Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 01:32
Behavioral task
behavioral1
Sample
1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe
-
Size
240KB
-
MD5
1ccf306419b42c380b49791cd48cce30
-
SHA1
1917247a7cb2aa7768388e36f8d002c63a01e065
-
SHA256
9485af7556be8c67677e01aa31f2f88d14f1d76ce7983113f1873c15ba972ec2
-
SHA512
4bc428190ebb94625bf1d6e3cb556bf7dabdc9c14f2e41df786d8d078b03bd04f322f1778f8754d1e6b4031b8b05b1a2b8f64db8cf19e14ea1e699189115babf
-
SSDEEP
6144:UWwZFWo/EcAJN+SYSUZCb6M3W8DStQUkA1FiHwSD:U9Z3/tycSly8DSUA1YHVD
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ecdbdl32.exeImfdff32.exeAjkaii32.exeCnkplejl.exeHaidklda.exeHbbmmi32.exeCadlbk32.exeDikpbl32.exeCfigpm32.exeGdjjckag.exeKmkfhc32.exeHkikkeeo.exeBhhdil32.exeAhkobekf.exeBbacqape.exeEolhbc32.exeJfgdkd32.exeMlnipg32.exeHeocnk32.exeJmkdlkph.exeDhbgqohi.exeDjgjlelk.exeIcgqggce.exeOflgep32.exeEfikji32.exeBdolhc32.exeHcbpab32.exeMhppji32.exeBaaggo32.exeEmhldnkj.exeDapkni32.exeNjciko32.exeEkefmc32.exeOkhfjh32.exeMdmnlj32.exeBcjlcn32.exeGfnnlffc.exeAclpap32.exeGcddpdpo.exeFajgkfio.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecdbdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imfdff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haidklda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbmmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cadlbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikpbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdjjckag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmkfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkikkeeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahkobekf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbacqape.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolhbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfgdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlnipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Heocnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhbgqohi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgjlelk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icgqggce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efikji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdolhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcbpab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhppji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baaggo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhldnkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapkni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njciko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekefmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okhfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmnlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjlcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnnlffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aclpap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcddpdpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajgkfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Bifbbllg.exe family_berbew C:\Windows\SysWOW64\Blennh32.exe family_berbew C:\Windows\SysWOW64\Baaggo32.exe family_berbew C:\Windows\SysWOW64\Biiohl32.exe family_berbew C:\Windows\SysWOW64\Bbacqape.exe family_berbew C:\Windows\SysWOW64\Bbacqape.exe family_berbew C:\Windows\SysWOW64\Bikkml32.exe family_berbew C:\Windows\SysWOW64\Clihig32.exe family_berbew C:\Windows\SysWOW64\Cccpfa32.exe family_berbew C:\Windows\SysWOW64\Chphoh32.exe family_berbew C:\Windows\SysWOW64\Cpgqpe32.exe family_berbew C:\Windows\SysWOW64\Caimgncj.exe family_berbew C:\Windows\SysWOW64\Clnadfbp.exe family_berbew C:\Windows\SysWOW64\Cakjmm32.exe family_berbew C:\Windows\SysWOW64\Chebighd.exe family_berbew C:\Windows\SysWOW64\Cpljkdig.exe family_berbew C:\Windows\SysWOW64\Camfbm32.exe family_berbew C:\Windows\SysWOW64\Chgoogfa.exe family_berbew C:\Windows\SysWOW64\Ccmclp32.exe family_berbew C:\Windows\SysWOW64\Dhjkdg32.exe family_berbew C:\Windows\SysWOW64\Doccaall.exe family_berbew C:\Windows\SysWOW64\Denlnk32.exe family_berbew C:\Windows\SysWOW64\Dhlhjf32.exe family_berbew C:\Windows\SysWOW64\Dpcpkc32.exe family_berbew C:\Windows\SysWOW64\Dadlclim.exe family_berbew C:\Windows\SysWOW64\Dljqpd32.exe