Analysis
-
max time kernel
147s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 01:39
Behavioral task
behavioral1
Sample
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe
-
Size
367KB
-
MD5
1dcd98b09f1ee450bd4efb4fc75a5ba0
-
SHA1
7c9b0027fd1a9e5407bbb918ad00e68bf2df36ba
-
SHA256
bf778817e648f51f0e8314ea7eaf46f2213a99ffac001273a2a40e46079da4ff
-
SHA512
bf9ad4070cd132faa5854eb8c91d85c86be1668387d93328aea1afb62b7b68aeef9c265fe1bd95378f653990ea4aadacd936846ca99178ae2b1a404f2cf5af06
-
SSDEEP
6144:2ICLP61YFz9wXsZl8tnJfKXqPTX7D7FM6234lKm3mo8Yvi4KsLTFM6234lKm3cM9:2f61YFz9wXdtJCXqP77D7FB24lwR45Fb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mpoefk32.exeKefdbo32.exeEaindh32.exeAeddnp32.exeJgnqgqan.exeMiifeq32.exePfjcgn32.exeNhahaiec.exeOgekbb32.exeHglipp32.exeNlqomd32.exeIhphkl32.exeIcplcpgo.exeQddfkd32.exeMmbfpp32.exeNdfqbhia.exeLjhnlb32.exeNnafno32.exeHihbijhn.exeEifhdd32.exeJiokfpph.exeJljbeali.exeLjceqb32.exeDhnnep32.exeBcebhoii.exeManmoq32.exeLacdmh32.exeFjmkoeqi.exeEeelnp32.exeBdmpcdfm.exeEolhbc32.exeNohehq32.exeLeihbeib.exeBemlmgnp.exeCdkldb32.exeLhdqnj32.exeCnnlaehj.exeDpnbog32.exeFpimlfke.exeOcohmc32.exeDahode32.exeMedgncoe.exeDeanodkh.exeEolpmi32.exeFcniglmb.exeGingkqkd.exePlkpcfal.exeChghdqbf.exeDaaicfgd.exeFojedapj.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpoefk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefdbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aeddnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Miifeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogekbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglipp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlqomd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qddfkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndfqbhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljhnlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hihbijhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eifhdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiokfpph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljceqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcebhoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjmkoeqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmpcdfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolhbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohehq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leihbeib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemlmgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdkldb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdqnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpnbog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpimlfke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocohmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dahode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Medgncoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deanodkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolpmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcniglmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gingkqkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chghdqbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daaicfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fojedapj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Bopgjmhe.exe family_berbew C:\Windows\SysWOW64\Bdmpcdfm.exe family_berbew C:\Windows\SysWOW64\Bhikcb32.exe family_berbew C:\Windows\SysWOW64\Bjghpn32.exe family_berbew C:\Windows\SysWOW64\Bobcpmfc.exe family_berbew C:\Windows\SysWOW64\Baaplhef.exe family_berbew C:\Windows\SysWOW64\Bemlmgnp.exe family_berbew C:\Windows\SysWOW64\Boepel32.exe family_berbew C:\Windows\SysWOW64\Ceoibflm.exe family_berbew C:\Windows\SysWOW64\Chmeobkq.exe family_berbew C:\Windows\SysWOW64\Ceaehfjj.exe family_berbew C:\Windows\SysWOW64\Cdfbibnb.exe family_berbew C:\Windows\SysWOW64\Colffknh.exe family_berbew C:\Windows\SysWOW64\Cdiooblp.exe family_berbew C:\Windows\SysWOW64\Cefoce32.exe family_berbew C:\Windows\SysWOW64\Cbgbgj32.exe family_berbew C:\Windows\SysWOW64\Ckpjfm32.exe family_berbew C:\Windows\SysWOW64\Chbnia32.exe family_berbew C:\Windows\SysWOW64\Cecbmf32.exe family_berbew C:\Windows\SysWOW64\Cbefaj32.exe family_berbew C:\Windows\SysWOW64\Cojjqlpk.exe family_berbew