Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 02:44
Behavioral task
behavioral1
Sample
27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe
-
Size
276KB
-
MD5
27dccc3e0fcc7ff0894aedc26d315170
-
SHA1
b777fafd1d17190547afe227dbc68fa34015fd87
-
SHA256
e17548baaeab7c6ef5484cce3c0c50605a81647cd39d72246efbf4f96bd3494f
-
SHA512
96a81a9a2c833a3184ca0a9e9517b047d99d10281eba18384f517601e1492eb192388af9a53513e81e966989b45053b0a9eb9b5cfd3db14e880d476fca4e775e
-
SSDEEP
6144:lHjBHyvlwqwptRIJsdWZHEFJ7aWN1rtMsQBOSGaF+:lHjxRIo2HEGWN1RMs1S7
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Icplcpgo.exeOjoign32.exeIgchfiof.exeOaompd32.exeHihbijhn.exeHpcodihc.exeIjcjmmil.exePhaahggp.exeOihagaji.exeCmklglpn.exeNognnj32.exeAjbmdn32.exeGkglja32.exeFdepgkgj.exeMilidebi.exeNgdmod32.exeJbdbjf32.exeDddojq32.exeOcopdn32.exePcjiff32.exeNnlhfn32.exeEdopabqn.exeGgahedjn.exeOelolmnd.exeJnjejjgh.exeMmlpoqpg.exeIkejgf32.exeCjkjpgfi.exeFfaong32.exePoimpapp.exeGomakdcp.exeAednci32.exeBfhhoi32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaompd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hihbijhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpcodihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmklglpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkglja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Milidebi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdmod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdbjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddojq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edopabqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggahedjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelolmnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnjejjgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlpoqpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikejgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomakdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfhhoi32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Pbkamqmd.exe family_berbew C:\Windows\SysWOW64\Pkceffcd.exe family_berbew C:\Windows\SysWOW64\Pnbbbabh.exe family_berbew C:\Windows\SysWOW64\Pqpnombl.exe family_berbew C:\Windows\SysWOW64\Pkfblfab.exe family_berbew C:\Windows\SysWOW64\Pndohaqe.exe family_berbew C:\Windows\SysWOW64\Pgmcqggf.exe family_berbew C:\Windows\SysWOW64\Pjkombfj.exe family_berbew C:\Windows\SysWOW64\Pnfkma32.exe family_berbew C:\Windows\SysWOW64\Paegjl32.exe family_berbew C:\Windows\SysWOW64\Pcccfh32.exe family_berbew C:\Windows\SysWOW64\Pgopffec.exe family_berbew C:\Windows\SysWOW64\Pnihcq32.exe family_berbew C:\Windows\SysWOW64\Pagdol32.exe family_berbew C:\Windows\SysWOW64\Qecppkdm.exe family_berbew C:\Windows\SysWOW64\Qkmhlekj.exe family_berbew C:\Windows\SysWOW64\Qnkdhpjn.exe family_berbew C:\Windows\SysWOW64\Qbgqio32.exe family_berbew C:\Windows\SysWOW64\Qeemej32.exe family_berbew C:\Windows\SysWOW64\Qloebdig.exe family_berbew C:\Windows\SysWOW64\Qjbena32.exe family_berbew C:\Windows\SysWOW64\Qbimoo32.exe family_berbew C:\Windows\SysWOW64\Qalnjkgo.exe family_berbew C:\Windows\SysWOW64\Acjjfggb.exe family_berbew C:\Windows\SysWOW64\Abkjdnoa.exe family_berbew C:\Windows\SysWOW64\Ajdbcano.exe family_berbew C:\Windows\SysWOW64\Qchmagie.exe family_berbew C:\Windows\SysWOW64\Qgallfcq.exe family_berbew C:\Windows\SysWOW64\Pjmlbbdg.exe family_berbew C:\Windows\SysWOW64\Pcagphom.exe family_berbew C:\Windows\SysWOW64\Pabkdmpi.exe family_berbew C:\Windows\SysWOW64\Peljol32.exe family_berbew C:\Windows\SysWOW64\Dbllbibl.exe family_berbew C:\Windows\SysWOW64\Fkopnh32.exe family_berbew C:\Windows\SysWOW64\Fcmnpe32.exe family_berbew C:\Windows\SysWOW64\Ibjjhn32.exe family_berbew C:\Windows\SysWOW64\Ildkgc32.exe family_berbew C:\Windows\SysWOW64\Jimekgff.exe family_berbew C:\Windows\SysWOW64\Jpnchp32.exe family_berbew C:\Windows\SysWOW64\Kpeiioac.exe family_berbew C:\Windows\SysWOW64\Kmkfhc32.exe family_berbew C:\Windows\SysWOW64\Kmncnb32.exe family_berbew C:\Windows\SysWOW64\Lpcfkm32.exe family_berbew C:\Windows\SysWOW64\Lgokmgjm.exe family_berbew C:\Windows\SysWOW64\Mpoefk32.exe family_berbew C:\Windows\SysWOW64\Nljofl32.exe