family_berbew C:\Windows\SysWOW64\Dohmlp32.exe family_berbew C:\Windows\SysWOW64\Debeijoc.exe family_berbew C:\Windows\SysWOW64\Dokjbp32.exe family_berbew C:\Windows\SysWOW64\Dfdbojmq.exe family_berbew C:\Windows\SysWOW64\Dpjflb32.exe family_berbew C:\Windows\SysWOW64\Dakbckbe.exe family_berbew C:\Windows\SysWOW64\Ehekqe32.exe family_berbew C:\Windows\SysWOW64\Eodlho32.exe family_berbew C:\Windows\SysWOW64\Ffekegon.exe family_berbew C:\Windows\SysWOW64\Fopldmcl.exe family_berbew C:\Windows\SysWOW64\Gmkbnp32.exe family_berbew C:\Windows\SysWOW64\Hcnnaikp.exe family_berbew C:\Windows\SysWOW64\Hmioonpn.exe family_berbew C:\Windows\SysWOW64\Hfcpncdk.exe family_berbew C:\Windows\SysWOW64\Ijaida32.exe family_berbew C:\Windows\SysWOW64\Iapjlk32.exe family_berbew C:\Windows\SysWOW64\Jmkdlkph.exe family_berbew C:\Windows\SysWOW64\Jfdida32.exe family_berbew C:\Windows\SysWOW64\Jangmibi.exe family_berbew C:\Windows\SysWOW64\Kdaldd32.exe family_berbew C:\Windows\SysWOW64\Kgbefoji.exe family_berbew C:\Windows\SysWOW64\Kgdbkohf.exe family_berbew C:\Windows\SysWOW64\Lmqgnhmp.exe family_berbew C:\Windows\SysWOW64\Lcbiao32.exe family_berbew C:\Windows\SysWOW64\Laefdf32.exe family_berbew C:\Windows\SysWOW64\Mamleegg.exe family_berbew C:\Windows\SysWOW64\Nklfoi32.exe family_berbew C:\Windows\SysWOW64\Ngcgcjnc.exe family_berbew C:\Windows\SysWOW64\Njcpee32.exe family_berbew C:\Windows\SysWOW64\Ondeac32.exe family_berbew C:\Windows\SysWOW64\Okhfjh32.exe family_berbew C:\Windows\SysWOW64\Okjbpglo.exe family_berbew C:\Windows\SysWOW64\Odednmpm.exe family_berbew C:\Windows\SysWOW64\Pjdilcla.exe family_berbew C:\Windows\SysWOW64\Pnbbbabh.exe family_berbew C:\Windows\SysWOW64\Pabkdmpi.exe family_berbew C:\Windows\SysWOW64\Qeemej32.exe family_berbew C:\Windows\SysWOW64\Qalnjkgo.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Bifbbllg.exeBlennh32.exeBaaggo32.exeBiiohl32.exeBbacqape.exeBikkml32.exeClihig32.exeCccpfa32.exeChphoh32.exeCpgqpe32.exeCaimgncj.exeClnadfbp.exeCakjmm32.exeChebighd.exeCpljkdig.exeCamfbm32.exeChgoogfa.exeCcmclp32.exeDhjkdg32.exeDoccaall.exeDenlnk32.exeDhlhjf32.exeDpcpkc32.exeDadlclim.exeDljqpd32.exeDohmlp32.exeDebeijoc.exeDokjbp32.exeDfdbojmq.exeDpjflb32.exeDakbckbe.exeEhekqe32.exeEckonn32.exeEfikji32.exeEhhgfdho.exeEoapbo32.exeEflhoigi.exeEleplc32.exeEodlho32.exeEbbidj32.exeEhlaaddj.exeEqciba32.exeEcbenm32.exeEhonfc32.exeEmjjgbjp.exeEcdbdl32.exeFbgbpihg.exeFhajlc32.exeFqhbmqqg.exeFokbim32.exeFfekegon.exeFicgacna.exeFqkocpod.exeFbllkh32.exeFifdgblo.exeFopldmcl.exeFfjdqg32.exeFihqmb32.exeFqohnp32.exeFcnejk32.exeFflaff32.exeFmficqpc.exeFodeolof.exeGfnnlffc.exepid process 2092 Bifbbllg.exe 880 Blennh32.exe 3344 Baaggo32.exe 3952 Biiohl32.exe 4756 Bbacqape.exe 4504 Bikkml32.exe 1288 Clihig32.exe 4584 Cccpfa32.exe 2460 Chphoh32.exe 3692 Cpgqpe32.exe 736 Caimgncj.exe 3116 Clnadfbp.exe 3824 Cakjmm32.exe 3140 Chebighd.exe 3768 Cpljkdig.exe 468 Camfbm32.exe 228 Chgoogfa.exe 1928 Ccmclp32.exe 3756 Dhjkdg32.exe 2548 Doccaall.exe 4392 Denlnk32.exe 1308 Dhlhjf32.exe 4680 Dpcpkc32.exe 2752 Dadlclim.exe 3080 Dljqpd32.exe 3428 Dohmlp32.exe 4652 Debeijoc.exe 4508 Dokjbp32.exe 4776 Dfdbojmq.exe 4156 Dpjflb32.exe 3052 Dakbckbe.exe 3416 Ehekqe32.exe 4468 Eckonn32.exe 2576 Efikji32.exe 2220 Ehhgfdho.exe 728 Eoapbo32.exe 4564 Eflhoigi.exe 5064 Eleplc32.exe 4748 Eodlho32.exe 2148 Ebbidj32.exe 2296 Ehlaaddj.exe 1188 Eqciba32.exe 1500 Ecbenm32.exe 1984 Ehonfc32.exe 1536 Emjjgbjp.exe 1724 Ecdbdl32.exe 4828 Fbgbpihg.exe 3136 Fhajlc32.exe 4996 Fqhbmqqg.exe 4524 Fokbim32.exe 804 Ffekegon.exe 1416 Ficgacna.exe 1244 Fqkocpod.exe 1736 Fbllkh32.exe 952 Fifdgblo.exe 1912 Fopldmcl.exe 3880 Ffjdqg32.exe 4044 Fihqmb32.exe 4300 Fqohnp32.exe 1324 Fcnejk32.exe 1384 Fflaff32.exe 4460 Fmficqpc.exe 4512 Fodeolof.exe 3332 Gfnnlffc.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nnqbanmo.exeKihnmohm.exeNjcpee32.exeLocbfd32.exeLfealaol.exeCjliajmo.exeJmkdlkph.exeEepjpb32.exeMeiaib32.exeGknkpjfb.exeJbfpobpb.exeKmegbjgn.exeLgpagm32.exeAanjpk32.exeOcmconhk.exeEhfjah32.exeQqffjo32.exeEmnbdioi.exeOcopdn32.exeKilhgk32.exeFkopnh32.exeHopnqdan.exeQcbfakec.exeOgnpebpj.exeEkefmc32.exeMpaifalo.exeFoabofnn.exeImmapg32.exeGglpibgm.exeDfmcfp32.exeNgedij32.exeNcfdie32.exeMeamcg32.exeKdgljmcd.exeBanllbdn.exeCglgjeci.exeBkoigdom.exeMfcmmp32.exeNacmdf32.exeOohgdhfn.exeDhbgqohi.exeBjmnoi32.exeOohnonij.exedescription ioc process File created C:\Windows\SysWOW64\Oponmilc.exe Nnqbanmo.exe File created C:\Windows\SysWOW64\Hbkbod32.dll Kihnmohm.exe File opened for modification C:\Windows\SysWOW64\Fneggdhg.