C:\Windows\SysWOW64\Cknnpm32.exe family_berbew C:\Windows\SysWOW64\Chpada32.exe family_berbew C:\Windows\SysWOW64\Cddecc32.exe family_berbew C:\Windows\SysWOW64\Cbcilkjg.exe family_berbew C:\Windows\SysWOW64\Cogmkl32.exe family_berbew C:\Windows\SysWOW64\Cklaknjd.exe family_berbew C:\Windows\SysWOW64\Cdainc32.exe family_berbew C:\Windows\SysWOW64\Cbqlfkmi.exe family_berbew C:\Windows\SysWOW64\Bkidenlg.exe family_berbew C:\Windows\SysWOW64\Blfdia32.exe family_berbew C:\Windows\SysWOW64\Bdolhc32.exe family_berbew C:\Windows\SysWOW64\Gdcdbl32.exe family_berbew C:\Windows\SysWOW64\Gkaejf32.exe family_berbew C:\Windows\SysWOW64\Hbgmcnhf.exe family_berbew C:\Windows\SysWOW64\Ifgbnlmj.exe family_berbew C:\Windows\SysWOW64\Jcbihpel.exe family_berbew C:\Windows\SysWOW64\Jpppnp32.exe family_berbew C:\Windows\SysWOW64\Lpnlpnih.exe family_berbew C:\Windows\SysWOW64\Lljfpnjg.exe family_berbew C:\Windows\SysWOW64\Mmpijp32.exe family_berbew C:\Windows\SysWOW64\Npcoakfp.exe family_berbew C:\Windows\SysWOW64\Opakbi32.exe family_berbew C:\Windows\SysWOW64\Olmeci32.exe family_berbew C:\Windows\SysWOW64\Qffbbldm.exe family_berbew C:\Windows\SysWOW64\Aeniabfd.exe family_berbew C:\Windows\SysWOW64\Bnhjohkb.exe family_berbew C:\Windows\SysWOW64\Belebq32.exe family_berbew C:\Windows\SysWOW64\Chmndlge.exe family_berbew C:\Windows\SysWOW64\Chagok32.exe family_berbew C:\Windows\SysWOW64\Ddonekbl.exe family_berbew C:\Windows\SysWOW64\Dknpmdfc.exe family_berbew C:\Windows\SysWOW64\Edpgli32.exe family_berbew C:\Windows\SysWOW64\Feapkk32.exe family_berbew C:\Windows\SysWOW64\Fojedapj.exe family_berbew C:\Windows\SysWOW64\Fgeihcme.exe family_berbew C:\Windows\SysWOW64\Ghniielm.exe family_berbew C:\Windows\SysWOW64\Ghpendjj.exe family_berbew C:\Windows\SysWOW64\Hffcmh32.exe family_berbew C:\Windows\SysWOW64\Hhgloc32.exe family_berbew C:\Windows\SysWOW64\Hbdjchgn.exe family_berbew C:\Windows\SysWOW64\Ihqoeb32.exe family_berbew C:\Windows\SysWOW64\Jngjch32.exe family_berbew C:\Windows\SysWOW64\Jfpojead.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Bopgjmhe.exeBdmpcdfm.exeBhikcb32.exeBjghpn32.exeBobcpmfc.exeBaaplhef.exeBemlmgnp.exeBdolhc32.exeBlfdia32.exeBkidenlg.exeBoepel32.exeCbqlfkmi.exeCeoibflm.exeCdainc32.exeChmeobkq.exeCklaknjd.exeCogmkl32.exeCbcilkjg.exeCeaehfjj.exeCddecc32.exeChpada32.exeCknnpm32.exeCojjqlpk.exeCbefaj32.exeCecbmf32.exeCdfbibnb.exeChbnia32.exeCkpjfm32.exeColffknh.exeCbgbgj32.exeCefoce32.exeCdiooblp.exeChdkoa32.exeCkcgkldl.exeCamphf32.exeCehkhecb.exeCdkldb32.exeChghdqbf.exeCkedalaj.exeDoqpak32.exeDbllbibl.exeDaolnf32.exeDekhneap.exeDhidjpqc.exeDldpkoil.exeDkgqfl32.exeDocmgjhp.exeDboigi32.exeDaaicfgd.exeDdpeoafg.exeDhkapp32.exeDlgmpogj.exeDoeiljfn.exeDbaemi32.exeDadeieea.exeDdbbeade.exeDhnnep32.exeDlijfneg.exeDkljak32.exeDccbbhld.exeDafbne32.exeDeanodkh.exeDddojq32.exeDhpjkojk.exepid process 4136 Bopgjmhe.exe 4460 Bdmpcdfm.exe 3468 Bhikcb32.exe 3032 Bjghpn32.exe 392 Bobcpmfc.exe 2624 Baaplhef.exe 3368 Bemlmgnp.exe 4620 Bdolhc32.exe 2644 Blfdia32.exe 748 Bkidenlg.exe 2100 Boepel32.exe 4432 Cbqlfkmi.exe 3812 Ceoibflm.exe 1540 Cdainc32.exe 2952 Chmeobkq.exe 4284 Cklaknjd.exe 1980 Cogmkl32.exe 2740 Cbcilkjg.exe 3696 Ceaehfjj.exe 1396 Cddecc32.exe 2976 Chpada32.exe 2552 Cknnpm32.exe 1748 Cojjqlpk.exe 3048 Cbefaj32.exe 4188 Cecbmf32.exe 1160 Cdfbibnb.exe 4708 Chbnia32.exe 3872 Ckpjfm32.exe 3444 Colffknh.exe 3140 Cbgbgj32.exe 964 Cefoce32.exe 1388 Cdiooblp.exe 1180 Chdkoa32.exe 3992 Ckcgkldl.exe 3284 Camphf32.exe 1036 Cehkhecb.exe 468 Cdkldb32.exe 208 Chghdqbf.exe 5108 Ckedalaj.exe 3456 Doqpak32.exe 4396 Dbllbibl.exe 2308 Daolnf32.exe 2956 Dekhneap.exe 4484 Dhidjpqc.exe 4112 Dldpkoil.exe 1596 Dkgqfl32.exe 3640 Docmgjhp.exe 3340 Dboigi32.exe 4204 Daaicfgd.exe 3488 Ddpeoafg.exe 4324 Dhkapp32.exe 2448 Dlgmpogj.exe 1852 Doeiljfn.exe 1276 Dbaemi32.exe 4952 Dadeieea.exe 2428 Ddbbeade.exe 3668 Dhnnep32.exe 1628 Dlijfneg.exe 2596 Dkljak32.exe 2608 Dccbbhld.exe 3884 Dafbne32.exe 4856 Deanodkh.exe 4124 Dddojq32.exe 1212 Dhpjkojk.