Analysis
-
max time kernel
92s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 02:23
Behavioral task
behavioral1
Sample
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe
-
Size
366KB
-
MD5
24f36923dcdd837116fbf08bb19e1120
-
SHA1
f5e681c2ad3d47cf52b9c9765c5a281595b21927
-
SHA256
2d33591059e4cb871e035650ca4aa333d5a61051fceb3b1e4bc5aff26ca218d4
-
SHA512
85740eb71df9589fa590960f2e4f586eb0c11e3c192081d694c450b45912968f0ca61637ff2369d0394aa46d7edc988ad12f8829a05786934c67593b32b02987
-
SSDEEP
6144:foJlSosLnLcdpui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGckvN4Ni:wEPcdpV6yYPMLnfBJKFbhDwBpV6yYPyd
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Bnnjen32.exePfhfan32.exeCikglnkj.exeLmccchkn.exeIbojncfj.exeKkfcndce.exePclgkb32.exeCamphf32.exePflplnlg.exeHdbfodfa.exePgmcqggf.exeBeglgani.exeJbaojpgb.exeAjiknpjj.exeHpdfnolo.exeJaimbj32.exeLihpif32.exeNcldnkae.exePjkombfj.exeGkaejf32.exeMmbfpp32.exeHbanme32.exeMjhqjg32.exeLijdhiaa.exeOnklabip.exeDedkdcie.exeFokbim32.exeFkffog32.exeDkkcge32.exeHmmhjm32.exeFljcmlfd.exeKckbqpnj.exeFfpicn32.exeHgelek32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmccchkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibojncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkfcndce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pflplnlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdbfodfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgmcqggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Beglgani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajiknpjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdfnolo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjkombfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbanme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhqjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdhiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dedkdcie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fokbim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkffog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmhjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljcmlfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckbqpnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpicn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgelek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule behavioral2/memory/3036-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/4324-8-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fqhbmqqg.exe family_berbew C:\Windows\SysWOW64\Fhajlc32.exe family_berbew behavioral2/memory/4700-28-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fcgoilpj.exe family_berbew behavioral2/memory/3532-32-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fokbim32.exe family_berbew behavioral2/memory/3348-20-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fjcclf32.exe family_berbew C:\Windows\SysWOW64\Fmapha32.exe family_berbew C:\Windows\SysWOW64\Fqmlhpla.exe family_berbew behavioral2/memory/892-52-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/3844-56-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fckhdk32.exe family_berbew behavioral2/memory/2568-64-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/3156-40-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fqohnp32.exe family_berbew behavioral2/memory/4856-72-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fbqefhpm.exe family_berbew behavioral2/memory/3372-80-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fijmbb32.exe family_berbew behavioral2/memory/3884-88-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Fqaeco32.exe family_berbew behavioral2/memory/1244-96-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gimjhafg.exe family_berbew behavioral2/memory/1312-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gqdbiofi.exe family_berbew behavioral2/memory/2292-112-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gbenqg32.exe family_berbew C:\Windows\SysWOW64\Gbenqg32.exe family_berbew behavioral2/memory/4944-119-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Goiojk32.exe family_berbew behavioral2/memory/3304-128-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Giacca32.exe family_berbew C:\Windows\SysWOW64\Giacca32.exe family_berbew behavioral2/memory/4168-135-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gpklpkio.exe family_berbew behavioral2/memory/640-143-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gjapmdid.exe family_berbew behavioral2/memory/2384-152-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gqkhjn32.exe family_berbew