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe File created C:\Windows\SysWOW64\Dlddhggk.dll Njcpee32.exe File created C:\Windows\SysWOW64\Lemkcnaa.exe Locbfd32.exe File opened for modification C:\Windows\SysWOW64\Lhfmdj32.exe Lfealaol.exe File opened for modification C:\Windows\SysWOW64\Cmjemflb.exe Cjliajmo.exe File opened for modification C:\Windows\SysWOW64\Hpofii32.exe File opened for modification C:\Windows\SysWOW64\Deqcbpld.exe File opened for modification C:\Windows\SysWOW64\Kdmqmc32.exe File created C:\Windows\SysWOW64\Llgmeiqa.dll File created C:\Windows\SysWOW64\Hdbplg32.dll File created C:\Windows\SysWOW64\Mjlcankg.dll Jmkdlkph.exe File opened for modification C:\Windows\SysWOW64\Fljcmlfd.exe Eepjpb32.exe File created C:\Windows\SysWOW64\Mnkhmbin.dll Meiaib32.exe File opened for modification C:\Windows\SysWOW64\Gdfoio32.exe Gknkpjfb.exe File created C:\Windows\SysWOW64\Jgnqgqan.exe File created C:\Windows\SysWOW64\Mdafpj32.dll File opened for modification C:\Windows\SysWOW64\Jjmhppqd.exe Jbfpobpb.exe File created C:\Windows\SysWOW64\Nphqml32.dll Kmegbjgn.exe File opened for modification C:\Windows\SysWOW64\Ljnnch32.exe Lgpagm32.exe File created C:\Windows\SysWOW64\Ahhblemi.exe Aanjpk32.exe File opened for modification C:\Windows\SysWOW64\Oigllh32.exe Ocmconhk.exe File created C:\Windows\SysWOW64\Haojfo32.dll Ehfjah32.exe File created C:\Windows\SysWOW64\Ooiolbic.dll Qqffjo32.exe File opened for modification C:\Windows\SysWOW64\Eplnpeol.exe Emnbdioi.exe File created C:\Windows\SysWOW64\Hgncclck.dll File created C:\Windows\SysWOW64\Ijdgcpaf.dll Ocopdn32.exe File created C:\Windows\SysWOW64\Bdfpkm32.exe File opened for modification C:\Windows\SysWOW64\Hmmfmhll.exe File opened for modification C:\Windows\SysWOW64\Kpepcedo.exe Kilhgk32.exe File opened for modification C:\Windows\SysWOW64\Fcfhof32.exe Fkopnh32.exe File created C:\Windows\SysWOW64\Hckjacjg.exe Hopnqdan.exe File opened for modification C:\Windows\SysWOW64\Qjlnnemp.exe Qcbfakec.exe File created C:\Windows\SysWOW64\Pkbjjbda.exe File created C:\Windows\SysWOW64\Onhhamgg.exe Ognpebpj.exe File created C:\Windows\SysWOW64\Eopbnbhd.exe Ekefmc32.exe File created C:\Windows\SysWOW64\Copdgb32.dll File created C:\Windows\SysWOW64\Fneiph32.dll Mpaifalo.exe File opened for modification C:\Windows\SysWOW64\Fbpnkama.exe Foabofnn.exe File created C:\Windows\SysWOW64\Ceacpg32.dll Immapg32.exe File opened for modification C:\Windows\SysWOW64\Gochjpho.exe Gglpibgm.exe File created C:\Windows\SysWOW64\Inhdfkln.dll Dfmcfp32.exe File opened for modification C:\Windows\SysWOW64\Njcpee32.exe Ngedij32.exe File created C:\Windows\SysWOW64\Gbdhjm32.dll Ncfdie32.exe File created C:\Windows\SysWOW64\Milidebi.exe Meamcg32.exe File created C:\Windows\SysWOW64\Igpoaebh.dll File opened for modification C:\Windows\SysWOW64\Iefgbh32.exe File created C:\Windows\SysWOW64\Pmmanjof.dll File opened for modification C:\Windows\SysWOW64\Lffhfh32.exe Kdgljmcd.exe File created C:\Windows\SysWOW64\Iqjikg32.dll Banllbdn.exe File opened for modification C:\Windows\SysWOW64\Cimcan32.exe Cglgjeci.exe File created C:\Windows\SysWOW64\Qgfcle32.dll Bkoigdom.exe File created C:\Windows\SysWOW64\Lccahg32.dll File created C:\Windows\SysWOW64\Nqomdf32.dll Mfcmmp32.exe File opened for modification C:\Windows\SysWOW64\Nhmeapmd.exe Nacmdf32.exe File opened for modification C:\Windows\SysWOW64\Phaahggp.exe File created C:\Windows\SysWOW64\Oeaoab32.exe Oohgdhfn.exe File opened for modification C:\Windows\SysWOW64\Okkdic32.exe File created C:\Windows\SysWOW64\Meepdp32.exe File created C:\Windows\SysWOW64\Echknh32.exe Dhbgqohi.exe File opened for modification C:\Windows\SysWOW64\Bmkjkd32.exe Bjmnoi32.exe File created C:\Windows\SysWOW64\Ogpepl32.exe Oohnonij.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 14984 15152 -
Modifies registry class 64 IoCs
Processes:
