Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 21:54
Static task
static1
Behavioral task
behavioral1
Sample
08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe
-
Size
163KB
-
MD5
08411dc581db97808136e5ca7690cfd0
-
SHA1
6ecb0a1a1cf59fd00a7a6373784d183281ff50a0
-
SHA256
86f9bebcff206f4ec578e5884151bc028a79cc1f8d0505ffd8d52c1766d63e66
-
SHA512
a56854aff2c47ced4833156f97ce5127499126b8a8617835d2b699d002ba2fb4cf75a52d52816cc90977e34f550b4617ee47faeb5ce11b821ff92ac763c2d80b
-
SSDEEP
1536:PJni4IiJuvSLRtQ+Y91LMlvwwwwwwwQ2G8TlProNVU4qNVUrk/9QbfBr+7GwKrPb:84IiLhwwwwwwwQLultOrWKDBr+yJb
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ehedfo32.exeKmdqgd32.exeLlcpoo32.exeIifokh32.exeIeolehop.exePfjcgn32.exeAcnlgp32.exeDoilmc32.exePagdol32.exeKfoafi32.exeKedoge32.exeJioaqfcc.exeJmknaell.exeKdcbom32.exeNpfkgjdn.exeNcdgcf32.exeCehkhecb.exeDhfajjoj.exeJblpek32.exeKbhoqj32.exeOjjolnaq.exeHioiji32.exeLljfpnjg.exeDeagdn32.exeAhhblemi.exeLfkaag32.exeBaicac32.exeMmbfpp32.exeBaaplhef.exeLdanqkki.exePcppfaka.exeAmbgef32.exeCajcbgml.exeIblfnn32.exeOpakbi32.exeEkcpbj32.exeHihbijhn.exeKdeoemeg.exeMdhdajea.exeNdcdmikd.exeBelebq32.exeGdqgmmjb.exeJfeopj32.exeDobfld32.exeDhocqigp.exeEefhjc32.exeImdgqfbd.exeChpada32.exeChghdqbf.exeGmjlcj32.exeMegdccmb.exePfaigm32.exeCecbmf32.exeNfjjppmm.exeJcllonma.exePdmpje32.exePqdqof32.exeEdkdkplj.exeBehbag32.exePjeoglgc.exePnfdcjkg.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehedfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdqgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iifokh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieolehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnlgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doilmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagdol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfoafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jioaqfcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmknaell.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfkgjdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncdgcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehkhecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jblpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhoqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjolnaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hioiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdcbom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljfpnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deagdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhblemi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baicac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbfpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldanqkki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambgef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajcbgml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iblfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihbijhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeoemeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdhdajea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcdmikd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belebq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdqgmmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfeopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhocqigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefhjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdgqfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpada32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chghdqbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjlcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megdccmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbfpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfaigm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cecbmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkdkplj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjeoglgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfdcjkg.exe -
Executes dropped EXE 64 IoCs
Processes:
