Analysis
max time kernel: 143s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 00:23
Behavioral tasks
behavioral1: sample 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe, resource win7-20240508-en
behavioral2: sample 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe, resource win10v2004-20240508-en (the run shown on this page)
General
Target: 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe
Size: 400KB
MD5: 12e64a027738e20798c8eb243caee880
SHA1: 5978b1ca3cca2e4fc957608bf2ebbee66f1ea4fe
SHA256: c7460806352b611d6eb865d851d1c8c79a255929d07e486402fef8ab752a63ce
SHA512: 9558054a3893beb87ce8474d325fbd5f44382435f0537bfa354dd7b2d53ab4b2d668b4490ccb6a78b52f0bf6f7c98ebe6ff93e1efd67fb16a489599d101cfed1
SSDEEP: 12288:n8HgYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:n8gYJ07kE0KoFtw2gu9RxrBIUbPLwH9n
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) under HKLM\Software\Microsoft\Windows\CurrentVersion is a list of CLSIDs that explorer.exe instantiates as in-process COM objects when the shell starts, so a DLL registered there runs inside Explorer at every logon without a Run key or a service. The dropped executables create the key and register a value named "Web Event Logger" whose data is the CLSID {79ECA078-17FF-726B-E811-213280E5C831}; the DLL behind that CLSID is registered in the "Modifies registry class" section of this report. Note the WOW6432Node path: the sample is a 32-bit process, so its writes to HKLM\Software land in the 32-bit registry view. A 64-bit explorer.exe reads the native key, so on this x64 image the entry is a clear statement of intent but is not necessarily the view Explorer loads from; when triaging a live host, check both views.

Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by (34 processes): Ahpmjejp.exe, Kpcjgnhb.exe, Qmhlgmmm.exe, Eehicoel.exe, Lpepbgbd.exe, Albpkc32.exe, Hiipmhmk.exe, Jlgepanl.exe, Lnldla32.exe, Kgflcifg.exe, Ilphdlqh.exe, Jphkkpbp.exe, Dqpfmlce.exe, Hnnljj32.exe, Ieojgc32.exe, Lhcali32.exe, Aojefobm.exe, Dpkmal32.exe, Impliekg.exe, Aogiap32.exe, Onapdl32.exe, Fooclapd.exe, Kbhmbdle.exe, Aknifq32.exe, Bepmoh32.exe, Hoclopne.exe, Haaaaeim.exe, Bkobmnka.exe, Klhnfo32.exe, Pefabkej.exe, Gemkelcd.exe, Hplbickp.exe, Laiipofp.exe, Pkegpb32.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
  by (30 processes): Anobgl32.exe, Apodoq32.exe, Hpchib32.exe, Dnbakghm.exe, Bknlbhhe.exe, Bnlhncgi.exe, Boldhf32.exe, Lindkm32.exe, Bkkhbb32.exe, Njjdho32.exe, Hbnaeh32.exe, Cgklmacf.exe, Lmdnbn32.exe, Enfckp32.exe, Adikdfna.exe, Nagiji32.exe, Aogiap32.exe, Bkobmnka.exe, Jebfng32.exe, Jllokajf.exe, Hfjdqmng.exe, Qaqegecm.exe, Boeebnhp.exe, Hnibokbd.exe, Ifomll32.exe, Iidphgcn.exe, Fpkibf32.exe, Bpcgpihi.exe, Pfandnla.exe, Ibegfglj.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan that can download and install additional malicious software such as other Trojans, ransomware and cryptominers. The yara rule family_berbew matched the following 64 files, all dropped into C:\Windows\SysWOW64\:

Pefabkej.exe, Phdnngdn.exe, Pdkoch32.exe, Phfjcf32.exe, Plbfdekd.exe, Pkegpb32.exe, Pldcjeia.exe, Qmepam32.exe, Qoelkp32.exe, Qdbdcg32.exe, Bffcpg32.exe, Ahpmjejp.exe, Addaif32.exe, Aeaanjkl.exe, Aafemk32.exe, Aogiap32.exe, Qklmpalf.exe, Qlimed32.exe, Qachgk32.exe, Qmhlgmmm.exe, Qkipkani.exe, Qhkdof32.exe, Qdphngfl.exe, Qemhbj32.exe, Qaalblgi.exe, Pkgcea32.exe, Phigif32.exe, Pdmkhgho.exe, Pejkmk32.exe, Paoollik.exe, Pmcclm32.exe, Palbgl32.exe, Pkbjjbda.exe, Efjbcakl.exe, Gmojkj32.exe, Holfoqcm.exe, Hmpcbhji.exe, Iebngial.exe, Ickglm32.exe, Impliekg.exe, Jiglnf32.exe, Kgflcifg.exe, Kpcjgnhb.exe, Lgpoihnl.exe, Lopmii32.exe, Lobjni32.exe, Moipoh32.exe, Mjcngpjh.exe, Nnafno32.exe, Ngjkfd32.exe, Ncchae32.exe, Oaifpi32.exe, Oghghb32.exe, Ocaebc32.exe, Pjbcplpe.exe, Phfcipoo.exe, Pjdpelnc.exe, Qdaniq32.exe, Baannc32.exe, Bnoddcef.exe, Cnaaib32.exe, Cglbhhga.exe, Chkobkod.exe, Dgeenfog.exe
Executes dropped EXE (64 IoCs)
pid and process, in the order the sandbox recorded them:

2196 Pefabkej.exe   5044 Phdnngdn.exe   4440 Pkbjjbda.exe   3564 Palbgl32.exe
4796 Pdkoch32.exe   3936 Phfjcf32.exe   4968 Plbfdekd.exe   3616 Pkegpb32.exe
4580 Pmcclm32.exe   2352 Paoollik.exe   3600 Pejkmk32.exe   1584 Pdmkhgho.exe
3860 Phigif32.exe   2320 Pldcjeia.exe   4288 Pkgcea32.exe   3864 Qmepam32.exe
 540 Qaalblgi.exe   1912 Qemhbj32.exe    752 Qdphngfl.exe   1996 Qhkdof32.exe
1528 Qkipkani.exe   1536 Qoelkp32.exe   1032 Qmhlgmmm.exe    208 Qachgk32.exe
4508 Qdbdcg32.exe   2948 Qlimed32.exe   4032 Qklmpalf.exe   1084 Aogiap32.exe
1212 Aafemk32.exe   4420 Aeaanjkl.exe   3780 Addaif32.exe   4316 Ahpmjejp.exe
4984 Aknifq32.exe   1792 Aojefobm.exe    544 Anmfbl32.exe   1352 Aahbbkaq.exe
5036 Aednci32.exe   4044 Adfnofpd.exe   4428 Ahbjoe32.exe   3832 Akqfkp32.exe
3256 Aolblopj.exe   4408 Anobgl32.exe   3164 Aajohjon.exe   1644 Adikdfna.exe
1764 Ahdged32.exe   3252 Alpbecod.exe   2976 Aonoao32.exe   2496 Anaomkdb.exe
1252 Aamknj32.exe   4660 Aehgnied.exe   2680 Ahgcjddh.exe   1888 Albpkc32.exe
 728 Akepfpcl.exe   1296 Anclbkbp.exe    452 Aekddhcb.exe    228 Adndoe32.exe
5140 Ahippdbe.exe   5172 Alelqb32.exe   5208 Bochmn32.exe   5248 Bnfihkqm.exe
5284 Baadiiif.exe   5320 Bemqih32.exe   5352 Bhkmec32.exe   5392 Blgifbil.exe
Drops file in System32 directory (64 IoCs)
Every path is under C:\Windows\SysWOW64, the System32 view a 32-bit process writes to (either directly, or through WOW64 file-system redirection when it opens C:\Windows\System32). Each process drops the next executable in the chain, and several also drop a .dll with a name of the same shape; where the report shows both sides, the dropped DLL is the one the same process then registers as the CLSID's InProcServer32 (Ahbjoe32.exe creates Ieoacg32.dll here and registers it under "Modifies registry class").

action                        file                              process
File created                  C:\Windows\SysWOW64\Gehbjm32.exe  Fbjena32.exe
File created                  C:\Windows\SysWOW64\Ogjdmbil.exe  Opclldhj.exe
File opened for modification  C:\Windows\SysWOW64\Ehndnh32.exe  Eqgmmk32.exe
File created                  C:\Windows\SysWOW64\Nflnbh32.dll  Ckbemgcp.exe
File created                  C:\Windows\SysWOW64\Pdkoch32.exe  Palbgl32.exe
File created                  C:\Windows\SysWOW64\Dndnpf32.exe  Doaneiop.exe
File created                  C:\Windows\SysWOW64\Lfipab32.dll  Emjgim32.exe
File opened for modification  C:\Windows\SysWOW64\Modgdicm.exe  Mmfkhmdi.exe
File created                  C:\Windows\SysWOW64\Mnhdgpii.exe  Mjlhgaqp.exe
File created                  C:\Windows\SysWOW64\Eoaedogc.dll  Pmcclm32.exe
File opened for modification  C:\Windows\SysWOW64\Dnmaea32.exe  Dkndie32.exe
File created                  C:\Windows\SysWOW64\Adfnofpd.exe  Aednci32.exe
File opened for modification  C:\Windows\SysWOW64\Dndnpf32.exe  Doaneiop.exe
File created                  C:\Windows\SysWOW64\Haaaaeim.exe  Hbnaeh32.exe
File created                  C:\Windows\SysWOW64\Oflmnh32.exe  Obnehj32.exe
File created                  C:\Windows\SysWOW64\Kqkplq32.dll  Pcpnhl32.exe
File opened for modification  C:\Windows\SysWOW64\Aalmimfd.exe  Abjmkf32.exe
File created                  C:\Windows\SysWOW64\Obgbikfp.dll  Bdgged32.exe
File created                  C:\Windows\SysWOW64\Qjfmkk32.exe  Qhhpop32.exe
File created                  C:\Windows\SysWOW64\Oblknjim.dll  Cgqlcg32.exe
File created                  C:\Windows\SysWOW64\Hpceplkl.dll  Haaaaeim.exe
File opened for modification  C:\Windows\SysWOW64\Piocecgj.exe  Pbekii32.exe
File created                  C:\Windows\SysWOW64\Obnehj32.exe  Oifppdpd.exe
File created                  C:\Windows\SysWOW64\Emmdom32.exe  Eiahnnph.exe
File created                  C:\Windows\SysWOW64\Geaepk32.exe  Gbchdp32.exe
File opened for modification  C:\Windows\SysWOW64\Khbiello.exe  Jpgdai32.exe
File created                  C:\Windows\SysWOW64\Cknmplfo.dll  Ocgkan32.exe
File created                  C:\Windows\SysWOW64\Mfqlfb32.exe  Mcbpjg32.exe
File opened for modification  C:\Windows\SysWOW64\Bdmmeo32.exe  Apaadpng.exe
File opened for modification  C:\Windows\SysWOW64\Ofhknodl.exe  Ocjoadei.exe
File opened for modification  C:\Windows\SysWOW64\Caageq32.exe  Cnfkdb32.exe
File created                  C:\Windows\SysWOW64\Elekoe32.dll  Bdlfjh32.exe
File created                  C:\Windows\SysWOW64\Ejoaandc.dll  Adndoe32.exe
File created                  C:\Windows\SysWOW64\Ekkkoj32.exe  Eiloco32.exe
File created                  C:\Windows\SysWOW64\Lmdnbn32.exe  Ljeafb32.exe
File created                  C:\Windows\SysWOW64\Bohbhmfm.exe  Blielbfi.exe
File opened for modification  C:\Windows\SysWOW64\Mnhdgpii.exe  Mjlhgaqp.exe
File created                  C:\Windows\SysWOW64\Kofmfi32.dll  Offnhpfo.exe
File created                  C:\Windows\SysWOW64\Edionhpn.exe  Eqncnj32.exe
File created                  C:\Windows\SysWOW64\Lfklem32.dll  Ahgcjddh.exe
File opened for modification  C:\Windows\SysWOW64\Fmcjpl32.exe  Efjbcakl.exe
File created                  C:\Windows\SysWOW64\Fenhjedb.dll  Hipmfjee.exe
File created                  C:\Windows\SysWOW64\Mbkkam32.dll  Cdpcal32.exe
File created                  C:\Windows\SysWOW64\Dgcihgaj.exe  Dhphmj32.exe
File created                  C:\Windows\SysWOW64\Pkbjjbda.exe  Phdnngdn.exe
File created                  C:\Windows\SysWOW64\Paoollik.exe  Pmcclm32.exe
File opened for modification  C:\Windows\SysWOW64\Efblbbqd.exe  Enkdaepb.exe
File created                  C:\Windows\SysWOW64\Gnqfcbnj.exe  Gmojkj32.exe
File created                  C:\Windows\SysWOW64\Dnkdmlfj.dll  Adfgdpmi.exe
File opened for modification  C:\Windows\SysWOW64\Bgbpaipl.exe  Bddcenpi.exe
File created                  C:\Windows\SysWOW64\Clmmco32.dll  Ihmfco32.exe
File created                  C:\Windows\SysWOW64\Dccfme32.dll  Ckidcpjl.exe
File created                  C:\Windows\SysWOW64\Anclbkbp.exe  Akepfpcl.exe
File created                  C:\Windows\SysWOW64\Ahoemi32.dll  Fijkdmhn.exe
File opened for modification  C:\Windows\SysWOW64\Gejopl32.exe  Gfhndpol.exe
File opened for modification  C:\Windows\SysWOW64\Illfdc32.exe  Iebngial.exe
File opened for modification  C:\Windows\SysWOW64\Mfchlbfd.exe  Moipoh32.exe
File created                  C:\Windows\SysWOW64\Ieoacg32.dll  Ahbjoe32.exe
File created                  C:\Windows\SysWOW64\Npdpachh.dll  Dfnbgc32.exe
File created                  C:\Windows\SysWOW64\Ndikch32.dll  Baegibae.exe
File created                  C:\Windows\SysWOW64\Kbhmbdle.exe  Khbiello.exe
File created                  C:\Windows\SysWOW64\Gddedlaq.dll  Kjlopc32.exe
File opened for modification  C:\Windows\SysWOW64\Qaqegecm.exe  Qmeigg32.exe
File created                  C:\Windows\SysWOW64\Boldhf32.exe  Bgelgi32.exe
Program crash (1 IoC)
WerFault.exe (pid 14352) handled a crash of Diqnjl32.exe (pid 13396).
Modifies registry class (64 IoCs)
This is the other half of the SSODL persistence: the CLSID {79ECA078-17FF-726B-E811-213280E5C831} is registered as an in-process COM server under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID. The InProcServer32 default value names the DLL a COM client loads for that CLSID and ThreadingModel is set to "Apartment". The key has a single default value, so each later process in the chain overwrites the path written by the one before it; the 20 DLL paths below are the same persistence slot being re-pointed at a freshly dropped DLL, and only the last-written path is in effect at any moment. Paths are shown unescaped (the sandbox renders each backslash doubled).

Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
  by (30 processes): Gmojkj32.exe, Kflide32.exe, Amjbbfgo.exe, Eokqkh32.exe, Jnlkedai.exe, Ppjbmc32.exe, Obnehj32.exe, Aafemk32.exe, Bdgged32.exe, Ekaapi32.exe, Mgeakekd.exe, Eoepebho.exe, Eomffaag.exe, Emmdom32.exe, Gkaclqkk.exe, Boeebnhp.exe, Ckbemgcp.exe, Ahaceo32.exe, Kncaec32.exe, Mfchlbfd.exe, Aaldccip.exe, Bddcenpi.exe, Dgcihgaj.exe, Edgbii32.exe, Bdagpnbk.exe, Fgjhpcmo.exe, Cogddd32.exe, Cfpffeaj.exe, Doccpcja.exe, Mjpjgj32.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
  by (14 processes): Gpolbo32.exe, Knenkbio.exe, Ebdcld32.exe, Pbekii32.exe, Mqfpckhm.exe, Dndnpf32.exe, Bklomh32.exe, Anmfbl32.exe, Dbbffdlq.exe, Akdilipp.exe, Gnepna32.exe, Moipoh32.exe, Qmhlgmmm.exe, Dkahilkl.exe

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (default) = DLL path
  value                             process
  C:\Windows\SysWow64\Ibcbfe32.dll  Jphkkpbp.exe
  C:\Windows\SysWow64\Cgmbbe32.dll  Ibjqaf32.exe
  C:\Windows\SysWow64\Qmfqknfm.dll  Ljeafb32.exe
  C:\Windows\SysWow64\Pdbeojmh.dll  Mnjqmpgg.exe
  C:\Windows\SysWow64\Iophfi32.dll  Glkmmefl.exe
  C:\Windows\SysWow64\Mmebednk.dll  Aagdnn32.exe
  C:\Windows\SysWow64\Cohddjgl.dll  Ppikbm32.exe
  C:\Windows\SysWow64\Ggpdhj32.dll  Gbchdp32.exe
  C:\Windows\SysWow64\Jnfpnk32.dll  Phajna32.exe
  C:\Windows\SysWow64\Ogmeemdg.dll  Ooibkpmi.exe
  C:\Windows\SysWow64\Bcghdkpf.dll  Impliekg.exe
  C:\Windows\SysWow64\Kpjccmbf.dll  Enhpao32.exe
  C:\Windows\SysWow64\Qkhnbpne.dll  Agimkk32.exe
  C:\Windows\SysWow64\Oipgkfab.dll  Mjidgkog.exe
  C:\Windows\SysWow64\Ieoacg32.dll  Ahbjoe32.exe
  C:\Windows\SysWow64\Ghpkld32.dll  Abfdpfaj.exe
  C:\Windows\SysWow64\Anlkecaj.dll  Pjjfdfbb.exe
  C:\Windows\SysWow64\Dhlbgmif.dll  Pjoppf32.exe
  C:\Windows\SysWow64\Ofpnmakg.dll  Eblimcdf.exe
  C:\Windows\SysWow64\Gmefoohh.dll  Gokbgpeg.exe
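The "Adds autorun key" and "Modifies registry class" signatures describe one persistence chain in two halves: an SSODL value whose data is a CLSID, and that CLSID's InProcServer32 default value naming a DLL. The script below is an added example, not part of this report or of the Berbew sample. It parses registry event lines in the report's own "<action> <key> = "<data>" <process>" layout, joins the two halves per CLSID, and reports what a responder wants to know: which value names and DLLs are attached, how many distinct processes wrote the registration, and whether only the WOW6432Node view was touched. SAMPLE_EVENTS is constructed here from values that appear in this report; the explorer_is_64bit flag is an assumption about the host (true for the x64 image used in this run), not something the report states.

```python
"""Correlate ShellServiceObjectDelayLoad (SSODL) autorun values with the CLSID
InProcServer32 DLLs behind them, from sandbox-style registry event lines.

Added example; the event lines in SAMPLE_EVENTS are constructed from values
shown in the report above and are not pulled from the sandbox programmatically.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r'^(?P<action>Key created|Set value \(str\)) '
    r'(?P<key>\\REGISTRY\\.+?)'          # key path; may contain spaces
    r'(?: = "(?P<data>[^"]*)")?'          # optional value data
    r' (?P<proc>\S+)$'                    # process that performed the write
)
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32', re.I)
SSODL = '\\shellserviceobjectdelayload\\'

# Constructed sample: five of the report's registry events, verbatim in form.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpmjejp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anobgl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcbfe32.dll" Jphkkpbp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpolbo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoacg32.dll" Ahbjoe32.exe
'''


def parse_events(text):
    """Parse report-style registry event lines into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def new_entry():
    return {'autorun_names': set(), 'autorun_set_by': set(),
            'inproc_dlls': set(), 'inproc_set_by': set(), 'views': set()}


def correlate(rows):
    """Group events by CLSID: SSODL value names pointing at it, the DLLs its
    InProcServer32 default value was set to, and the processes that wrote each."""
    by_clsid = defaultdict(new_entry)
    for r in rows:
        key = r['key']
        view = 'WOW6432Node' if '\\wow6432node\\' in key.lower() else 'native'
        # SSODL value: "...\ShellServiceObjectDelayLoad\<name>" = "{CLSID}"
        if SSODL in key.lower() and r['data']:
            e = by_clsid[r['data'].upper()]
            e['autorun_names'].add(key.rsplit('\\', 1)[1])
            e['autorun_set_by'].add(r['proc'])
            e['views'].add(view)
            continue
        # CLSID InProcServer32 default value (the key path ends in a backslash)
        m = CLSID_RE.search(key)
        if m and key.endswith('\\InProcServer32\\') and r['data'] is not None:
            e = by_clsid[m[1].upper()]
            e['inproc_dlls'].add(r['data'].replace('\\\\', '\\'))  # undo the report's escaping
            e['inproc_set_by'].add(r['proc'])
            e['views'].add(view)
    return by_clsid


def findings(by_clsid, explorer_is_64bit=True):
    """One finding per CLSID that is wired into SSODL, with the reasons a responder cares about."""
    out = []
    for clsid, e in by_clsid.items():
        if not e['autorun_names']:
            continue
        writers = e['autorun_set_by'] | e['inproc_set_by']
        reasons = []
        if len(writers) > 1:
            reasons.append(f'registration written by {len(writers)} distinct processes')
        if len(e['inproc_dlls']) > 1:
            reasons.append(f'InProcServer32 rewritten to {len(e["inproc_dlls"])} different DLLs')
        if explorer_is_64bit and e['views'] == {'WOW6432Node'}:
            reasons.append('only the WOW6432Node view was written; 64-bit explorer.exe '
                           'reads the native key, so the entry may never load')
        out.append({'clsid': clsid, 'names': sorted(e['autorun_names']),
                    'dlls': sorted(e['inproc_dlls']), 'writers': sorted(writers),
                    'reasons': reasons})
    return out


if __name__ == '__main__':
    for f in findings(correlate(parse_events(SAMPLE_EVENTS))):
        print(f['clsid'], f['names'], f['dlls'])
        for reason in f['reasons']:
            print('  -', reason)
```

On a live host the same join is done against the registry itself: read both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and its WOW6432Node twin, resolve each CLSID's InProcServer32 under HKLM\SOFTWARE\Classes\CLSID and HKLM\SOFTWARE\Classes\WOW6432Node\CLSID, and treat any DLL outside the expected set, or one whose path changed recently, as a lead.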
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe, Pefabkej.exe, Phdnngdn.exe, Pkbjjbda.exe, Palbgl32.exe, Pdkoch32.exe, Phfjcf32.exe, Plbfdekd.exe, Pkegpb32.exe, Pmcclm32.exe, Paoollik.exe, Pejkmk32.exe, Pdmkhgho.exe, Phigif32.exe, Pldcjeia.exe, Pkgcea32.exe, Qmepam32.exe, Qaalblgi.exe, Qemhbj32.exe, Qdphngfl.exe, Qhkdof32.exe, Qkipkani.exe
description pid process target process
PID 2696 wrote to memory of 2196 2696 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe Pefabkej.exe
PID 2696 wrote to memory of 2196 2696 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe Pefabkej.exe
PID 2696 wrote to memory of 2196 2696 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe Pefabkej.exe
PID 2196 wrote to memory of 5044 2196 Pefabkej.exe Phdnngdn.exe
PID 2196 wrote to memory of 5044 2196 Pefabkej.exe Phdnngdn.exe
PID 2196 wrote to memory of 5044 2196 Pefabkej.exe Phdnngdn.exe
PID 5044 wrote to memory of 4440 5044 Phdnngdn.exe Pkbjjbda.exe
PID 5044 wrote to memory of 4440 5044 Phdnngdn.exe Pkbjjbda.exe
PID 5044 wrote to memory of 4440 5044 Phdnngdn.exe Pkbjjbda.exe
PID 4440 wrote to memory of 3564 4440 Pkbjjbda.exe Palbgl32.exe
PID 4440 wrote to memory of 3564 4440 Pkbjjbda.exe Palbgl32.exe
PID 4440 wrote to memory of 3564 4440 Pkbjjbda.exe Palbgl32.exe
PID 3564 wrote to memory of 4796 3564 Palbgl32.exe Pdkoch32.exe
PID 3564 wrote to memory of 4796 3564 Palbgl32.exe Pdkoch32.exe
PID 3564 wrote to memory of 4796 3564 Palbgl32.exe Pdkoch32.exe
PID 4796 wrote to memory of 3936 4796 Pdkoch32.exe Phfjcf32.exe
PID 4796 wrote to memory of 3936 4796 Pdkoch32.exe Phfjcf32.exe
PID 4796 wrote to memory of 3936 4796 Pdkoch32.exe Phfjcf32.exe
PID 3936 wrote to memory of 4968 3936 Phfjcf32.exe Plbfdekd.exe
PID 3936 wrote to memory of 4968 3936 Phfjcf32.exe Plbfdekd.exe
PID 3936 wrote to memory of 4968 3936 Phfjcf32.exe Plbfdekd.exe
PID 4968 wrote to memory of 3616 4968 Plbfdekd.exe Pkegpb32.exe
PID 4968 wrote to memory of 3616 4968 Plbfdekd.exe Pkegpb32.exe
PID 4968 wrote to memory of 3616 4968 Plbfdekd.exe Pkegpb32.exe
PID 3616 wrote to memory of 4580 3616 Pkegpb32.exe Pmcclm32.exe
PID 3616 wrote to memory of 4580 3616 Pkegpb32.exe Pmcclm32.exe
PID 3616 wrote to memory of 4580 3616 Pkegpb32.exe Pmcclm32.exe
PID 4580 wrote to memory of 2352 4580 Pmcclm32.exe Paoollik.exe
PID 4580 wrote to memory of 2352 4580 Pmcclm32.exe Paoollik.exe
PID 4580 wrote to memory of 2352 4580 Pmcclm32.exe Paoollik.exe
PID 2352 wrote to memory of 3600 2352 Paoollik.exe Pejkmk32.exe
PID 2352 wrote to memory of 3600 2352 Paoollik.exe Pejkmk32.exe
PID 2352 wrote to memory of 3600 2352 Paoollik.exe Pejkmk32.exe
PID 3600 wrote to memory of 1584 3600 Pejkmk32.exe Pdmkhgho.exe
PID 3600 wrote to memory of 1584 3600 Pejkmk32.exe Pdmkhgho.exe
PID 3600 wrote to memory of 1584 3600 Pejkmk32.exe Pdmkhgho.exe
PID 1584 wrote to memory of 3860 1584 Pdmkhgho.exe Phigif32.exe
PID 1584 wrote to memory of 3860 1584 Pdmkhgho.exe Phigif32.exe
PID 1584 wrote to memory of 3860 1584 Pdmkhgho.exe Phigif32.exe
PID 3860 wrote to memory of 2320 3860 Phigif32.exe Pldcjeia.exe
PID 3860 wrote to memory of 2320 3860 Phigif32.exe Pldcjeia.exe
PID 3860 wrote to memory of 2320 3860 Phigif32.exe Pldcjeia.exe
PID 2320 wrote to memory of 4288 2320 Pldcjeia.exe Pkgcea32.exe
PID 2320 wrote to memory of 4288 2320 Pldcjeia.exe Pkgcea32.exe
PID 2320 wrote to memory of 4288 2320 Pldcjeia.exe Pkgcea32.exe
PID 4288 wrote to memory of 3864 4288 Pkgcea32.exe Qmepam32.exe
PID 4288 wrote to memory of 3864 4288 Pkgcea32.exe Qmepam32.exe
PID 4288 wrote to memory of 3864 4288 Pkgcea32.exe Qmepam32.exe
PID 3864 wrote to memory of 540 3864 Qmepam32.exe Qaalblgi.exe
PID 3864 wrote to memory of 540 3864 Qmepam32.exe Qaalblgi.exe
PID 3864 wrote to memory of 540 3864 Qmepam32.exe Qaalblgi.exe
PID 540 wrote to memory of 1912 540 Qaalblgi.exe Qemhbj32.exe
PID 540 wrote to memory of 1912 540 Qaalblgi.exe Qemhbj32.exe
PID 540 wrote to memory of 1912 540 Qaalblgi.exe Qemhbj32.exe
PID 1912 wrote to memory of 752 1912 Qemhbj32.exe Qdphngfl.exe
PID 1912 wrote to memory of 752 1912 Qemhbj32.exe Qdphngfl.exe
PID 1912 wrote to memory of 752 1912 Qemhbj32.exe Qdphngfl.exe
PID 752 wrote to memory of 1996 752 Qdphngfl.exe Qhkdof32.exe
PID 752 wrote to memory of 1996 752 Qdphngfl.exe Qhkdof32.exe
PID 752 wrote to memory of 1996 752 Qdphngfl.exe Qhkdof32.exe
PID 1996 wrote to memory of 1528 1996 Qhkdof32.exe Qkipkani.exe
PID 1996 wrote to memory of 1528 1996 Qhkdof32.exe Qkipkani.exe
PID 1996 wrote to memory of 1528 1996 Qhkdof32.exe Qkipkani.exe
PID 1528 wrote to memory of 1536 1528 Qkipkani.exe Qoelkp32.exe
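The WriteProcessMemory table is the full execution lineage in disguise: every row is a parent PID writing into a child it has just created, the report records three writes per parent/child pair, and collapsing those into one edge leaves a single linear chain that starts at the submitted sample and hands off through Pefabkej.exe, Phdnngdn.exe and so on, one freshly dropped SysWOW64 binary per generation. The Python below is an added example, not part of the sandbox report; it parses rows in this exact format, deduplicates the repeated writes into weighted edges, rebuilds the tree and checks that it really is one unbranched chain. The sample input is a subset of the rows above (the first four parent/child pairs); feeding it the whole table gives the same structure at full length.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the WriteProcessMemory table above (first four
# parent/child pairs, each recorded three times as in the report).
SAMPLE_ROWS = """
PID 2696 wrote to memory of 2196 2696 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe Pefabkej.exe
PID 2696 wrote to memory of 2196 2696 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe Pefabkej.exe
PID 2696 wrote to memory of 2196 2696 12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe Pefabkej.exe
PID 2196 wrote to memory of 5044 2196 Pefabkej.exe Phdnngdn.exe
PID 2196 wrote to memory of 5044 2196 Pefabkej.exe Phdnngdn.exe
PID 2196 wrote to memory of 5044 2196 Pefabkej.exe Phdnngdn.exe
PID 5044 wrote to memory of 4440 5044 Phdnngdn.exe Pkbjjbda.exe
PID 5044 wrote to memory of 4440 5044 Phdnngdn.exe Pkbjjbda.exe
PID 5044 wrote to memory of 4440 5044 Phdnngdn.exe Pkbjjbda.exe
PID 4440 wrote to memory of 3564 4440 Pkbjjbda.exe Palbgl32.exe
PID 4440 wrote to memory of 3564 4440 Pkbjjbda.exe Palbgl32.exe
PID 4440 wrote to memory of 3564 4440 Pkbjjbda.exe Palbgl32.exe
"""

# Columns of the report table: description, pid, process, target process.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<proc>\S+) (?P<target>\S+)$"
)


def parse_rows(text):
    """Collapse repeated writes: (src_pid, src_name, dst_pid, dst_name) -> count."""
    edges = Counter()
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        if m["src"] != m["pid"]:
            continue  # description and pid column disagree: do not trust the row
        edges[(int(m["src"]), m["proc"], int(m["dst"]), m["target"])] += 1
    return edges


def build_tree(edges):
    """Adjacency list, PID -> name map, and the roots (PIDs nobody wrote into)."""
    children = defaultdict(list)
    names = {}
    for (src, sname, dst, dname), n in edges.items():
        names.setdefault(src, sname)
        names.setdefault(dst, dname)
        children[src].append((dst, n))
    written_to = {dst for (_, _, dst, _) in edges}
    roots = sorted(p for p in names if p not in written_to)
    return roots, children, names


def lineage(edges):
    """Preorder walk as (depth, pid, name, writes_from_parent) tuples."""
    roots, children, names = build_tree(edges)
    out = []

    def visit(pid, depth, writes, seen):
        if pid in seen:  # a cyclic or garbled table must not recurse forever
            return
        out.append((depth, pid, names[pid], writes))
        for child, n in sorted(children.get(pid, ())):
            visit(child, depth + 1, n, seen | {pid})

    for root in roots:
        visit(root, 0, 0, frozenset())
    return out


def is_linear_chain(edges):
    """True when there is one root and every parent spawned exactly one child."""
    roots, children, _ = build_tree(edges)
    return len(roots) == 1 and all(len(c) == 1 for c in children.values())


def chain_depth(edges):
    return max((d for d, *_ in lineage(edges)), default=0)


def render(edges):
    lines = []
    for depth, pid, name, writes in lineage(edges):
        suffix = f"  <- {writes} writes from parent" if writes else ""
        lines.append(f"{'  ' * depth}{name} (PID {pid}){suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print(render(edges))
    print("linear chain:", is_linear_chain(edges), "depth:", chain_depth(edges))
```

Run over all 64 rows of the table, `lineage()` yields 23 processes in a straight line (depth 22) ending at Qoelkp32.exe, which matches the nesting markers in the Processes listing below. A chain of that shape, in which no binary ever spawns a second child and each generation is a different, newly written executable in SysWOW64, is the behaviour a process-lineage detection would key on rather than any single file name.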
Processes
-
C:\Users\Admin\AppData\Local\Temp\12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\12e64a027738e20798c8eb243caee880_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe23⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe25⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe26⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe27⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe28⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe31⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe32⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe37⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5036 -
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe39⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4428 -
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe41⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe42⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe44⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe46⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe47⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe48⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe49⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe50⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe51⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:728 -
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe55⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe56⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:228 -
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe58⤵
- Executes dropped EXE
PID:5140 -
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe59⤵
- Executes dropped EXE
PID:5172 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe60⤵
- Executes dropped EXE
PID:5208 -
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe61⤵
- Executes dropped EXE
PID:5248 -
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe62⤵
- Executes dropped EXE
PID:5284 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe63⤵
- Executes dropped EXE
PID:5320 -
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe64⤵
- Executes dropped EXE
PID:5352 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe65⤵
- Executes dropped EXE
PID:5392 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe66⤵PID:5428
-
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe68⤵PID:5496
-
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5536 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe70⤵PID:5572
-
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe71⤵PID:5608
-
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe72⤵
- Drops file in System32 directory
PID:5640 -
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe73⤵PID:5680
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe74⤵PID:5716
-
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe75⤵PID:5748
-
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe76⤵PID:5788
-
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe77⤵PID:5820
-
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe78⤵PID:5860
-
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe80⤵PID:5928
-
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe81⤵PID:5968
-
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe82⤵PID:6000
-
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:6040 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe84⤵PID:6076
-
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe85⤵PID:6108
-
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe86⤵PID:3448
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe87⤵PID:4112
-
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe88⤵PID:1348
-
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe89⤵PID:4416
-
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe90⤵
- Modifies registry class
PID:5336 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe91⤵PID:5648
-
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe92⤵
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe93⤵PID:5736
-
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe94⤵PID:5796
-
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe95⤵PID:5840
-
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe96⤵PID:3236
-
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe97⤵PID:2420
-
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe98⤵PID:5992
-
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6068 -
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe100⤵PID:6104
-
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe101⤵PID:6136
-
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe102⤵PID:1056
-
C:\Windows\SysWOW64\Dmcain32.exeC:\Windows\system32\Dmcain32.exe103⤵PID:1184
-
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe104⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe105⤵
- Modifies registry class
PID:4768 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe106⤵PID:1692
-
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe107⤵
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe108⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe109⤵
- Drops file in System32 directory
PID:5848 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe110⤵PID:5360
-
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe111⤵PID:1988
-
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe112⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe113⤵PID:5484
-
C:\Windows\SysWOW64\Emjgim32.exeC:\Windows\system32\Emjgim32.exe114⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe115⤵PID:4404
-
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe116⤵
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe117⤵PID:5556
-
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe118⤵
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe119⤵
- Modifies registry class
PID:4520 -
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe120⤵
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe121⤵PID:5688
-
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe123⤵PID:5380
-
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe124⤵
- Modifies registry class
PID:5988 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe125⤵PID:5504
-
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe126⤵
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Eejeiocj.exeC:\Windows\system32\Eejeiocj.exe127⤵PID:3000
-
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe128⤵PID:4204
-
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe129⤵PID:5192
-
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe130⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe131⤵PID:5924
-
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe132⤵PID:5492
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe133⤵PID:6020
-
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe134⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe135⤵PID:5292
-
C:\Windows\SysWOW64\Fpdcag32.exeC:\Windows\system32\Fpdcag32.exe136⤵PID:5984
-
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe137⤵PID:3224
-
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe138⤵PID:1340
-
C:\Windows\SysWOW64\Fmhdkknd.exeC:\Windows\system32\Fmhdkknd.exe139⤵PID:5592
-
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe140⤵PID:6128
-
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe141⤵PID:6156
-
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe142⤵PID:6208
-
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe143⤵PID:6260
-
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe144⤵PID:6304
-
C:\Windows\SysWOW64\Fnlmhc32.exeC:\Windows\system32\Fnlmhc32.exe145⤵PID:6340
-
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe146⤵PID:6384
-
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe147⤵PID:6428
-
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe148⤵PID:6472
-
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6520 -
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe150⤵
- Drops file in System32 directory
PID:6560 -
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe151⤵PID:6600
-
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe152⤵
- Drops file in System32 directory
- Modifies registry class
PID:6656 -
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe153⤵PID:6700
-
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe154⤵
- Drops file in System32 directory
PID:6740 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe155⤵PID:6772
-
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe156⤵PID:6820
-
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe157⤵PID:6872
-
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe158⤵PID:6940
-
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6980 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe160⤵PID:7028
-
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe161⤵PID:7064
-
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe162⤵
- Modifies registry class
PID:7104 -
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe163⤵PID:7148
-
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe164⤵PID:6188
-
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe165⤵PID:6292
-
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe166⤵
- Drops file in System32 directory
- Modifies registry class
PID:6352 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe167⤵PID:6412
-
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe168⤵PID:6516
-
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe169⤵
- Modifies registry class
PID:6568 -
C:\Windows\SysWOW64\Hipmfjee.exeC:\Windows\system32\Hipmfjee.exe170⤵
- Drops file in System32 directory
PID:6652 -
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe171⤵PID:6728
-
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe172⤵PID:6792
-
C:\Windows\SysWOW64\Hmmfmhll.exeC:\Windows\system32\Hmmfmhll.exe173⤵PID:6860
-
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6972 -
C:\Windows\SysWOW64\Hbjoeojc.exeC:\Windows\system32\Hbjoeojc.exe175⤵PID:7060
-
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe176⤵PID:7112
-
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe177⤵PID:6168
-
C:\Windows\SysWOW64\Hoaojp32.exeC:\Windows\system32\Hoaojp32.exe178⤵PID:6368
-
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe179⤵PID:6508
-
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe180⤵PID:6680
-
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe181⤵PID:6880
-
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6988 -
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7096 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6328 -
C:\Windows\SysWOW64\Hmdlmg32.exeC:\Windows\system32\Hmdlmg32.exe185⤵PID:6512
-
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6736 -
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe187⤵PID:6952
-
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe188⤵PID:6332
-
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe189⤵PID:6816
-
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe190⤵PID:7160
-
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe191⤵PID:7036
-
C:\Windows\SysWOW64\Iohejo32.exeC:\Windows\system32\Iohejo32.exe192⤵PID:7224
-
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7264 -
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe194⤵
- Drops file in System32 directory
PID:7312 -
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe195⤵PID:7348
-
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe196⤵PID:7392
-
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe197⤵PID:7444
-
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe198⤵PID:7480
-
C:\Windows\SysWOW64\Imkbnf32.exeC:\Windows\system32\Imkbnf32.exe199⤵PID:7520
-
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe200⤵PID:7564
-
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe201⤵PID:7624
-
C:\Windows\SysWOW64\Ibhkfm32.exeC:\Windows\system32\Ibhkfm32.exe202⤵PID:7680
-
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe203⤵PID:7732
-
C:\Windows\SysWOW64\Ilqoobdd.exeC:\Windows\system32\Ilqoobdd.exe204⤵PID:7780
-
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe205⤵PID:7820
-
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe206⤵PID:7864
-
C:\Windows\SysWOW64\Iidphgcn.exeC:\Windows\system32\Iidphgcn.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7904 -
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7952 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe209⤵PID:7992
-
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe210⤵PID:8040
-
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe211⤵PID:8076
-
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe212⤵PID:8124
-
C:\Windows\SysWOW64\Jocefm32.exeC:\Windows\system32\Jocefm32.exe213⤵PID:8168
-
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe214⤵PID:7196
-
C:\Windows\SysWOW64\Jenmcggo.exeC:\Windows\system32\Jenmcggo.exe215⤵PID:7308
-
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe216⤵PID:7376
-
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7428 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe218⤵PID:7504
-
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe219⤵PID:7560
-
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe220⤵PID:7704
-
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe221⤵PID:7800
-
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe222⤵PID:7892
-
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe223⤵PID:8000
-
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe224⤵PID:8112
-
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe225⤵PID:8176
-
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7272 -
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe227⤵PID:6152
-
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7556 -
C:\Windows\SysWOW64\Jphkkpbp.exeC:\Windows\system32\Jphkkpbp.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7716 -
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe230⤵PID:7888
-
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe231⤵PID:7212
-
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe232⤵
- Modifies registry class
PID:7332 -
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe233⤵PID:6780
-
C:\Windows\SysWOW64\Komhll32.exeC:\Windows\system32\Komhll32.exe234⤵PID:7828
-
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe235⤵PID:7232
-
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe236⤵PID:7488
-
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe237⤵PID:7980
-
C:\Windows\SysWOW64\Koodbl32.exeC:\Windows\system32\Koodbl32.exe238⤵PID:7292
-
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7400 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe240⤵PID:7664
-
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe241⤵PID:8216
-
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe242⤵PID:8256