Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 01:06
Behavioral task
behavioral1
Sample
190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe
-
Size
177KB
-
MD5
190d5f23efe27fbef5236b0d54d50900
-
SHA1
32eee70a04e5da5227142d749c28cb05cc3beb78
-
SHA256
6cfe2a4d0b10c32b95fba3d29132d81eaaa3e55085c4b0f9780fe02829e715f3
-
SHA512
d5766e8ec4ae67edcaeca7d69cf31fbb070e9b2b4a45d61ce34e0a33567cda596c89601379aad85fe4a62214c5d71eb73ac7d7ee491bf00619301783a386a373
-
SSDEEP
3072:M1n9l8FieMyc2r3sM2bh2ijiTlg3q/haR5sS+vfvLHhjh8g1eGFyOsa:MjHGsrYiclga/harSvLHh98gwG0ON
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ejflhm32.exeQadoba32.exeGpecbk32.exeLknojl32.exeNeclenfo.exeLgcjdd32.exePkenjh32.exeFdnjgmle.exeNcfdie32.exeBfgjjm32.exeOgnpebpj.exeLejgch32.exeAcmobchj.exeDckdjomg.exeNabfjpak.exeHjchaf32.exeJodjhkkj.exeDaediilg.exeIloidijb.exeOjllan32.exeLlbidimc.exeMimpolee.exeGpcmga32.exePonfka32.exeMblkhq32.exePlmmif32.exeGnfhfl32.exeOebflhaf.exeDmdonkgc.exeJnelok32.exeKbfbkj32.exeMigjoaaf.exeHcbpab32.exeQfbobf32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qadoba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfgjjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognpebpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmobchj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjchaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jodjhkkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daediilg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojllan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbidimc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimpolee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponfka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnelok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migjoaaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcbpab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfbobf32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Bhikcb32.exe family_berbew C:\Windows\SysWOW64\Bbnpqk32.exe family_berbew C:\Windows\SysWOW64\Bemlmgnp.exe family_berbew C:\Windows\SysWOW64\Cbqlfkmi.exe family_berbew C:\Windows\SysWOW64\Ceoibflm.exe family_berbew C:\Windows\SysWOW64\Cliaoq32.exe family_berbew C:\Windows\SysWOW64\Cafigg32.exe family_berbew C:\Windows\SysWOW64\Clkndpag.exe family_berbew C:\Windows\SysWOW64\Cahfmgoo.exe family_berbew C:\Windows\SysWOW64\Clnjjpod.exe family_berbew C:\Windows\SysWOW64\Cbgbgj32.exe family_berbew C:\Windows\SysWOW64\Chdkoa32.exe family_berbew C:\Windows\SysWOW64\Cbjoljdo.exe family_berbew C:\Windows\SysWOW64\Cdkldb32.exe family_berbew C:\Windows\SysWOW64\Dbllbibl.exe family_berbew C:\Windows\SysWOW64\Ddmhja32.exe family_berbew C:\Windows\SysWOW64\Dkgqfl32.exe family_berbew C:\Windows\SysWOW64\Daaicfgd.exe family_berbew C:\Windows\SysWOW64\Doeiljfn.exe family_berbew C:\Windows\SysWOW64\Dadeieea.exe family_berbew C:\Windows\SysWOW64\Dafbne32.exe family_berbew C:\Windows\SysWOW64\Dahode32.exe family_berbew C:\Windows\SysWOW64\Ddgkpp32.exe family_berbew C:\Windows\SysWOW64\Elppfmoo.exe family_berbew C:\Windows\SysWOW64\Ecjhcg32.exe family_berbew C:\Windows\SysWOW64\Eoaihhlp.exe family_berbew C:\Windows\SysWOW64\Eekaebcm.exe family_berbew C:\Windows\SysWOW64\Eleiam32.exe family_berbew C:\Windows\SysWOW64\Edpnfo32.exe family_berbew C:\Windows\SysWOW64\Eofbch32.exe family_berbew C:\Windows\SysWOW64\Edbklofb.exe family_berbew C:\Windows\SysWOW64\Fohoigfh.exe family_berbew C:\Windows\SysWOW64\Fdnjgmle.exe family_berbew C:\Windows\SysWOW64\Gfngap32.exe family_berbew C:\Windows\SysWOW64\Gkmlofol.exe family_berbew C:\Windows\SysWOW64\Gcfqfc32.exe family_berbew C:\Windows\SysWOW64\Hkikkeeo.exe family_berbew C:\Windows\SysWOW64\Hcdmga32.exe family_berbew C:\Windows\SysWOW64\Ikpaldog.exe family_berbew C:\Windows\SysWOW64\Ipnjab32.exe family_berbew C:\Windows\SysWOW64\Iihkpg32.exe family_berbew C:\Windows\SysWOW64\Ilidbbgl.exe family_berbew C:\Windows\SysWOW64\Jbeidl32.exe family_berbew C:\Windows\SysWOW64\Jehokgge.exe family_berbew C:\Windows\SysWOW64\Jlednamo.exe family_berbew