Kenggi32.exeLndham32.exeFcckif32.exeAadifclh.exeOqfdnhfk.exeCaghhk32.exeIannfk32.exeBdhfhe32.exeLbngllob.exeDllfkn32.exePcmlfl32.exeMiofjepg.exeMalgcg32.exeNcbknfed.exeHhihdcbp.exeMlbbkfoq.exePpopjp32.exePaegjl32.exeDeagdn32.exeLpneegel.exeDhnnep32.exeHhgloc32.exeEglgbdep.exeFkqeib32.exeJecofa32.exeInainbcn.exeNddkgonp.exeAcqimo32.exeEhcfaboo.exePgjfkg32.exeFcfhof32.exeDdjejl32.exeMpghkf32.exeBfchidda.exeKpccnefa.exeNbmelbid.exeCdfkolkf.exeOcopdn32.exeEkjfcipa.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micfao32.dll" Kenggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaedkn32.dll" Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poigcbng.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcckif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oqfdnhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Caghhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iannfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpjhl32.dll" Bdhfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbngllob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkllcbh.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dllfkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcmlfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggcl32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Miofjepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhihdcbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlbbkfoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppopjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjgecbe.dll" Paegjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" Deagdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpneegel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhnnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhgloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmqopc32.dll" Eglgbdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkqeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jecofa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehcfaboo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgjfkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcfhof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddjejl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqbda32.dll" Bfchidda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokmqben.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll" Kpccnefa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbmelbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdfkolkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekjfcipa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exeBifbbllg.exeBlennh32.exeBaaggo32.exeBiiohl32.exeBbacqape.exeBikkml32.exeClihig32.exeCccpfa32.exeChphoh32.exeCpgqpe32.exeCaimgncj.exeClnadfbp.exeCakjmm32.exeChebighd.exeCpljkdig.exeCamfbm32.exeChgoogfa.exeCcmclp32.exeDhjkdg32.exeDoccaall.exeDenlnk32.exedescription pid process target process PID 4792 wrote to memory of 2092 4792 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe Bifbbllg.exe PID 4792 wrote to memory of 2092 4792 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe Bifbbllg.exe PID 4792 wrote to memory of 2092 4792 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe Bifbbllg.exe PID 2092 wrote to memory of 880 2092 Bifbbllg.exe Blennh32.exe PID 2092 wrote to memory of 880 2092 Bifbbllg.exe Blennh32.exe PID 2092 wrote to memory of 880 2092 Bifbbllg.exe Blennh32.exe PID 880 wrote to memory of 3344 880 Blennh32.exe Baaggo32.exe PID 880 wrote to memory of 3344 880 Blennh32.exe Baaggo32.exe PID 880 wrote to memory of 3344 880 Blennh32.exe Baaggo32.exe PID 3344 wrote to memory of 3952 3344 Baaggo32.exe Biiohl32.exe PID 3344 wrote to memory of 3952 3344 Baaggo32.exe Biiohl32.exe PID 3344 wrote to memory of 3952 3344 Baaggo32.exe Biiohl32.exe PID 3952 wrote to memory of 4756 3952 Biiohl32.exe Bbacqape.exe PID 3952 wrote to memory of 4756 3952 Biiohl32.exe Bbacqape.exe PID 3952 wrote to memory of 4756 3952 Biiohl32.exe Bbacqape.exe PID 4756 wrote to memory of 4504 4756 Bbacqape.exe Bikkml32.exe PID 4756 wrote to memory of 4504 4756 Bbacqape.exe Bikkml32.exe PID 4756 wrote to memory of 4504 4756 Bbacqape.exe Bikkml32.exe PID 4504 wrote to memory of 1288 4504 Bikkml32.exe Clihig32.exe PID 4504 wrote to memory of 1288 4504 Bikkml32.exe Clihig32.exe PID 4504 wrote to memory of 1288 4504 Bikkml32.exe Clihig32.exe PID 1288 wrote to memory of 4584 1288 Clihig32.exe Cccpfa32.exe PID 1288 wrote to