family_berbew C:\Windows\SysWOW64\Ngpccdlj.exe family_berbew C:\Windows\SysWOW64\Nnjlpo32.exe family_berbew C:\Windows\SysWOW64\Ogkcpbam.exe family_berbew C:\Windows\SysWOW64\Ogpmjb32.exe family_berbew C:\Windows\SysWOW64\Oddmdf32.exe family_berbew C:\Windows\SysWOW64\Pnakhkol.exe family_berbew C:\Windows\SysWOW64\Aglemn32.exe family_berbew C:\Windows\SysWOW64\Bebblb32.exe family_berbew C:\Windows\SysWOW64\Bfhhoi32.exe family_berbew C:\Windows\SysWOW64\Cagobalc.exe family_berbew C:\Windows\SysWOW64\Danecp32.exe family_berbew C:\Windows\SysWOW64\Dodbbdbb.exe family_berbew C:\Windows\SysWOW64\Edfdej32.exe family_berbew C:\Windows\SysWOW64\Ekgbccni.exe family_berbew C:\Windows\SysWOW64\Fkllnbjc.exe family_berbew C:\Windows\SysWOW64\Fhpmgg32.exe family_berbew C:\Windows\SysWOW64\Fahaplon.exe family_berbew C:\Windows\SysWOW64\Fefjfked.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Pbkamqmd.exePkceffcd.exePnbbbabh.exePqpnombl.exePeljol32.exePkfblfab.exePndohaqe.exePabkdmpi.exePcagphom.exePgmcqggf.exePjkombfj.exePnfkma32.exePaegjl32.exePcccfh32.exePgopffec.exePjmlbbdg.exePnihcq32.exePagdol32.exeQecppkdm.exeQgallfcq.exeQkmhlekj.exeQnkdhpjn.exeQbgqio32.exeQeemej32.exeQchmagie.exeQloebdig.exeQjbena32.exeQbimoo32.exeQalnjkgo.exeAcjjfggb.exeAjdbcano.exeAbkjdnoa.exeAanjpk32.exeAcmflf32.exeAhhblemi.exeAjfoiqll.exeAnbkio32.exeAaqgek32.exeAelcfilb.exeAhkobekf.exeAlfkbc32.exeAndgoobc.exeAbpcon32.exeAacckjaf.exeAdapgfqj.exeAhmlgd32.exeAjkhdp32.exeAngddopp.exeAbbpem32.exeAaepqjpd.exeAealah32.exeAjneip32.exeBehbag32.exeBjdkjo32.exeBblckl32.exeBejogg32.exeBjghpn32.exeBbnpqk32.exeBdolhc32.exeCacmah32.exeChmeobkq.exeCklaknjd.exeCafigg32.exeCeaehfjj.exepid process 1880 Pbkamqmd.exe 2512 Pkceffcd.exe 3092 Pnbbbabh.exe 3828 Pqpnombl.exe 3672 Peljol32.exe 4076 Pkfblfab.exe 2800 Pndohaqe.exe 4176 Pabkdmpi.exe 1824 Pcagphom.exe 1484 Pgmcqggf.exe 4944 Pjkombfj.exe 2016 Pnfkma32.exe 1468 Paegjl32.exe 440 Pcccfh32.exe 4568 Pgopffec.exe 4504 Pjmlbbdg.exe 5040 Pnihcq32.exe 1812 Pagdol32.exe 32 Qecppkdm.exe 1692 Qgallfcq.exe 1488 Qkmhlekj.exe 2864 Qnkdhpjn.exe 4388 Qbgqio32.exe 3948 Qeemej32.exe 3044 Qchmagie.exe 1156 Qloebdig.exe 536 Qjbena32.exe 876 Qbimoo32.exe 1012 Qalnjkgo.exe 3488 Acjjfggb.exe 4600 Ajdbcano.exe 1076 Abkjdnoa.exe 2836 Aanjpk32.exe 2792 Acmflf32.exe 4300 Ahhblemi.exe 5052 Ajfoiqll.exe 3388 Anbkio32.exe 1352 Aaqgek32.exe 512 Aelcfilb.exe 4248 Ahkobekf.exe 3504 Alfkbc32.exe 2084 Andgoobc.exe 2732 Abpcon32.exe 2036 Aacckjaf.exe 2776 Adapgfqj.exe 4348 Ahmlgd32.exe 4652 Ajkhdp32.exe 3852 Angddopp.exe 4432 Abbpem32.exe 228 Aaepqjpd.exe 2868 Aealah32.exe 4656 Ajneip32.exe 2892 Behbag32.exe 4552 Bjdkjo32.exe 2424 Bblckl32.exe 3536 Bejogg32.exe 2396 Bjghpn32.exe 4308 Bbnpqk32.exe 3516 Bdolhc32.exe 1236 Cacmah32.exe 3180 Chmeobkq.exe 3116 Cklaknjd.exe 5004 Cafigg32.exe 2572 Ceaehfjj.exe -
Drops file in System32 directory 64 IoCs
Processes:
Gomakdcp.exeAednci32.exeJidklf32.exeNpchgdcd.exeNcofplba.exeBejogg32.exeAeklkchg.exeIakiia32.exeDaekdooc.exeMnnkgl32.exeDdgkpp32.exeJgdhgmep.exeLpkiph32.exeEaqdegaj.exeNliaao32.exeBlgifbil.exeAjkhdp32.exeBebblb32.exeDoilmc32.exeFnobem32.exeAamknj32.exeJlpkba32.exeMlampmdo.exeJjjghcfp.exePoimpapp.exeHcdmga32.exePdmpje32.exeQdbiedpa.exeAhmlgd32.exeKmfmmcbo.exeAgdhbi32.exeGkmlofol.exeHobkfd32.exeBaicac32.exeOjdnid32.exePnakhkol.exeJghabl32.exeLihpif32.exeBohbhmfm.exedescription ioc process File created C:\Windows\SysWOW64\Pohkbc32.dll Gomakdcp.exe File created C:\Windows\SysWOW64\Oddfcg32.dll Aednci32.exe File opened for modification C:\Windows\SysWOW64\Pnkbkk32.exe File opened for modification C:\Windows\SysWOW64\Jlbgha32.exe Jidklf32.exe File opened for modification C:\Windows\SysWOW64\Kifojnol.exe File created C:\Windows\SysWOW64\Nlihle32.exe Npchgdcd.exe File created C:\Windows\SysWOW64\Jlpncq32.dll Ncofplba.exe File created C:\Windows\SysWOW64\Ifenan32.dll File opened for modification C:\Windows\SysWOW64\Ojcpdg32.exe File created C:\Windows\SysWOW64\Dpqdba32.dll Bejogg32.exe File created C:\Windows\SysWOW64\Ffcnippo.dll Aeklkchg.exe File created C:\Windows\SysWOW64\Ihdafkdg.exe Iakiia32.exe File created C:\Windows\SysWOW64\Debbff32.dll File created