Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 02:19
Behavioral task
behavioral1
Sample
248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe
-
Size
400KB
-
MD5
248abd4c7e98f9aec219eacb9015f400
-
SHA1
b51114e539b7fd839aa9624d042227bf1edb8cdf
-
SHA256
9d90b192cee83c5af604c43c27120226e50a4972d4760b7a4b87714a2fcc2436
-
SHA512
3eb490aa13dc62bda2f538810247c3594ae7a0ee3324a3b1b91fc6759210fe99e09caa5fcd3177f20ead9fc4fec407b7abc5a79ee00ad5210eafd89f0d06c2ad
-
SSDEEP
12288:+XLLLLLLLLLLLLLLbLLLLLLSPLLLLLLgYJ07kE0KoFtw2gu9RxrBIUbPLwH96/Ir:ILLLLLLLLLLLLLLbLLLLLLSPLLLLLLgB
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pcjiff32.exeNplkmckj.exeEaladnik.exeJpdhkf32.exeDpckjfgg.exeCagobalc.exeMedgncoe.exeNipekiep.exeFhmigagd.exeOnhhamgg.exeIgfkfo32.exeAqoiqn32.exeEpikpo32.exeKmfmmcbo.exeOgkcpbam.exeLelchgne.exeNojjcj32.exeNepgjaeg.exeNjefqo32.exeMfjcnold.exeNgbpidjh.exeQmmnjfnl.exeQjnkcekm.exeGlcaambb.exeFhpmgg32.exeKnbbep32.exeEhnglm32.exeGhopckpi.exeDmdhcddh.exePgopffec.exePdpmpdbd.exeFnjhjn32.exeHdlpneli.exeNlihle32.exeJncoikmp.exeJlkagbej.exeIgcoqocb.exeJjlmclqa.exeDelnin32.exeOcamjm32.exeKnefeffd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nplkmckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ealadnik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdhkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpckjfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cagobalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medgncoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipekiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhmigagd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onhhamgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqoiqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmfmmcbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkcpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nojjcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfjcnold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qjnkcekm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glcaambb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhpmgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghopckpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgopffec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdpmpdbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnjhjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlpneli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jncoikmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlkagbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjlmclqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocamjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpdhkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knefeffd.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Lijdhiaa.exe family_berbew C:\Windows\SysWOW64\Ldohebqh.exe family_berbew C:\Windows\SysWOW64\Lpfijcfl.exe family_berbew C:\Windows\SysWOW64\Lcdegnep.exe family_berbew C:\Windows\SysWOW64\Lddbqa32.exe family_berbew C:\Windows\SysWOW64\Mpkbebbf.exe family_berbew C:\Windows\SysWOW64\Mjcgohig.exe family_berbew C:\Windows\SysWOW64\Majopeii.exe family_berbew C:\Windows\SysWOW64\Mjeddggd.exe family_berbew C:\Windows\SysWOW64\Mgidml32.exe family_berbew C:\Windows\SysWOW64\Mpaifalo.exe family_berbew C:\Windows\SysWOW64\Mkgmcjld.exe family_berbew C:\Windows\SysWOW64\Mdpalp32.exe family_berbew C:\Windows\SysWOW64\Nnhfee32.exe family_berbew C:\Windows\SysWOW64\Nnhfee32.exe family_berbew C:\Windows\SysWOW64\Ndbnboqb.exe family_berbew C:\Windows\SysWOW64\Nklfoi32.exe family_berbew C:\Windows\SysWOW64\Nafokcol.exe family_berbew C:\Windows\SysWOW64\Ncgkcl32.exe family_berbew C:\Windows\SysWOW64\Njacpf32.exe family_berbew C:\Windows\SysWOW64\Ncihikcg.exe family_berbew C:\Windows\SysWOW64\Ncihikcg.exe family_berbew C:\Windows\SysWOW64\Nnolfdcn.exe family_berbew C:\Windows\SysWOW64\Ncldnkae.exe family_berbew C:\Windows\SysWOW64\Nqpego32.exe family_berbew C:\Windows\SysWOW64\Ondeac32.exe family_berbew C:\Windows\SysWOW64\Ocqnij32.exe family_berbew C:\Windows\SysWOW64\Okhfjh32.exe family_berbew C:\Windows\SysWOW64\Obangb32.exe family_berbew C:\Windows\SysWOW64\Onholckc.exe family_berbew C:\Windows\SysWOW64\Ogaceh32.exe family_berbew