Analysis
-
max time kernel
134s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 23:24
Behavioral task
behavioral1
Sample
0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
-
Size
669KB
-
MD5
0a6d59bae52f7d357589713d099cef30
-
SHA1
46ba5e3a1fcbf750a9cbef2b44abe36201042f68
-
SHA256
ff48b5ce64c6060f42f431fde4955411ef02923198a2cb6824d5b83b8fa854c2
-
SHA512
1fc37c2cef273c07d7227b268d97b07dbd81a8d5476626ed9ecbdec3cd1bcb8740cb5aaefc3e501a30c9cd2d007ee47299c29ac9d013e45831b025fa6642ad80
-
SSDEEP
12288:qooB+Eo+eVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:qRBjoZchMpQnqrdX72LbY6x46uR/qYgL
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kflnfcgg.exeAckigjmh.exeDimenegi.exeHiiggoaf.exeDddhpjof.exeAokcklid.exeBggnof32.exeFcniglmb.exeOihagaji.exeJdaaaeqg.exeKfcdfbqo.exeDifpmfna.exeCnffqf32.exeJfehed32.exeEiaoid32.exeChmndlge.exeJklinohd.exeJnifigpa.exeIjqmhnko.exeIinqbn32.exeNenbjo32.exeGkglja32.exeHgdejd32.exeJnfcia32.exePiijno32.exeCcgjopal.exeJpaleglc.exeBljlfh32.exeJklphekp.exePhbhcmjl.exeBcddcbab.exeQdbiedpa.exeHjhalefe.exeAjpqnneo.exeDhfajjoj.exeFjhacf32.exeOelolmnd.exeDmefhako.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kflnfcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ackigjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dimenegi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dddhpjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aokcklid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bggnof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcniglmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdaaaeqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcdfbqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnffqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfehed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiaoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chmndlge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklinohd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnifigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinqbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenbjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkglja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnfcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piijno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgjopal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jklphekp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbhcmjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcddcbab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdbiedpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhalefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjhacf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oelolmnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Pmoahijl.exe family_berbew C:\Windows\SysWOW64\Pcijeb32.exe family_berbew C:\Windows\SysWOW64\Pggbkagp.exe family_berbew C:\Windows\SysWOW64\Pggbkagp.exe family_berbew C:\Windows\SysWOW64\Pjeoglgc.exe family_berbew C:\Windows\SysWOW64\Qdbiedpa.exe family_berbew C:\Windows\SysWOW64\Qfcfml32.exe family_berbew C:\Windows\SysWOW64\Anmjcieo.exe family_berbew C:\Windows\SysWOW64\Afhohlbj.exe family_berbew C:\Windows\SysWOW64\Afhohlbj.exe family_berbew C:\Windows\SysWOW64\Aeiofcji.exe family_berbew C:\Windows\SysWOW64\Acnlgp32.exe family_berbew C:\Windows\SysWOW64\Amgapeea.exe family_berbew C:\Windows\SysWOW64\Aeniabfd.exe family_berbew C:\Windows\SysWOW64\Bjmnoi32.exe family_berbew C:\Windows\SysWOW64\Bagflcje.exe family_berbew C:\Windows\SysWOW64\Bnkgeg32.exe family_berbew C:\Windows\SysWOW64\Bgcknmop.exe family_berbew C:\Windows\SysWOW64\Bnmcjg32.exe family_berbew C:\Windows\SysWOW64\Bjddphlq.exe family_berbew C:\Windows\SysWOW64\Beihma32.exe family_berbew C:\Windows\SysWOW64\Belebq32.exe family_berbew C:\Windows\SysWOW64\Cjinkg32.exe family_berbew C:\Windows\SysWOW64\Ggqida32.exe family_berbew C:\Windows\SysWOW64\Ggeboaob.exe family_berbew C:\Windows\SysWOW64\Hninbj32.exe family_berbew C:\Windows\SysWOW64\Jkhngl32.exe family_berbew C:\Windows\SysWOW64\Jbgoof32.exe family_berbew C:\Windows\SysWOW64\Kfcdfbqo.exe family_berbew C:\Windows\SysWOW64\Knippe32.exe family_berbew C:\Windows\SysWOW64\Lppbkgcj.exe family_berbew C:\Windows\SysWOW64\Lpbopfag.exe family_berbew C:\Windows\SysWOW64\Miomdk32.exe family_berbew C:\Windows\SysWOW64\Mlpeff32.exe family_berbew C:\Windows\SysWOW64\Mhicpg32.exe family_berbew C:\Windows\SysWOW64\Nhpiafnm.exe family_berbew C:\Windows\SysWOW64\Nchjdo32.exe family_berbew C:\Windows\SysWOW64\Ocopdn32.exe family_berbew C:\Windows\SysWOW64\Oepifi32.exe family_berbew C:\Windows\SysWOW64\Pckppl32.exe family_berbew C:\Windows\SysWOW64\Pleaoa32.exe family_berbew C:\Windows\SysWOW64\Agbkmijg.exe family_berbew C:\Windows\SysWOW64\Qlmgopjq.exe family_berbew