C:\Windows\SysWOW64\Dddhpjof.exe Daekdooc.exe File created C:\Windows\SysWOW64\Mjnafk32.dll Mnnkgl32.exe File opened for modification C:\Windows\SysWOW64\Feoodn32.exe File created C:\Windows\SysWOW64\Kplqhmfl.dll File created C:\Windows\SysWOW64\Jbppgona.exe File created C:\Windows\SysWOW64\Gjihje32.dll Ddgkpp32.exe File created C:\Windows\SysWOW64\Jicdap32.exe Jgdhgmep.exe File created C:\Windows\SysWOW64\Lhfmdj32.exe Lpkiph32.exe File opened for modification C:\Windows\SysWOW64\Edopabqn.exe Eaqdegaj.exe File created C:\Windows\SysWOW64\Clkbmh32.dll Nliaao32.exe File created C:\Windows\SysWOW64\Bkjiao32.exe Blgifbil.exe File created C:\Windows\SysWOW64\Pbhgoh32.exe File created C:\Windows\SysWOW64\Khecje32.dll File created C:\Windows\SysWOW64\Phadlp32.dll Ajkhdp32.exe File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe Bebblb32.exe File created C:\Windows\SysWOW64\Dahhio32.exe Doilmc32.exe File created C:\Windows\SysWOW64\Pacmhc32.dll Fnobem32.exe File created C:\Windows\SysWOW64\Adkgje32.exe Aamknj32.exe File opened for modification C:\Windows\SysWOW64\Lfgipd32.exe File created C:\Windows\SysWOW64\Ccdihbgg.exe File created C:\Windows\SysWOW64\Njjdho32.exe File created C:\Windows\SysWOW64\Jbjcolha.exe Jlpkba32.exe File created C:\Windows\SysWOW64\Mplhql32.exe Mlampmdo.exe File created C:\Windows\SysWOW64\Jqdoem32.exe Jjjghcfp.exe File created C:\Windows\SysWOW64\Pecellgl.exe Poimpapp.exe File created C:\Windows\SysWOW64\Emamkgpg.dll File opened for modification C:\Windows\SysWOW64\Fecadghc.exe File opened for modification C:\Windows\SysWOW64\Hbiapb32.exe File created C:\Windows\SysWOW64\Koljgppp.exe File opened for modification C:\Windows\SysWOW64\Hbgmcnhf.exe Hcdmga32.exe File created C:\Windows\SysWOW64\Pgllfp32.exe Pdmpje32.exe File created C:\Windows\SysWOW64\Qciaajej.dll Qdbiedpa.exe File created C:\Windows\SysWOW64\Oaabap32.dll File opened for modification C:\Windows\SysWOW64\Ajkhdp32.exe Ahmlgd32.exe File opened for modification C:\Windows\SysWOW64\Kpeiioac.exe Kmfmmcbo.exe File opened for modification C:\Windows\SysWOW64\Amaqjp32.exe Agdhbi32.exe File opened for modification C:\Windows\SysWOW64\Ohlqcagj.exe File opened for modification C:\Windows\SysWOW64\Oqoefand.exe File created C:\Windows\SysWOW64\Gcddpdpo.exe Gkmlofol.exe File opened for modification C:\Windows\SysWOW64\Hbpgbo32.exe Hobkfd32.exe File created C:\Windows\SysWOW64\Bgcknmop.exe Baicac32.exe File created C:\Windows\SysWOW64\Oanfen32.exe Ojdnid32.exe File opened for modification C:\Windows\SysWOW64\Hibjli32.exe File created C:\Windows\SysWOW64\Pqpgdfnp.exe Pnakhkol.exe File opened for modification C:\Windows\SysWOW64\Kfjapcii.exe Jghabl32.exe File created C:\Windows\SysWOW64\Dnqjcbao.dll Lihpif32.exe File created C:\Windows\SysWOW64\Bafndi32.exe Bohbhmfm.exe File opened for modification C:\Windows\SysWOW64\Ojqcnhkl.exe File opened for modification C:\Windows\SysWOW64\Pidlqb32.exe File opened for modification C:\Windows\SysWOW64\Ekimjn32.exe File created C:\Windows\SysWOW64\Ieaqqigc.dll -
Program crash 1 IoCs
Processes:
pid pid_target process target process 5692 5224 -
Modifies registry class 64 IoCs
Processes:
Pabblb32.exeJgenbfoa.exePoliea32.exeIefioj32.exeAlcfei32.exeNnkpnclp.exeFcmnpe32.exeIkpaldog.exeOgpmjb32.exeGpfjma32.exeJkaqnk32.exeFpodlbng.exeFfkjlp32.exeCfnqklgh.exeIpflihfq.exeColffknh.exeDboigi32.exeJlbgha32.exeNnfgcd32.exePmaffnce.exeLiimncmf.exeJnkldqkc.exeQcbfakec.exeCjhfpa32.exeCmklglpn.exePjjhbl32.exeHkmnln32.exeEmmkiclm.exeHdokdg32.exeQqfmde32.exeQdbiedpa.exeJgadgf32.exeDmhand32.exeIkbfgppo.exeOnnmdcjm.exeAanjpk32.exeKpeiioac.exeCbphdn32.exeGbdoof32.exeGhlcnk32.exeJfhlejnh.exeEopbnbhd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pabblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaoan32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgenbfoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iefioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpbnihe.dll" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfmcmai.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcmnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikpaldog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpfjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkaqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqhgk32.dll" Fpodlbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffkjlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfnqklgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipflihfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Colffknh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dboigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbinofi.dll" Jlbgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papambbb.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Liimncmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcbfakec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdffhl32.dll" Cjhfpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmklglpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjjhbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkioig32.dll" Hkmnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdokdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll" Qdbiedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndlapjeg.dll" Jgadgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcmhh32.dll" Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikbfgppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debheb32.dll" Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbphdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbdoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghlcnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll" Jfhlejnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmoejcc.dll" Eopbnbhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdokdg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exePbkamqmd.exePkceffcd.exePnbbbabh.exePqpnombl.exePeljol32.exePkfblfab.exePndohaqe.exePabkdmpi.exePcagphom.exePgmcqggf.exePjkombfj.exePnfkma32.exePaegjl32.exePcccfh32.exePgopffec.exePjmlbbdg.exePnihcq32.exePagdol32.exeQecppkdm.exeQgallfcq.exeQkmhlekj.exedescription pid process target process PID 3560 wrote to memory of 1880 3560 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe Pbkamqmd.exe PID 3560 wrote to memory of 1880 3560 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe Pbkamqmd.exe PID 3560 wrote to memory of 1880 3560 27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe Pbkamqmd.exe PID 1880 wrote to memory of 2512 1880 Pbkamqmd.exe Pkceffcd.exe PID 1880 wrote to memory of 2512 1880 Pbkamqmd.exe Pkceffcd.exe PID 1880 wrote to memory of 2512 1880 Pbkamqmd.exe Pkceffcd.exe PID 2512 wrote to memory of 3092 2512 Pkceffcd.exe Pnbbbabh.exe PID 2512 wrote to memory of 3092 2512 Pkceffcd.exe Pnbbbabh.exe PID 2512 wrote to memory of 3092 2512 Pkceffcd.exe Pnbbbabh.exe PID 3092 wrote to memory of 3828 3092 Pnbbbabh.exe Pqpnombl.exe PID 3092 wrote to memory of 3828 3092 Pnbbbabh.exe Pqpnombl.exe PID 3092 wrote to memory of 3828 3092 Pnbbbabh.exe Pqpnombl.exe PID 3828 wrote to memory of 3672 3828 Pqpnombl.exe Peljol32.exe PID 3828 wrote to memory of 3672 3828 Pqpnombl.exe Peljol32.exe PID 3828 wrote to memory of 3672 3828 Pqpnombl.exe Peljol32.exe PID 3672 wrote to memory of 4076 3672 Peljol32.exe Pkfblfab.exe PID 3672 wrote to memory of 4076 3672 Peljol32.exe Pkfblfab.exe PID 3672 wrote to memory of 4076 3672 Peljol32.exe Pkfblfab.exe PID 4076 wrote to memory of 2800 4076 Pkfblfab.exe Pndohaqe.exe PID 4076 wrote to memory of 2800 4076 Pkfblfab.exe Pndohaqe.exe PID 4076 wrote to memory of 2800 4076 Pkfblfab.exe Pndohaqe.exe PID 2800 wrote to memory of 4176 2800 Pndohaqe.exe Pabkdmpi.exe PID 2800 wrote to memory of 4176 2800 Pndohaqe.exe Pabkdmpi.exe PID 2800 wrote to memory of 4176 2800 Pndohaqe.exe Pabkdmpi.exe PID 4176 wrote to memory of 1824 4176 Pabkdmpi.exe Pcagphom.exe PID 4176 wrote to memory of 1824 4176 Pabkdmpi.exe Pcagphom.exe PID 4176 wrote to memory of 1824 4176 Pabkdmpi.exe Pcagphom.exe PID 1824 wrote to memory of 1484 1824 Pcagphom.exe Pgmcqggf.exe PID 1824 wrote to memory of 1484 1824 Pcagphom.exe Pgmcqggf.exe PID 1824 wrote to memory of 1484 1824 Pcagphom.exe Pgmcqggf.exe PID 1484 wrote to memory of 4944 1484 Pgmcqggf.exe Pjkombfj.exe