behavioral2/memory/4492-160-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gbldaffp.exe family_berbew behavioral2/memory/2152-168-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gjclbc32.exe family_berbew behavioral2/memory/3512-176-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gppekj32.exe family_berbew behavioral2/memory/4572-184-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hboagf32.exe family_berbew behavioral2/memory/2224-192-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hapaemll.exe family_berbew behavioral2/memory/3876-200-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hbanme32.exe family_berbew behavioral2/memory/1256-208-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Habnjm32.exe family_berbew behavioral2/memory/3612-216-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hikfip32.exe family_berbew behavioral2/memory/3500-224-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/2064-232-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hjjbcbqj.exe family_berbew C:\Windows\SysWOW64\Hmioonpn.exe family_berbew C:\Windows\SysWOW64\Hccglh32.exe family_berbew behavioral2/memory/3940-248-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Fhajlc32.exeFqhbmqqg.exeFokbim32.exeFcgoilpj.exeFjcclf32.exeFmapha32.exeFqmlhpla.exeFckhdk32.exeFqohnp32.exeFbqefhpm.exeFijmbb32.exeFqaeco32.exeGimjhafg.exeGqdbiofi.exeGbenqg32.exeGoiojk32.exeGiacca32.exeGpklpkio.exeGjapmdid.exeGqkhjn32.exeGbldaffp.exeGjclbc32.exeGppekj32.exeHboagf32.exeHapaemll.exeHbanme32.exeHikfip32.exeHabnjm32.exeHjjbcbqj.exeHmioonpn.exeHccglh32.exeHippdo32.exeHaggelfd.exeHcedaheh.exeHjolnb32.exeHmmhjm32.exeHaidklda.exeIcgqggce.exeIidipnal.exeImpepm32.exeIpnalhii.exeIcjmmg32.exeIfhiib32.exeIjdeiaio.exeImbaemhc.exeIannfk32.exeIbojncfj.exeIjfboafl.exeIiibkn32.exeImdnklfp.exeIfmcdblq.exeIjhodq32.exeImgkql32.exeIabgaklg.exeIdacmfkj.exeIfopiajn.exeJpgdbg32.exeJbfpobpb.exeJjmhppqd.exeJmkdlkph.exeJagqlj32.exeJdemhe32.exeJbhmdbnp.exeJjpeepnb.exepid process 4324 Fhajlc32.exe 3348 Fqhbmqqg.exe 4700 Fokbim32.exe 3532 Fcgoilpj.exe 3156 Fjcclf32.exe 892 Fmapha32.exe 3844 Fqmlhpla.exe 2568 Fckhdk32.exe 4856 Fqohnp32.exe 3372 Fbqefhpm.exe 3884 Fijmbb32.exe 1244 Fqaeco32.exe 1312 Gimjhafg.exe 2292 Gqdbiofi.exe 4944 Gbenqg32.exe 3304 Goiojk32.exe 4168 Giacca32.exe 640 Gpklpkio.exe 2384 Gjapmdid.exe 4492 Gqkhjn32.exe 2152 Gbldaffp.exe 3512 Gjclbc32.exe 4572 Gppekj32.exe 2224 Hboagf32.exe 3876 Hapaemll.exe 1256 Hbanme32.exe 3612 Hikfip32.exe 3500 Habnjm32.exe 2064 Hjjbcbqj.exe 1472 Hmioonpn.exe 3940 Hccglh32.exe 2044 Hippdo32.exe 696 Haggelfd.exe 2500 Hcedaheh.exe 3588 Hjolnb32.exe 3132 Hmmhjm32.exe 1072 Haidklda.exe 4624 Icgqggce.exe 1664 Iidipnal.exe 3704 Impepm32.exe 4664 Ipnalhii.exe 5064 Icjmmg32.exe 1648 Ifhiib32.exe 2772 Ijdeiaio.exe 3336 Imbaemhc.exe 4396 Iannfk32.exe 2376 Ibojncfj.exe 4452 Ijfboafl.exe 4180 Iiibkn32.exe 1360 Imdnklfp.exe 3740 Ifmcdblq.exe 1404 Ijhodq32.exe 4564 Imgkql32.exe 4912 Iabgaklg.exe 3716 Idacmfkj.exe 1828 Ifopiajn.exe 4956 Jpgdbg32.exe 4148 Jbfpobpb.exe 4372 Jjmhppqd.exe 4364 Jmkdlkph.exe 1568 Jagqlj32.exe 232 Jdemhe32.exe 2620 Jbhmdbnp.exe 4292 Jjpeepnb.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nqmhbpba.exeNggqoj32.exeOdbgim32.exeEemnjbaj.exeFefjfked.exeGhniielm.exeFmapha32.exeIabgaklg.exeMbbagk32.exeGiacca32.exeOeaoab32.exeBhkhibmc.exeAobilkcl.exeDfmcfp32.exeJagqlj32.exeMjqjih32.exeIeliebnf.exeNbgcih32.exeAfgacokc.exeHmhhehlb.exeGkgeoklj.exeFcgoilpj.exeGcagkdba.exeJnpfop32.exePhedhmhi.exedescription ioc process File created C:\Windows\SysWOW64\Dlddhggk.dll Nqmhbpba.exe File created C:\Windows\SysWOW64\Njfmke32.exe Nggqoj32.exe File opened for modification C:\Windows\SysWOW64\Ogaceh32.exe Odbgim32.exe File created C:\Windows\SysWOW64\Ehljfnpn.exe Eemnjbaj.exe File created C:\Windows\SysWOW64\Bpapcb32.dll Fefjfked.exe File created C:\Windows\SysWOW64\Ialqkblh.dll Ghniielm.exe File created C:\Windows\SysWOW64\Jfhlfk32.dll Fmapha32.exe File created C:\Windows\SysWOW64\Idacmfkj.exe Iabgaklg.exe File created C:\Windows\SysWOW64\Bfkegm32.dll File created C:\Windows\SysWOW64\Cajdjn32.dll File created C:\Windows\SysWOW64\Mhbacd32.dll File created C:\Windows\SysWOW64\Jiooia32.dll Mbbagk32.exe File opened for modification C:\Windows\SysWOW64\Kmfhkf32.exe File opened for modification C:\Windows\SysWOW64\Kcejco32.exe File created C:\Windows\SysWOW64\Bhkfkmmg.exe File opened for modification C:\Windows\SysWOW64\Ddifgk32.exe File created C:\Windows\SysWOW64\Mjaonjaj.dll File created C:\Windows\SysWOW64\Olekop32.dll File opened for modification C:\Windows\SysWOW64\Fonnop32.exe Fefjfked.exe File opened for modification C:\Windows\SysWOW64\Ckkiccep.exe File created C:\Windows\SysWOW64\Cboeai32.dll