Pbmncp32.exePcojkhap.exePbpjhp32.exePcagphom.exePjkombfj.exePaegjl32.exePjmlbbdg.exePagdol32.exeQecppkdm.exeQcepkg32.exeQnnanphk.exeAcjjfggb.exeAjdbcano.exeAanjpk32.exeAhhblemi.exeAelcfilb.exeAjiknpjj.exeAbpcon32.exeAhmlgd32.exeAngddopp.exeAhoimd32.exeAjneip32.exeBlmacb32.exeBnlnon32.exeBeeflhdh.exeBjbndobo.exeBehbag32.exeBlbknaib.exeBblckl32.exeBaocghgi.exeBaaplhef.exeBhkhibmc.exeChmeobkq.exeCliaoq32.exeCafigg32.exeChpada32.exeCknnpm32.exeCecbmf32.exeCdfbibnb.exeClnjjpod.exeColffknh.exeCajcbgml.exeCkcgkldl.exeCamphf32.exeCehkhecb.exeChghdqbf.exeCkedalaj.exeDekhneap.exeDhidjpqc.exeDocmgjhp.exeDemecd32.exeDhkapp32.exeDkjmlk32.exeDadeieea.exeDdbbeade.exeDlijfneg.exeDafbne32.exeDddojq32.exeDojcgi32.exeDdgkpp32.exeDhbgqohi.exeEkacmjgl.exeEefhjc32.exeEhedfo32.exepid process 4460 Pbmncp32.exe 452 Pcojkhap.exe 2200 Pbpjhp32.exe 1692 Pcagphom.exe 3680 Pjkombfj.exe 1520 Paegjl32.exe 2592 Pjmlbbdg.exe 1540 Pagdol32.exe 2000 Qecppkdm.exe 5044 Qcepkg32.exe 1596 Qnnanphk.exe 4620 Acjjfggb.exe 1924 Ajdbcano.exe 3188 Aanjpk32.exe 4664 Ahhblemi.exe 4776 Aelcfilb.exe 1340 Ajiknpjj.exe 1600 Abpcon32.exe 5024 Ahmlgd32.exe 3684 Angddopp.exe 4636 Ahoimd32.exe 4484 Ajneip32.exe 776 Blmacb32.exe 1076 Bnlnon32.exe 3960 Beeflhdh.exe 4952 Bjbndobo.exe 1464 Behbag32.exe 1996 Blbknaib.exe 4372 Bblckl32.exe 2600 Baocghgi.exe 1728 Baaplhef.exe 5016 Bhkhibmc.exe 1188 Chmeobkq.exe 4492 Cliaoq32.exe 3360 Cafigg32.exe 5028 Chpada32.exe 4316 Cknnpm32.exe 4896 Cecbmf32.exe 380 Cdfbibnb.exe 4304 Clnjjpod.exe 2080 Colffknh.exe 4088 Cajcbgml.exe 1952 Ckcgkldl.exe 4940 Camphf32.exe 4644 Cehkhecb.exe 3916 Chghdqbf.exe 4568 Ckedalaj.exe 4884 Dekhneap.exe 2568 Dhidjpqc.exe 2932 Docmgjhp.exe 3536 Demecd32.exe 4416 Dhkapp32.exe 2176 Dkjmlk32.exe 2012 Dadeieea.exe 1276 Ddbbeade.exe 1788 Dlijfneg.exe 5012 Dafbne32.exe 4060 Dddojq32.exe 5116 Dojcgi32.exe 3504 Ddgkpp32.exe 404 Dhbgqohi.exe 1972 Ekacmjgl.exe 4796 Eefhjc32.exe 3200 Ehedfo32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pjkombfj.exeChghdqbf.exeDojcgi32.exePfaigm32.exeAgoabn32.exeBclhhnca.exeEleiam32.exeOponmilc.exeOneklm32.exePgefeajb.exeOgbipa32.exeCehkhecb.exeBeeoaapl.exeBhhdil32.exeDhkjej32.exeEkjfcipa.exeHoiafcic.exeKlimip32.exeFhcpgmjf.exeImakkfdg.exePcppfaka.exeBelebq32.exeCnnlaehj.exeAelcfilb.exeAhoimd32.exeCliaoq32.exeChpada32.exeIpdqba32.exeHobkfd32.exePcncpbmd.exeCegdnopg.exeAjiknpjj.exeLenamdem.exeLebkhc32.exeLphoelqn.exeCmlcbbcj.exeHmhhehlb.exeJimekgff.exeNjefqo32.exePnlaml32.exeQmmnjfnl.exeAcnlgp32.exeEamhodmf.exeKfckahdj.exeOnhhamgg.exeCjkjpgfi.exeCmqmma32.exeDdmaok32.exePjjhbl32.exeAgeolo32.exeCafigg32.exeLdanqkki.exeNnjlpo32.exeGdeqhl32.exeKebbafoj.exeLlcpoo32.exeNnlhfn32.exeDelnin32.exeEhnglm32.exeHckjacjg.exedescription ioc process File created C:\Windows\SysWOW64\Paegjl32.exe Pjkombfj.exe File created C:\Windows\SysWOW64\Gidjfdep.dll Chghdqbf.exe File opened for modification C:\Windows\SysWOW64\Ddgkpp32.exe Dojcgi32.exe File created C:\Windows\SysWOW64\Hgaoidec.dll Pfaigm32.exe File opened for modification C:\Windows\SysWOW64\Bmkjkd32.exe Agoabn32.exe File created C:\Windows\SysWOW64\Bhhdil32.exe Bclhhnca.exe File created C:\Windows\SysWOW64\Ecoangbg.exe Eleiam32.exe File opened for modification C:\Windows\SysWOW64\Oflgep32.exe Oponmilc.exe File created C:\Windows\SysWOW64\Chmhoe32.dll Oneklm32.exe File created C:\Windows\SysWOW64\Pjcbbmif.exe Pgefeajb.exe File created C:\Windows\SysWOW64\Ojaelm32.exe Ogbipa32.exe File created C:\Windows\SysWOW64\Nnenbk32.dll Cehkhecb.exe File created C:\Windows\SysWOW64\Kbejge32.dll Beeoaapl.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Dfnjafap.exe Dhkjej32.exe File created C:\Windows\SysWOW64\Eadopc32.exe Ekjfcipa.exe File created C:\Windows\SysWOW64\Mpnaemnl.dll Hoiafcic.exe File created C:\Windows\SysWOW64\Kdqejn32.exe Klimip32.exe File created C:\Windows\SysWOW64\Bchomn32.exe Beeoaapl.exe File opened for modification C:\Windows\SysWOW64\Fkalchij.exe Fhcpgmjf.exe File created C:\Windows\SysWOW64\Ippggbck.exe Imakkfdg.exe File created C:\Windows\SysWOW64\Pfolbmje.exe Pcppfaka.exe File created C:\Windows\SysWOW64\Mmnbeadp.dll Belebq32.exe File created C:\Windows\SysWOW64\Cmqmma32.exe Cnnlaehj.exe File opened for modification C:\Windows\SysWOW64\Ajiknpjj.exe Aelcfilb.exe File opened for modification C:\Windows\SysWOW64\Ajneip32.exe Ahoimd32.exe File opened for modification C:\Windows\SysWOW64\Cafigg32.exe Cliaoq32.exe File created C:\Windows\SysWOW64\Keoakjca.dll Chpada32.exe File created C:\Windows\SysWOW64\Ibcmom32.exe Ipdqba32.exe File created C:\Windows\SysWOW64\Hflcbngh.exe Hobkfd32.exe File created C:\Windows\SysWOW64\Pgioqq32.exe Pcncpbmd.exe File created C:\Windows\SysWOW64\Dhfajjoj.exe Cegdnopg.exe File created C:\Windows\SysWOW64\Abpcon32.exe Ajiknpjj.exe File created C:\Windows\SysWOW64\Oolpjdob.dll Lenamdem.exe File created C:\Windows\SysWOW64\Pkfcej32.dll Lebkhc32.exe File opened for modification C:\Windows\SysWOW64\Mdckfk32.exe Lphoelqn.exe File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe Ogbipa32.exe File created C:\Windows\SysWOW64\Echdno32.dll Cmlcbbcj.exe File opened for modification C:\Windows\SysWOW64\Hofdacke.exe Hmhhehlb.exe File created C:\Windows\SysWOW64\Jmhale32.exe Jimekgff.exe File opened for modification