.exe family_berbew C:\Windows\SysWOW64\Cbcilkjg.exe family_berbew C:\Windows\SysWOW64\Cklaknjd.exe family_berbew C:\Windows\SysWOW64\Cdainc32.exe family_berbew C:\Windows\SysWOW64\Ceoibflm.exe family_berbew C:\Windows\SysWOW64\Bkidenlg.exe family_berbew C:\Windows\SysWOW64\Bdolhc32.exe family_berbew C:\Windows\SysWOW64\Bbnpqk32.exe family_berbew C:\Windows\SysWOW64\Bobcpmfc.exe family_berbew C:\Windows\SysWOW64\Bdmpcdfm.exe family_berbew C:\Windows\SysWOW64\Blbknaib.exe family_berbew C:\Windows\SysWOW64\Jbeidl32.exe family_berbew C:\Windows\SysWOW64\Kepelfam.exe family_berbew C:\Windows\SysWOW64\Kbceejpf.exe family_berbew C:\Windows\SysWOW64\Kpgfooop.exe family_berbew C:\Windows\SysWOW64\Lpcfkm32.exe family_berbew C:\Windows\SysWOW64\Lllcen32.exe family_berbew C:\Windows\SysWOW64\Ndaggimg.exe family_berbew C:\Windows\SysWOW64\Ndfqbhia.exe family_berbew C:\Windows\SysWOW64\Njciko32.exe family_berbew C:\Windows\SysWOW64\Nfjjppmm.exe family_berbew C:\Windows\SysWOW64\Olfobjbg.exe family_berbew C:\Windows\SysWOW64\Ogbipa32.exe family_berbew C:\Windows\SysWOW64\Pfjcgn32.exe family_berbew C:\Windows\SysWOW64\Pqpgdfnp.exe family_berbew C:\Windows\SysWOW64\Qmkadgpo.exe family_berbew C:\Windows\SysWOW64\Ajfhnjhq.exe family_berbew C:\Windows\SysWOW64\Acqimo32.exe family_berbew C:\Windows\SysWOW64\Aadifclh.exe family_berbew C:\Windows\SysWOW64\Balpgb32.exe family_berbew C:\Windows\SysWOW64\Cjinkg32.exe family_berbew C:\Windows\SysWOW64\Cmqmma32.exe family_berbew C:\Windows\SysWOW64\Dmjocp32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Qecppkdm.exeQkmhlekj.exeQchmagie.exeAgffge32.exeAbkjdnoa.exeAcocaf32.exeAndgoobc.exeAeopki32.exeAaepqjpd.exeAbemjmgg.exeBhaebcen.exeBjpaooda.exeBbgipldd.exeBdhfhe32.exeBnnjen32.exeBdkcmdhp.exeBlbknaib.exeBblckl32.exeBdmpcdfm.exeBhikcb32.exeBobcpmfc.exeBbnpqk32.exeBemlmgnp.exeBdolhc32.exeBlfdia32.exeBkidenlg.exeCbqlfkmi.exeCeoibflm.exeCdainc32.exeCliaoq32.exeCklaknjd.exeCbcilkjg.exeCddecc32.exeChpada32.exeCknnpm32.exeCojjqlpk.exeCahfmgoo.exeCdfbibnb.exeChbnia32.exeCkpjfm32.exeCefoce32.exeCdiooblp.exeClpgpp32.exeConclk32.exeCbjoljdo.exeCehkhecb.exeCdkldb32.exeChghdqbf.exeCkedalaj.exeDoqpak32.exeDbllbibl.exeDaolnf32.exeDekhneap.exeDhidjpqc.exeDkgqfl32.exeDocmgjhp.exeDboigi32.exeDaaicfgd.exeDemecd32.exeDhkapp32.exeDlgmpogj.exeDkjmlk32.exeDoeiljfn.exeDadeieea.exepid process 4668 Qecppkdm.exe 1136 Qkmhlekj.exe 3188 Qchmagie.exe 456 Agffge32.exe 2920 Abkjdnoa.exe 3172 Acocaf32.exe 4840 Andgoobc.exe 4844 Aeopki32.exe 4108 Aaepqjpd.exe 1840 Abemjmgg.exe 4416 Bhaebcen.exe 2964 Bjpaooda.exe 2360 Bbgipldd.exe 3204 Bdhfhe32.exe 3468 Bnnjen32.exe 3532 Bdkcmdhp.exe 788 Blbknaib.exe 4040 Bblckl32.exe 4032 Bdmpcdfm.exe 1744 Bhikcb32.exe 1988 Bobcpmfc.exe 4248 Bbnpqk32.exe 2384 Bemlmgnp.exe 3320 Bdolhc32.exe 2056 Blfdia32.exe 4320 Bkidenlg.exe 4012 Cbqlfkmi.exe 4480 Ceoibflm.exe 3520 Cdainc32.exe 2164 Cliaoq32.exe 452 Cklaknjd.exe 5024 Cbcilkjg.exe 4604 Cddecc32.exe 2480 Chpada32.exe 1096 Cknnpm32.exe 2152 Cojjqlpk.exe 3052 Cahfmgoo.exe 2308 Cdfbibnb.exe 2408 Chbnia32.exe 3972 Ckpjfm32.exe 1980 Cefoce32.exe 628 Cdiooblp.exe 3944 Clpgpp32.exe 4760 Conclk32.exe 3252 Cbjoljdo.exe 4344 Cehkhecb.exe 2112 Cdkldb32.exe 3452 Chghdqbf.exe 2620 Ckedalaj.exe 1964 Doqpak32.exe 2604 Dbllbibl.exe 2732 Daolnf32.exe 1756 Dekhneap.exe 4736 Dhidjpqc.exe 2160 Dkgqfl32.exe 772 Docmgjhp.exe 1676 Dboigi32.exe 1688 Daaicfgd.exe 1440 Demecd32.exe 3084 Dhkapp32.exe 4904 Dlgmpogj.exe 784 Dkjmlk32.exe 4984 Doeiljfn.exe 744 Dadeieea.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lpqiemge.exeNljofl32.exeDhmgki32.exeMibpda32.exeNnlhfn32.exeCliaoq32.exeGhaliknf.exeMgddhf32.exeDlijfneg.exeIbqpimpl.exeConclk32.exeEdbklofb.exeAfoeiklb.exeMdckfk32.exeNgbpidjh.exeCefoce32.exeFllpbldb.exeHeapdjlp.exeFhcpgmjf.exeAndgoobc.exeBdhfhe32.exeJbeidl32.exeJfcbjk32.exeEdnaqo32.exeFckajehi.exeImdgqfbd.exePqbdjfln.exeChpada32.exeEcoangbg.exeLingibiq.exeLmbmibhb.exeLmgfda32.exeKdgljmcd.exeElbmlmml.exeKbhoqj32.exeFcckif32.exeFbpnkama.exeOgpmjb32.exeBfabnjjp.exeBhhdil32.exeAaepqjpd.exeDohfbj32.exeEchknh32.exeLiimncmf.exeBbgipldd.exeClpgpp32.exeAadifclh.exeOgbipa32.exePfolbmje.exeAgffge32.exeFkalchij.exeMdmnlj32.exeNckndeni.exeCdfbibnb.exeFebgea32.exeLmppcbjd.exeOcnjidkf.exeAfhohlbj.exeHbgmcnhf.exedescription