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pfjcgn32.exeHmbphg32.exeMjjkaabc.exeMmkdcm32.exeBdolhc32.exeKpcjgnhb.exeNdhmhh32.exeCalhnpgn.exeBnmcjg32.exeMajjng32.exeAkffafgg.exeKmdlffhj.exeBaicac32.exeBlhpqhlh.exeIojbpo32.exeKelalp32.exeJngjch32.exeFpimlfke.exeLoighj32.exePfolbmje.exeEjdocm32.exeAfmhck32.exeHocqam32.exeLiqihglg.exeBcahmb32.exeKjmfjj32.exeEolpmi32.exeBmemac32.exeCenahpha.exeHffcmh32.exeJfbkpd32.exeKbghfc32.exeNclbpf32.exeJidklf32.exeGoljqnpd.exeKlifnj32.exeLoeolc32.exeBmomlnjk.exeCklaknjd.exeDhlpqc32.exeIbcmom32.exeFgeihcme.exeLnjgfb32.exeMgbefe32.exeBgehcmmm.exeHfningai.exeJehhaaci.exeQeodhjmo.exeKdcbom32.exeBjcmebie.exeOlehhc32.exedescription ioc process File created C:\Windows\SysWOW64\Dbnamnpl.dll Pfjcgn32.exe File created C:\Windows\SysWOW64\Hbohpn32.exe Hmbphg32.exe File created C:\Windows\SysWOW64\Bjokon32.dll Mjjkaabc.exe File opened for modification C:\Windows\SysWOW64\Mcelpggq.exe Mmkdcm32.exe File created C:\Windows\SysWOW64\Eicplccq.dll Bdolhc32.exe File created C:\Windows\SysWOW64\Kcbfcigf.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Hejeak32.dll File opened for modification C:\Windows\SysWOW64\Affikdfn.exe File created C:\Windows\SysWOW64\Nckndeni.exe Ndhmhh32.exe File created C:\Windows\SysWOW64\Hfanhp32.dll Calhnpgn.exe File opened for modification C:\Windows\SysWOW64\Gicgpelg.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bnmcjg32.exe File created C:\Windows\SysWOW64\Aaldccip.exe File created C:\Windows\SysWOW64\Mhdckaeo.exe Majjng32.exe File opened for modification C:\Windows\SysWOW64\Afkknogn.exe Akffafgg.exe File opened for modification C:\Windows\SysWOW64\Kkeldnpi.exe Kmdlffhj.exe File opened for modification C:\Windows\SysWOW64\Aopemh32.exe File created C:\Windows\SysWOW64\Hmjbog32.dll File opened for modification C:\Windows\SysWOW64\Nfqnbjfi.exe File created C:\Windows\SysWOW64\Eknphfld.dll File created C:\Windows\SysWOW64\Akichh32.dll Baicac32.exe File opened for modification C:\Windows\SysWOW64\Bcahmb32.exe Blhpqhlh.exe File opened for modification C:\Windows\SysWOW64\Igajal32.exe Iojbpo32.exe File opened for modification C:\Windows\SysWOW64\Kgknhl32.exe Kelalp32.exe File created C:\Windows\SysWOW64\Mgdbei32.dll Jngjch32.exe File opened for modification C:\Windows\SysWOW64\Fefedmil.exe Fpimlfke.exe File opened for modification C:\Windows\SysWOW64\Lgpoihnl.exe Loighj32.exe File created C:\Windows\SysWOW64\Mhldbh32.exe File created C:\Windows\SysWOW64\Biiobo32.exe File opened for modification C:\Windows\SysWOW64\Pmidog32.exe Pfolbmje.exe File created C:\Windows\SysWOW64\Debbhd32.dll Ejdocm32.exe File created C:\Windows\SysWOW64\Echegpbb.dll Afmhck32.exe File opened for modification C:\Windows\SysWOW64\Hnfamjqg.exe Hocqam32.exe File created C:\Windows\SysWOW64\Jgamgpme.dll Liqihglg.exe File opened for modification C:\Windows\SysWOW64\Bfpdin32.exe Bcahmb32.exe File opened for modification C:\Windows\SysWOW64\Kqfngd32.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Gfpggnan.dll Eolpmi32.exe File opened for modification C:\Windows\SysWOW64\Belebq32.exe Bmemac32.exe File opened for modification C:\Windows\SysWOW64\Chmndlge.exe Cenahpha.exe File opened for modification C:\Windows\SysWOW64\Hghoeqmp.exe Hffcmh32.exe File opened for modification C:\Windows\SysWOW64\Jgdhgmep.exe Jfbkpd32.exe File created C:\Windows\SysWOW64\Akmmffmb.dll Kbghfc32.exe File opened for modification C:\Windows\SysWOW64\Nnafno32.exe Nclbpf32.exe File opened for modification C:\Windows\SysWOW64\Loacdc32.exe File opened for modification C:\Windows\SysWOW64\Jpnchp32.exe Jidklf32.exe File created C:\Windows\SysWOW64\Pmjggi32.dll Goljqnpd.exe File created C:\Windows\SysWOW64\Keakgpko.exe Klifnj32.exe File created C:\Windows\SysWOW64\Lflgmqhd.exe Loeolc32.exe File opened for modification C:\Windows\SysWOW64\Bjcmebie.exe Bmomlnjk.exe File opened for modification C:\Windows\SysWOW64\Aonhghjl.exe File opened for modification C:\Windows\SysWOW64\Cogmkl32.exe Cklaknjd.exe File opened for modification C:\Windows\SysWOW64\Djklmo32.exe Dhlpqc32.exe File created C:\Windows\SysWOW64\Jeaikh32.exe Ibcmom32.exe File opened for modification C:\Windows\SysWOW64\Fnobem32.exe Fgeihcme.exe File created C:\Windows\SysWOW64\Lokdnjkg.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Figfoijn.dll Mgbefe32.exe File created C:\Windows\SysWOW64\Hfggmg32.dll Bgehcmmm.exe File created C:\Windows\SysWOW64\Hhlejcpm.exe Hfningai.exe File opened for modification C:\Windows\SysWOW64\Jgfdmlcm.exe Jehhaaci.exe File created C:\Windows\SysWOW64\Qklmpalf.exe Qeodhjmo.exe File created C:\Windows\SysWOW64\Imllie32.dll Kdcbom32.exe File created C:\Windows\SysWOW64\Mbibfm32.exe File created C:\Windows\SysWOW64\Mhibfmcl.dll Bjcmebie.exe File opened for modification C:\Windows\SysWOW64\Ogklelna.exe Olehhc32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 14652 14568 -