File created C:\Windows\SysWOW64\Gpklpkio.exe Giacca32.exe File created C:\Windows\SysWOW64\Pllgnl32.exe Oeaoab32.exe File created C:\Windows\SysWOW64\Jfcibe32.dll Bhkhibmc.exe File created C:\Windows\SysWOW64\Ploija32.dll Aobilkcl.exe File opened for modification C:\Windows\SysWOW64\Dikpbl32.exe Dfmcfp32.exe File created C:\Windows\SysWOW64\Hmhkgijk.dll File created C:\Windows\SysWOW64\Fgijpe32.dll File opened for modification C:\Windows\SysWOW64\Cnaaib32.exe File created C:\Windows\SysWOW64\Jdemhe32.exe Jagqlj32.exe File created C:\Windows\SysWOW64\Mnlfigcc.exe Mjqjih32.exe File created C:\Windows\SysWOW64\Fkhpfbce.exe File created C:\Windows\SysWOW64\Emlmcm32.dll File opened for modification C:\Windows\SysWOW64\Bheplb32.exe File created C:\Windows\SysWOW64\Ilibdmgp.exe File created C:\Windows\SysWOW64\Piocecgj.exe File created C:\Windows\SysWOW64\Ifleoe32.exe Ieliebnf.exe File opened for modification C:\Windows\SysWOW64\Pehngkcg.exe File created C:\Windows\SysWOW64\Ncabfkqo.exe File created C:\Windows\SysWOW64\Jeciaina.dll File opened for modification C:\Windows\SysWOW64\Mqfpckhm.exe File created C:\Windows\SysWOW64\Klbjgbff.dll File created C:\Windows\SysWOW64\Ceknlgnl.dll File opened for modification C:\Windows\SysWOW64\Binhnomg.exe File opened for modification C:\Windows\SysWOW64\Nefped32.exe Nbgcih32.exe File opened for modification C:\Windows\SysWOW64\Ahenokjf.exe Afgacokc.exe File created C:\Windows\SysWOW64\Ghfqhkbn.dll File created C:\Windows\SysWOW64\Hofdacke.exe Hmhhehlb.exe File created C:\Windows\SysWOW64\Gijekg32.exe Gkgeoklj.exe File created C:\Windows\SysWOW64\Cbpajgmf.exe File opened for modification C:\Windows\SysWOW64\Agdcpkll.exe File opened for modification C:\Windows\SysWOW64\Lllagh32.exe File created C:\Windows\SysWOW64\Oipgkfab.dll File created C:\Windows\SysWOW64\Qfiapa32.dll Fcgoilpj.exe File opened for modification C:\Windows\SysWOW64\Gdcdbl32.exe Gcagkdba.exe File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe File created C:\Windows\SysWOW64\Cicdai32.dll Jnpfop32.exe File opened for modification C:\Windows\SysWOW64\Akepfpcl.exe File created C:\Windows\SysWOW64\Fomnhddq.dll File created C:\Windows\SysWOW64\Inclga32.dll File created C:\Windows\SysWOW64\Plpqil32.exe Phedhmhi.exe File opened for modification C:\Windows\SysWOW64\Fibhpbea.exe File created C:\Windows\SysWOW64\Lhffmd32.dll File opened for modification C:\Windows\SysWOW64\Imnocf32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 5732 5600 -
Modifies registry class 64 IoCs
Processes:
Alkdnboj.exeFdialn32.exeMlmbfqoj.exeEhedfo32.exeEhnglm32.exeCnnlaehj.exeIkqqlgem.exeQalnjkgo.exeGochjpho.exeJghabl32.exeFqhbmqqg.exeNcldnkae.exeJianff32.exeChdkoa32.exeBfabnjjp.exeLflgmqhd.exeClpgpp32.exeDpqodfij.exeKinmcg32.exeMjbogmdb.exeAbbkcpma.exeAanjpk32.exeHimldi32.exeBfgjjm32.exeCojjqlpk.exeQebhhp32.exeHhfedm32.exeElgfgl32.exeAjkaii32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alkdnboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdialn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppajlp32.dll" Mlmbfqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgmdnki.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehedfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaqkn32.dll" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamojc32.dll" Ikqqlgem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gochjpho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jghabl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fqhbmqqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Habmmpbg.dll" Alkdnboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll" Jianff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgdgamg.dll" Chdkoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbponhh.dll" Lflgmqhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picpfp32.dll" Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmcjnkq.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blickdlj.