ioc process File created C:\Windows\SysWOW64\Lfkaag32.exe Lpqiemge.exe File created C:\Windows\SysWOW64\Ndaggimg.exe Nljofl32.exe File created C:\Windows\SysWOW64\Bobiobnp.dll Dhmgki32.exe File created C:\Windows\SysWOW64\Mlampmdo.exe Mibpda32.exe File opened for modification C:\Windows\SysWOW64\Ndfqbhia.exe Nnlhfn32.exe File opened for modification C:\Windows\SysWOW64\Cklaknjd.exe Cliaoq32.exe File created C:\Windows\SysWOW64\Gokdeeec.exe Ghaliknf.exe File created C:\Windows\SysWOW64\Mibpda32.exe Mgddhf32.exe File created C:\Windows\SysWOW64\Dohfbj32.exe Dlijfneg.exe File created C:\Windows\SysWOW64\Bkblkg32.dll Ibqpimpl.exe File opened for modification C:\Windows\SysWOW64\Cbjoljdo.exe Conclk32.exe File opened for modification C:\Windows\SysWOW64\Ehnglm32.exe Edbklofb.exe File opened for modification C:\Windows\SysWOW64\Aminee32.exe Afoeiklb.exe File created C:\Windows\SysWOW64\Nniadn32.dll Mdckfk32.exe File opened for modification C:\Windows\SysWOW64\Nnlhfn32.exe Ngbpidjh.exe File opened for modification C:\Windows\SysWOW64\Cdiooblp.exe Cefoce32.exe File created C:\Windows\SysWOW64\Fojlngce.exe Fllpbldb.exe File created C:\Windows\SysWOW64\Hmhhehlb.exe Heapdjlp.exe File opened for modification C:\Windows\SysWOW64\Fkalchij.exe Fhcpgmjf.exe File created C:\Windows\SysWOW64\Cleqadmh.dll Andgoobc.exe File created C:\Windows\SysWOW64\Bnnjen32.exe Bdhfhe32.exe File opened for modification C:\Windows\SysWOW64\Fojlngce.exe Fllpbldb.exe File created C:\Windows\SysWOW64\Fllifblf.dll Jbeidl32.exe File opened for modification C:\Windows\SysWOW64\Jianff32.exe Jfcbjk32.exe File created C:\Windows\SysWOW64\Acbmpm32.dll Ednaqo32.exe File opened for modification C:\Windows\SysWOW64\Ffimfqgm.exe Fckajehi.exe File created C:\Windows\SysWOW64\Pacghh32.dll Imdgqfbd.exe File opened for modification C:\Windows\SysWOW64\Pfolbmje.exe Pqbdjfln.exe File created C:\Windows\SysWOW64\Keoakjca.dll Chpada32.exe File created C:\Windows\SysWOW64\Eemnjbaj.exe Ecoangbg.exe File opened for modification C:\Windows\SysWOW64\Lllcen32.exe Lingibiq.exe File created C:\Windows\SysWOW64\Lpqiemge.exe Lmbmibhb.exe File created C:\Windows\SysWOW64\Ldanqkki.exe Lmgfda32.exe File created C:\Windows\SysWOW64\Bdkfmkdc.dll Kdgljmcd.exe File created C:\Windows\SysWOW64\Kqoieqhe.dll Elbmlmml.exe File created C:\Windows\SysWOW64\Mjddiqoc.dll Jfcbjk32.exe File created C:\Windows\SysWOW64\Gnbinq32.dll Kbhoqj32.exe File created C:\Windows\SysWOW64\Kdihjfbe.dll Fcckif32.exe File created C:\Windows\SysWOW64\Fdnjgmle.exe Fbpnkama.exe File created C:\Windows\SysWOW64\Clncadfb.dll Ogpmjb32.exe File created C:\Windows\SysWOW64\Lommhphi.dll Bfabnjjp.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bhhdil32.exe File opened for modification C:\Windows\SysWOW64\Abemjmgg.exe Aaepqjpd.exe File opened for modification C:\Windows\SysWOW64\Dccbbhld.exe Dohfbj32.exe File created C:\Windows\SysWOW64\Eaklidoi.exe Echknh32.exe File created C:\Windows\SysWOW64\Amhpcomb.dll Liimncmf.exe File created C:\Windows\SysWOW64\Bdhfhe32.exe Bbgipldd.exe File created C:\Windows\SysWOW64\Conclk32.exe Clpgpp32.exe File created C:\Windows\SysWOW64\Ljodkeij.dll Lpqiemge.exe File created C:\Windows\SysWOW64\Bfabnjjp.exe Aadifclh.exe File created C:\Windows\SysWOW64\Ijhkffjm.dll Conclk32.exe File created C:\Windows\SysWOW64\Ojaelm32.exe Ogbipa32.exe File opened for modification C:\Windows\SysWOW64\Pgnilpah.exe Pfolbmje.exe File opened for modification C:\Windows\SysWOW64\Abkjdnoa.exe Agffge32.exe File opened for modification C:\Windows\SysWOW64\Fhemmlhc.exe Fkalchij.exe File created C:\Windows\SysWOW64\Mgkjhe32.exe Mdmnlj32.exe File opened for modification C:\Windows\SysWOW64\Nfjjppmm.exe Nckndeni.exe File opened for modification C:\Windows\SysWOW64\Chbnia32.exe Cdfbibnb.exe File opened for modification C:\Windows\SysWOW64\Fhqcam32.exe Febgea32.exe File opened for modification C:\Windows\SysWOW64\Lfhdlh32.exe Lmppcbjd.exe File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe Mdmnlj32.exe File opened for modification C:\Windows\SysWOW64\Olfobjbg.exe Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Aclpap32.exe Afhohlbj.exe File created C:\Windows\SysWOW64\Hfcicmqp.exe Hbgmcnhf.