PID 1484 wrote to memory of 4944 1484 Pgmcqggf.exe Pjkombfj.exe PID 1484 wrote to memory of 4944 1484 Pgmcqggf.exe Pjkombfj.exe PID 4944 wrote to memory of 2016 4944 Pjkombfj.exe Pnfkma32.exe PID 4944 wrote to memory of 2016 4944 Pjkombfj.exe Pnfkma32.exe PID 4944 wrote to memory of 2016 4944 Pjkombfj.exe Pnfkma32.exe PID 2016 wrote to memory of 1468 2016 Pnfkma32.exe Paegjl32.exe PID 2016 wrote to memory of 1468 2016 Pnfkma32.exe Paegjl32.exe PID 2016 wrote to memory of 1468 2016 Pnfkma32.exe Paegjl32.exe PID 1468 wrote to memory of 440 1468 Paegjl32.exe Pcccfh32.exe PID 1468 wrote to memory of 440 1468 Paegjl32.exe Pcccfh32.exe PID 1468 wrote to memory of 440 1468 Paegjl32.exe Pcccfh32.exe PID 440 wrote to memory of 4568 440 Pcccfh32.exe Pgopffec.exe PID 440 wrote to memory of 4568 440 Pcccfh32.exe Pgopffec.exe PID 440 wrote to memory of 4568 440 Pcccfh32.exe Pgopffec.exe PID 4568 wrote to memory of 4504 4568 Pgopffec.exe Pjmlbbdg.exe PID 4568 wrote to memory of 4504 4568 Pgopffec.exe Pjmlbbdg.exe PID 4568 wrote to memory of 4504 4568 Pgopffec.exe Pjmlbbdg.exe PID 4504 wrote to memory of 5040 4504 Pjmlbbdg.exe Pnihcq32.exe PID 4504 wrote to memory of 5040 4504 Pjmlbbdg.exe Pnihcq32.exe PID 4504 wrote to memory of 5040 4504 Pjmlbbdg.exe Pnihcq32.exe PID 5040 wrote to memory of 1812 5040 Pnihcq32.exe Pagdol32.exe PID 5040 wrote to memory of 1812 5040 Pnihcq32.exe Pagdol32.exe PID 5040 wrote to memory of 1812 5040 Pnihcq32.exe Pagdol32.exe PID 1812 wrote to memory of 32 1812 Pagdol32.exe Qecppkdm.exe PID 1812 wrote to memory of 32 1812 Pagdol32.exe Qecppkdm.exe PID 1812 wrote to memory of 32 1812 Pagdol32.exe Qecppkdm.exe PID 32 wrote to memory of 1692 32 Qecppkdm.exe Qgallfcq.exe PID 32 wrote to memory of 1692 32 Qecppkdm.exe Qgallfcq.exe PID 32 wrote to memory of 1692 32 Qecppkdm.exe Qgallfcq.exe PID 1692 wrote to memory of 1488 1692 Qgallfcq.exe Qkmhlekj.exe PID 1692 wrote to memory of 1488 1692 Qgallfcq.exe Qkmhlekj.exe PID 1692 wrote to memory of 1488 1692 Qgallfcq.exe Qkmhlekj.exe PID 1488 wrote to memory of 2864 1488 Qkmhlekj.exe Qnkdhpjn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\27dccc3e0fcc7ff0894aedc26d315170_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe23⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe24⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe25⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe26⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe27⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe28⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe29⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe30⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe31⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe32⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe33⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe35⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe36⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe37⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe38⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe39⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe40⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe41⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe42⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe43⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe44⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe45⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe46⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4348 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4652 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe49⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe50⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe51⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe52⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe53⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe54⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe55⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe56⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe58⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe59⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe60⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe61⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe62⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe63⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe64⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe65⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe66⤵PID:1796