C:\Windows\SysWOW64\Onklabip.exe family_berbew C:\Windows\SysWOW64\Ogcpjhoq.exe family_berbew C:\Windows\SysWOW64\Oqkdcn32.exe family_berbew C:\Windows\SysWOW64\Pjkombfj.exe family_berbew C:\Windows\SysWOW64\Aelcfilb.exe family_berbew C:\Windows\SysWOW64\Adcmmeog.exe family_berbew C:\Windows\SysWOW64\Chbnia32.exe family_berbew C:\Windows\SysWOW64\Cbjoljdo.exe family_berbew C:\Windows\SysWOW64\Docmgjhp.exe family_berbew C:\Windows\SysWOW64\Deoaid32.exe family_berbew C:\Windows\SysWOW64\Ecmeig32.exe family_berbew C:\Windows\SysWOW64\Fohoigfh.exe family_berbew C:\Windows\SysWOW64\Fhjfhl32.exe family_berbew C:\Windows\SysWOW64\Gododflk.exe family_berbew C:\Windows\SysWOW64\Gcddpdpo.exe family_berbew C:\Windows\SysWOW64\Gokdeeec.exe family_berbew C:\Windows\SysWOW64\Hbnjmp32.exe family_berbew C:\Windows\SysWOW64\Hkfoeega.exe family_berbew C:\Windows\SysWOW64\Hbeqmoji.exe family_berbew C:\Windows\SysWOW64\Immapg32.exe family_berbew C:\Windows\SysWOW64\Iifokh32.exe family_berbew C:\Windows\SysWOW64\Ifllil32.exe family_berbew C:\Windows\SysWOW64\Ibcmom32.exe family_berbew C:\Windows\SysWOW64\Jcbihpel.exe family_berbew C:\Windows\SysWOW64\Jbhfjljd.exe family_berbew C:\Windows\SysWOW64\Jifhaenk.exe family_berbew C:\Windows\SysWOW64\Kfjhkjle.exe family_berbew C:\Windows\SysWOW64\Kdqejn32.exe family_berbew C:\Windows\SysWOW64\Kpgfooop.exe family_berbew C:\Windows\SysWOW64\Kipkhdeq.exe family_berbew C:\Windows\SysWOW64\Klqcioba.exe family_berbew C:\Windows\SysWOW64\Lffhfh32.exe family_berbew C:\Windows\SysWOW64\Lfhdlh32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Lijdhiaa.exeLdohebqh.exeLpfijcfl.exeLcdegnep.exeLddbqa32.exeMpkbebbf.exeMjcgohig.exeMajopeii.exeMjeddggd.exeMgidml32.exeMpaifalo.exeMkgmcjld.exeMdpalp32.exeNnhfee32.exeNdbnboqb.exeNklfoi32.exeNafokcol.exeNcgkcl32.exeNjacpf32.exeNcihikcg.exeNnolfdcn.exeNcldnkae.exeNqpego32.exeOndeac32.exeOcqnij32.exeOkhfjh32.exeObangb32.exeOnholckc.exeOgaceh32.exeOnklabip.exeOgcpjhoq.exeOqkdcn32.exePgemphmn.exePjdilcla.exePbkamqmd.exePeimil32.exePghieg32.exePnbbbabh.exePqpnombl.exePkfblfab.exePndohaqe.exePengdk32.exePgmcqggf.exePjkombfj.exePeqcjkfp.exePgopffec.exePkjlge32.exeQgallfcq.exeQjpiha32.exeQbgqio32.exeQchmagie.exeQloebdig.exeQalnjkgo.exeAcjjfggb.exeAlabgd32.exeAbkjdnoa.exeAcmflf32.exeAbngjnmo.exeAelcfilb.exeAacckjaf.exeAdapgfqj.exeAbbpem32.exeAdcmmeog.exeAniajnnn.exepid process 1312 Lijdhiaa.exe 2396 Ldohebqh.exe 2216 Lpfijcfl.exe 4920 Lcdegnep.exe 2444 Lddbqa32.exe 3360 Mpkbebbf.exe 2124 Mjcgohig.exe 1084 Majopeii.exe 4872 Mjeddggd.exe 228 Mgidml32.exe 2184 Mpaifalo.exe 5080 Mkgmcjld.exe 816 Mdpalp32.exe 1072 Nnhfee32.exe 4652 Ndbnboqb.exe 3556 Nklfoi32.exe 2912 Nafokcol.exe 4212 Ncgkcl32.exe 3296 Njacpf32.exe 1696 Ncihikcg.exe 4016 Nnolfdcn.exe 4800 Ncldnkae.exe 4552 Nqpego32.exe 4208 Ondeac32.exe 1460 Ocqnij32.exe 1160 Okhfjh32.exe 2264 Obangb32.exe 1556 Onholckc.exe 3344 Ogaceh32.exe 3000 Onklabip.exe 4288 Ogcpjhoq.exe 2620 Oqkdcn32.exe 884 Pgemphmn.exe 1656 Pjdilcla.exe 4432 Pbkamqmd.exe 716 Peimil32.exe 3864 Pghieg32.exe 2364 Pnbbbabh.exe 4640 Pqpnombl.exe 2008 Pkfblfab.exe 1408 Pndohaqe.exe 3604 Pengdk32.exe 404 Pgmcqggf.exe 2824 Pjkombfj.exe 4088 Peqcjkfp.exe 1596 Pgopffec.exe 4356 Pkjlge32.exe 756 Qgallfcq.exe 3016 Qjpiha32.exe 4136 Qbgqio32.exe 4036 Qchmagie.exe 3504 Qloebdig.exe 1216 Qalnjkgo.exe 3760 Acjjfggb.exe 1900 Alabgd32.exe 4420 Abkjdnoa.exe 2548 Acmflf32.exe 2512 Abngjnmo.exe 4532 Aelcfilb.exe 4504 Aacckjaf.exe 3196 Adapgfqj.exe 2112 Abbpem32.exe 2688 Adcmmeog.exe 1740 Aniajnnn.exe -
Drops file in System32 directory 64 IoCs
Processes:
Abbpem32.exeLingibiq.exeNbgcih32.exeIciaqc32.exePeimil32.exeAqppkd32.exeFhflnpoi.exeKjpijpdg.exeKedoge32.exeLdanqkki.exeAimkjp32.exeJbiejoaj.exeJnlbojee.exeQgallfcq.exeEhnglm32.exeJlednamo.exeMegdccmb.exeCijpahho.exeKfjhkjle.exeCoiaiakf.exeFbjmhh32.exeGdbmhf32.exeIiehpahb.exeLpneegel.exeNbqmiinl.exeMgagbf32.exeFoqkdp32.exeGgcfja32.exeAleckinj.exeOlgncmim.exeOaompd32.exeNognnj32.exeCcgjopal.exeJknfcofa.exeNjacpf32.exeJianff32.exeOgkcpbam.exePfhfan32.exeHjchaf32.exedescription ioc process File created C:\Windows\SysWOW64\Jiglalpk.dll Abbpem32.exe File created C:\Windows\SysWOW64\Lllcen32.exe Lingibiq.exe File opened for modification C:\Windows\SysWOW64\Niakfbpa.exe Nbgcih32.exe File created