memory of 4584 1288 Clihig32.exe Cccpfa32.exe PID 1288 wrote to memory of 4584 1288 Clihig32.exe Cccpfa32.exe PID 4584 wrote to memory of 2460 4584 Cccpfa32.exe Chphoh32.exe PID 4584 wrote to memory of 2460 4584 Cccpfa32.exe Chphoh32.exe PID 4584 wrote to memory of 2460 4584 Cccpfa32.exe Chphoh32.exe PID 2460 wrote to memory of 3692 2460 Chphoh32.exe Cpgqpe32.exe PID 2460 wrote to memory of 3692 2460 Chphoh32.exe Cpgqpe32.exe PID 2460 wrote to memory of 3692 2460 Chphoh32.exe Cpgqpe32.exe PID 3692 wrote to memory of 736 3692 Cpgqpe32.exe Caimgncj.exe PID 3692 wrote to memory of 736 3692 Cpgqpe32.exe Caimgncj.exe PID 3692 wrote to memory of 736 3692 Cpgqpe32.exe Caimgncj.exe PID 736 wrote to memory of 3116 736 Caimgncj.exe Clnadfbp.exe PID 736 wrote to memory of 3116 736 Caimgncj.exe Clnadfbp.exe PID 736 wrote to memory of 3116 736 Caimgncj.exe Clnadfbp.exe PID 3116 wrote to memory of 3824 3116 Clnadfbp.exe Cakjmm32.exe PID 3116 wrote to memory of 3824 3116 Clnadfbp.exe Cakjmm32.exe PID 3116 wrote to memory of 3824 3116 Clnadfbp.exe Cakjmm32.exe PID 3824 wrote to memory of 3140 3824 Cakjmm32.exe Chebighd.exe PID 3824 wrote to memory of 3140 3824 Cakjmm32.exe Chebighd.exe PID 3824 wrote to memory of 3140 3824 Cakjmm32.exe Chebighd.exe PID 3140 wrote to memory of 3768 3140 Chebighd.exe Cpljkdig.exe PID 3140 wrote to memory of 3768 3140 Chebighd.exe Cpljkdig.exe PID 3140 wrote to memory of 3768 3140 Chebighd.exe Cpljkdig.exe PID 3768 wrote to memory of 468 3768 Cpljkdig.exe Camfbm32.exe PID 3768 wrote to memory of 468 3768 Cpljkdig.exe Camfbm32.exe PID 3768 wrote to memory of 468 3768 Cpljkdig.exe Camfbm32.exe PID 468 wrote to memory of 228 468 Camfbm32.exe Chgoogfa.exe PID 468 wrote to memory of 228 468 Camfbm32.exe Chgoogfa.exe PID 468 wrote to memory of 228 468 Camfbm32.exe Chgoogfa.exe PID 228 wrote to memory of 1928 228 Chgoogfa.exe Ccmclp32.exe PID 228 wrote to memory of 1928 228 Chgoogfa.exe Ccmclp32.exe PID 228 wrote to memory of 1928 228 Chgoogfa.exe Ccmclp32.exe PID 1928 wrote to memory of 3756 1928 Ccmclp32.exe Dhjkdg32.exe PID 1928 wrote to memory of 3756 1928 Ccmclp32.exe Dhjkdg32.exe PID 1928 wrote to memory of 3756 1928 Ccmclp32.exe Dhjkdg32.exe PID 3756 wrote to memory of 2548 3756 Dhjkdg32.exe Doccaall.exe PID 3756 wrote to memory of 2548 3756 Dhjkdg32.exe Doccaall.exe PID 3756 wrote to memory of 2548 3756 Dhjkdg32.exe Doccaall.exe PID 2548 wrote to memory of 4392 2548 Doccaall.exe Denlnk32.exe PID 2548 wrote to memory of 4392 2548 Doccaall.exe Denlnk32.exe PID 2548 wrote to memory of 4392 2548 Doccaall.exe Denlnk32.exe PID 4392 wrote to memory of 1308 4392 Denlnk32.exe Dhlhjf32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Bbacqape.exeC:\Windows\system32\Bbacqape.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe23⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe24⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe25⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe26⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe27⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe28⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe29⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe30⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe31⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe32⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe33⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe34⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe36⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe37⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe38⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe39⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe40⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe41⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe42⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe43⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe44⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe45⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe46⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe48⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe49⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe50⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe51⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe52⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe53⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe54⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe55⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe56⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe57⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe58⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe59⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe60⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe61⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe62⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe63⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe64⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe66⤵PID:4708
-
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe67⤵PID:3156
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe68⤵PID:4032
-
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe69⤵PID:3876
-
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe70⤵PID:2432
-
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe71⤵PID:3744
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe72⤵PID:800
-
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe73⤵PID:2468
-
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe74⤵PID:1480
-
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe75⤵PID:4496
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe76⤵PID:4520
-
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe77⤵PID:2720
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe78⤵PID:2312
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe79⤵PID:4648
-
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe80⤵PID:2812
-
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe81⤵PID:3144
-
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe82⤵PID:3060
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe83⤵PID:4104
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe84⤵PID:2748
-
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe85⤵PID:4724
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe86⤵PID:2788
-
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe87⤵PID:1672
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe88⤵PID:400
-
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe89⤵PID:3704
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe90⤵PID:3888
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe91⤵PID:4056
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe92⤵PID:4880
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:404 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3960 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe95⤵PID:4672
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe96⤵PID:4124
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe97⤵PID:628
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe98⤵PID:3048
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe99⤵PID:5128
-
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe100⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe101⤵PID:5232
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe102⤵PID:5272
-
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe103⤵PID:5324
-
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe104⤵PID:5388
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe105⤵PID:5460
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe106⤵PID:5524
-
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe107⤵PID:5564
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe108⤵PID:5620
-
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe109⤵PID:5664
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe110⤵PID:5704
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe111⤵PID:5752
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe112⤵PID:5796
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe113⤵PID:5852
-
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe114⤵PID:5888
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe115⤵
- Drops file in System32 directory
PID:5940 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe116⤵PID:5984
-
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe118⤵PID:6072
-
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe119⤵PID:6116