C:\Windows\SysWOW64\Kpbmco32.exe family_berbew C:\Windows\SysWOW64\Kikame32.exe family_berbew C:\Windows\SysWOW64\Kplpjn32.exe family_berbew C:\Windows\SysWOW64\Lmdina32.exe family_berbew C:\Windows\SysWOW64\Lpebpm32.exe family_berbew C:\Windows\SysWOW64\Lmiciaaj.exe family_berbew C:\Windows\SysWOW64\Mipcob32.exe family_berbew C:\Windows\SysWOW64\Mlcifmbl.exe family_berbew C:\Windows\SysWOW64\Nckndeni.exe family_berbew C:\Windows\SysWOW64\Ocnjidkf.exe family_berbew C:\Windows\SysWOW64\Oqfdnhfk.exe family_berbew C:\Windows\SysWOW64\Ojoign32.exe family_berbew C:\Windows\SysWOW64\Ojaelm32.exe family_berbew C:\Windows\SysWOW64\Pfhfan32.exe family_berbew C:\Windows\SysWOW64\Pdkcde32.exe family_berbew C:\Windows\SysWOW64\Pmfhig32.exe family_berbew C:\Windows\SysWOW64\Pgnilpah.exe family_berbew C:\Windows\SysWOW64\Qjoankoi.exe family_berbew C:\Windows\SysWOW64\Qgcbgo32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Bhikcb32.exeBbnpqk32.exeBemlmgnp.exeCbqlfkmi.exeCeoibflm.exeCliaoq32.exeCafigg32.exeClkndpag.exeCahfmgoo.exeClnjjpod.exeCbgbgj32.exeChdkoa32.exeCbjoljdo.exeCdkldb32.exeDbllbibl.exeDdmhja32.exeDkgqfl32.exeDaaicfgd.exeDoeiljfn.exeDadeieea.exeDafbne32.exeDahode32.exeDdgkpp32.exeElppfmoo.exeEcjhcg32.exeEoaihhlp.exeEekaebcm.exeEleiam32.exeEdpnfo32.exeEofbch32.exeEdbklofb.exeFohoigfh.exeFafkecel.exeFhqcam32.exeFkopnh32.exeFcfhof32.exeFaihkbci.exeFdgdgnbm.exeFomhdg32.exeFdialn32.exeFckajehi.exeFhgjblfq.exeFcmnpe32.exeFdnjgmle.exeGkhbdg32.exeGfngap32.exeGkkojgao.exeGdcdbl32.exeGkmlofol.exeGdeqhl32.exeGcfqfc32.exeGdhmnlcj.exeGkaejf32.exeGblngpbd.exeGdjjckag.exeHmabdibj.exeHckjacjg.exeHfifmnij.exeHkfoeega.exeHflcbngh.exeHeocnk32.exeHkikkeeo.exeHeapdjlp.exeHmhhehlb.exepid process 224 Bhikcb32.exe 1400 Bbnpqk32.exe 864 Bemlmgnp.exe 1620 Cbqlfkmi.exe 4872 Ceoibflm.exe 4288 Cliaoq32.exe 4092 Cafigg32.exe 464 Clkndpag.exe 2068 Cahfmgoo.exe 4832 Clnjjpod.exe 3288 Cbgbgj32.exe 1008 Chdkoa32.exe 5040 Cbjoljdo.exe 4460 Cdkldb32.exe 2928 Dbllbibl.exe 548 Ddmhja32.exe 5116 Dkgqfl32.exe 3988 Daaicfgd.exe 4948 Doeiljfn.exe 2024 Dadeieea.exe 4684 Dafbne32.exe 1772 Dahode32.exe 3008 Ddgkpp32.exe 3268 Elppfmoo.exe 1856 Ecjhcg32.exe 1976 Eoaihhlp.exe 956 Eekaebcm.exe 3324 Eleiam32.exe 4788 Edpnfo32.exe 4260 Eofbch32.exe 2236 Edbklofb.exe 4332 Fohoigfh.exe 4036 Fafkecel.exe 1708 Fhqcam32.exe 628 Fkopnh32.exe 1808 Fcfhof32.exe 4836 Faihkbci.exe 4696 Fdgdgnbm.exe 4364 Fomhdg32.exe 3800 Fdialn32.exe 3452 Fckajehi.exe 1984 Fhgjblfq.exe 820 Fcmnpe32.exe 1540 Fdnjgmle.exe 3544 Gkhbdg32.exe 4284 Gfngap32.exe 4060 Gkkojgao.exe 1964 Gdcdbl32.exe 3696 Gkmlofol.exe 3720 Gdeqhl32.exe 388 Gcfqfc32.exe 3200 Gdhmnlcj.exe 3676 Gkaejf32.exe 1476 Gblngpbd.exe 3896 Gdjjckag.exe 3828 Hmabdibj.exe 1700 Hckjacjg.exe 3900 Hfifmnij.exe 2592 Hkfoeega.exe 3608 Hflcbngh.exe 3332 Heocnk32.exe 2956 Hkikkeeo.exe 452 Heapdjlp.exe 2436 Hmhhehlb.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jbeidl32.exeCcdnjp32.exeJpfepf32.exeDobfld32.exeIickkbje.exeHpbiip32.exeEoaihhlp.exeGkhbdg32.exeAaiimadl.exeBblnindg.exePgbbek32.exeIjadbdoj.exeJnkldqkc.exeEfafgifc.exeEbjcajjd.exeKdpmbc32.exeAlnfpcag.exeDdgkpp32.exeMlefklpj.exeBqmeal32.exeLjbfpo32.exeIpflihfq.exeKbaipkbi.exeBhamkipi.exeCalhnpgn.exeHgabkoee.exeLeoghn32.exePoodpmca.exeFdhcgaic.exeCkclhn32.exeLqikmc32.exePqmjog32.exeQachgk32.exeLfealaol.exeOocddono.exeJgbjbp32.exeKmncnb32.exePcmlfl32.exeJdpkflfe.exeHoadkn32.exeQebhhp32.exeEfccmidp.exedescription ioc process File created C:\Windows\SysWOW64\Jiopcppf.dll Jbeidl32.exe File opened for modification C:\Windows\SysWOW64\Ckpbnb32.exe Ccdnjp32.exe File created C:\Windows\SysWOW64\Nfamlc32.dll Jpfepf32.exe File created C:\Windows\SysWOW64\Mbkkam32.dll File opened for modification C:\Windows\SysWOW64\Daqbip32.exe Dobfld32.exe File opened for modification C:\Windows\SysWOW64\Ikaggmii.exe Iickkbje.exe File created C:\Windows\SysWOW64\Hhiajmod.exe Hpbiip32.exe File created C:\Windows\SysWOW64\Nhfjcpfb.dll File created C:\Windows\SysWOW64\Lfojfj32.dll File created C:\Windows\SysWOW64\Njkdbljm.dll Eoaihhlp.exe File created C:\Windows\SysWOW64\Dqlbaq32.dll