C:\Windows\SysWOW64\Pfejnf32.dll Iciaqc32.exe File created C:\Windows\SysWOW64\Ieoacg32.dll File opened for modification C:\Windows\SysWOW64\Gnfooe32.exe File created C:\Windows\SysWOW64\Pghieg32.exe Peimil32.exe File opened for modification C:\Windows\SysWOW64\Aeklkchg.exe Aqppkd32.exe File opened for modification C:\Windows\SysWOW64\Gigheh32.exe Fhflnpoi.exe File created C:\Windows\SysWOW64\Elcfgpga.dll Kjpijpdg.exe File opened for modification C:\Windows\SysWOW64\Hlepcdoa.exe File opened for modification C:\Windows\SysWOW64\Biklho32.exe File created C:\Windows\SysWOW64\Fhccdhqf.dll Kedoge32.exe File created C:\Windows\SysWOW64\Lgokmgjm.exe Ldanqkki.exe File created C:\Windows\SysWOW64\Dppadp32.dll Aimkjp32.exe File created C:\Windows\SysWOW64\Jibmgi32.exe Jbiejoaj.exe File created C:\Windows\SysWOW64\Jqknkedi.exe Jnlbojee.exe File opened for modification C:\Windows\SysWOW64\Lnldla32.exe File created C:\Windows\SysWOW64\Idkobdie.dll File created C:\Windows\SysWOW64\Nmlpen32.dll File created C:\Windows\SysWOW64\Oahhgi32.dll File opened for modification C:\Windows\SysWOW64\Qjpiha32.exe Qgallfcq.exe File created C:\Windows\SysWOW64\Bqhimici.dll Ehnglm32.exe File created C:\Windows\SysWOW64\Jcllonma.exe Jlednamo.exe File created C:\Windows\SysWOW64\Gijlad32.dll Megdccmb.exe File created C:\Windows\SysWOW64\Bfdhdp32.dll Cijpahho.exe File opened for modification C:\Windows\SysWOW64\Nnkpnclp.exe File created C:\Windows\SysWOW64\Hemikcpm.dll File created C:\Windows\SysWOW64\Hledan32.dll Kfjhkjle.exe File opened for modification C:\Windows\SysWOW64\Qdbdcg32.exe File created C:\Windows\SysWOW64\Cfcjfk32.exe Coiaiakf.exe File opened for modification C:\Windows\SysWOW64\Fjadje32.exe Fbjmhh32.exe File created C:\Windows\SysWOW64\Mmkkmc32.exe File created C:\Windows\SysWOW64\Hhjamhbn.dll File created C:\Windows\SysWOW64\Ebcmfjll.dll File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe File opened for modification C:\Windows\SysWOW64\Gkleeplq.exe Gdbmhf32.exe File created C:\Windows\SysWOW64\Inbqhhfj.exe Iiehpahb.exe File opened for modification C:\Windows\SysWOW64\Lejnmncd.exe Lpneegel.exe File created C:\Windows\SysWOW64\Nhmeapmd.exe Nbqmiinl.exe File created C:\Windows\SysWOW64\Edommp32.dll File created C:\Windows\SysWOW64\Eafbac32.dll File opened for modification C:\Windows\SysWOW64\Medgncoe.exe Mgagbf32.exe File opened for modification C:\Windows\SysWOW64\Gaogak32.exe Foqkdp32.exe File opened for modification C:\Windows\SysWOW64\Gahjgj32.exe Ggcfja32.exe File created C:\Windows\SysWOW64\Mkellk32.dll Aleckinj.exe File created C:\Windows\SysWOW64\Bdgged32.exe File created C:\Windows\SysWOW64\Kpanan32.exe File created C:\Windows\SysWOW64\Lcjkqlam.dll Olgncmim.exe File opened for modification C:\Windows\SysWOW64\Megljppl.exe File created C:\Windows\SysWOW64\Obnehj32.exe File opened for modification C:\Windows\SysWOW64\Oifeab32.exe Oaompd32.exe File created C:\Windows\SysWOW64\Fijdjfdb.exe File created C:\Windows\SysWOW64\Biklho32.exe File opened for modification C:\Windows\SysWOW64\Nafjjf32.exe Nognnj32.exe File opened for modification C:\Windows\SysWOW64\Dfefkkqp.exe Ccgjopal.exe File opened for modification C:\Windows\SysWOW64\Lcmodajm.exe File opened for modification C:\Windows\SysWOW64\Egnajocq.exe File opened for modification C:\Windows\SysWOW64\Jnlbojee.exe Jknfcofa.exe File created C:\Windows\SysWOW64\Pkckjila.dll Njacpf32.exe File opened for modification C:\Windows\SysWOW64\Jlpkba32.exe Jianff32.exe File opened for modification C:\Windows\SysWOW64\Oneklm32.exe Ogkcpbam.exe File created C:\Windows\SysWOW64\Pmannhhj.exe Pfhfan32.exe File created C:\Windows\SysWOW64\Hdilnojp.exe Hjchaf32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 5468 2336 -
Modifies registry class 64 IoCs
Processes:
248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exeGkmlofol.exeGdjjckag.exeNpcoakfp.exeOflgep32.exeHdbfodfa.exeGhaliknf.exeIfdonfka.exeDfhjkabi.exeNjacpf32.exeNhmeapmd.exeJbjcolha.exeIndmnh32.exeGpfjma32.exeJioaqfcc.exeOhqbhdpj.exeNojjcj32.exeFjhacf32.exeJcllonma.exeKpiljh32.exeIjegcm32.exeIicbehnq.exePlagcbdn.exeFiliii32.exeIhphkl32.exePekbga32.exeInlihl32.exeMlpeff32.exeMockmala.exeLkofdbkj.exeCobkhb32.exeEifhdd32.exeNdcdmikd.exeIfihif32.exeIggjga32.exeLmppcbjd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" 248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkmlofol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdjjckag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oflgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckpaahf.dll" Hdbfodfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfeqknj.dll" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhmomen.dll" Ifdonfka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqjkhbpd.dll" Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqcmdnk.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblamanm.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkbmh32.dll" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimkic32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqcnhf32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbjcolha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Indmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcagc32.dll" Gpfjma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jioaqfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghlhg32.dll" Indmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opakdijo.dll" Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nojjcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeodmbol.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einbcgha.dll" Kpiljh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijegcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plagcbdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckhejil.dll" Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqklch32.dll" Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepkipc.dll" Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhfdb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlpeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbfdbb32.dll" Mockmala.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicdfa32.dll" Lkofdbkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cobkhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eifhdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll" Ndcdmikd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifihif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll" Lmppcbjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exeLijdhiaa.exeLdohebqh.exeLpfijcfl.exeLcdegnep.exeLddbqa32.exeMpkbebbf.exeMjcgohig.exeMajopeii.exeMjeddggd.exeMgidml32.exeMpaifalo.exeMkgmcjld.exeMdpalp32.exeNnhfee32.exeNdbnboqb.exeNklfoi32.exeNafokcol.exeNcgkcl32.exeNjacpf32.exeNcihikcg.exeNnolfdcn.exedescription pid process target process PID 4636 wrote to memory of 1312 4636 248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe Lijdhiaa.exe PID 4636 wrote to memory of 1312 4636 248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe Lijdhiaa.exe PID 4636 wrote to memory of 1312 4636 248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe Lijdhiaa.exe PID 1312 wrote to memory of 2396 1312 Lijdhiaa.exe Ldohebqh.exe PID 1312 wrote to memory of 2396 1312 Lijdhiaa.exe Ldohebqh.exe PID 1312 wrote to memory of 2396 1312 Lijdhiaa.exe Ldohebqh.exe PID 2396 wrote to memory of 2216 2396 Ldohebqh.exe Lpfijcfl.exe PID 2396 wrote to memory of 2216 2396 Ldohebqh.exe Lpfijcfl.exe PID 2396 wrote to memory of 2216 2396 Ldohebqh.exe Lpfijcfl.exe PID 2216 wrote to memory of 4920 2216 Lpfijcfl.exe Lcdegnep.exe PID 2216 wrote to memory of 4920 2216 Lpfijcfl.exe Lcdegnep.exe PID 2216 wrote to memory of 4920 2216 Lpfijcfl.exe Lcdegnep.exe PID 4920 wrote to memory of 2444 4920 Lcdegnep.exe Lddbqa32.exe PID 4920 wrote to memory of 2444 4920 Lcdegnep.exe Lddbqa32.exe PID 4920 wrote to memory of 2444 4920 Lcdegnep.exe Lddbqa32.exe PID 2444 wrote to memory of 3360 2444 Lddbqa32.exe Mpkbebbf.exe PID 2444 wrote to memory of 3360 2444 Lddbqa32.exe Mpkbebbf.exe PID 2444 wrote to memory of 3360 2444 Lddbqa32.exe Mpkbebbf.exe PID 3360 wrote to memory of 2124 3360 Mpkbebbf.exe Mjcgohig.exe PID 3360 wrote to memory of 2124 3360 Mpkbebbf.exe Mjcgohig.exe PID 3360 wrote to memory of 2124 3360 Mpkbebbf.exe Mjcgohig.exe PID 2124 wrote to memory of 1084 2124 Mjcgohig.exe Majopeii.exe PID 2124 wrote to memory of 1084 2124 Mjcgohig.exe Majopeii.exe PID 2124 wrote to memory of 1084 2124 Mjcgohig.exe Majopeii.exe PID 1084 