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabcflhd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpqodfij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kinmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjqjajoe.dll" Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemilf32.dll" Abbkcpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Himldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgpbnj32.dll" Bfgjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdmkp32.dll" Cojjqlpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaqdae32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhfedm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajkaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exeFhajlc32.exeFqhbmqqg.exeFokbim32.exeFcgoilpj.exeFjcclf32.exeFmapha32.exeFqmlhpla.exeFckhdk32.exeFqohnp32.exeFbqefhpm.exeFijmbb32.exeFqaeco32.exeGimjhafg.exeGqdbiofi.exeGbenqg32.exeGoiojk32.exeGiacca32.exeGpklpkio.exeGjapmdid.exeGqkhjn32.exeGbldaffp.exedescription pid process target process PID 3036 wrote to memory of 4324 3036 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe Fhajlc32.exe PID 3036 wrote to memory of 4324 3036 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe Fhajlc32.exe PID 3036 wrote to memory of 4324 3036 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe Fhajlc32.exe PID 4324 wrote to memory of 3348 4324 Fhajlc32.exe Fqhbmqqg.exe PID 4324 wrote to memory of 3348 4324 Fhajlc32.exe Fqhbmqqg.exe PID 4324 wrote to memory of 3348 4324 Fhajlc32.exe Fqhbmqqg.exe PID 3348 wrote to memory of 4700 3348 Fqhbmqqg.exe Fokbim32.exe PID 3348 wrote to memory of 4700 3348 Fqhbmqqg.exe Fokbim32.exe PID 3348 wrote to memory of 4700 3348 Fqhbmqqg.exe Fokbim32.exe PID 4700 wrote to memory of 3532 4700 Fokbim32.exe Fcgoilpj.exe PID 4700 wrote to memory of 3532 4700 Fokbim32.exe Fcgoilpj.exe PID 4700 wrote to memory of 3532 4700 Fokbim32.exe Fcgoilpj.exe PID 3532 wrote to memory of 3156 3532 Fcgoilpj.exe Fjcclf32.exe PID 3532 wrote to memory of 3156 3532 Fcgoilpj.exe Fjcclf32.exe PID 3532 wrote to memory of 3156 3532 Fcgoilpj.exe Fjcclf32.exe PID 3156 wrote to memory of 892 3156 Fjcclf32.exe Fmapha32.exe PID 3156 wrote to memory of 892 3156 Fjcclf32.exe Fmapha32.exe PID 3156 wrote to memory of 892 3156 Fjcclf32.exe Fmapha32.exe PID 892 wrote to memory of 3844 892 Fmapha32.exe Fqmlhpla.exe PID 892 wrote to memory of 3844 892 Fmapha32.exe Fqmlhpla.exe PID 892 wrote to memory of 3844 892 Fmapha32.exe Fqmlhpla.exe PID 3844 wrote to memory of 2568 3844 Fqmlhpla.exe Fckhdk32.exe PID 3844 wrote to memory of 2568 3844 Fqmlhpla.exe Fckhdk32.exe PID 3844 wrote to memory of 2568 3844 Fqmlhpla.exe Fckhdk32.exe PID 2568 wrote to memory of 4856 2568 Fckhdk32.exe Fqohnp32.exe PID 2568 wrote to memory of 4856 2568 Fckhdk32.exe Fqohnp32.exe PID 2568 wrote to memory of 4856 2568 Fckhdk32.exe Fqohnp32.exe PID 4856 wrote to memory of 3372 4856 Fqohnp32.exe Fbqefhpm.exe PID 4856 wrote to memory of 3372 4856 Fqohnp32.exe Fbqefhpm.exe PID 4856 wrote to memory of 3372 4856 Fqohnp32.exe Fbqefhpm.exe PID 3372 wrote to memory of 3884 3372 Fbqefhpm.exe Fijmbb32.exe PID 3372 wrote to memory of 3884 3372 Fbqefhpm.exe Fijmbb32.exe PID 3372 wrote to memory of 3884 3372 Fbqefhpm.exe Fijmbb32.exe PID 3884 wrote to memory of 1244 3884 Fijmbb32.exe Fqaeco32.exe PID 3884 wrote to memory of 1244 3884 Fijmbb32.exe Fqaeco32.exe PID 3884 wrote to memory of 1244 3884 Fijmbb32.exe Fqaeco32.exe PID 1244 wrote to memory of 1312 1244 Fqaeco32.exe Gimjhafg.exe PID 1244 wrote to memory of 1312 1244 Fqaeco32.exe Gimjhafg.exe PID 1244 wrote to memory of 1312 1244 Fqaeco32.exe Gimjhafg.exe PID 1312 wrote to memory of 2292 1312 Gimjhafg.exe Gqdbiofi.exe PID 1312 wrote to memory of 2292 1312 Gimjhafg.exe Gqdbiofi.exe PID 1312 wrote to memory of 2292 1312 Gimjhafg.exe Gqdbiofi.exe PID 2292 wrote to memory of 4944 2292 Gqdbiofi.exe Gbenqg32.exe PID 2292 wrote to memory of 4944 2292 Gqdbiofi.exe Gbenqg32.exe PID 2292 wrote to memory of 4944 2292 Gqdbiofi.exe Gbenqg32.exe PID 4944 wrote to memory of 3304 4944 Gbenqg32.exe Goiojk32.exe PID 4944 wrote to memory of 3304 4944 Gbenqg32.exe Goiojk32.exe PID 4944 wrote to memory of 3304 4944 Gbenqg32.exe Goiojk32.exe PID 3304 wrote to memory of 4168 3304 Goiojk32.exe Giacca32.exe PID 3304 wrote to memory of 4168 3304 Goiojk32.exe Giacca32.exe PID 3304 wrote to memory of 4168 3304 Goiojk32.exe Giacca32.exe PID 4168 wrote to memory of 640 4168 Giacca32.exe Gpklpkio.exe PID 4168 wrote to memory of 640 4168 Giacca32.exe Gpklpkio.exe PID 4168 wrote to memory of 640 4168 Giacca32.exe Gpklpkio.exe PID 640 wrote to memory of 2384 640 Gpklpkio.exe Gjapmdid.exe PID 640 wrote to memory of 2384 640 Gpklpkio.exe Gjapmdid.exe PID 640 wrote to memory of 2384 640 Gpklpkio.exe Gjapmdid.exe PID 2384 wrote to memory of 4492 2384 Gjapmdid.exe Gqkhjn32.exe PID 2384 wrote to memory of 4492 2384 Gjapmdid.exe Gqkhjn32.exe PID 2384 wrote to memory of 4492 2384 Gjapmdid.exe Gqkhjn32.exe PID 4492 wrote to memory of 2152 4492 Gqkhjn32.exe Gbldaffp.exe PID 4492 wrote to memory of 2152 4492 Gqkhjn32.exe Gbldaffp.exe PID 4492 wrote to memory of 2152 4492 Gqkhjn32.exe Gbldaffp.exe PID 2152 wrote to memory of 3512 2152 Gbldaffp.exe