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe67⤵PID:2300
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe68⤵PID:2600
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe69⤵PID:2124
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe70⤵PID:1004
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe71⤵PID:4368
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe72⤵
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe73⤵PID:2548
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe74⤵PID:1460
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe75⤵PID:4928
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe76⤵PID:4228
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe77⤵PID:4956
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe78⤵PID:5008
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe79⤵PID:680
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe80⤵PID:5024
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe81⤵
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe82⤵PID:1472
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe83⤵PID:1604
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe84⤵PID:4508
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe85⤵PID:4764
-
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe86⤵PID:1980
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe87⤵PID:4676
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe89⤵PID:1680
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe90⤵PID:3104
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe91⤵PID:936
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe92⤵PID:1584
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe93⤵
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe94⤵PID:1592
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe95⤵PID:1996
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe96⤵PID:1044
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe97⤵PID:5140
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe98⤵PID:5192
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe99⤵PID:5236
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe100⤵PID:5276
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe101⤵PID:5312
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe102⤵PID:5356
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe103⤵PID:5400
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe104⤵PID:5444
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe105⤵PID:5488
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe106⤵PID:5536
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe107⤵PID:5576
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe108⤵PID:5620
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe109⤵PID:5664
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe110⤵PID:5708
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe111⤵PID:5748
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe112⤵PID:5796
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe113⤵PID:5860
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe114⤵PID:5920
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe115⤵PID:5964
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe116⤵PID:6008
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe117⤵PID:6052
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe118⤵PID:6096
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe119⤵PID:6140
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe120⤵PID:5176
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe121⤵PID:5244
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe122⤵PID:5324
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe123⤵PID:5388
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe124⤵PID:5460