C:\Windows\SysWOW64\Afghneoo.exe family_berbew C:\Windows\SysWOW64\Cqpbglno.exe family_berbew C:\Windows\SysWOW64\Cpihcgoa.exe family_berbew C:\Windows\SysWOW64\Fpjjac32.exe family_berbew C:\Windows\SysWOW64\Fibojhim.exe family_berbew C:\Windows\SysWOW64\Gklnjj32.exe family_berbew C:\Windows\SysWOW64\Hkbdki32.exe family_berbew C:\Windows\SysWOW64\Hjhalefe.exe family_berbew C:\Windows\SysWOW64\Ihbdplfi.exe family_berbew C:\Windows\SysWOW64\Hkjjlhle.exe family_berbew C:\Windows\SysWOW64\Jklphekp.exe family_berbew C:\Windows\SysWOW64\Jgenbfoa.exe family_berbew C:\Windows\SysWOW64\Kenggi32.exe family_berbew C:\Windows\SysWOW64\Lkabjbih.exe family_berbew C:\Windows\SysWOW64\Milidebi.exe family_berbew C:\Windows\SysWOW64\Mniallpq.exe family_berbew C:\Windows\SysWOW64\Nahgoe32.exe family_berbew C:\Windows\SysWOW64\Papfgbmg.exe family_berbew C:\Windows\SysWOW64\Ajdjin32.exe family_berbew C:\Windows\SysWOW64\Bcddcbab.exe family_berbew C:\Windows\SysWOW64\Bfbaonae.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Pmoahijl.exePcijeb32.exePggbkagp.exePjeoglgc.exeQdbiedpa.exeQfcfml32.exeAnmjcieo.exeAfhohlbj.exeAeiofcji.exeAcnlgp32.exeAmgapeea.exeAeniabfd.exeAgoabn32.exeBjmnoi32.exeBagflcje.exeBnkgeg32.exeBeeoaapl.exeBgcknmop.exeBnmcjg32.exeBeglgani.exeBgehcmmm.exeBjddphlq.exeBmbplc32.exeBeihma32.exeBhhdil32.exeBjfaeh32.exeBmemac32.exeBelebq32.exeChjaol32.exeCjinkg32.exeCmgjgcgo.exeCenahpha.exeChmndlge.exeCfpnph32.exeCnffqf32.exeCaebma32.exeCdcoim32.exeCfbkeh32.exeCjmgfgdf.exeCmlcbbcj.exeCagobalc.exeCdfkolkf.exeCfdhkhjj.exeCnkplejl.exeCajlhqjp.exeCdhhdlid.exeCffdpghg.exeCnnlaehj.exeCalhnpgn.exeCegdnopg.exeDhfajjoj.exeDjdmffnn.exeDmcibama.exeDejacond.exeDhhnpjmh.exeDjgjlelk.exeDmefhako.exeDelnin32.exeDdonekbl.exeDkifae32.exeDmgbnq32.exeDeokon32.exeDhmgki32.exeDkkcge32.exepid process 3220 Pmoahijl.exe 4828 Pcijeb32.exe 1276 Pggbkagp.exe 3032 Pjeoglgc.exe 1664 Qdbiedpa.exe 1904 Qfcfml32.exe 4628 Anmjcieo.exe 2764 Afhohlbj.exe 2408 Aeiofcji.exe 2852 Acnlgp32.exe 2012 Amgapeea.exe 4264 Aeniabfd.exe 3012 Agoabn32.exe 2864 Bjmnoi32.exe 692 Bagflcje.exe 1576 Bnkgeg32.exe 4484 Beeoaapl.exe 364 Bgcknmop.exe 1476 Bnmcjg32.exe 3800 Beglgani.exe 2020 Bgehcmmm.exe 588 Bjddphlq.exe 324 Bmbplc32.exe 4776 Beihma32.exe 4708 Bhhdil32.exe 2452 Bjfaeh32.exe 4492 Bmemac32.exe 1096 Belebq32.exe 5020 Chjaol32.exe 4528 Cjinkg32.exe 4348 Cmgjgcgo.exe 1820 Cenahpha.exe 1260 Chmndlge.exe 2484 Cfpnph32.exe 4704 Cnffqf32.exe 1420 Caebma32.exe 1488 Cdcoim32.exe 4608 Cfbkeh32.exe 3596 Cjmgfgdf.exe 3788 Cmlcbbcj.exe 1804 Cagobalc.exe 1596 Cdfkolkf.exe 4320 Cfdhkhjj.exe 756 Cnkplejl.exe 408 Cajlhqjp.exe 908 Cdhhdlid.exe 4732 Cffdpghg.exe 3100 Cnnlaehj.exe 3216 Calhnpgn.exe 4136 Cegdnopg.exe 1588 Dhfajjoj.exe 1888 Djdmffnn.exe 1428 Dmcibama.exe 4496 Dejacond.exe 4940 Dhhnpjmh.exe 3052 Djgjlelk.exe 1592 Dmefhako.exe 2780 Delnin32.exe 2880 Ddonekbl.exe 1432 Dkifae32.exe 3432 Dmgbnq32.exe 4980 Deokon32.exe 2228 Dhmgki32.exe 4792 Dkkcge32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lfealaol.exeOenlqi32.exeDihlbf32.exeJjamia32.exeJqlefl32.exeNiakfbpa.exeBmemac32.exePefhlaie.exeJcdala32.exeBjmnoi32.exeJnkldqkc.exeMbighjdd.exeLqbncb32.exeInnfnl32.exeGphgbafl.exeDbqqkkbo.exeMnhkbfme.exeIiehpahb.exeIijaka32.exeKlfjijgq.exeNcjginjn.exeLjaoeini.exePoajkgnc.exeAcpbbi32.exeEaqdegaj.exeEjdocm32.exeBmlilh32.exeHhgloc32.exePgbbek32.exeMlkepaam.exePidabppl.exeHlhccj32.exeIkkpgafg.exeHoadkn32.exeJejefqaf.exePhcomcng.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Lidmhmnp.exe Lfealaol.exe File created C:\Windows\SysWOW64\Olgemcli.exe Oenlqi32.exe File created C:\Windows\SysWOW64\Dhikci32.exe File created C:\Windows\SysWOW64\Gejhef32.exe File opened for modification C:\Windows\SysWOW64\Dlghoa32.exe Dihlbf32.exe File created C:\Windows\SysWOW64\Ibepke32.dll File created C:\Windows\SysWOW64\Lhqefjpo.exe File opened for modification C:\Windows\SysWOW64\Jnmijq32.exe Jjamia32.exe File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe Jqlefl32.exe File opened for modification C:\Windows\SysWOW64\Nlphbnoe.exe Niakfbpa.exe File opened for modification C:\Windows\SysWOW64\Enkdaepb.exe File created C:\Windows\SysWOW64\Gallfmbn.dll Bmemac32.exe File created C:\Windows\SysWOW64\Gbobfjdp.dll Pefhlaie.exe File created C:\Windows\SysWOW64\Pcegclgp.exe File opened for modification C:\Windows\SysWOW64\Jklinohd.exe Jcdala32.exe File created C:\Windows\SysWOW64\Nqbpojnp.exe File created C:\Windows\SysWOW64\Jleijb32.exe File created C:\Windows\SysWOW64\Hmafal32.dll File created C:\Windows\SysWOW64\Bagflcje.exe Bjmnoi32.exe File created C:\Windows\SysWOW64\Jqiipljg.exe Jnkldqkc.exe File opened for modification C:\Windows\SysWOW64\Mehcdfch.