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 8572 8436 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Cklaknjd.exeDkoggkjo.exeIbnccmbo.exeDaaicfgd.exeEhimanbq.exeJfhlejnh.exeBdolhc32.exeImfdff32.exeLbjlfi32.exeDhidjpqc.exeIldkgc32.exeKepelfam.exeMpoefk32.exeOneklm32.exeConclk32.exeCdkldb32.exeDboigi32.exeBhhdil32.exeDaolnf32.exeKefkme32.exeMmbfpp32.exeMiifeq32.exePgefeajb.exePfhfan32.exeCknnpm32.exeEdpnfo32.exeCmiflbel.exeEemnjbaj.exeIkbnacmd.exeMgddhf32.exeAcqimo32.exeBcoenmao.exeCbjoljdo.exeMelnob32.exeDeanodkh.exeBjokdipf.exeJcgbco32.exeMdhdajea.exeNfjjppmm.exeDlgmpogj.exeEdbklofb.exeOcnjidkf.exeFebgea32.exeGcojed32.exeKbaipkbi.exeBnhjohkb.exeBlfdia32.exeCehkhecb.exeEcoangbg.exeGicinj32.exeIbqpimpl.exeIemppiab.exeJfcbjk32.exeOdkjng32.exe09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exeAbemjmgg.exeOjoign32.exeDfknkg32.exeBhaebcen.exeGohhpe32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cklaknjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkoggkjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daaicfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehimanbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfhlejnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdolhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll" Lbjlfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgnafam.dll" Dhidjpqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ildkgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kepelfam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpoefk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oneklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Conclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdkldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dboigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhhdil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinpgcmg.dll" Daolnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kefkme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmbfpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll" Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll" Pfhfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cknnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjehk32.dll" Edpnfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll" Eemnjbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikbnacmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll" Mgddhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcoenmao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbjoljdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Melnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Deanodkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll" Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdhdajea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll" Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cklaknjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfkkboc.dll" Edbklofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocnjidkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll" Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbaipkbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcibe32.dll" Blfdia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cehkhecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll" Gicinj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll" Odkjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abemjmgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhaebcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomqm32.dll" Gohhpe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exeQecppkdm.exeQkmhlekj.exeQchmagie.exeAgffge32.exeAbkjdnoa.exeAcocaf32.exeAndgoobc.exeAeopki32.exeAaepqjpd.exeAbemjmgg.exeBhaebcen.exeBjpaooda.exeBbgipldd.exeBdhfhe32.exeBnnjen32.exeBdkcmdhp.exeBlbknaib.exeBblckl32.exeBdmpcdfm.exeBhikcb32.exeBobcpmfc.exedescription pid process target process PID 552 wrote to memory of 4668 552 09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe Qecppkdm.exe PID 552 wrote to memory of 4668 552 09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe Qecppkdm.exe PID 552 wrote