C:\Windows\SysWOW64\Oponmilc.exe Njefqo32.exe File created C:\Windows\SysWOW64\Elocna32.dll Pnlaml32.exe File created C:\Windows\SysWOW64\Qgcbgo32.exe Qmmnjfnl.exe File opened for modification C:\Windows\SysWOW64\Andqdh32.exe Acnlgp32.exe File opened for modification C:\Windows\SysWOW64\Edkdkplj.exe Eamhodmf.exe File created C:\Windows\SysWOW64\Nhgaocmg.dll Kfckahdj.exe File created C:\Windows\SysWOW64\Hiclgb32.dll Onhhamgg.exe File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe Cjkjpgfi.exe File created C:\Windows\SysWOW64\Mgcail32.dll Cmqmma32.exe File created C:\Windows\SysWOW64\Nbgngp32.dll Ddmaok32.exe File opened for modification C:\Windows\SysWOW64\Ippggbck.exe Imakkfdg.exe File created C:\Windows\SysWOW64\Lnlden32.dll Pjjhbl32.exe File opened for modification C:\Windows\SysWOW64\Afhohlbj.exe Ageolo32.exe File created C:\Windows\SysWOW64\Nqbjqh32.dll Cafigg32.exe File opened for modification C:\Windows\SysWOW64\Lbdolh32.exe Ldanqkki.exe File created C:\Windows\SysWOW64\Jlingkpe.dll Nnjlpo32.exe File created C:\Windows\SysWOW64\Ldjicq32.dll Gdeqhl32.exe File opened for modification C:\Windows\SysWOW64\Kimnbd32.exe Kebbafoj.exe File opened for modification C:\Windows\SysWOW64\Lpnlpnih.exe Llcpoo32.exe File created C:\Windows\SysWOW64\Hddeok32.dll Nnlhfn32.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Delnin32.exe File opened for modification C:\Windows\SysWOW64\Cknnpm32.exe Chpada32.exe File created C:\Windows\SysWOW64\Fohoigfh.exe Ehnglm32.exe File created C:\Windows\SysWOW64\Hfifmnij.exe Hckjacjg.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 10892 10812 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Gbbkaako.exeMplhql32.exeMnebeogl.exeOlfobjbg.exeOgbipa32.exeBmkjkd32.exeBhkhibmc.exeGdeqhl32.exeJefbfgig.exeMlefklpj.exeNgbpidjh.exeQnjnnj32.exeGkkojgao.exeHbeqmoji.exeIcifbang.exeJfoiokfb.exeKmdqgd32.exeKpbmco32.exeOdapnf32.exeHijooifk.exeKebbafoj.exeAcnlgp32.exeKfoafi32.exeCdfbibnb.exeHcpclbfa.exe08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exeEadopc32.exeJcioiood.exeMcmabg32.exeMcpnhfhf.exeNnneknob.exeEkjfcipa.exeKlimip32.exeOneklm32.exePagdol32.exeDmcibama.exeFbnafb32.exeFfkjlp32.exeDodbbdbb.exeEamhodmf.exeFdgdgnbm.exeGdqgmmjb.exeIfefimom.exeEcoangbg.exeDdbbeade.exeIppggbck.exeJbjcolha.exeMmpijp32.exeCagobalc.exeAbpcon32.exeHckjacjg.exeKdqejn32.exeKmncnb32.exeOlkhmi32.exePnfdcjkg.exeDddojq32.exeJmhale32.exeKedoge32.exeIfllil32.exeAhhblemi.exeBblckl32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll" Mplhql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnebeogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olfobjbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogbipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" Bmkjkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkhibmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjicq32.dll" Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll" Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlefklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll" Qnjnnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbeqmoji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooajidfn.dll" Jfoiokfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmdqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll" Kebbafoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll" Kfoafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdfbibnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcpclbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlekh32.dll" Eadopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcioiood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kebbafoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll" Mcmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcpnhfhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnneknob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekjfcipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll" Klimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmlkkap.dll" Pagdol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipeomnnj.dll" Fbnafb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkjlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" Dodbbdbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eamhodmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikhen32.dll" Gdqgmmjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifefimom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipenkiei.dll" Ddbbeade.