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Mcqjon32.exe Lqbncb32.exe File created C:\Windows\SysWOW64\Cfkeihph.dll File opened for modification C:\Windows\SysWOW64\Ilafiihp.exe Innfnl32.exe File opened for modification C:\Windows\SysWOW64\Alpbecod.exe File created C:\Windows\SysWOW64\Qdhogopn.dll File created C:\Windows\SysWOW64\Imqpnq32.dll File created C:\Windows\SysWOW64\Plpjfnfg.dll Gphgbafl.exe File opened for modification C:\Windows\SysWOW64\Dflmlj32.exe Dbqqkkbo.exe File created C:\Windows\SysWOW64\Maggnali.exe Mnhkbfme.exe File opened for modification C:\Windows\SysWOW64\Dpiplm32.exe File created C:\Windows\SysWOW64\Ighhln32.exe Iiehpahb.exe File opened for modification C:\Windows\SysWOW64\Jkhngl32.exe Iijaka32.exe File created C:\Windows\SysWOW64\Knefeffd.exe Klfjijgq.exe File created C:\Windows\SysWOW64\Ogfcjm32.exe Ncjginjn.exe File created C:\Windows\SysWOW64\Akeodedd.dll File opened for modification C:\Windows\SysWOW64\Mljmhflh.exe File created C:\Windows\SysWOW64\Dbdplc32.dll Ljaoeini.exe File opened for modification C:\Windows\SysWOW64\Imiehfao.exe File opened for modification C:\Windows\SysWOW64\Papfgbmg.exe Poajkgnc.exe File created C:\Windows\SysWOW64\Afnnnd32.exe Acpbbi32.exe File created C:\Windows\SysWOW64\Edopabqn.exe Eaqdegaj.exe File created C:\Windows\SysWOW64\Hlnjbedi.exe File opened for modification C:\Windows\SysWOW64\Embkoi32.exe Ejdocm32.exe File created C:\Windows\SysWOW64\Mehcdfch.exe Mbighjdd.exe File opened for modification C:\Windows\SysWOW64\Dpkmal32.exe File created C:\Windows\SysWOW64\Epmfkk32.dll Bmlilh32.exe File opened for modification C:\Windows\SysWOW64\Dolmodpi.exe File created C:\Windows\SysWOW64\Fooclapd.exe File created C:\Windows\SysWOW64\Nqobhgmh.dll File created C:\Windows\SysWOW64\Hkehkocf.exe Hhgloc32.exe File created C:\Windows\SysWOW64\Pjpobg32.exe Pgbbek32.exe File created C:\Windows\SysWOW64\Mniallpq.exe Mlkepaam.exe File created C:\Windows\SysWOW64\Phganm32.exe Pidabppl.exe File created C:\Windows\SysWOW64\Glofjfnn.dll File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe File opened for modification C:\Windows\SysWOW64\Ipgkjlmg.exe File created C:\Windows\SysWOW64\Hpcodihc.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Ikkpgafg.exe File created C:\Windows\SysWOW64\Dbqpfg32.dll File created C:\Windows\SysWOW64\Akfiji32.dll File created C:\Windows\SysWOW64\Cpagaq32.dll Hoadkn32.exe File created C:\Windows\SysWOW64\Oahlhhel.dll Jejefqaf.exe File opened for modification C:\Windows\SysWOW64\Ppjgoaoj.exe Phcomcng.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 10496 13532 -
Modifies registry class 64 IoCs
Processes:
Fipkjb32.exeHildmn32.exeMmpdhboj.exeEmehdh32.exeHacbhb32.exeEfafgifc.exeFimodc32.exeIngpmmgm.exeOhqbhdpj.exeAcpbbi32.exeJjgchm32.exePgdokkfg.exeDinmhkke.exeCoiaiakf.exeOobfob32.exeCfdhkhjj.exeGkjhoq32.exeIfdonfka.exeIhgnkkbd.exeLbngllob.exeFgjccb32.exeKnippe32.exeNdflak32.exeGoljqnpd.exeMhafeb32.exeAqoiqn32.exeJgadgf32.exeKgipcogp.exeMmnhcb32.exeEcefqnel.exeKkeldnpi.exePkpmdbfd.exeCnffqf32.exeCmipblaq.exeNclikl32.exeGpkchqdj.exePamiaboj.exeHdmoohbo.exeHkhdqoac.exeJfpojead.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fipkjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikdcj32.dll" Mmpdhboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hacbhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efafgifc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fimodc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpeeehm.dll" Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeipof32.dll" Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eephln32.dll" Jjgchm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgdokkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllbhl32.dll" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coiaiakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oobfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbibld32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" Cfdhkhjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkjhoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifdonfka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihgnkkbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efqidp32.dll" Fgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knippe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbqfhb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goljqnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhafeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ploija32.dll" Aqoiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemfmoce.dll" Jgadgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgipcogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccphn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhefclee.dll" Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmoga32.dll" Kkeldnpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjpekc32.dll" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnffqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmoekkn.dll" Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknfelnj.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjekecm.dll" Gpkchqdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feaabknn.dll" Pamiaboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennioe32.dll" Hdmoohbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkmfbo.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkhdqoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfpojead.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exePmoahijl.exePcijeb32.exePggbkagp.exePjeoglgc.exeQdbiedpa.exeQfcfml32.exeAnmjcieo.exeAfhohlbj.exeAeiofcji.exeAcnlgp32.exeAmgapeea.exeAeniabfd.exeAgoabn32.exeBjmnoi32.exeBagflcje.exeBnkgeg32.exeBeeoaapl.exeBgcknmop.exeBnmcjg32.exeBeglgani.exeBgehcmmm.exedescription pid process target process PID 1748 wrote to memory of 3220 1748 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe Pmoahijl.exe PID 1748 wrote to memory of 3220 1748 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe Pmoahijl.exe PID 1748 wrote to memory of 3220 1748 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe Pmoahijl.exe PID 3220 wrote to memory of 4828 3220 Pmoahijl.exe Pcijeb32.exe PID 3220 wrote to memory of 4828 3220 Pmoahijl.exe Pcijeb32.exe PID 3220 wrote to memory of 4828 3220 Pmoahijl.exe Pcijeb32.exe PID 4828 wrote to memory of 1276 4828 Pcijeb32.exe Pggbkagp.exe PID 4828 wrote to memory of 1276 4828 Pcijeb32.exe Pggbkagp.exe PID 4828 wrote to memory of 1276 4828 Pcijeb32.exe Pggbkagp.exe PID 1276 wrote to memory of 3032 1276 Pggbkagp.exe Pjeoglgc.exe PID 1276 wrote to memory of 3032 1276 Pggbkagp.exe Pjeoglgc.exe PID 1276 wrote to memory of 3032 1276 Pggbkagp.exe Pjeoglgc.exe PID 3032 wrote to memory of 1664 3032 Pjeoglgc.exe Qdbiedpa.exe PID 3032 wrote to memory of 1664 3032 Pjeoglgc.exe Qdbiedpa.exe PID 3032 wrote to memory of 1664 3032 Pjeoglgc.exe Qdbiedpa.exe PID 1664 wrote to memory of 1904 1664 Qdbiedpa.exe Qfcfml32.exe PID 1664 wrote to memory of 1904 1664 Qdbiedpa.exe Qfcfml32.exe PID 1664 wrote to memory of 1904 1664 Qdbiedpa.exe Qfcfml32.exe PID 1904 wrote to memory of 4628 1904 Qfcfml32.exe Anmjcieo.exe PID 1904 wrote to memory of 4628 1904 Qfcfml32.exe Anmjcieo.exe PID 1904 wrote to memory of 4628 1904 Qfcfml32.exe Anmjcieo.exe PID 4628 wrote to memory of 2764 4628 Anmjcieo.exe Afhohlbj.exe PID 4628 wrote to memory of 2764 4628 Anmjcieo.exe Afhohlbj.exe PID 4628 wrote to memory of 2764 4628 Anmjcieo.exe Afhohlbj.exe PID 2764 wrote to memory of 2408 2764 Afhohlbj.exe Aeiofcji.exe PID 2764 wrote to memory of 2408 2764 Afhohlbj.exe Aeiofcji.exe PID 2764 wrote to memory of 2408 2764 Afhohlbj.exe Aeiofcji.exe PID 2408 wrote to memory of 2852 2408 Aeiofcji.exe Acnlgp32.exe PID 2408 wrote to memory of 2852 2408 Aeiofcji.exe Acnlgp32.exe PID 2408 wrote to memory of 2852 2408 Aeiofcji.exe Acnlgp32.exe PID 2852 wrote to memory of 2012 2852 Acnlgp32.exe Amgapeea.exe PID 2852 wrote to memory of 2012 2852 Acnlgp32.exe Amgapeea.exe PID 2852 wrote to memory of 2012 2852 Acnlgp32.exe Amgapeea.exe PID 2012 wrote to memory of 4264 2012 Amgapeea.exe Aeniabfd.exe PID 2012 wrote to memory of 4264 2012 Amgapeea.exe Aeniabfd.exe PID 2012 wrote to memory of 4264 2012 Amgapeea.exe Aeniabfd.exe PID 4264 wrote to memory of 3012 4264 Aeniabfd.exe Agoabn32.exe PID 4264 wrote to memory of 3012 4264 Aeniabfd.exe Agoabn32.exe PID 4264 wrote to memory of 3012 4264 Aeniabfd.exe Agoabn32.exe PID 3012 wrote to memory of 2864 3012 Agoabn32.exe Bjmnoi32.exe PID 3012 wrote to memory of 2864 3012 Agoabn32.exe Bjmnoi32.exe PID 3012 wrote to memory of 2864 3012 Agoabn32.exe Bjmnoi32.exe PID 2864 wrote to memory of 692 2864 Bjmnoi32.exe Bagflcje.exe PID 2864 wrote to memory of 692 2864 Bjmnoi32.exe Bagflcje.exe PID 2864 wrote to memory of 692 2864 Bjmnoi32.exe Bagflcje.exe PID 692 wrote to memory of 1576 692 Bagflcje.exe Bnkgeg32.exe PID 692 wrote to memory of 1576 692 Bagflcje.exe Bnkgeg32.exe PID 692 wrote to memory of 1576 692 Bagflcje.exe Bnkgeg32.exe PID 1576 wrote to memory of 4484 1576 Bnkgeg32.exe Beeoaapl.exe PID 1576 wrote to memory of 4484 1576 Bnkgeg32.exe Beeoaapl.exe PID 1576 wrote to memory of 4484 1576 Bnkgeg32.exe Beeoaapl.exe PID 4484 wrote to memory of 364 4484 Beeoaapl.exe Bgcknmop.exe PID 4484 wrote to memory of 364 4484 Beeoaapl.exe Bgcknmop.exe PID 4484 wrote to memory of 364 4484 Beeoaapl.exe Bgcknmop.exe PID 364 wrote to memory of 1476 364 Bgcknmop.exe Bnmcjg32.exe PID 364 wrote to memory of 1476 364 Bgcknmop.exe Bnmcjg32.exe PID 364 wrote to memory of 1476 364 Bgcknmop.exe Bnmcjg32.exe PID 1476 wrote to memory of 3800 1476 Bnmcjg32.exe Beglgani.exe PID 1476 wrote to memory of 3800 1476 Bnmcjg32.exe Beglgani.exe PID 1476 wrote to memory of 3800 1476 Bnmcjg32.exe Beglgani.exe PID 3800 wrote to memory of 2020 3800 Beglgani.exe Bgehcmmm.exe PID 3800 wrote to memory of 2020 3800 Beglgani.exe Bgehcmmm.exe PID 3800 wrote to memory of 2020 3800 Beglgani.exe Bgehcmmm.exe PID 2020 wrote to memory of 588 2020 Bgehcmmm.exe Bjddphlq.