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe125⤵PID:5524
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe126⤵PID:5608
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe127⤵PID:5672
-
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe128⤵PID:5736
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe129⤵PID:5852
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe130⤵PID:5944
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe131⤵PID:5984
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe132⤵
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe133⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe134⤵PID:5224
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe135⤵PID:5344
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe136⤵PID:5436
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe137⤵PID:5568
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe138⤵PID:5696
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe139⤵
- Modifies registry class
PID:5808 -
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe140⤵PID:5996
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe141⤵PID:6092
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe142⤵PID:5180
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe143⤵PID:5292
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe144⤵PID:5600
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe145⤵
- Drops file in System32 directory
PID:5716 -
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe146⤵PID:5952
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe147⤵PID:6128
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe148⤵PID:5396
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe149⤵PID:5684
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe150⤵PID:5432
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe151⤵PID:5268
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe152⤵PID:6204
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6252 -
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe154⤵PID:6300
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe155⤵PID:6368
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe156⤵PID:6412
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe157⤵PID:6480
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe158⤵PID:6544
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe159⤵PID:6588
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6628 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe161⤵PID:6664
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe162⤵
- Drops file in System32 directory
PID:6716 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe163⤵PID:6764
-
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe164⤵PID:6808
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe165⤵PID:6856
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe166⤵PID:6912
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe167⤵PID:6956
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe168⤵PID:6996
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe169⤵PID:7040
-
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe170⤵PID:7084
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe171⤵PID:7124
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe172⤵PID:7164
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe173⤵PID:6188
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe174⤵PID:6276
-
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe175⤵
- Drops file in System32 directory
PID:6360 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe176⤵PID:6436
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe177⤵
- Modifies registry class
PID:6524 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe178⤵PID:6608
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe179⤵
- Modifies registry class
PID:6676 -
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe180⤵PID:6760
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe181⤵PID:6832
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe182⤵PID:6896
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe183⤵PID:6984