Modifies registry class 64 IoCs
Processes:
Ahchda32.exeEiildjag.exeJjpode32.exeIciaqc32.exeKclgmq32.exeJgkmgk32.exeAclpap32.exeDfnjafap.exeMlkepaam.exeEplgeokq.exeJgfdmlcm.exeKgamnded.exeAjndioga.exeGigheh32.exeOnpjichj.exeAekddhcb.exeJgmjmjnb.exeNjjdho32.exeBdolhc32.exeIfefimom.exePcncpbmd.exeMqimikfj.exeNghekkmn.exeOhfami32.exeEfeihb32.exeHlcjhkdp.exeLqkgbcff.exeNnlhfn32.exeDknpmdfc.exeObcceg32.exeNmfcok32.exeCkpjfm32.exeHimldi32.exeNliaao32.exeIbffhhek.exeLnqeqd32.exeOjbacd32.exeGfeaopqo.exeKpjgaoqm.exeLqojclne.exeIicbehnq.exeQmmnjfnl.exeEkmhejao.exeBaaplhef.exePqmjog32.exeOjfcdnjc.exeColffknh.exeDdonekbl.exeCkilmcgb.exeFbjena32.exeKnqepc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahchda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiildjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blafme32.dll" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhohnk32.dll" Kclgmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" Aclpap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlkepaam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgfdmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajndioga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejoaandc.dll" Aekddhcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdolhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifefimom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcncpbmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnocia32.dll" Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjhee32.dll" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohfami32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgiklme.dll" Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiocibf.dll" Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaoan32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll" Nnlhfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dknpmdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccegpn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckpjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdphnlp.dll" Himldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibffhhek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foalam32.dll" Lnqeqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojbacd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpjgaoqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll" Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmgob32.dll" Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgempgqo.dll" Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll" Pqmjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Colffknh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddonekbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckilmcgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbjena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knqepc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exeBopgjmhe.exeBdmpcdfm.exeBhikcb32.exeBjghpn32.exeBobcpmfc.exeBaaplhef.exeBemlmgnp.exeBdolhc32.exeBlfdia32.exeBkidenlg.exeBoepel32.exeCbqlfkmi.exeCeoibflm.exeCdainc32.exeChmeobkq.exeCklaknjd.exeCogmkl32.exeCbcilkjg.exeCeaehfjj.exeCddecc32.exeChpada32.exedescription pid process target process PID 2764 wrote to memory of 4136 2764 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe Bopgjmhe.exe PID 2764 wrote to memory of 4136 2764 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe Bopgjmhe.exe PID 2764 wrote to memory of 4136 2764 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe Bopgjmhe.exe PID 4136 wrote to memory of 4460 4136 Bopgjmhe.exe Bdmpcdfm.exe PID 4136 wrote to memory of 4460 4136 Bopgjmhe.exe Bdmpcdfm.exe PID 4136 wrote to memory of 4460 4136 Bopgjmhe.exe Bdmpcdfm.exe PID 4460 wrote to memory of 3468 4460 Bdmpcdfm.exe Bhikcb32.exe PID 4460 wrote to memory of 3468 4460 Bdmpcdfm.exe Bhikcb32.exe PID 4460 wrote to memory of 3468 4460 Bdmpcdfm.exe Bhikcb32.exe PID 3468 wrote to memory of 3032 3468 Bhikcb32.exe Bjghpn32.exe PID 3468 wrote to memory of 3032 3468 Bhikcb32.exe Bjghpn32.exe PID 3468 wrote to memory of 3032 3468 Bhikcb32.exe Bjghpn32.exe PID 3032 wrote to memory of 392 3032 Bjghpn32.exe Bobcpmfc.exe PID 3032 wrote to memory