Gkhbdg32.exe File opened for modification C:\Windows\SysWOW64\Ajpqnneo.exe Aaiimadl.exe File created C:\Windows\SysWOW64\Bfgjjm32.exe Bblnindg.exe File created C:\Windows\SysWOW64\Jiiicf32.exe File created C:\Windows\SysWOW64\Kpmdfonj.exe File opened for modification C:\Windows\SysWOW64\Ommceclc.exe File opened for modification C:\Windows\SysWOW64\Ppjgoaoj.exe Pgbbek32.exe File created C:\Windows\SysWOW64\Gigmlgok.dll Ijadbdoj.exe File created C:\Windows\SysWOW64\Ejlacgdj.dll Jnkldqkc.exe File created C:\Windows\SysWOW64\Kbpnnj32.dll Efafgifc.exe File opened for modification C:\Windows\SysWOW64\Ejalcgkg.exe Ebjcajjd.exe File created C:\Windows\SysWOW64\Kgninn32.exe Kdpmbc32.exe File created C:\Windows\SysWOW64\Anobgl32.exe Alnfpcag.exe File created C:\Windows\SysWOW64\Jihdea32.dll Ddgkpp32.exe File created C:\Windows\SysWOW64\Mcpnhfhf.exe Mlefklpj.exe File created C:\Windows\SysWOW64\Bclang32.exe Bqmeal32.exe File opened for modification C:\Windows\SysWOW64\Lalnmiia.exe Ljbfpo32.exe File created C:\Windows\SysWOW64\Idahjg32.exe Ipflihfq.exe File created C:\Windows\SysWOW64\Dooaoj32.exe File opened for modification C:\Windows\SysWOW64\Ibjqaf32.exe File opened for modification C:\Windows\SysWOW64\Kikame32.exe Kbaipkbi.exe File created C:\Windows\SysWOW64\Epmfkk32.dll Bhamkipi.exe File opened for modification C:\Windows\SysWOW64\Mnhdgpii.exe File created C:\Windows\SysWOW64\Epoaed32.dll File opened for modification C:\Windows\SysWOW64\Giljfddl.exe File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Hgjbkhen.dll Hgabkoee.exe File created C:\Windows\SysWOW64\Lhncdi32.exe Leoghn32.exe File created C:\Windows\SysWOW64\Jchbom32.dll Poodpmca.exe File created C:\Windows\SysWOW64\Fkbkdkpp.exe Fdhcgaic.exe File opened for modification C:\Windows\SysWOW64\Cnahdi32.exe Ckclhn32.exe File created C:\Windows\SysWOW64\Gnqfcbnj.exe File created C:\Windows\SysWOW64\Lcggio32.exe Lqikmc32.exe File opened for modification C:\Windows\SysWOW64\Pclgkb32.exe Pqmjog32.exe File opened for modification C:\Windows\SysWOW64\Qhmqdemc.exe Qachgk32.exe File opened for modification C:\Windows\SysWOW64\Qdaniq32.exe File created C:\Windows\SysWOW64\Jgqpjb32.dll Lfealaol.exe File created C:\Windows\SysWOW64\Gphqhffa.dll Oocddono.exe File created C:\Windows\SysWOW64\Jjafok32.exe Jgbjbp32.exe File created C:\Windows\SysWOW64\Kjiqkhgo.dll File created C:\Windows\SysWOW64\Kplpjn32.exe Kmncnb32.exe File opened for modification C:\Windows\SysWOW64\Pflibgil.exe Pcmlfl32.exe File created C:\Windows\SysWOW64\Jgogbgei.exe Jdpkflfe.exe File created C:\Windows\SysWOW64\Njhgbp32.exe File created C:\Windows\SysWOW64\Mapppn32.exe File created C:\Windows\SysWOW64\Ncliqp32.dll Ebjcajjd.exe File created C:\Windows\SysWOW64\Fofdocoe.dll File created C:\Windows\SysWOW64\Gaebef32.exe File created C:\Windows\SysWOW64\Jaonbc32.exe File opened for modification C:\Windows\SysWOW64\Lohqnd32.exe File opened for modification C:\Windows\SysWOW64\Hbpphi32.exe Hoadkn32.exe File created C:\Windows\SysWOW64\Bhocin32.dll Qebhhp32.exe File opened for modification C:\Windows\SysWOW64\Eiaoid32.exe Efccmidp.exe File created C:\Windows\SysWOW64\Cnfkdb32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 17500 17416 -
Modifies registry class 64 IoCs
Processes:
Lfhnaa32.exeFpeafcfa.exeQdphngfl.exePmoahijl.exeEkefmc32.exeKmijbcpl.exeQgcbgo32.exeEjflhm32.exeNhmofj32.exeKcpahpmd.exeGdcdbl32.exeAjfhnjhq.exeHgkkkcbc.exeQachgk32.exeLpnlpnih.exeBeglgani.exeEagaoh32.exeChjaol32.exeHoadkn32.exeAjqgidij.exeBfhhoi32.exeDobfld32.exeFamjkl32.exeCbeapmll.exeMhgfkg32.exeMpghkf32.exeOehlkc32.exeMchppmij.exeHkfoeega.exeIfgbnlmj.exeJicdap32.exePpjgoaoj.exeKnefeffd.exeOlckbd32.exeKnflpoqf.exeBoflmdkk.exeAnobgl32.exeInmgmijo.exeEjalcgkg.exeJpfepf32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfhnaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmmpa32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmoahijl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekefmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmijbcpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejflhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhmofj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcdbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajfhnjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljeffhcd.dll" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qachgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnlpnih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beglgani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdmb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoadkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmhbnnof.dll" Ajqgidij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccphn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobfld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfljpbki.dll" Mhgfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmljnd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehlkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipgdi32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifgbnlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jicdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfggbllc.dll" Ppjgoaoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knefeffd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olckbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leifdf32.dll" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhapb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inmgmijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplbfcmi.dll" Ejalcgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfamlc32.dll" Jpfepf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exeBhikcb32.exeBbnpqk32.exeBemlmgnp.exeCbqlfkmi.exeCeoibflm.exeCliaoq32.exeCafigg32.exeClkndpag.exeCahfmgoo.exeClnjjpod.exeCbgbgj32.exeChdkoa32.exeCbjoljdo.exeCdkldb32.exeDbllbibl.exeDdmhja32.exeDkgqfl32.exeDaaicfgd.exeDoeiljfn.exeDadeieea.exeDafbne32.exedescription pid process target process PID 1636 wrote to memory of 224 1636 190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe Bhikcb32.exe PID 1636 wrote to memory of 224 1636 190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe Bhikcb32.exe PID 1636 wrote to memory of 224 1636 190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe Bhikcb32.exe PID 224 wrote to memory of 1400 224 Bhikcb32.exe Bbnpqk32.exe PID 224 wrote to memory of 1400 224 Bhikcb32.exe Bbnpqk32.exe PID 224 wrote to memory of 1400 224 Bhikcb32.exe Bbnpqk32.exe PID 1400 wrote to memory of 864 1400 Bbnpqk32.exe Bemlmgnp.exe PID 1400 wrote to memory of 864 1400 Bbnpqk32.exe Bemlmgnp.exe PID 1400 wrote to memory of 864 1400 Bbnpqk32.exe Bemlmgnp.exe PID 864 wrote to memory of 1620 864 Bemlmgnp.exe Cbqlfkmi.exe PID 864 wrote to memory of 1620 864 Bemlmgnp.exe Cbqlfkmi.exe PID 864 wrote to memory of 1620 864 Bemlmgnp.exe Cbqlfkmi.exe PID 1620 wrote to memory of 4872 1620 Cbqlfkmi.exe Ceoibflm.exe PID 1620 wrote to memory of 4872 1620 Cbqlfkmi.exe Ceoibflm.exe PID 1620 wrote to memory of 4872 1620 Cbqlfkmi.exe Ceoibflm.exe PID 4872 wrote to memory of 4288 4872 Ceoibflm.exe Cliaoq32.exe PID 4872 wrote to memory of 4288 4872 Ceoibflm.exe Cliaoq32.exe PID 4872 wrote to memory of 4288 4872 Ceoibflm.exe Cliaoq32.exe PID 4288 wrote to memory of 4092 4288 Cliaoq32.exe Cafigg32.exe PID 4288 wrote to memory of 4092 4288 Cliaoq32.exe Cafigg32.exe PID 4288 wrote to memory of 4092 4288 Cliaoq32.exe Cafigg32.exe PID 4092 wrote to memory of 464 4092 Cafigg32.exe Clkndpag.exe PID 4092 wrote to memory of 464 4092 Cafigg32.exe Clkndpag.exe PID 4092 wrote to memory of 464 4092 Cafigg32.exe Clkndpag.exe PID 464 wrote to memory of 2068 464 Clkndpag.exe Cahfmgoo.exe PID 464 wrote to memory of 2068 464 Clkndpag.exe Cahfmgoo.exe PID 464 wrote to memory of 2068 464 Clkndpag.exe Cahfmgoo.exe PID 2068 wrote to memory of 4832 2068 Cahfmgoo.exe Clnjjpod.exe PID 2068 wrote to memory of 4832 2068 Cahfmgoo.exe Clnjjpod.exe PID 2068 wrote to memory of 4832 2068 Cahfmgoo.exe Clnjjpod.exe PID 4832 wrote to memory of 3288 4832 Clnjjpod.exe Cbgbgj32.exe PID 