Gjclbc32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe23⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe24⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe25⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe26⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe28⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe29⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe30⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe31⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe32⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe33⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe34⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe35⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe36⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe38⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe39⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe40⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe41⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe42⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe43⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe44⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe45⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe46⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe47⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe49⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe50⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe51⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe52⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe53⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe54⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe56⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe57⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe58⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe59⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe60⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe61⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe63⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe64⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe65⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe66⤵PID:3760
-
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3988 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe68⤵PID:2164
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe69⤵PID:1148
-
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe70⤵PID:1592
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe71⤵PID:384
-
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe72⤵PID:5092
-
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe73⤵PID:1776
-
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe74⤵PID:4632
-
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe75⤵PID:4024
-
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe76⤵PID:796
-
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe77⤵PID:4208
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe78⤵PID:4852
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe79⤵PID:4152
-
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe80⤵PID:792
-
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe81⤵PID:4348
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe82⤵PID:3664
-
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe83⤵PID:764
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe84⤵PID:4288
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe85⤵PID:2380
-
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe86⤵PID:4876
-
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe87⤵PID:2200
-
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe88⤵PID:3140
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe89⤵PID:3068
-
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe90⤵PID:3776
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe91⤵PID:2672
-
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe92⤵PID:988
-
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe93⤵PID:336
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe94⤵PID:4532
-
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe95⤵PID:2136
-
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe96⤵PID:1964
-
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe97⤵PID:4060
-
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe98⤵PID:4612
-
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe99⤵PID:3772
-
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe101⤵PID:5136
-
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe102⤵PID:5188
-
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe103⤵PID:5232
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe104⤵PID:5272