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe120⤵PID:5140
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe121⤵PID:5224
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe122⤵PID:5316
-
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe123⤵PID:5400
-
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe124⤵PID:5500
-
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe125⤵PID:5556
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe126⤵PID:5640
-
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe127⤵PID:5696
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe128⤵PID:5768
-
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe129⤵PID:5844
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe130⤵
- Drops file in System32 directory
PID:5908 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe131⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe132⤵PID:6056
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe133⤵PID:6124
-
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe134⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe135⤵PID:5308
-
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe136⤵PID:5472
-
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe137⤵PID:5592
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe138⤵PID:5672
-
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe139⤵PID:5832
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe140⤵PID:5980
-
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe141⤵PID:6020
-
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe142⤵PID:1680
-
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe143⤵PID:5304
-
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe144⤵PID:5516
-
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe145⤵PID:5692
-
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe146⤵PID:5948
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe147⤵PID:6136
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe148⤵PID:5376
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe149⤵PID:5840
-
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe150⤵PID:6096
-
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe151⤵PID:5380
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe152⤵PID:6036
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe153⤵PID:5924
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe154⤵PID:5792
-
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe155⤵PID:5932
-
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe156⤵PID:6184
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe157⤵PID:6224
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe158⤵PID:6268
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe159⤵
- Drops file in System32 directory
PID:6308 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe160⤵PID:6348
-
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe161⤵PID:6392
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe162⤵PID:6432
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe163⤵PID:6476
-
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe164⤵PID:6516
-
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe165⤵PID:6560
-
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe166⤵PID:6608
-
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe167⤵PID:6648
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe168⤵PID:6700
-
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe169⤵PID:6740
-
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe170⤵PID:6784
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe171⤵PID:6828
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe172⤵
- Drops file in System32 directory
PID:6872 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe173⤵PID:6908
-
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe174⤵PID:6960
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe175⤵PID:7004
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe176⤵PID:7052
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe177⤵PID:7104
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe178⤵PID:7152
-
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe179⤵
- Modifies registry class
PID:6216 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe180⤵PID:6288
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe181⤵PID:6356
-
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe182⤵PID:6420
-
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe183⤵
- Drops file in System32 directory
PID:6484 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe184⤵
- Drops file in System32 directory
PID:6552 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe185⤵PID:6600
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe186⤵PID:6692
-
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe187⤵
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe188⤵PID:3520
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe189⤵PID:6804
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe190⤵PID:6860
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe191⤵PID:6928
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6992 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe193⤵PID:7064
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe194⤵PID:7148
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe195⤵PID:6264
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe196⤵PID:6376
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe197⤵PID:6504
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe198⤵PID:6592
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe199⤵PID:1820
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe200⤵PID:6796
-
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe201⤵PID:6884
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe202⤵PID:7012
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe203⤵PID:7136
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe204⤵PID:6304
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe205⤵PID:6456
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe206⤵
- Modifies registry class
PID:6656 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe207⤵PID:6720
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe208⤵PID:6980
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe209⤵
- Modifies registry class
PID:7044 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe210⤵PID:7048
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe211⤵PID:6676
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe212⤵PID:6848
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe213⤵PID:7140
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe214⤵PID:6596
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe215⤵PID:7036
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe216⤵PID:6636
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe217⤵PID:7160
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe218⤵PID:6464
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe219⤵PID:6904
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe220⤵
- Drops file in System32 directory
PID:7192 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe221⤵PID:7232
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe222⤵PID:7276
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe223⤵PID:7316
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7364 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe225⤵PID:7404
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe226⤵PID:7444
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe227⤵PID:7488
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe228⤵PID:7536
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe229⤵PID:7580
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe230⤵PID:7624
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe231⤵PID:7664
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe232⤵PID:7708
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe233⤵
- Modifies registry class
PID:7752 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe234⤵PID:7792
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe235⤵PID:7836
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe236⤵PID:7880
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe237⤵PID:7924
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe238⤵PID:7968
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe239⤵PID:8008
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe240⤵PID:8056
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe241⤵PID:8108
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe242⤵PID:8164