4832 wrote to memory of 3288 4832 Clnjjpod.exe Cbgbgj32.exe PID 4832 wrote to memory of 3288 4832 Clnjjpod.exe Cbgbgj32.exe PID 3288 wrote to memory of 1008 3288 Cbgbgj32.exe Chdkoa32.exe PID 3288 wrote to memory of 1008 3288 Cbgbgj32.exe Chdkoa32.exe PID 3288 wrote to memory of 1008 3288 Cbgbgj32.exe Chdkoa32.exe PID 1008 wrote to memory of 5040 1008 Chdkoa32.exe Cbjoljdo.exe PID 1008 wrote to memory of 5040 1008 Chdkoa32.exe Cbjoljdo.exe PID 1008 wrote to memory of 5040 1008 Chdkoa32.exe Cbjoljdo.exe PID 5040 wrote to memory of 4460 5040 Cbjoljdo.exe Cdkldb32.exe PID 5040 wrote to memory of 4460 5040 Cbjoljdo.exe Cdkldb32.exe PID 5040 wrote to memory of 4460 5040 Cbjoljdo.exe Cdkldb32.exe PID 4460 wrote to memory of 2928 4460 Cdkldb32.exe Dbllbibl.exe PID 4460 wrote to memory of 2928 4460 Cdkldb32.exe Dbllbibl.exe PID 4460 wrote to memory of 2928 4460 Cdkldb32.exe Dbllbibl.exe PID 2928 wrote to memory of 548 2928 Dbllbibl.exe Ddmhja32.exe PID 2928 wrote to memory of 548 2928 Dbllbibl.exe Ddmhja32.exe PID 2928 wrote to memory of 548 2928 Dbllbibl.exe Ddmhja32.exe PID 548 wrote to memory of 5116 548 Ddmhja32.exe Dkgqfl32.exe PID 548 wrote to memory of 5116 548 Ddmhja32.exe Dkgqfl32.exe PID 548 wrote to memory of 5116 548 Ddmhja32.exe Dkgqfl32.exe PID 5116 wrote to memory of 3988 5116 Dkgqfl32.exe Daaicfgd.exe PID 5116 wrote to memory of 3988 5116 Dkgqfl32.exe Daaicfgd.exe PID 5116 wrote to memory of 3988 5116 Dkgqfl32.exe Daaicfgd.exe PID 3988 wrote to memory of 4948 3988 Daaicfgd.exe Doeiljfn.exe PID 3988 wrote to memory of 4948 3988 Daaicfgd.exe Doeiljfn.exe PID 3988 wrote to memory of 4948 3988 Daaicfgd.exe Doeiljfn.exe PID 4948 wrote to memory of 2024 4948 Doeiljfn.exe Dadeieea.exe PID 4948 wrote to memory of 2024 4948 Doeiljfn.exe Dadeieea.exe PID 4948 wrote to memory of 2024 4948 Doeiljfn.exe Dadeieea.exe PID 2024 wrote to memory of 4684 2024 Dadeieea.exe Dafbne32.exe PID 2024 wrote to memory of 4684 2024 Dadeieea.exe Dafbne32.exe PID 2024 wrote to memory of 4684 2024 Dadeieea.exe Dafbne32.exe PID 4684 wrote to memory of 1772 4684 Dafbne32.exe Dahode32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe23⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe25⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe26⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe28⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe29⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe30⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe31⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe32⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe33⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe34⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe35⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe36⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe37⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe38⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe39⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe40⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe41⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe42⤵PID:4824
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe43⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe44⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe45⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe48⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe49⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe51⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe52⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe53⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe54⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe55⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe56⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe57⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe58⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe59⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe60⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe62⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe63⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe64⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe65⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe66⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3596 -