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbjcolha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll" Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklmno32.dll" Abpcon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hckjacjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll" Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll" Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dddojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abckpb32.dll" Jmhale32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kedoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" Ifllil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahhblemi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblckl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klimip32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exePbmncp32.exePcojkhap.exePbpjhp32.exePcagphom.exePjkombfj.exePaegjl32.exePjmlbbdg.exePagdol32.exeQecppkdm.exeQcepkg32.exeQnnanphk.exeAcjjfggb.exeAjdbcano.exeAanjpk32.exeAhhblemi.exeAelcfilb.exeAjiknpjj.exeAbpcon32.exeAhmlgd32.exeAngddopp.exeAhoimd32.exedescription pid process target process PID 4880 wrote to memory of 4460 4880 08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe Pbmncp32.exe PID 4880 wrote to memory of 4460 4880 08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe Pbmncp32.exe PID 4880 wrote to memory of 4460 4880 08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe Pbmncp32.exe PID 4460 wrote to memory of 452 4460 Pbmncp32.exe Pcojkhap.exe PID 4460 wrote to memory of 452 4460 Pbmncp32.exe Pcojkhap.exe PID 4460 wrote to memory of 452 4460 Pbmncp32.exe Pcojkhap.exe PID 452 wrote to memory of 2200 452 Pcojkhap.exe Pbpjhp32.exe PID 452 wrote to memory of 2200 452 Pcojkhap.exe Pbpjhp32.exe PID 452 wrote to memory of 2200 452 Pcojkhap.exe Pbpjhp32.exe PID 2200 wrote to memory of 1692 2200 Pbpjhp32.exe Pcagphom.exe PID 2200 wrote to memory of 1692 2200 Pbpjhp32.exe Pcagphom.exe PID 2200 wrote to memory of 1692 2200 Pbpjhp32.exe Pcagphom.exe PID 1692 wrote to memory of 3680 1692 Pcagphom.exe Pjkombfj.exe PID 1692 wrote to memory of 3680 1692 Pcagphom.exe Pjkombfj.exe PID 1692 wrote to memory of 3680 1692 Pcagphom.exe Pjkombfj.exe PID 3680 wrote to memory of 1520 3680 Pjkombfj.exe Paegjl32.exe PID 3680 wrote to memory of 1520 3680 Pjkombfj.exe Paegjl32.exe PID 3680 wrote to memory of 1520 3680 Pjkombfj.exe Paegjl32.exe PID 1520 wrote to memory of 2592 1520 Paegjl32.exe Pjmlbbdg.exe PID 1520 wrote to memory of 2592 1520 Paegjl32.exe Pjmlbbdg.exe PID 1520 wrote to memory of 2592 1520 Paegjl32.exe Pjmlbbdg.exe PID 2592 wrote to memory of 1540 2592 Pjmlbbdg.exe Pagdol32.exe PID 2592 wrote to memory of 1540 2592 Pjmlbbdg.exe Pagdol32.exe PID 2592 wrote to memory of 1540 2592 Pjmlbbdg.exe Pagdol32.exe PID 1540 wrote to memory of 2000 1540 Pagdol32.exe Qecppkdm.exe PID 1540 wrote to memory of 2000 1540 Pagdol32.exe Qecppkdm.exe PID 1540 wrote to memory of 2000 1540 Pagdol32.exe Qecppkdm.exe PID 2000 wrote to memory of 5044 2000 Qecppkdm.exe Qcepkg32.exe PID 2000 wrote to memory of 5044 2000 Qecppkdm.exe Qcepkg32.exe PID 2000 wrote to memory of 5044 2000 Qecppkdm.exe Qcepkg32.exe PID 5044 wrote to memory of 1596 5044 Qcepkg32.exe Qnnanphk.exe PID 5044 wrote to memory of 1596 5044 Qcepkg32.exe Qnnanphk.exe PID 5044 wrote to memory of 1596 5044 Qcepkg32.exe Qnnanphk.exe PID 1596 wrote to memory of 4620 1596 Qnnanphk.exe Acjjfggb.exe PID 1596 wrote to memory of 4620 1596 Qnnanphk.exe Acjjfggb.exe PID 1596 wrote to memory of 4620 1596 Qnnanphk.exe Acjjfggb.exe PID 4620 wrote to memory of 1924 4620 Acjjfggb.exe Ajdbcano.exe PID 4620 wrote to memory of 1924 4620 Acjjfggb.exe Ajdbcano.exe PID 4620 wrote to memory of 1924 4620 Acjjfggb.exe Ajdbcano.exe PID 1924 wrote to memory of 3188 1924 Ajdbcano.exe Aanjpk32.exe PID 1924 wrote to memory of 3188 1924 Ajdbcano.exe Aanjpk32.exe PID 1924 wrote to memory of 3188 1924 Ajdbcano.exe Aanjpk32.exe PID 3188 wrote to memory of 4664 3188 Aanjpk32.exe Ahhblemi.exe PID 3188 wrote to memory of 4664 3188 Aanjpk32.exe Ahhblemi.exe PID 3188 wrote to memory of 4664 3188 Aanjpk32.exe Ahhblemi.exe PID 4664 wrote to memory of 4776 4664 Ahhblemi.exe Aelcfilb.exe PID 4664 wrote to memory of 4776 4664 Ahhblemi.exe Aelcfilb.exe PID 4664 wrote to memory of 4776 4664 Ahhblemi.exe Aelcfilb.exe PID 4776 wrote to memory of 1340 4776 Aelcfilb.exe Ajiknpjj.exe PID 4776 wrote to memory of 1340 4776 Aelcfilb.exe Ajiknpjj.exe PID 4776 wrote to memory of 1340 4776 Aelcfilb.exe Ajiknpjj.exe PID 1340 wrote to memory of 1600 1340 Ajiknpjj.exe Abpcon32.exe PID 1340 wrote to memory of 1600 1340 Ajiknpjj.exe Abpcon32.exe PID 1340 wrote to memory of 1600 1340 Ajiknpjj.exe Abpcon32.exe PID 1600 wrote to memory of 5024 1600 Abpcon32.exe Ahmlgd32.exe PID 1600 wrote to memory of 5024 1600 Abpcon32.exe Ahmlgd32.exe PID 1600 wrote to memory of 5024 1600 Abpcon32.exe Ahmlgd32.exe PID 