to memory of 4668 552 09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe Qecppkdm.exe PID 4668 wrote to memory of 1136 4668 Qecppkdm.exe Qkmhlekj.exe PID 4668 wrote to memory of 1136 4668 Qecppkdm.exe Qkmhlekj.exe PID 4668 wrote to memory of 1136 4668 Qecppkdm.exe Qkmhlekj.exe PID 1136 wrote to memory of 3188 1136 Qkmhlekj.exe Qchmagie.exe PID 1136 wrote to memory of 3188 1136 Qkmhlekj.exe Qchmagie.exe PID 1136 wrote to memory of 3188 1136 Qkmhlekj.exe Qchmagie.exe PID 3188 wrote to memory of 456 3188 Qchmagie.exe Agffge32.exe PID 3188 wrote to memory of 456 3188 Qchmagie.exe Agffge32.exe PID 3188 wrote to memory of 456 3188 Qchmagie.exe Agffge32.exe PID 456 wrote to memory of 2920 456 Agffge32.exe Abkjdnoa.exe PID 456 wrote to memory of 2920 456 Agffge32.exe Abkjdnoa.exe PID 456 wrote to memory of 2920 456 Agffge32.exe Abkjdnoa.exe PID 2920 wrote to memory of 3172 2920 Abkjdnoa.exe Acocaf32.exe PID 2920 wrote to memory of 3172 2920 Abkjdnoa.exe Acocaf32.exe PID 2920 wrote to memory of 3172 2920 Abkjdnoa.exe Acocaf32.exe PID 3172 wrote to memory of 4840 3172 Acocaf32.exe Andgoobc.exe PID 3172 wrote to memory of 4840 3172 Acocaf32.exe Andgoobc.exe PID 3172 wrote to memory of 4840 3172 Acocaf32.exe Andgoobc.exe PID 4840 wrote to memory of 4844 4840 Andgoobc.exe Aeopki32.exe PID 4840 wrote to memory of 4844 4840 Andgoobc.exe Aeopki32.exe PID 4840 wrote to memory of 4844 4840 Andgoobc.exe Aeopki32.exe PID 4844 wrote to memory of 4108 4844 Aeopki32.exe Aaepqjpd.exe PID 4844 wrote to memory of 4108 4844 Aeopki32.exe Aaepqjpd.exe PID 4844 wrote to memory of 4108 4844 Aeopki32.exe Aaepqjpd.exe PID 4108 wrote to memory of 1840 4108 Aaepqjpd.exe Abemjmgg.exe PID 4108 wrote to memory of 1840 4108 Aaepqjpd.exe Abemjmgg.exe PID 4108 wrote to memory of 1840 4108 Aaepqjpd.exe Abemjmgg.exe PID 1840 wrote to memory of 4416 1840 Abemjmgg.exe Bhaebcen.exe PID 1840 wrote to memory of 4416 1840 Abemjmgg.exe Bhaebcen.exe PID 1840 wrote to memory of 4416 1840 Abemjmgg.exe Bhaebcen.exe PID 4416 wrote to memory of 2964 4416 Bhaebcen.exe Bjpaooda.exe PID 4416 wrote to memory of 2964 4416 Bhaebcen.exe Bjpaooda.exe PID 4416 wrote to memory of 2964 4416 Bhaebcen.exe Bjpaooda.exe PID 2964 wrote to memory of 2360 2964 Bjpaooda.exe Bbgipldd.exe PID 2964 wrote to memory of 2360 2964 Bjpaooda.exe Bbgipldd.exe PID 2964 wrote to memory of 2360 2964 Bjpaooda.exe Bbgipldd.exe PID 2360 wrote to memory of 3204 2360 Bbgipldd.exe Bdhfhe32.exe PID 2360 wrote to memory of 3204 2360 Bbgipldd.exe Bdhfhe32.exe PID 2360 wrote to memory of 3204 2360 Bbgipldd.exe Bdhfhe32.exe PID 3204 wrote to memory of 3468 3204 Bdhfhe32.exe Bnnjen32.exe PID 3204 wrote to memory of 3468 3204 Bdhfhe32.exe Bnnjen32.exe PID 3204 wrote to memory of 3468 3204 Bdhfhe32.exe Bnnjen32.exe PID 3468 wrote to memory of 3532 3468 Bnnjen32.exe Bdkcmdhp.exe PID 3468 wrote to memory of 3532 3468 Bnnjen32.exe Bdkcmdhp.exe PID 3468 wrote to memory of 3532 3468 Bnnjen32.exe Bdkcmdhp.exe PID 3532 wrote to memory of 788 3532 Bdkcmdhp.exe Blbknaib.exe PID 3532 wrote to memory of 788 3532 Bdkcmdhp.exe Blbknaib.exe PID 3532 wrote to memory of 788 3532 Bdkcmdhp.exe Blbknaib.exe PID 788 wrote to memory of 4040 788 Blbknaib.exe Bblckl32.exe PID 788 wrote to memory of 4040 788 Blbknaib.exe Bblckl32.exe PID 788 wrote to memory of 4040 788 Blbknaib.exe Bblckl32.exe PID 4040 wrote to memory of 4032 4040 Bblckl32.exe Bdmpcdfm.exe PID 4040 wrote to memory of 4032 4040 Bblckl32.exe Bdmpcdfm.exe PID 4040 wrote to memory of 4032 4040 Bblckl32.exe Bdmpcdfm.exe PID 4032 wrote to memory of 1744 4032 Bdmpcdfm.exe Bhikcb32.exe PID 4032 wrote to memory of 1744 4032 Bdmpcdfm.exe Bhikcb32.exe PID 4032 wrote to memory of 1744 4032 Bdmpcdfm.exe Bhikcb32.exe PID 1744 wrote to memory of 1988 1744 Bhikcb32.exe Bobcpmfc.exe PID 1744 wrote to memory of 1988 1744 Bhikcb32.exe Bobcpmfc.exe PID 1744 wrote to memory of 1988 1744 Bhikcb32.exe Bobcpmfc.exe PID 1988 wrote to memory of 4248 1988 Bobcpmfc.exe