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe68⤵PID:1412
-
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe69⤵PID:1404
-
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe70⤵PID:3388
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe71⤵PID:4360
-
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe72⤵PID:4604
-
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe73⤵PID:800
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe74⤵PID:2516
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe75⤵
- Modifies registry class
PID:4916 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe76⤵PID:2148
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe77⤵PID:2332
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe78⤵PID:3236
-
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe79⤵PID:2636
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe80⤵PID:780
-
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe81⤵PID:3620
-
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe82⤵PID:4440
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe83⤵PID:1272
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe84⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe85⤵PID:4264
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe86⤵PID:3096
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe87⤵PID:2228
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe88⤵PID:3272
-
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe89⤵PID:4368
-
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe90⤵PID:3160
-
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe91⤵PID:3156
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe92⤵PID:3748
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe93⤵PID:1552
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe94⤵PID:3528
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe95⤵PID:4852
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe96⤵PID:604
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe97⤵
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe98⤵PID:1028
-
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe99⤵PID:4640
-
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe100⤵PID:1968
-
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe101⤵PID:2292
-
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe102⤵
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4796 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe104⤵PID:1300
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe105⤵PID:4376
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe106⤵PID:4980
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe107⤵PID:4720
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe108⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe109⤵PID:4592
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe110⤵PID:2036
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe111⤵PID:3556
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe112⤵
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe113⤵PID:3736
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe114⤵PID:3944
-
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe115⤵PID:4340
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe116⤵PID:5140
-
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe117⤵PID:5184
-
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe118⤵PID:5228
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe119⤵PID:5268
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe120⤵PID:5312
-
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe121⤵PID:5356
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe122⤵PID:5396
-
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe123⤵PID:5440
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe124⤵PID:5484