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe23⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe24⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe25⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe26⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe27⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe29⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe30⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe31⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe32⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe33⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe35⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe37⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe38⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe39⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe40⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe41⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe42⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe43⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4320 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe45⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe46⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe47⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe48⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe49⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe50⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe51⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe53⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe54⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe55⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe56⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe57⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe59⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe60⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe61⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe62⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe63⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe64⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe65⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe66⤵PID:832
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe67⤵PID:2128
-
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3664 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe69⤵PID:4368
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe70⤵PID:1168
-
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe71⤵PID:3868
-
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe72⤵PID:2784
-
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe73⤵PID:3188
-
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe74⤵PID:3256
-
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe75⤵PID:4028
-
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe76⤵PID:540
-
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe77⤵PID:1944
-
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe78⤵PID:116
-
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe79⤵PID:2528
-
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe80⤵PID:1244
-
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe81⤵PID:3872
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe82⤵PID:4808
-
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe83⤵PID:60
-
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe84⤵PID:4408
-
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe85⤵PID:3512
-
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe86⤵PID:3148
-
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe87⤵PID:8
-
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe88⤵PID:428
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe89⤵PID:3748
-
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe90⤵PID:3084
-
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe91⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe92⤵PID:3896
-
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe93⤵PID:4404
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3756 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe95⤵PID:2448
-
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe96⤵PID:1492
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe97⤵PID:2492
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe98⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe99⤵PID:5176
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe100⤵PID:5216