5024 wrote to memory of 3684 5024 Ahmlgd32.exe Angddopp.exe PID 5024 wrote to memory of 3684 5024 Ahmlgd32.exe Angddopp.exe PID 5024 wrote to memory of 3684 5024 Ahmlgd32.exe Angddopp.exe PID 3684 wrote to memory of 4636 3684 Angddopp.exe Ahoimd32.exe PID 3684 wrote to memory of 4636 3684 Angddopp.exe Ahoimd32.exe PID 3684 wrote to memory of 4636 3684 Angddopp.exe Ahoimd32.exe PID 4636 wrote to memory of 4484 4636 Ahoimd32.exe Ajneip32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\08411dc581db97808136e5ca7690cfd0_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe23⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe24⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe25⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe26⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe27⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe29⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe31⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:5016 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe34⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe38⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe41⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe42⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe44⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe45⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4644 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe48⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe49⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe50⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe51⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe52⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe53⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe54⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe55⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe57⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe58⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe61⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe62⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe63⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3192 -
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe69⤵PID:2356
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe70⤵PID:4688
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe71⤵PID:3596
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe72⤵
- Drops file in System32 directory
PID:4064 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe73⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe74⤵PID:808
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe76⤵
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe77⤵PID:3280
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe78⤵
- Drops file in System32 directory
PID:3656 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe79⤵PID:3528
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe80⤵PID:4912
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe81⤵PID:844
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe82⤵PID:1736
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe83⤵
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe84⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe85⤵PID:5180
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe86⤵PID:5224
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe87⤵PID:5268
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe88⤵
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe89⤵PID:5352
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe90⤵PID:5392
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe91⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe92⤵PID:5476
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe93⤵PID:5516
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe94⤵PID:5560
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe95⤵
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe97⤵
- Modifies registry class
PID:5704 -
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe98⤵PID:5772
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe99⤵PID:5824
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe101⤵PID:5928
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe102⤵PID:5976
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:6028 -
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe104⤵PID:6072
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe105⤵PID:6140
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe106⤵PID:5164
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe107⤵PID:5200
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe108⤵PID:5360