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe184⤵PID:7060
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe185⤵PID:7120
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe186⤵PID:6180
-
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe187⤵PID:6284
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe188⤵PID:6460
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe189⤵PID:6620
-
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe190⤵PID:6728
-
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6844 -
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe192⤵PID:6964
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe193⤵PID:7100
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe194⤵PID:6152
-
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe195⤵PID:6536
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe196⤵PID:6672
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe197⤵PID:6796
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe198⤵
- Drops file in System32 directory
PID:7004 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe199⤵PID:6148
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe200⤵PID:6520
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe201⤵
- Drops file in System32 directory
PID:6816 -
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe202⤵
- Modifies registry class
PID:7144 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe203⤵PID:6700
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe204⤵
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe205⤵PID:6780
-
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe206⤵PID:6660
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe207⤵PID:7180
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe208⤵PID:7228
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe209⤵PID:7276
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe210⤵PID:7320
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe211⤵PID:7368
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe212⤵PID:7412
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe213⤵PID:7456
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe214⤵PID:7492
-
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe215⤵PID:7540
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe216⤵PID:7584
-
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe217⤵
- Drops file in System32 directory
PID:7628 -
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe218⤵
- Modifies registry class
PID:7672 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe219⤵PID:7716
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe220⤵PID:7756
-
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe221⤵PID:7792
-
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe222⤵PID:7848
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe223⤵PID:7904
-
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe224⤵PID:7948
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe225⤵PID:7992
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe226⤵PID:8036
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe227⤵PID:8080
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe228⤵PID:8128
-
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe229⤵PID:8172
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe230⤵PID:7172
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe231⤵PID:7260
-
C:\Windows\SysWOW64\Leihbeib.exeC:\Windows\system32\Leihbeib.exe232⤵PID:7328
-
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe233⤵PID:7404
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe234⤵PID:7480
-
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe235⤵PID:7548
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe236⤵PID:7616
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe237⤵PID:7688
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe238⤵PID:7776
-
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe239⤵PID:7832
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe240⤵PID:7912
-
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe241⤵
- Modifies registry class
PID:7984 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe242⤵PID:8048