Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 23:25
Behavioral task behavioral1
Sample: 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe
Size: 664KB
MD5: 0a8fd725bd1e7040b7b6bc052e9563c0
SHA1: 9cfc70f24a8dcb1cde4aef9b9c26bc355be5a4dd
SHA256: 545d61dc12958b73b16958e11c20d1baa0d395ade13c7c73b958e22f002527f6
SHA512: 53884d8c1bcccd8eb910d52dc4dcee1a4554bafd33457161ba589d8a3ac7487d5f41b7417bcb38e5bc75081828d5fa3bf95887ef3c2dc62fdc52b5dcdaf1c0b1
SSDEEP: 12288:78pV6yYPv058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmR54F:wWceKWNUir2MhNl6zX3w9As/xO23WM67
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcghch32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjfnedho.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqdcnl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhkjej32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokgal32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flkdfh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aogbfi32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfmajipb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oimkbaed.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnphn32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pknqoc32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcfkm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkjjlhle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkobmnka.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhnkf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkokgj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegpifod.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmiikh32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilhgk32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjijgq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbgnemjj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdfehh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmepam32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddecc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceckcp32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfadkb32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgddhf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkckeo32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcigeooj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbmqb32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaohcj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfcicmqp.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeddnp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qqhcpo32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbdjfln.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mibijk32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giqkkf32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbddfmgl.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkchqdj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpjnjii.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjddphlq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkqeib32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjlgefb.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejalcgkg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnkbcj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eadopc32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgcph32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpijpdg.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbefdijg.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cliaoq32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule
C:\Windows\SysWOW64\Kdopod32.exe family_berbew
C:\Windows\SysWOW64\Kilhgk32.exe family_berbew
C:\Windows\SysWOW64\Kbfiep32.exe family_berbew
C:\Windows\SysWOW64\Kgdbkohf.exe family_berbew
C:\Windows\SysWOW64\Kkbkamnl.exe family_berbew
C:\Windows\SysWOW64\Lpocjdld.exe family_berbew
C:\Windows\SysWOW64\Lijdhiaa.exe family_berbew
C:\Windows\SysWOW64\Lpcmec32.exe family_berbew
C:\Windows\SysWOW64\Laciofpa.exe family_berbew
C:\Windows\SysWOW64\Lklnhlfb.exe family_berbew
C:\Windows\SysWOW64\Laefdf32.exe family_berbew
C:\Windows\SysWOW64\Mjqjih32.exe family_berbew
C:\Windows\SysWOW64\Mjcgohig.exe family_berbew
C:\Windows\SysWOW64\Mcklgm32.exe family_berbew
C:\Windows\SysWOW64\Mglack32.exe family_berbew
C:\Windows\SysWOW64\Njljefql.exe family_berbew
C:\Windows\SysWOW64\Njljefql.exe family_berbew
C:\Windows\SysWOW64\Nqiogp32.exe family_berbew
C:\Windows\SysWOW64\Ngcgcjnc.exe family_berbew
C:\Windows\SysWOW64\Nnmopdep.exe family_berbew
C:\Windows\SysWOW64\Nqmhbpba.exe family_berbew
C:\Windows\SysWOW64\Ojhiqefo.exe family_berbew
C:\Windows\SysWOW64\Okhfjh32.exe family_berbew
C:\Windows\SysWOW64\Ogogoi32.exe family_berbew
C:\Windows\SysWOW64\Obdkma32.exe family_berbew
C:\Windows\SysWOW64\Odednmpm.exe family_berbew
C:\Windows\SysWOW64\Okolkg32.exe family_berbew
C:\Windows\SysWOW64\Pkaiqf32.exe family_berbew
C:\Windows\SysWOW64\Peimil32.exe family_berbew
C:\Windows\SysWOW64\Pcojkhap.exe family_berbew
C:\Windows\SysWOW64\Pcagphom.exe family_berbew
C:\Windows\SysWOW64\Pnfkma32.exe family_berbew
C:\Windows\SysWOW64\Pagdol32.exe family_berbew
C:\Windows\SysWOW64\Aldomc32.exe family_berbew
C:\Windows\SysWOW64\Andgoobc.exe family_berbew
C:\Windows\SysWOW64\Bldgdago.exe family_berbew
C:\Windows\SysWOW64\Chbnia32.exe family_berbew
C:\Windows\SysWOW64\Doqpak32.exe family_berbew
C:\Windows\SysWOW64\Ddpeoafg.exe family_berbew
C:\Windows\SysWOW64\Dhpjkojk.exe family_berbew
C:\Windows\SysWOW64\Dlncan32.exe family_berbew
C:\Windows\SysWOW64\Elbmlmml.exe family_berbew
C:\Windows\SysWOW64\Fkmchi32.exe family_berbew
C:\Windows\SysWOW64\Fafkecel.exe family_berbew
C:\Windows\SysWOW64\Fdialn32.exe family_berbew
C:\Windows\SysWOW64\Fbpnkama.exe family_berbew
C:\Windows\SysWOW64\Glhonj32.exe family_berbew
C:\Windows\SysWOW64\Gdeqhl32.exe family_berbew
C:\Windows\SysWOW64\Gokdeeec.exe family_berbew
C:\Windows\SysWOW64\Gdjjckag.exe family_berbew
C:\Windows\SysWOW64\Hflcbngh.exe family_berbew
C:\Windows\SysWOW64\Hodgkc32.exe family_berbew
C:\Windows\SysWOW64\Ifefimom.exe family_berbew
C:\Windows\SysWOW64\Ickchq32.exe family_berbew
C:\Windows\SysWOW64\Ilghlc32.exe family_berbew
C:\Windows\SysWOW64\Jlkagbej.exe family_berbew
C:\Windows\SysWOW64\Jcgbco32.exe family_berbew
C:\Windows\SysWOW64\Kikame32.exe family_berbew
C:\Windows\SysWOW64\Kefkme32.exe family_berbew
C:\Windows\SysWOW64\Lffhfh32.exe family_berbew
C:\Windows\SysWOW64\Lgokmgjm.exe family_berbew
C:\Windows\SysWOW64\Mbfkbhpa.exe family_berbew
C:\Windows\SysWOW64\Mckemg32.exe family_berbew
C:\Windows\SysWOW64\Mpablkhc.exe family_berbew
Executes dropped EXE 64 IoCs
pid process
2508 Kdopod32.exe
2752 Kilhgk32.exe
432 Kbfiep32.exe
1256 Kgdbkohf.exe
1924 Kkbkamnl.exe
4280 Lpocjdld.exe
4784 Lijdhiaa.exe
3972 Lpcmec32.exe
2960 Laciofpa.exe
2712 Lklnhlfb.exe
3976 Laefdf32.exe
3264 Mjqjih32.exe
2112 Mjcgohig.exe
4680 Mcklgm32.exe
3760 Mglack32.exe
3900 Njljefql.exe
620 Nqiogp32.exe
4176 Ngcgcjnc.exe
1780 Nnmopdep.exe
4728 Nqmhbpba.exe
4396 Ojhiqefo.exe
3376 Okhfjh32.exe
3920 Ogogoi32.exe
888 Obdkma32.exe
4792 Odednmpm.exe
752 Okolkg32.exe
3880 Pkaiqf32.exe
4428 Peimil32.exe
2616 Pcojkhap.exe
4072 Pcagphom.exe
2936 Pnfkma32.exe
3932 Pagdol32.exe
4332 Qajadlja.exe
2076 Qjbena32.exe
3960 Qbimoo32.exe
3100 Aegikj32.exe
4736 Agffge32.exe
4192 Abkjdnoa.exe
4516 Aejfpjne.exe
4304 Aldomc32.exe
4576 Abngjnmo.exe
3548 Ahkobekf.exe
232 Andgoobc.exe
4932 Aeopki32.exe
1148 Alhhhcal.exe
568 Aaepqjpd.exe
364 Alkdnboj.exe
3864 Abemjmgg.exe
4056 Bhaebcen.exe
2832 Bnlnon32.exe
3668 Bajjli32.exe
4356 Blpnib32.exe
4496 Bnnjen32.exe
5060 Behbag32.exe
2216 Bhfonc32.exe
1220 Bjdkjo32.exe
3212 Baocghgi.exe
2988 Bldgdago.exe
2152 Bbnpqk32.exe
4048 Bhkhibmc.exe
3580 Boepel32.exe
3132 Ceoibflm.exe
3420 Cliaoq32.exe
4540 Cbcilkjg.exe
Drops file in System32 directory 64 IoCs
description ioc process
File created C:\Windows\SysWOW64\Bbnpqk32.exe Bldgdago.exe
File created C:\Windows\SysWOW64\Nmhbnnof.dll Ajqgidij.exe
File opened for modification C:\Windows\SysWOW64\Ckkiccep.exe Cjjlkk32.exe
File created C:\Windows\SysWOW64\Fganqbgg.exe Fecadghc.exe
File opened for modification C:\Windows\SysWOW64\Qlmgopjq.exe Qfbobf32.exe
File created C:\Windows\SysWOW64\Inlihl32.exe Ijqmhnko.exe
File opened for modification C:\Windows\SysWOW64\Aajhndkb.exe Agdcpkll.exe
File opened for modification C:\Windows\SysWOW64\Gngeik32.exe Geoapenf.exe
File opened for modification C:\Windows\SysWOW64\Nmcpoedn.exe
File created C:\Windows\SysWOW64\Lppbjjia.dll Laefdf32.exe
File created C:\Windows\SysWOW64\Fjbhpb32.dll Kenggi32.exe
File created C:\Windows\SysWOW64\Cjelhg32.dll Gljgbllj.exe
File created C:\Windows\SysWOW64\Fbelcblk.exe Flkdfh32.exe
File opened for modification C:\Windows\SysWOW64\Dcphdqmj.exe
File opened for modification C:\Windows\SysWOW64\Gqpapacd.exe
File created C:\Windows\SysWOW64\Ckamjcad.dll Doilmc32.exe
File opened for modification C:\Windows\SysWOW64\Dhclmp32.exe Dnmhpg32.exe
File created C:\Windows\SysWOW64\Clmipm32.dll Doccpcja.exe
File opened for modification C:\Windows\SysWOW64\Ilnlom32.exe Ieccbbkn.exe
File opened for modification C:\Windows\SysWOW64\Daaicfgd.exe Dldpkoil.exe
File opened for modification C:\Windows\SysWOW64\Ejflhm32.exe Epagkd32.exe
File opened for modification C:\Windows\SysWOW64\Ibbcfa32.exe
File created C:\Windows\SysWOW64\Ikdcmpnl.exe Icnklbmj.exe
File opened for modification C:\Windows\SysWOW64\Hoobdp32.exe Hmmfmhll.exe
File opened for modification C:\Windows\SysWOW64\Adepji32.exe
File created C:\Windows\SysWOW64\Dccfme32.dll
File created C:\Windows\SysWOW64\Ifkqol32.dll
File created C:\Windows\SysWOW64\Domdjj32.exe Dhclmp32.exe
File created C:\Windows\SysWOW64\Jelonkph.exe
File created C:\Windows\SysWOW64\Bapolp32.dll Deanodkh.exe
File created C:\Windows\SysWOW64\Ejoigd32.dll Jjlmclqa.exe
File created C:\Windows\SysWOW64\Bdabnm32.dll Omqmop32.exe
File created C:\Windows\SysWOW64\Hhfgeigk.dll Omcjep32.exe
File opened for modification C:\Windows\SysWOW64\Hpofii32.exe Hkbmqb32.exe
File created C:\Windows\SysWOW64\Gkalbj32.exe
File created C:\Windows\SysWOW64\Pakfglam.dll
File created C:\Windows\SysWOW64\Fpbmfn32.exe Eiieicml.exe
File opened for modification C:\Windows\SysWOW64\Ilmmni32.exe Ikkpgafg.exe
File created C:\Windows\SysWOW64\Ddalgo32.dll Pdfehh32.exe
File created C:\Windows\SysWOW64\Knaodd32.dll
File opened for modification C:\Windows\SysWOW64\Alhhhcal.exe Aeopki32.exe
File created C:\Windows\SysWOW64\Lmgabcge.exe Ljhefhha.exe
File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe Ahpmjejp.exe
File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Bklomh32.exe
File created C:\Windows\SysWOW64\Ahdpjn32.exe Aajhndkb.exe
File created C:\Windows\SysWOW64\Ichnpf32.dll
File opened for modification C:\Windows\SysWOW64\Lifjnm32.exe Lblaabdp.exe
File created C:\Windows\SysWOW64\Hcaihm32.dll Mjpbam32.exe
File created C:\Windows\SysWOW64\Efjimhnh.exe Eppqqn32.exe
File created C:\Windows\SysWOW64\Accimdgp.dll Jghpbk32.exe
File created C:\Windows\SysWOW64\Aeopki32.exe Andgoobc.exe
File opened for modification C:\Windows\SysWOW64\Gmoeoidl.exe Gokdeeec.exe
File opened for modification C:\Windows\SysWOW64\Hodgkc32.exe Hflcbngh.exe
File created C:\Windows\SysWOW64\Bldgdago.exe Baocghgi.exe
File created C:\Windows\SysWOW64\Bjnmpl32.exe Bohibc32.exe
File created C:\Windows\SysWOW64\Kkpbin32.exe Jdfjld32.exe
File opened for modification C:\Windows\SysWOW64\Qmkadgpo.exe Pjmehkqk.exe
File created C:\Windows\SysWOW64\Doaneiop.exe Digehphc.exe
File created C:\Windows\SysWOW64\Hcmhel32.dll
File created C:\Windows\SysWOW64\Pneclb32.dll Gngeik32.exe
File created C:\Windows\SysWOW64\Pkmlea32.dll Qffbbldm.exe
File created C:\Windows\SysWOW64\Gnfhfl32.exe Gaogak32.exe
File created C:\Windows\SysWOW64\Mccfdmmo.exe Madjhb32.exe
File created C:\Windows\SysWOW64\Jfdnfdoa.dll Neclenfo.exe
Program crash 1 IoCs
pid pid_target process target process
5628 5224
Modifies registry class 64 IoCs
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccnncgmc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll" Mnegbp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekjfcipa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilqdd32.dll" Ollnhb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmdfgm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmipblaq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kclgmq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qbimoo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oblmdhdo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gjfnedho.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll" Qgqeappe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpqkad32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nognnj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ickglm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqjbok32.dll" Gdppbfff.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnodaecc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mldhfpib.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjdkjo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoonaj32.dll" Ieliebnf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmomlnjk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Odoogi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jofalmmp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folnlh32.dll" Mfhbga32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inicaa32.dll" Dpckjfgg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhdohp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpoaebh.dll" Pkpmdbfd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcadgkl.dll" Dldpkoil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombmjmoh.dll" Hgabkoee.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhomj32.dll" Pckppl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjbbo32.dll" Dgejpd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll" Ilnlom32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll" Fiaael32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldjbclh.dll" Hpmhdmea.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jodjhkkj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbnag32.dll" Eipinkib.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mngegmbc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffnlmnd.dll" Gkjhoq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegbb32.dll" Jfgdkd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knbbep32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll" Qmkadgpo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fibhpbea.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnqfkij.dll" Dmlkhofd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqncnj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkdeeod.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lijdhiaa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjddphlq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkgeoklj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipgkjlmg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcqpq32.dll" Gnfhfl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeodj32.dll" Ljhefhha.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Niniei32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkcmfmhk.dll" Eachem32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcpahpmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckjknfnh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfjpfj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enabbk32.dll" Epikpo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knalji32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhclmp32.exe
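The "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" signatures above are two halves of one persistence mechanism: the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names a CLSID, and that CLSID's InProcServer32 default value names the DLL explorer.exe will load into its own process at logon. The Python below is an added example, not part of the Triage report or of the sample; it parses IoC rows in the report's "Set value (str) ..." / "Key created ..." text format, joins each SSODL value to the InProcServer32 path registered for its CLSID, and flags CLSIDs that are not in a baseline. The sample rows, the `baseline_clsids` parameter and the final Run-key row (a negative case) are constructed for this example.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) autorun entries to the DLL they
load, from IoC rows in the sandbox report's own text format."""
import re

# Constructed sample in the report's "Set value (str) ... / Key created ..."
# row format. The SSODL and CLSID rows follow the shapes seen in the report;
# the final Run-key row is a made-up negative case the resolver must ignore.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcghch32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokgal32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjfnedho.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmdfgm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll" Mnegbp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccnncgmc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilqdd32.dll" Ollnhb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Public\\u.exe" Other.exe
"""

# 'Set value (str) <key>\<value name> = "<data>" [<process>]'. The value name
# may contain spaces but never a backslash, which pins the key/name split.
SET_VALUE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\"]*?) = "(?P<data>[^"]*)"(?: (?P<proc>\S+))?$')
KEY_CREATED = re.compile(r'^Key created (?P<key>\S+)(?: (?P<proc>\S+))?$')
SSODL_KEY = re.compile(r'\\CurrentVersion\\ShellServiceObjectDelayLoad$', re.I)
INPROC_KEY = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32$', re.I)


def parse_ioc_lines(text):
    """Yield (kind, key, name, data, proc); kind is 'set' or 'create'."""
    for line in text.splitlines():
        line = line.strip()
        m = SET_VALUE.match(line)
        if m:
            yield 'set', m['key'], m['name'], m['data'], m['proc']
            continue
        m = KEY_CREATED.match(line)
        if m:
            yield 'create', m['key'], None, None, m['proc']


def resolve_ssodl(text):
    """Join each SSODL value (name -> CLSID) to that CLSID's InProcServer32
    default value, i.e. the DLL explorer.exe will load. Later writers overwrite
    the default, so 'dll' is the last path seen and 'dll_history' keeps them all."""
    ssodl, servers = {}, {}
    for kind, key, name, data, proc in parse_ioc_lines(text):
        if kind != 'set':
            continue
        if SSODL_KEY.search(key):
            e = ssodl.setdefault(name, {'clsid': data.upper(), 'writers': set()})
            if proc:
                e['writers'].add(proc)
            continue
        m = INPROC_KEY.search(key)
        if m and name == '':                                   # the (Default) value
            e = servers.setdefault(m['clsid'].upper(), {'dlls': [], 'registrars': set()})
            e['dlls'].append(data.replace('\\\\', '\\'))       # report doubles backslashes
            if proc:
                e['registrars'].add(proc)
    out = {}
    for name, e in ssodl.items():
        srv = servers.get(e['clsid'], {'dlls': [], 'registrars': set()})
        out[name] = {'clsid': e['clsid'],
                     'dll': srv['dlls'][-1] if srv['dlls'] else None,
                     'dll_history': list(srv['dlls']),
                     'writers': sorted(e['writers']),
                     'registrars': sorted(srv['registrars'])}
    return out


def flag_ssodl(resolved, baseline_clsids=frozenset()):
    """Names of SSODL entries whose CLSID is not in a known-clean baseline.
    Assumption: baseline_clsids is built from a clean image of the same build."""
    baseline = {c.upper() for c in baseline_clsids}
    return sorted(n for n, e in resolved.items() if e['clsid'] not in baseline)


if __name__ == '__main__':
    resolved = resolve_ssodl(SAMPLE_IOCS)
    for name in flag_ssodl(resolved):
        e = resolved[name]
        print(f"{name!r} -> {e['clsid']} -> {e['dll']} (set by {', '.join(e['writers'])})")
```

Run against the full IoC listing, "Web Event Logger" resolves to whichever `C:\Windows\SysWow64\*.dll` was registered last; the report shows successive processes in the chain overwriting the InProcServer32 default with different DLL names, which is why the resolver keeps the history rather than the first hit. On a live host the same join is a walk of the SSODL key (and its WOW6432Node copy) followed by HKCR\CLSID\{guid}\InProcServer32, and any CLSID missing from a clean baseline is worth a look at the DLL's signature and creation time.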
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe Kdopod32.exe Kilhgk32.exe Kbfiep32.exe Kgdbkohf.exe Kkbkamnl.exe Lpocjdld.exe Lijdhiaa.exe Lpcmec32.exe Laciofpa.exe Lklnhlfb.exe Laefdf32.exe Mjqjih32.exe Mjcgohig.exe Mcklgm32.exe Mglack32.exe Njljefql.exe Nqiogp32.exe Ngcgcjnc.exe Nnmopdep.exe Nqmhbpba.exe Ojhiqefo.exe
description | pid | process | target process
PID 4548 wrote to memory of 2508 | 4548 | 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe | Kdopod32.exe
PID 4548 wrote to memory of 2508 | 4548 | 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe | Kdopod32.exe
PID 4548 wrote to memory of 2508 | 4548 | 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe | Kdopod32.exe
PID 2508 wrote to memory of 2752 | 2508 | Kdopod32.exe | Kilhgk32.exe
PID 2508 wrote to memory of 2752 | 2508 | Kdopod32.exe | Kilhgk32.exe
PID 2508 wrote to memory of 2752 | 2508 | Kdopod32.exe | Kilhgk32.exe
PID 2752 wrote to memory of 432 | 2752 | Kilhgk32.exe | Kbfiep32.exe
PID 2752 wrote to memory of 432 | 2752 | Kilhgk32.exe | Kbfiep32.exe
PID 2752 wrote to memory of 432 | 2752 | Kilhgk32.exe | Kbfiep32.exe
PID 432 wrote to memory of 1256 | 432 | Kbfiep32.exe | Kgdbkohf.exe
PID 432 wrote to memory of 1256 | 432 | Kbfiep32.exe | Kgdbkohf.exe
PID 432 wrote to memory of 1256 | 432 | Kbfiep32.exe | Kgdbkohf.exe
PID 1256 wrote to memory of 1924 | 1256 | Kgdbkohf.exe | Kkbkamnl.exe
PID 1256 wrote to memory of 1924 | 1256 | Kgdbkohf.exe | Kkbkamnl.exe
PID 1256 wrote to memory of 1924 | 1256 | Kgdbkohf.exe | Kkbkamnl.exe
PID 1924 wrote to memory of 4280 | 1924 | Kkbkamnl.exe | Lpocjdld.exe
PID 1924 wrote to memory of 4280 | 1924 | Kkbkamnl.exe | Lpocjdld.exe
PID 1924 wrote to memory of 4280 | 1924 | Kkbkamnl.exe | Lpocjdld.exe
PID 4280 wrote to memory of 4784 | 4280 | Lpocjdld.exe | Lijdhiaa.exe
PID 4280 wrote to memory of 4784 | 4280 | Lpocjdld.exe | Lijdhiaa.exe
PID 4280 wrote to memory of 4784 | 4280 | Lpocjdld.exe | Lijdhiaa.exe
PID 4784 wrote to memory of 3972 | 4784 | Lijdhiaa.exe | Lpcmec32.exe
PID 4784 wrote to memory of 3972 | 4784 | Lijdhiaa.exe | Lpcmec32.exe
PID 4784 wrote to memory of 3972 | 4784 | Lijdhiaa.exe | Lpcmec32.exe
PID 3972 wrote to memory of 2960 | 3972 | Lpcmec32.exe | Laciofpa.exe
PID 3972 wrote to memory of 2960 | 3972 | Lpcmec32.exe | Laciofpa.exe
PID 3972 wrote to memory of 2960 | 3972 | Lpcmec32.exe | Laciofpa.exe
PID 2960 wrote to memory of 2712 | 2960 | Laciofpa.exe | Lklnhlfb.exe
PID 2960 wrote to memory of 2712 | 2960 | Laciofpa.exe | Lklnhlfb.exe
PID 2960 wrote to memory of 2712 | 2960 | Laciofpa.exe | Lklnhlfb.exe
PID 2712 wrote to memory of 3976 | 2712 | Lklnhlfb.exe | Laefdf32.exe
PID 2712 wrote to memory of 3976 | 2712 | Lklnhlfb.exe | Laefdf32.exe
PID 2712 wrote to memory of 3976 | 2712 | Lklnhlfb.exe | Laefdf32.exe
PID 3976 wrote to memory of 3264 | 3976 | Laefdf32.exe | Mjqjih32.exe
PID 3976 wrote to memory of 3264 | 3976 | Laefdf32.exe | Mjqjih32.exe
PID 3976 wrote to memory of 3264 | 3976 | Laefdf32.exe | Mjqjih32.exe
PID 3264 wrote to memory of 2112 | 3264 | Mjqjih32.exe | Mjcgohig.exe
PID 3264 wrote to memory of 2112 | 3264 | Mjqjih32.exe | Mjcgohig.exe
PID 3264 wrote to memory of 2112 | 3264 | Mjqjih32.exe | Mjcgohig.exe
PID 2112 wrote to memory of 4680 | 2112 | Mjcgohig.exe | Mcklgm32.exe
PID 2112 wrote to memory of 4680 | 2112 | Mjcgohig.exe | Mcklgm32.exe
PID 2112 wrote to memory of 4680 | 2112 | Mjcgohig.exe | Mcklgm32.exe
PID 4680 wrote to memory of 3760 | 4680 | Mcklgm32.exe | Mglack32.exe
PID 4680 wrote to memory of 3760 | 4680 | Mcklgm32.exe | Mglack32.exe
PID 4680 wrote to memory of 3760 | 4680 | Mcklgm32.exe | Mglack32.exe
PID 3760 wrote to memory of 3900 | 3760 | Mglack32.exe | Njljefql.exe
PID 3760 wrote to memory of 3900 | 3760 | Mglack32.exe | Njljefql.exe
PID 3760 wrote to memory of 3900 | 3760 | Mglack32.exe | Njljefql.exe
PID 3900 wrote to memory of 620 | 3900 | Njljefql.exe | Nqiogp32.exe
PID 3900 wrote to memory of 620 | 3900 | Njljefql.exe | Nqiogp32.exe
PID 3900 wrote to memory of 620 | 3900 | Njljefql.exe | Nqiogp32.exe
PID 620 wrote to memory of 4176 | 620 | Nqiogp32.exe | Ngcgcjnc.exe
PID 620 wrote to memory of 4176 | 620 | Nqiogp32.exe | Ngcgcjnc.exe
PID 620 wrote to memory of 4176 | 620 | Nqiogp32.exe | Ngcgcjnc.exe
PID 4176 wrote to memory of 1780 | 4176 | Ngcgcjnc.exe | Nnmopdep.exe
PID 4176 wrote to memory of 1780 | 4176 | Ngcgcjnc.exe | Nnmopdep.exe
PID 4176 wrote to memory of 1780 | 4176 | Ngcgcjnc.exe | Nnmopdep.exe
PID 1780 wrote to memory of 4728 | 1780 | Nnmopdep.exe | Nqmhbpba.exe
PID 1780 wrote to memory of 4728 | 1780 | Nnmopdep.exe | Nqmhbpba.exe
PID 1780 wrote to memory of 4728 | 1780 | Nnmopdep.exe | Nqmhbpba.exe
PID 4728 wrote to memory of 4396 | 4728 | Nqmhbpba.exe | Ojhiqefo.exe
PID 4728 wrote to memory of 4396 | 4728 | Nqmhbpba.exe | Ojhiqefo.exe
PID 4728 wrote to memory of 4396 | 4728 | Nqmhbpba.exe | Ojhiqefo.exe
PID 4396 wrote to memory of 3376 | 4396 | Ojhiqefo.exe | Okhfjh32.exe
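The registry IoCs under "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" above are what a responder would hunt for on other hosts: the ShellServiceObjectDelayLoad value "Web Event Logger", the CLSID {79ECA078-17FF-726B-E811-213280E5C831} it points at, and the SysWow64 DLLs registered as that CLSID's InProcServer32. The report renders those IoCs as one run of text, so the following Python is an added example (not part of this report or of any sandbox tooling) that splits such a run into records and reduces them to hunting indicators. The five sample entries are copied from the signatures above and joined the way the report renders them; the `\REGISTRY\MACHINE` to `HKLM` mapping is the standard kernel-to-Win32 naming and the only assumption beyond the page.

```python
import re

# Constructed sample: five IoCs copied from the "Modifies registry class" and
# "Adds autorun key" signatures in this report, joined the way the report renders them.
SAMPLE = (
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqncnj32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkdeeod.dll" '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjddphlq.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcqpq32.dll" Gnfhfl32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcghch32.exe'
)

# One IoC: action, key path (for "Set value" the last path component is the value
# name), an optional = "data", and the optional name of the process that wrote it.
ENTRY_RE = re.compile(
    r'(?P<action>Key created|Set value \(str\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r'(?: (?P<proc>\S+\.exe))?'
    r' ?(?=Key created|Set value \(str\)|$)'
)
CLSID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)


def parse_registry_iocs(text):
    """Split a flattened IoC run into one dict per registry operation."""
    flat = re.sub(r'\s+', ' ', text).strip()
    records = []
    for m in ENTRY_RE.finditer(flat):
        key = m.group('key')
        if m.group('action') == 'Key created':
            path, value = key, None
        else:
            # "\InProcServer32\ = ..." is the key's (Default) value, hence value == ''
            path, _, value = key.rpartition('\\')
        records.append({'action': m.group('action'), 'path': path, 'value': value,
                        'data': m.group('data'), 'process': m.group('proc')})
    return records


def to_hklm(path):
    r"""Kernel-style \REGISTRY\MACHINE\... to the HKLM\... form regedit and PowerShell use."""
    return re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.I)


def hunting_indicators(records):
    """Reduce the records to what you would actually search for on other hosts."""
    ind = {'clsids': set(), 'inproc_dlls': set(), 'ssodl': {}, 'writers': set(), 'keys': set()}
    for r in records:
        ind['keys'].add(to_hklm(r['path']))
        for c in CLSID_RE.findall(r['path'] + ' ' + (r['data'] or '')):
            ind['clsids'].add(c.upper())
        if r['process']:
            ind['writers'].add(r['process'])
        if r['action'] != 'Set value (str)':
            continue
        if r['path'].endswith('\\InProcServer32') and r['value'] == '':
            # the report doubles backslashes inside quoted data; undo that
            ind['inproc_dlls'].add(r['data'].replace('\\\\', '\\'))
        if 'ShellServiceObjectDelayLoad' in r['path']:
            ind['ssodl'][r['value']] = r['data']
    return ind


if __name__ == '__main__':
    ind = hunting_indicators(parse_registry_iocs(SAMPLE))
    for k in ('clsids', 'keys', 'inproc_dlls', 'writers'):
        print(f'{k}:')
        for v in sorted(ind[k]):
            print('  ', v)
    print('ssodl:', ind['ssodl'])
```

On a host, the two keys this yields are the ones to inspect: the ShellServiceObjectDelayLoad key (explorer.exe loads every CLSID listed there at logon, which is why the sandbox tags it as autorun) and the CLSID's InProcServer32, whose (Default) value names the DLL that gets loaded. A legitimate entry there resolves to a signed, well-known DLL; one that resolves to a freshly created, unsigned file in SysWow64 with a random eight-letter name, as the paths in this report do, is the persistence to remove along with the DLL.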
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe23⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe24⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe25⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe26⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe27⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe28⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe29⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe30⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe31⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe32⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe33⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe34⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe35⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe37⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe38⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe39⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe40⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe41⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe42⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe43⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe46⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe47⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe48⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe49⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe50⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe51⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe52⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe53⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe54⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe55⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe56⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe60⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe61⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe62⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe63⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe65⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3176 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe67⤵PID:4464
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe68⤵PID:3768
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe69⤵PID:1928
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe70⤵PID:2144
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe71⤵PID:3528
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe72⤵PID:4780
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe73⤵PID:2948
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe74⤵PID:3488
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe76⤵PID:1572
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe77⤵PID:2876
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe78⤵PID:1080
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe79⤵PID:2136
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe80⤵
- Drops file in System32 directory
PID:4248 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe81⤵PID:2380
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe82⤵PID:5168
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe83⤵PID:5216
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe84⤵PID:5260
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe85⤵PID:5304
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe86⤵PID:5340
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe87⤵PID:5396
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe88⤵PID:5440
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe89⤵
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe91⤵PID:5592
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe92⤵PID:5644
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe93⤵PID:5688
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe94⤵PID:5732
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe95⤵PID:5780
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe96⤵PID:5820
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe97⤵PID:5868
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe98⤵PID:5912
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe99⤵PID:5956
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe100⤵PID:5996
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe101⤵PID:6040
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe102⤵PID:6096
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe103⤵PID:5144
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe104⤵PID:5212
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe105⤵PID:5296
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe106⤵PID:5328
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe107⤵PID:5428
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe108⤵PID:5512
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe109⤵PID:5576
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe110⤵PID:5664
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe111⤵
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe112⤵PID:5808
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe113⤵PID:5852
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe114⤵PID:5940
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe115⤵PID:6020
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe116⤵PID:6080
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe117⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe118⤵PID:5288
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5380 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe120⤵PID:5476
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe121⤵PID:5624
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe122⤵PID:5740
-
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864 -
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe124⤵PID:5948
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe125⤵PID:6084
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe126⤵PID:5196
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe127⤵PID:5388
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe128⤵PID:5604
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe129⤵PID:5748
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe130⤵PID:5936
-
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe131⤵PID:2308
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe132⤵PID:5372
-
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe133⤵PID:5676
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe134⤵PID:5920
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe135⤵PID:3936
-
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe136⤵PID:2848
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe137⤵PID:5348
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe138⤵PID:5716
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe139⤵PID:4608
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe140⤵PID:5608
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe141⤵PID:5652
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe142⤵PID:4956
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe143⤵PID:5932
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe144⤵PID:5448
-
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe145⤵PID:6104
-
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe146⤵PID:5548
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe147⤵PID:6184
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe148⤵PID:6236
-
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe149⤵PID:6292
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe150⤵PID:6364
-
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe151⤵PID:6420
-
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe152⤵PID:6476
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe153⤵PID:6536
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe154⤵PID:6600
-
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe155⤵PID:6648
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe156⤵PID:6680
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6748 -
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe158⤵PID:6792
-
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe159⤵PID:6832
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe160⤵PID:6876
-
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe161⤵PID:6920
-
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe162⤵PID:6964
-
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe163⤵PID:7008
-
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe164⤵PID:7052
-
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7096 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe166⤵PID:7132
-
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe167⤵PID:6172
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe168⤵PID:6244
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe169⤵PID:6352
-
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe170⤵PID:6264
-
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe171⤵PID:6544
-
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe172⤵PID:6616
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe173⤵PID:6704
-
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe174⤵PID:6772
-
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe175⤵PID:6840
-
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe176⤵PID:6912
-
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe177⤵PID:6984
-
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe178⤵PID:7044
-
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe179⤵PID:7128
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe180⤵PID:6192
-
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe181⤵PID:6324
-
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe182⤵PID:6488
-
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe183⤵PID:6632
-
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe184⤵PID:6736
-
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe185⤵PID:6828
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe186⤵PID:7028
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe187⤵PID:7144
-
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe188⤵PID:6280
-
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe189⤵PID:6524
-
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe190⤵PID:6724
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe191⤵PID:6872
-
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe192⤵PID:7064
-
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe193⤵PID:6152
-
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe194⤵PID:6756
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe195⤵PID:6996
-
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe196⤵PID:6584
-
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe197⤵PID:6972
-
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe198⤵PID:6744
-
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe199⤵PID:6620
-
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe200⤵PID:6412
-
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe201⤵PID:6460
-
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe202⤵PID:7208
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe203⤵PID:7252
-
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe204⤵PID:7300
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe205⤵PID:7336
-
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe206⤵PID:7388
-
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7432 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe208⤵PID:7476
-
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe209⤵PID:7520
-
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe210⤵
- Drops file in System32 directory
PID:7564 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe211⤵
- Modifies registry class
PID:7616 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe212⤵
- Modifies registry class
PID:7652 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe213⤵PID:7704
-
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe214⤵PID:7744
-
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe215⤵PID:7796
-
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe216⤵
- Drops file in System32 directory
PID:7844 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe217⤵PID:7896
-
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe218⤵PID:7940
-
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe219⤵PID:7980
-
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe220⤵PID:8028
-
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe221⤵PID:8060
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe222⤵PID:8108
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe223⤵PID:8156
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe224⤵PID:7184
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe225⤵PID:7248
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe226⤵PID:7316
-
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7376 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe228⤵PID:7460
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe229⤵PID:7528
-
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7604 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe231⤵PID:7664
-
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe232⤵PID:7728
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe233⤵PID:7788
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7840 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe235⤵PID:1476
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe236⤵PID:7880
-
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe237⤵PID:7948
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe238⤵PID:8012
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe239⤵PID:8088
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8152 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe241⤵PID:7228
-
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe242⤵PID:7308
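The 64 WriteProcessMemory IoCs and the process tree above describe the same thing: a strictly linear chain in which each dropped SysWOW64 executable writes into, and starts, exactly one successor, 242 levels deep in this run. The following Python is an added example (not part of this report or of any sandbox tooling) that collapses the flattened IoC rows into that chain and checks its shape, so that the 64 lines (three writes per spawn, as the report records them) reduce to the ordered list of processes and a depth, and any branching or loop is reported instead of silently flattened. The ten sample rows are copied from the IoCs above and joined the way the report renders them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: ten rows copied from the WriteProcessMemory IoCs in this report,
# joined the way the report renders them (each spawn is listed three times there).
SAMPLE = ' '.join(
    ['PID 4548 wrote to memory of 2508 4548 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe Kdopod32.exe'] * 3
    + ['PID 2508 wrote to memory of 2752 2508 Kdopod32.exe Kilhgk32.exe'] * 3
    + ['PID 2752 wrote to memory of 432 2752 Kilhgk32.exe Kbfiep32.exe'] * 3
    + ['PID 432 wrote to memory of 1256 432 Kbfiep32.exe Kgdbkohf.exe']
)

# description | pid | process | target process, as the report lays the row out
ROW_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)')


def parse_wpm_rows(text):
    """Return (writer_pid, target_pid, writer_name, target_name) per IoC row."""
    rows = []
    for src, dst, pid, src_name, dst_name in ROW_RE.findall(re.sub(r'\s+', ' ', text)):
        if src != pid:  # the description and the pid column must agree
            raise ValueError(f'inconsistent row: {src} vs {pid}')
        rows.append((int(src), int(dst), src_name, dst_name))
    return rows


def build_graph(rows):
    """pid -> name, writer -> set of targets, and how often each (writer, target) pair appears."""
    names, children, writes = {}, defaultdict(set), Counter()
    for src, dst, src_name, dst_name in rows:
        names[src], names[dst] = src_name, dst_name
        children[src].add(dst)
        writes[(src, dst)] += 1
    return {'names': names, 'children': children, 'writes': writes}


def spawn_chain(graph, root):
    """Walk from root while each process wrote to exactly one other process.
    Returns the list of (pid, name); raises if the tree branches or loops."""
    chain, seen, pid = [], set(), root
    while True:
        chain.append((pid, graph['names'][pid]))
        seen.add(pid)
        kids = graph['children'].get(pid, set())
        if not kids:
            return chain
        if len(kids) > 1:
            raise ValueError(f'{pid} wrote to {len(kids)} processes; not a linear chain')
        pid = next(iter(kids))
        if pid in seen:
            raise ValueError(f'loop at {pid}')


def chain_depth(graph, root):
    return len(spawn_chain(graph, root))


if __name__ == '__main__':
    g = build_graph(parse_wpm_rows(SAMPLE))
    for depth, (pid, name) in enumerate(spawn_chain(g, 4548), 1):
        print(f'{depth:3d}  PID {pid:<5}  {name}')
```

Run over the full 64 rows above, the chain starts at PID 4548 (the submitted sample) and ends at PID 3376 (Okhfjh32.exe) with 22 processes, which is exactly the first 22 entries of the process tree; the remaining 220 levels of the tree carry no WriteProcessMemory IoC because the report caps that signature at 64 entries. The `writes` counter is worth keeping in the output: a parent that appears with a different multiplicity from the rest, or with more than one distinct target, is the point where the chain stops being the simple copy-and-run loop this sample exhibits.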