wrote to memory of 4872 1084 Majopeii.exe Mjeddggd.exe PID 1084 wrote to memory of 4872 1084 Majopeii.exe Mjeddggd.exe PID 1084 wrote to memory of 4872 1084 Majopeii.exe Mjeddggd.exe PID 4872 wrote to memory of 228 4872 Mjeddggd.exe Mgidml32.exe PID 4872 wrote to memory of 228 4872 Mjeddggd.exe Mgidml32.exe PID 4872 wrote to memory of 228 4872 Mjeddggd.exe Mgidml32.exe PID 228 wrote to memory of 2184 228 Mgidml32.exe Mpaifalo.exe PID 228 wrote to memory of 2184 228 Mgidml32.exe Mpaifalo.exe PID 228 wrote to memory of 2184 228 Mgidml32.exe Mpaifalo.exe PID 2184 wrote to memory of 5080 2184 Mpaifalo.exe Mkgmcjld.exe PID 2184 wrote to memory of 5080 2184 Mpaifalo.exe Mkgmcjld.exe PID 2184 wrote to memory of 5080 2184 Mpaifalo.exe Mkgmcjld.exe PID 5080 wrote to memory of 816 5080 Mkgmcjld.exe Mdpalp32.exe PID 5080 wrote to memory of 816 5080 Mkgmcjld.exe Mdpalp32.exe PID 5080 wrote to memory of 816 5080 Mkgmcjld.exe Mdpalp32.exe PID 816 wrote to memory of 1072 816 Mdpalp32.exe Nnhfee32.exe PID 816 wrote to memory of 1072 816 Mdpalp32.exe Nnhfee32.exe PID 816 wrote to memory of 1072 816 Mdpalp32.exe Nnhfee32.exe PID 1072 wrote to memory of 4652 1072 Nnhfee32.exe Ndbnboqb.exe PID 1072 wrote to memory of 4652 1072 Nnhfee32.exe Ndbnboqb.exe PID 1072 wrote to memory of 4652 1072 Nnhfee32.exe Ndbnboqb.exe PID 4652 wrote to memory of 3556 4652 Ndbnboqb.exe Nklfoi32.exe PID 4652 wrote to memory of 3556 4652 Ndbnboqb.exe Nklfoi32.exe PID 4652 wrote to memory of 3556 4652 Ndbnboqb.exe Nklfoi32.exe PID 3556 wrote to memory of 2912 3556 Nklfoi32.exe Nafokcol.exe PID 3556 wrote to memory of 2912 3556 Nklfoi32.exe Nafokcol.exe PID 3556 wrote to memory of 2912 3556 Nklfoi32.exe Nafokcol.exe PID 2912 wrote to memory of 4212 2912 Nafokcol.exe Ncgkcl32.exe PID 2912 wrote to memory of 4212 2912 Nafokcol.exe Ncgkcl32.exe PID 2912 wrote to memory of 4212 2912 Nafokcol.exe Ncgkcl32.exe PID 4212 wrote to memory of 3296 4212 Ncgkcl32.exe Njacpf32.exe PID 4212 wrote to memory of 3296 4212 Ncgkcl32.exe Njacpf32.exe PID 4212 wrote to memory of 3296 4212 Ncgkcl32.exe Njacpf32.exe PID 3296 wrote to memory of 1696 3296 Njacpf32.exe Ncihikcg.exe PID 3296 wrote to memory of 1696 3296 Njacpf32.exe Ncihikcg.exe PID 3296 wrote to memory of 1696 3296 Njacpf32.exe Ncihikcg.exe PID 1696 wrote to memory of 4016 1696 Ncihikcg.exe Nnolfdcn.exe PID 1696 wrote to memory of 4016 1696 Ncihikcg.exe Nnolfdcn.exe PID 1696 wrote to memory of 4016 1696 Ncihikcg.exe Nnolfdcn.exe PID 4016 wrote to memory of 4800 4016 Nnolfdcn.exe Ncldnkae.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\248abd4c7e98f9aec219eacb9015f400_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe23⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe24⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe25⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe26⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe27⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe28⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe29⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe30⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe31⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe32⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe33⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe34⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe35⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe36⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:716 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe38⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe39⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe40⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe41⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe42⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe43⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe44⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe45⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe46⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe48⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe50⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe51⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe52⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe53⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe54⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe55⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe56⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe57⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe58⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe59⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe60⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe61⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe62⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe64⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe65⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe66⤵PID:3356
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe67⤵PID:1992
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe68⤵PID:2324
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe69⤵PID:4684
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe70⤵PID:488
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe71⤵PID:4028
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe72⤵PID:5016
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe73⤵PID:3228
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe74⤵PID:2468
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe75⤵PID:3004
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe76⤵PID:4944
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe77⤵PID:1816
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe78⤵PID:4520
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe79⤵PID:2036
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe80⤵PID:3752
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe81⤵PID:1912
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe82⤵PID:4540
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe83⤵PID:4892
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe84⤵PID:784
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe85⤵PID:992
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe86⤵PID:1796
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe87⤵PID:1032
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe88⤵PID:5028
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe89⤵PID:4004
-
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe90⤵PID:4300
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe91⤵PID:5132
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe92⤵PID:5168
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe93⤵PID:5220
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe94⤵PID:5264
-
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe95⤵PID:5308
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe96⤵PID:5352
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe97⤵PID:5400
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe98⤵PID:5444
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe99⤵PID:5488
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe100⤵PID:5524
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe101⤵PID:5572
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe102⤵PID:5616
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe103⤵PID:5664
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe104⤵PID:5704
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe105⤵PID:5748
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe106⤵PID:5792
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe107⤵PID:5832
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe108⤵PID:5876
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe109⤵PID:5924
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe110⤵PID:5968
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe111⤵PID:6020
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe112⤵PID:6060
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe113⤵PID:6104
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe114⤵PID:3720
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe116⤵PID:5256
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe117⤵PID:5316
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe118⤵PID:5396
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe119⤵PID:5456
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe120⤵PID:5532
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe121⤵PID:5600