of 392 3032 Bjghpn32.exe Bobcpmfc.exe PID 3032 wrote to memory of 392 3032 Bjghpn32.exe Bobcpmfc.exe PID 392 wrote to memory of 2624 392 Bobcpmfc.exe Baaplhef.exe PID 392 wrote to memory of 2624 392 Bobcpmfc.exe Baaplhef.exe PID 392 wrote to memory of 2624 392 Bobcpmfc.exe Baaplhef.exe PID 2624 wrote to memory of 3368 2624 Baaplhef.exe Bemlmgnp.exe PID 2624 wrote to memory of 3368 2624 Baaplhef.exe Bemlmgnp.exe PID 2624 wrote to memory of 3368 2624 Baaplhef.exe Bemlmgnp.exe PID 3368 wrote to memory of 4620 3368 Bemlmgnp.exe Bdolhc32.exe PID 3368 wrote to memory of 4620 3368 Bemlmgnp.exe Bdolhc32.exe PID 3368 wrote to memory of 4620 3368 Bemlmgnp.exe Bdolhc32.exe PID 4620 wrote to memory of 2644 4620 Bdolhc32.exe Blfdia32.exe PID 4620 wrote to memory of 2644 4620 Bdolhc32.exe Blfdia32.exe PID 4620 wrote to memory of 2644 4620 Bdolhc32.exe Blfdia32.exe PID 2644 wrote to memory of 748 2644 Blfdia32.exe Bkidenlg.exe PID 2644 wrote to memory of 748 2644 Blfdia32.exe Bkidenlg.exe PID 2644 wrote to memory of 748 2644 Blfdia32.exe Bkidenlg.exe PID 748 wrote to memory of 2100 748 Bkidenlg.exe Boepel32.exe PID 748 wrote to memory of 2100 748 Bkidenlg.exe Boepel32.exe PID 748 wrote to memory of 2100 748 Bkidenlg.exe Boepel32.exe PID 2100 wrote to memory of 4432 2100 Boepel32.exe Cbqlfkmi.exe PID 2100 wrote to memory of 4432 2100 Boepel32.exe Cbqlfkmi.exe PID 2100 wrote to memory of 4432 2100 Boepel32.exe Cbqlfkmi.exe PID 4432 wrote to memory of 3812 4432 Cbqlfkmi.exe Ceoibflm.exe PID 4432 wrote to memory of 3812 4432 Cbqlfkmi.exe Ceoibflm.exe PID 4432 wrote to memory of 3812 4432 Cbqlfkmi.exe Ceoibflm.exe PID 3812 wrote to memory of 1540 3812 Ceoibflm.exe Cdainc32.exe PID 3812 wrote to memory of 1540 3812 Ceoibflm.exe Cdainc32.exe PID 3812 wrote to memory of 1540 3812 Ceoibflm.exe Cdainc32.exe PID 1540 wrote to memory of 2952 1540 Cdainc32.exe Chmeobkq.exe PID 1540 wrote to memory of 2952 1540 Cdainc32.exe Chmeobkq.exe PID 1540 wrote to memory of 2952 1540 Cdainc32.exe Chmeobkq.exe PID 2952 wrote to memory of 4284 2952 Chmeobkq.exe Cklaknjd.exe PID 2952 wrote to memory of 4284 2952 Chmeobkq.exe Cklaknjd.exe PID 2952 wrote to memory of 4284 2952 Chmeobkq.exe Cklaknjd.exe PID 4284 wrote to memory of 1980 4284 Cklaknjd.exe Cogmkl32.exe PID 4284 wrote to memory of 1980 4284 Cklaknjd.exe Cogmkl32.exe PID 4284 wrote to memory of 1980 4284 Cklaknjd.exe Cogmkl32.exe PID 1980 wrote to memory of 2740 1980 Cogmkl32.exe Cbcilkjg.exe PID 1980 wrote to memory of 2740 1980 Cogmkl32.exe Cbcilkjg.exe PID 1980 wrote to memory of 2740 1980 Cogmkl32.exe Cbcilkjg.exe PID 2740 wrote to memory of 3696 2740 Cbcilkjg.exe Ceaehfjj.exe PID 2740 wrote to memory of 3696 2740 Cbcilkjg.exe Ceaehfjj.exe PID 2740 wrote to memory of 3696 2740 Cbcilkjg.exe Ceaehfjj.exe PID 3696 wrote to memory of 1396 3696 Ceaehfjj.exe Cddecc32.exe PID 3696 wrote to memory of 1396 3696 Ceaehfjj.exe Cddecc32.exe PID 3696 wrote to memory of 1396 3696 Ceaehfjj.exe Cddecc32.exe PID 1396 wrote to memory of 2976 1396 Cddecc32.exe Chpada32.exe PID 1396 wrote to memory of 2976 1396 Cddecc32.exe Chpada32.exe PID 1396 wrote to memory of 2976 1396 Cddecc32.exe Chpada32.exe PID 2976 wrote to memory of 2552 2976 Chpada32.exe Cknnpm32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe23⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe24⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe25⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe26⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe27⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe28⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3872 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe31⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe32⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe33⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe34⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe35⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe36⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe37⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe40⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe41⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe42⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe43⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe44⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe45⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe46⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe47⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe48⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe49⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe51⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe52⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe53⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe54⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe55⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe56⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe57⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe59⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe60⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe61⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe62⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe64⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe65⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe66⤵PID:2668
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe67⤵PID:4760
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe68⤵PID:3176
-
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3320 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe70⤵PID:4472
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe71⤵PID:1532
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe72⤵PID:4160
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe73⤵PID:5036
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4236 -
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe75⤵PID:4844
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe76⤵PID:1652
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe77⤵PID:2340
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe78⤵PID:2248
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe79⤵PID:856
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe80⤵PID:952
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe81⤵PID:4376
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe82⤵PID:3964
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe83⤵PID:4216
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe84⤵PID:3080
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe85⤵PID:4568
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe86⤵PID:4868
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe87⤵PID:4752
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe88⤵PID:1792
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe89⤵PID:3728
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe90⤵PID:4988
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe91⤵PID:4448
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe92⤵PID:2500
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe93⤵PID:3932
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe94⤵PID:3476
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe95⤵PID:2924
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe96⤵PID:4796
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe97⤵PID:4000
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe98⤵PID:5100
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3644 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe100⤵PID:2472
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe101⤵PID:1508
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe102⤵PID:4404
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe103⤵PID:3596
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe104⤵PID:2780
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe105⤵PID:408
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe106⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe107⤵PID:2712
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe108⤵PID:5128
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe109⤵PID:5168
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe110⤵PID:5212
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe111⤵PID:5252
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe112⤵PID:5292
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe113⤵PID:5332
-
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe114⤵PID:5372
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe115⤵
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe116⤵
- Modifies registry class