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe101⤵PID:5252
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe102⤵PID:5296
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe103⤵PID:5340
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe104⤵PID:5380
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe105⤵PID:5420
-
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe106⤵PID:5460
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe107⤵PID:5500
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe108⤵PID:5536
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe109⤵PID:5580
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe110⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe111⤵PID:5656
-
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe112⤵PID:5700
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe113⤵PID:5736
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe114⤵PID:5780
-
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe115⤵PID:5812
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe116⤵PID:5860
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe117⤵
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe118⤵PID:5940
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe119⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe120⤵PID:6020
-
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe121⤵PID:6060
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe122⤵PID:6100
-
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe123⤵
- Modifies registry class
PID:6140 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe124⤵PID:5164
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe125⤵PID:4888
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe126⤵PID:5304
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe127⤵PID:5364
-
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe128⤵PID:5408
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe129⤵PID:5480
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe130⤵PID:5548
-
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe131⤵PID:856
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe132⤵PID:5692
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe133⤵PID:5768
-
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe134⤵PID:5840
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe135⤵PID:5924
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe136⤵PID:5988
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe137⤵
- Modifies registry class
PID:6068 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe138⤵PID:6136
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe139⤵PID:5208
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe140⤵PID:5360
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe141⤵PID:2104
-
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe142⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe143⤵PID:5604
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe144⤵PID:5680
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe145⤵PID:5820
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe146⤵PID:5896
-
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe147⤵PID:6056
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe148⤵PID:6120
-
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe149⤵PID:5240
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe150⤵
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe151⤵PID:5544
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe152⤵PID:1164
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe153⤵PID:5880
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe154⤵PID:6088
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe156⤵
- Modifies registry class
PID:5524 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe157⤵PID:5892
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe158⤵PID:5560
-
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe159⤵PID:5748
-
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe160⤵PID:5488
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe161⤵PID:636
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe162⤵PID:5204
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6188 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe164⤵PID:6232
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe165⤵PID:6296
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe166⤵PID:6340
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe167⤵
- Drops file in System32 directory
PID:6376 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe168⤵PID:6424
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe169⤵PID:6464
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe170⤵PID:6512
-
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe171⤵PID:6556
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe172⤵PID:6596