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe105⤵PID:5312
-
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe106⤵PID:5364
-
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe108⤵PID:5448
-
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe109⤵PID:5496
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe110⤵PID:5540
-
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe111⤵PID:5580
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5628 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe113⤵PID:5664
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe114⤵PID:5716
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe115⤵PID:5756
-
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe116⤵PID:5808
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe117⤵PID:5848
-
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe118⤵PID:5888
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe119⤵PID:5924
-
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe120⤵PID:5968
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe121⤵PID:6016
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe122⤵PID:6052
-
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe123⤵PID:6100
-
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe124⤵PID:6136
-
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe125⤵PID:5164
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe126⤵PID:5204
-
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe127⤵PID:5268
-
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe128⤵
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe129⤵PID:5388
-
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe130⤵PID:5444
-
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe131⤵PID:5524
-
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe132⤵PID:5592
-
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe133⤵PID:5620
-
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe134⤵PID:5712
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe135⤵PID:5800
-
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe136⤵PID:5864
-
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe137⤵PID:5980
-
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe138⤵PID:6048
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe139⤵PID:6124
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe140⤵PID:5428
-
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe141⤵PID:5260
-
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe142⤵PID:5356
-
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe143⤵PID:3108
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe144⤵PID:5560
-
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5636 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe146⤵PID:5764
-
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe147⤵PID:5896
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe148⤵PID:6040
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe149⤵PID:6128
-
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe150⤵PID:3248
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe151⤵PID:5436
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe152⤵PID:2736
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe153⤵PID:5772
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe154⤵PID:6024
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe155⤵PID:5148
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe156⤵PID:5432
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe157⤵PID:972
-
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe158⤵PID:4928
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe159⤵PID:5964
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe160⤵PID:5648
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe161⤵PID:5612
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe162⤵PID:5868
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe163⤵PID:5416
-
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe164⤵PID:3088
-
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe165⤵PID:5532
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe166⤵PID:4904
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe167⤵PID:5676
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe168⤵PID:6168
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe169⤵PID:6216
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe170⤵PID:6252
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe171⤵PID:6296
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe172⤵PID:6348
-
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe173⤵PID:6384
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe174⤵