Bbnpqk32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe23⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe24⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe28⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe29⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe30⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe34⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe38⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe41⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3944 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3252 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe49⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe50⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe51⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe57⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe60⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4904 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe63⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe64⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe66⤵PID:220
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe67⤵PID:2472
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe68⤵
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe69⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe70⤵PID:1016
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5096 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe72⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe73⤵PID:2664
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe74⤵
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe75⤵PID:1984
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe76⤵PID:4768
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe77⤵PID:5072
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe79⤵PID:1760
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe80⤵PID:2100
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe81⤵PID:4952
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe82⤵PID:3504
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe83⤵PID:3440
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe84⤵PID:4608
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe85⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe86⤵PID:5180
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe87⤵PID:5216
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe88⤵PID:5252
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe90⤵
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe91⤵PID:5360
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe93⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe94⤵
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe95⤵PID:5508
-
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe96⤵PID:5540
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe97⤵PID:5576
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe99⤵PID:5648
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe100⤵PID:5684
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe101⤵
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe102⤵PID:5756
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:5796 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe104⤵PID:5828
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe105⤵
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe106⤵PID:5904
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe107⤵PID:5936
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe109⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe110⤵PID:3492
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe112⤵PID:3900
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe113⤵PID:5124
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe114⤵PID:5164
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe115⤵PID:5236
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe116⤵
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe117⤵PID:5292
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe118⤵PID:5348
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe119⤵PID:5424
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe120⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe121⤵PID:5532
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe122⤵PID:5608
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe123⤵PID:5788
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe124⤵PID:5860