-
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe125⤵PID:5528
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe126⤵PID:5568
-
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe127⤵PID:5616
-
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe128⤵PID:5664
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe129⤵PID:5708
-
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe130⤵PID:5752
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe131⤵PID:5796
-
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe132⤵PID:5840
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe133⤵PID:5884
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe135⤵
- Drops file in System32 directory
PID:5972 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe136⤵PID:6016
-
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe137⤵PID:6060
-
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe138⤵PID:6104
-
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe139⤵PID:6140
-
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe140⤵PID:5192
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe141⤵PID:5260
-
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe142⤵PID:5348
-
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe143⤵PID:5408
-
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe144⤵PID:5472
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe145⤵PID:5552
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5596 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe147⤵PID:5696
-
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe148⤵PID:5760
-
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe149⤵PID:5812
-
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe150⤵PID:5924
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe151⤵PID:5964
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe152⤵PID:6028
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe153⤵PID:6096
-
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe154⤵PID:5136
-
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe155⤵PID:5244
-
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe156⤵PID:5392
-
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe157⤵PID:5492
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe158⤵PID:5608
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe159⤵PID:5716
-
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe160⤵PID:5836
-
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6000 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe163⤵PID:5128
-
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe164⤵PID:5284
-
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe165⤵PID:5448
-
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe166⤵PID:5604
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe167⤵PID:5764
-
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe168⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe169⤵PID:6128
-
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe170⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe171⤵PID:5660
-
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe172⤵PID:5908
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe173⤵PID:5204
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe174⤵PID:5592
-
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe175⤵PID:6092
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe176⤵PID:5748
-
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe177⤵PID:5564
-
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe178⤵PID:5520
-
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe179⤵PID:5220
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe180⤵PID:6180
-
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe181⤵PID:6228
-
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe182⤵PID:6272
-
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe183⤵PID:6316
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe184⤵
- Modifies registry class
PID:6356 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe185⤵PID:6400
-