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe109⤵PID:5440
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe110⤵PID:5504
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe111⤵PID:5592
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe112⤵PID:5696
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5820 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe114⤵PID:5864
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe116⤵PID:6052
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe117⤵
- Drops file in System32 directory
PID:5124 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe118⤵PID:5140
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe119⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe120⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe121⤵PID:5672
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe122⤵
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe123⤵PID:5956
-
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe124⤵
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe126⤵
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe127⤵PID:5628
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe128⤵PID:6136
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe129⤵
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe130⤵PID:5428
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe131⤵
- Modifies registry class
PID:6068 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5468 -
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe133⤵PID:5416
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe135⤵
- Drops file in System32 directory
PID:6160 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe136⤵
- Modifies registry class
PID:6204 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe137⤵PID:6248
-
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe138⤵PID:6288
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6328 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe140⤵PID:6368
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe141⤵PID:6412
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe142⤵
- Modifies registry class
PID:6448 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6496 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe144⤵PID:6536
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe145⤵PID:6576
-
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe146⤵
- Drops file in System32 directory
PID:6616 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe147⤵PID:6656
-
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe148⤵
- Modifies registry class
PID:6700 -
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe149⤵
- Drops file in System32 directory
PID:6740 -
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe150⤵
- Modifies registry class
PID:6784 -
C:\Windows\SysWOW64\Jpgmha32.exeC:\Windows\system32\Jpgmha32.exe151⤵PID:6824
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe152⤵PID:6864
-
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe153⤵PID:6908
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6944 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6984 -
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe156⤵PID:7028
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe157⤵PID:7072
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe158⤵PID:7120
-
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe159⤵
- Modifies registry class
PID:7160 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe160⤵PID:5984
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe161⤵PID:6296
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe162⤵
- Modifies registry class
PID:6376 -
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6440 -
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe164⤵PID:6504
-
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe165⤵PID:6560
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe166⤵
- Modifies registry class
PID:6632 -
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6688 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe168⤵PID:6772
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe169⤵PID:6832
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe170⤵PID:6884
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6952 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe172⤵PID:7020
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe173⤵PID:7064
-
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7144 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe175⤵
- Modifies registry class
PID:6280 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe176⤵PID:6364
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe177⤵PID:6476
-