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe173⤵
- Drops file in System32 directory
PID:6636 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe174⤵PID:6688
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6732 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe176⤵PID:6776
-
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe177⤵PID:6816
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe178⤵PID:6852
-
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe179⤵PID:6904
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe180⤵PID:6948
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe181⤵PID:6992
-
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe182⤵
- Modifies registry class
PID:7032 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe183⤵PID:7072
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe184⤵PID:7124
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe185⤵PID:7164
-
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe186⤵PID:6220
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe188⤵PID:6368
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe189⤵PID:6408
-
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe190⤵
- Drops file in System32 directory
PID:6492 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe191⤵PID:6552
-
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe192⤵PID:6628
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe193⤵PID:6708
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe194⤵PID:6804
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe195⤵PID:6900
-
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe196⤵PID:6976
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe197⤵PID:7068
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe198⤵PID:7160
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe199⤵PID:6268
-
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe200⤵PID:5844
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe201⤵PID:6532
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe202⤵PID:6768
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe203⤵PID:6876
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe204⤵PID:7056
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe205⤵PID:6676
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe206⤵PID:2996
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe207⤵PID:6444
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe208⤵PID:2416
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe209⤵PID:6940
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe210⤵PID:5788
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe211⤵PID:4868
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe212⤵PID:2828
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe213⤵PID:7116
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe214⤵PID:4436
-
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe215⤵PID:6888
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe216⤵PID:4428
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe217⤵PID:3368
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe218⤵PID:7132
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe219⤵PID:7196
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe220⤵PID:7236
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe221⤵PID:7276
-
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe222⤵PID:7320
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe223⤵PID:7368
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe224⤵PID:7408
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe225⤵PID:7448
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe226⤵PID:7484
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe227⤵PID:7528
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe228⤵PID:7572
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe229⤵PID:7608
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe230⤵PID:7652
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe231⤵PID:7696
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe232⤵PID:7732
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe233⤵PID:7776
-
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe234⤵PID:7816
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe235⤵PID:7860
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe236⤵PID:7896
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe237⤵PID:7940
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe238⤵PID:7984
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe239⤵PID:8028
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe240⤵
- Drops file in System32 directory
PID:8068 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe241⤵PID:8104
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe242⤵PID:8148