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe186⤵PID:6436
-
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe187⤵PID:6480
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe188⤵PID:6528
-
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe189⤵PID:6568
-
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe190⤵
- Modifies registry class
PID:6612 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe191⤵PID:6648
-
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe192⤵PID:6696
-
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe193⤵PID:6740
-
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe194⤵PID:6776
-
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe195⤵PID:6824
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe196⤵PID:6868
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe197⤵PID:6912
-
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe198⤵PID:6960
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe199⤵PID:6996
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe200⤵PID:7048
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe201⤵PID:7092
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe202⤵PID:7136
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe203⤵PID:6160
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe204⤵PID:6220
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe205⤵PID:6284
-
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe206⤵PID:6364
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe207⤵
- Modifies registry class
PID:6420 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe208⤵
- Modifies registry class
PID:6508 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe209⤵PID:6576
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe210⤵PID:6656
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe211⤵PID:6708
-
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe212⤵PID:6772
-
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe213⤵
- Modifies registry class
PID:6852 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe214⤵PID:6920
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe215⤵PID:6988
-
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe216⤵PID:7080
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe217⤵PID:6168
-
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe218⤵PID:6300
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe219⤵PID:6396
-
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe220⤵PID:6536
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe221⤵PID:6632
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe222⤵PID:6748
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe223⤵PID:6836
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe224⤵PID:6956
-
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe225⤵PID:7112
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe226⤵
- Drops file in System32 directory
PID:6268 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe227⤵PID:6488
-
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe228⤵PID:6596
-
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe229⤵PID:6760
-
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe230⤵PID:6936
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe231⤵
- Drops file in System32 directory
- Modifies registry class
PID:6196 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe232⤵PID:6516
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe233⤵PID:6804
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe234⤵PID:7028
-
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe235⤵PID:6392
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe236⤵PID:6904
-
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe237⤵PID:6908
-
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe238⤵PID:7172
-
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe239⤵PID:7212
-
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe240⤵PID:7280
-
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe241⤵PID:7328
-
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe242⤵PID:7392