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe178⤵PID:6600
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe179⤵
- Drops file in System32 directory
- Modifies registry class
PID:6752 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe180⤵
- Modifies registry class
PID:6668 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6968 -
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe182⤵
- Drops file in System32 directory
- Modifies registry class
PID:7080 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe183⤵PID:6152
-
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe184⤵PID:6352
-
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6544 -
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe186⤵PID:6708
-
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6932 -
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe188⤵PID:7140
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe189⤵PID:6488
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe190⤵PID:6732
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6816 -
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6976 -
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe193⤵
- Drops file in System32 directory
PID:6456 -
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe194⤵PID:7172
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe195⤵
- Modifies registry class
PID:7212 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe196⤵PID:7248
-
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe197⤵PID:7292
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe198⤵PID:7332
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe199⤵PID:7372
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe200⤵PID:7412
-
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7452 -
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe202⤵PID:7492
-
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe203⤵PID:7528
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe204⤵PID:7584
-
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe205⤵PID:7644
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe206⤵PID:7684
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7720 -
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe208⤵
- Drops file in System32 directory
PID:7760 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe209⤵PID:7796
-
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe210⤵PID:7836
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe211⤵PID:7872
-
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe212⤵PID:7908
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe213⤵PID:7944
-
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe214⤵PID:7980
-
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe215⤵PID:8024
-
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8060 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:8104 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe218⤵PID:8140
-
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe219⤵
- Drops file in System32 directory
PID:8184 -
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe220⤵PID:7208
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe221⤵PID:7260
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe222⤵
- Drops file in System32 directory
PID:7324 -
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe223⤵PID:7396
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe224⤵PID:7448
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe225⤵PID:7536
-
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe226⤵PID:7612
-
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe227⤵PID:7672
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe228⤵PID:7748
-
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe229⤵PID:7828
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7896 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe231⤵PID:8008
-
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe232⤵
- Modifies registry class
PID:8080 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8128 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe234⤵PID:6684
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe235⤵PID:6852
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe236⤵PID:6320
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe237⤵
- Modifies registry class
PID:7468 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe238⤵PID:7512
-
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe239⤵PID:7596
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe240⤵
- Modifies registry class
PID:7740 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe241⤵PID:7880
-
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7300