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe122⤵PID:5656
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe123⤵PID:5740
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe124⤵PID:5820
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe125⤵PID:5916
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe126⤵PID:5984
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe127⤵PID:6048
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe128⤵PID:6116
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe129⤵PID:5156
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe130⤵PID:5296
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe131⤵PID:5392
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe132⤵PID:5508
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe133⤵PID:5608
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe134⤵PID:5732
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe135⤵PID:448
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe137⤵
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe138⤵PID:6100
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe139⤵
- Modifies registry class
PID:5212 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe140⤵PID:5388
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe141⤵PID:5580
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe142⤵PID:2536
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe143⤵PID:5892
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe144⤵PID:6088
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe145⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe146⤵PID:5692
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe147⤵PID:5912
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe148⤵PID:5232
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe149⤵PID:2540
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe150⤵PID:6008
-
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe151⤵PID:6028
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe152⤵PID:5944
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe153⤵PID:6152
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe154⤵PID:6196
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe155⤵PID:6240
-
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe156⤵PID:6284
-
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe157⤵PID:6324
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe158⤵PID:6368
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe159⤵PID:6408
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe160⤵PID:6444
-
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe161⤵PID:6496
-
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe162⤵PID:6536
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe163⤵PID:6568
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe164⤵
- Modifies registry class
PID:6616 -
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe165⤵PID:6660
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe166⤵PID:6704
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe167⤵PID:6748
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe168⤵PID:6792
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe169⤵PID:6836
-
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe170⤵PID:6884
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe171⤵PID:6924
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe172⤵PID:6964
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe173⤵PID:7012
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe174⤵PID:7056
-
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe175⤵PID:7100
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe176⤵PID:7144
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe177⤵PID:5816
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6212 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe179⤵PID:6304
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe180⤵
- Modifies registry class
PID:6360 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe181⤵PID:6440
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe182⤵PID:6480
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe183⤵
- Drops file in System32 directory
PID:6564 -
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe184⤵PID:6644