- Drops file in System32 directory
PID:6428 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6468 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe176⤵
- Drops file in System32 directory
PID:6504 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe177⤵PID:6552
-
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe178⤵PID:6588
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe179⤵PID:6640
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe180⤵PID:6692
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe181⤵PID:6760
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe182⤵PID:6816
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe183⤵PID:6872
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe184⤵PID:6920
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe185⤵PID:6960
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe186⤵PID:7008
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe187⤵PID:7076
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe188⤵PID:7132
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe189⤵PID:6188
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe190⤵PID:6248
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe191⤵PID:6320
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe192⤵PID:6412
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe193⤵PID:6496
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe194⤵
- Drops file in System32 directory
PID:6560 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe195⤵PID:6628
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe196⤵PID:6740
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6852 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe198⤵PID:6948
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe199⤵PID:6992
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe200⤵PID:7116
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe201⤵PID:6200
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe202⤵PID:6332
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe203⤵PID:6476
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe204⤵PID:6532
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe205⤵PID:6672
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe206⤵PID:6884
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe207⤵PID:6972
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe208⤵PID:7124
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe209⤵PID:6328
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe210⤵PID:6536
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe211⤵PID:6844
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe212⤵PID:6728
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe213⤵PID:6304
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe214⤵PID:6600
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe215⤵PID:7036
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe216⤵PID:6164
-
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe217⤵PID:7072
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe218⤵PID:6952
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe219⤵PID:6544
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe220⤵PID:7192
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe221⤵PID:7240
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe222⤵PID:7280
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe223⤵PID:7328
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe224⤵PID:7364
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7408 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7448 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe227⤵PID:7496
-
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe228⤵PID:7532
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe229⤵PID:7580
-
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe230⤵PID:7620
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe231⤵PID:7656
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe232⤵PID:7704
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe233⤵PID:7740
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe234⤵PID:7792
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe235⤵PID:7832
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe236⤵PID:7876
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe237⤵PID:7916
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe238⤵PID:7960
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe239⤵PID:8000
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe240⤵PID:8036
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe241⤵PID:8076
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe242⤵PID:8116