PID:5452 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe117⤵PID:5492
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe118⤵PID:5528
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe119⤵PID:5572
-
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe120⤵PID:5608
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe121⤵PID:5648
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe122⤵PID:5692
-
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe123⤵PID:5736
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe124⤵PID:5772
-
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe125⤵PID:5812
-
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe126⤵PID:5868
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe127⤵PID:5912
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe128⤵PID:5952
-
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe129⤵PID:5992
-
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe131⤵
- Drops file in System32 directory
PID:6076 -
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe132⤵PID:6116
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe133⤵PID:2716
-
C:\Windows\SysWOW64\Jpgmha32.exeC:\Windows\system32\Jpgmha32.exe134⤵PID:5188
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe135⤵PID:5248
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe136⤵PID:5320
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe137⤵PID:5392
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe138⤵PID:5444
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe139⤵PID:5524
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe140⤵PID:5580
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe141⤵PID:5656
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe142⤵PID:5724
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe143⤵
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe144⤵PID:5904
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe145⤵PID:5980
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe146⤵PID:6044
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe147⤵PID:6100
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe148⤵PID:5180
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe149⤵PID:5328
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe150⤵PID:5460
-
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe151⤵PID:5632
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe152⤵PID:5700
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe153⤵PID:5876
-
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe154⤵PID:6000
-
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe155⤵PID:6104
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe156⤵PID:5356
-
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe157⤵PID:5488
-
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe158⤵
- Drops file in System32 directory
PID:5852 -
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe159⤵PID:6040
-
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe160⤵PID:5480
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe161⤵PID:5900
-
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe162⤵PID:5636
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe163⤵PID:6084
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe164⤵PID:5784
-
C:\Windows\SysWOW64\Leihbeib.exeC:\Windows\system32\Leihbeib.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6180 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe166⤵PID:6244
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe167⤵PID:6308
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe168⤵PID:6352
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe169⤵PID:6388
-
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe170⤵PID:6432
-
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe171⤵PID:6476
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe172⤵PID:6512
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe173⤵PID:6556
-
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe174⤵PID:6600
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe175⤵PID:6644
-
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe176⤵PID:6692
-
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe177⤵PID:6740
-
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe178⤵PID:6808
-
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe179⤵PID:6880