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe185⤵
- Modifies registry class
PID:6696 -
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe186⤵PID:6784
-
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe187⤵PID:6872
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe188⤵PID:6916
-
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe189⤵PID:7000
-
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe190⤵PID:7064
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe191⤵
- Drops file in System32 directory
PID:7136 -
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe192⤵
- Modifies registry class
PID:7160 -
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe193⤵
- Drops file in System32 directory
PID:6292 -
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe194⤵PID:6396
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe195⤵PID:6524
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe196⤵PID:6600
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe197⤵PID:6776
-
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6820 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe199⤵PID:6952
-
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe200⤵PID:7076
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe201⤵PID:6204
-
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe202⤵PID:6260
-
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe203⤵PID:6476
-
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe204⤵
- Drops file in System32 directory
PID:6584 -
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe205⤵PID:6816
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe206⤵PID:7052
-
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe207⤵PID:7096
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe208⤵PID:6376
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe209⤵PID:6680
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe210⤵PID:6960
-
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe211⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe212⤵PID:6484
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe213⤵PID:7124
-
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe214⤵PID:6432
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe215⤵PID:6280
-
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe216⤵PID:6352
-
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe217⤵PID:7208
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe218⤵PID:7252
-
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe219⤵PID:7296
-
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe220⤵PID:7360
-
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe221⤵
- Drops file in System32 directory
PID:7428 -
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe222⤵PID:7492
-
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe223⤵
- Drops file in System32 directory
PID:7532 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe224⤵PID:7616
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe225⤵PID:7668
-
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe226⤵PID:7724
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe227⤵
- Drops file in System32 directory
PID:7760 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7800 -
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe229⤵PID:7836
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe230⤵PID:7900
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe231⤵PID:7952
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe232⤵
- Drops file in System32 directory
PID:8000 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe233⤵PID:8040
-
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe234⤵PID:8080
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe235⤵PID:8120
-
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe236⤵PID:8164
-
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe237⤵PID:6556
-
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe238⤵PID:7244
-
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe239⤵PID:7332
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe240⤵PID:7420
-
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe241⤵
- Modifies registry class
PID:7488 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7604