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1412 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe126⤵PID:4036
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe127⤵
- Modifies registry class
PID:4732 -
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe128⤵PID:952
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe129⤵
- Drops file in System32 directory
PID:4236 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe130⤵PID:6000
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5208 -
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe132⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe133⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3240 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe135⤵PID:6112
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe136⤵PID:5332
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe137⤵PID:5456
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe138⤵PID:6032
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5600 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6092 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5816 -
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe143⤵PID:5892
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe144⤵PID:5964
-
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe145⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5260 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe147⤵PID:3032
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe149⤵PID:2776
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe152⤵
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:984 -
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4676 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe155⤵PID:4508
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe156⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6104 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe158⤵PID:6088
-
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe159⤵PID:1356
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe160⤵PID:5172
-
C:\Windows\SysWOW64\Jpgmha32.exeC:\Windows\system32\Jpgmha32.exe161⤵PID:5500
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe162⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe163⤵PID:5132
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe164⤵PID:5764
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe165⤵PID:1128
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe166⤵
- Drops file in System32 directory
- Modifies registry class
PID:6084 -
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe167⤵PID:6152
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe168⤵PID:6192
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe169⤵
- Modifies registry class
PID:6232 -
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe170⤵PID:6272
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe171⤵PID:6316
-
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6356 -
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe173⤵PID:6388
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe174⤵
- Modifies registry class
PID:6428 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe175⤵PID:6472
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe176⤵PID:6516
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe177⤵PID:6552
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe178⤵PID:6592
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe179⤵PID:6632
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe180⤵
- Modifies registry class
PID:6672 -
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe181⤵
- Modifies registry class
PID:6724 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe182⤵PID:6764
-
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe183⤵PID:6804
-
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe184⤵PID:6868
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe185⤵PID:6936
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe186⤵PID:6984
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe187⤵
- Drops file in System32 directory
PID:7024 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe188⤵
- Modifies registry class
PID:7068 -