-
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe180⤵PID:6920
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe181⤵PID:7024
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe182⤵PID:7072
-
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe183⤵PID:7108
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7160 -
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe185⤵PID:6256
-
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe186⤵PID:6384
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe187⤵PID:6500
-
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe188⤵PID:6580
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe189⤵PID:6656
-
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe190⤵PID:5304
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe191⤵PID:5948
-
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe192⤵PID:6792
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe193⤵PID:6968
-
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe194⤵PID:7060
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe195⤵PID:7156
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6400 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe197⤵PID:6472
-
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe198⤵PID:6700
-
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5964 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe200⤵PID:6876
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7080 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe202⤵PID:6228
-
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe203⤵PID:6540
-
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe204⤵PID:6096
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe205⤵PID:6908
-
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe206⤵PID:6156
-
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe207⤵PID:6676
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe208⤵PID:7048
-
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe209⤵PID:6652
-
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe210⤵
- Modifies registry class
PID:6508 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7176 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe212⤵PID:7220
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe213⤵PID:7260
-
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe214⤵
- Drops file in System32 directory
PID:7300 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe215⤵PID:7340
-
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe216⤵PID:7388
-
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe217⤵PID:7432
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe218⤵PID:7468
-
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe219⤵PID:7520
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe220⤵PID:7564
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe221⤵PID:7604
-
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe222⤵PID:7640
-
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe223⤵PID:7700
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe224⤵PID:7744
-
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe225⤵PID:7796
-
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe226⤵PID:7840
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe227⤵PID:7884
-
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe228⤵PID:7924
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe229⤵PID:7972
-
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe230⤵PID:8012
-
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe231⤵PID:8056
-
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe232⤵PID:8096
-
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe233⤵PID:8140
-
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe234⤵PID:8180
-
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe235⤵PID:7216
-
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe236⤵PID:7308
-
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe237⤵PID:7336
-
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe238⤵PID:7408
-
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe239⤵
- Modifies registry class
PID:7480 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe240⤵PID:7552
-
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7624 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe242⤵PID:7684