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe189⤵PID:7108
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe190⤵PID:7160
-
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe191⤵
- Drops file in System32 directory
PID:6180 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe192⤵
- Modifies registry class
PID:6256 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe193⤵
- Drops file in System32 directory
PID:6332 -
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe194⤵PID:6404
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe195⤵PID:6460
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe196⤵
- Drops file in System32 directory
PID:6544 -
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6612 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe198⤵PID:6680
-
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe199⤵
- Drops file in System32 directory
PID:6748 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe200⤵PID:6828
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe201⤵PID:6928
-
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe202⤵
- Drops file in System32 directory
PID:6992 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe203⤵PID:7052
-
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe204⤵PID:7128
-
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe205⤵
- Drops file in System32 directory
PID:6160 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe206⤵PID:6240
-
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe207⤵
- Drops file in System32 directory
PID:6372 -
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe208⤵PID:6484
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe209⤵PID:6588
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe210⤵PID:6704
-
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe211⤵
- Drops file in System32 directory
- Modifies registry class
PID:6960 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe212⤵
- Drops file in System32 directory
PID:7032 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6312 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe214⤵
- Modifies registry class
PID:6500 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe215⤵PID:5028
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7020 -
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe217⤵
- Modifies registry class
PID:6376 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe218⤵PID:7000
-
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe219⤵
- Modifies registry class
PID:7076 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe220⤵
- Modifies registry class
PID:7216 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe221⤵PID:7260
-
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe222⤵
- Drops file in System32 directory
PID:7308 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe223⤵PID:7344
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe224⤵
- Modifies registry class
PID:7388 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe225⤵PID:7432
-
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7472 -
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe227⤵PID:7512
-
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe228⤵PID:7564
-
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7612 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7672 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe231⤵PID:7712
-
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe232⤵PID:7756
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7800 -
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7840 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7880 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe236⤵PID:7924
-
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe237⤵PID:7964
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe238⤵PID:8004
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe239⤵
- Drops file in System32 directory
PID:8044 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe240⤵
- Modifies registry class
PID:8084 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe241⤵
- Modifies registry class
PID:8124 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:8168