Analysis

max time kernel: 159s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 09:11

Static task: static1
Behavioral task: behavioral1
  Sample: 05699af228b613aba27df056ea544530_NEIKI.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 05699af228b613aba27df056ea544530_NEIKI.exe
  Resource: win10v2004-20240226-en
General

Target: 05699af228b613aba27df056ea544530_NEIKI.exe
Size: 163KB
MD5: 05699af228b613aba27df056ea544530
SHA1: 16e21ff9b64981df8f5dea096b98e4a84e36eca6
SHA256: 347c139624582b71cee225bd40f16dae2aea8a50fc2bbfedbb772e6493260535
SHA512: fe51149082e71e977196a90c02022d9e91dc7b93173fc3a2c217e2983110328cc7ce5c248e3944dfc5fe0dd8fa1ea3fae8191872fecb08d92ee7958843f349e0
SSDEEP: 1536:PsasWvVnJFs1SP2k5CGwNzqo8lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:Uajv9JFsEPD0Gmq3ltOrWKDBr+yJb
Malware Config
Extracted: gozi

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe

pid   pid_target  process       target process
5240  2904        WerFault.exe  Fkjmeggp.exe
3276  2904        WerFault.exe  Fkjmeggp.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
One process per line: tree depth, image path, command line, PID, then the signatures matched by that process.
1  C:\Users\Admin\AppData\Local\Temp\05699af228b613aba27df056ea544530_NEIKI.exe  |  cmd: "C:\Users\Admin\AppData\Local\Temp\05699af228b613aba27df056ea544530_NEIKI.exe"  |  PID 3324  |  Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Hccomh32.exe  |  cmd: C:\Windows\system32\Hccomh32.exe  |  PID 1164  |  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Kblkap32.exe  |  cmd: C:\Windows\system32\Kblkap32.exe  |  PID 3404  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Kmaooihb.exe  |  cmd: C:\Windows\system32\Kmaooihb.exe  |  PID 3880  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Lobhqdec.exe  |  cmd: C:\Windows\system32\Lobhqdec.exe  |  PID 3104  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Lmkbeg32.exe  |  cmd: C:\Windows\system32\Lmkbeg32.exe  |  PID 3448  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Mclpbqal.exe  |  cmd: C:\Windows\system32\Mclpbqal.exe  |  PID 3876  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Nlphmafm.exe  |  cmd: C:\Windows\system32\Nlphmafm.exe  |  PID 4184  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Nfjeej32.exe  |  cmd: C:\Windows\system32\Nfjeej32.exe  |  PID 2168  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Ofalfi32.exe  |  cmd: C:\Windows\system32\Ofalfi32.exe  |  PID 4784  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Pmbjcb32.exe  |  cmd: C:\Windows\system32\Pmbjcb32.exe  |  PID 1592  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Alcfpm32.exe  |  cmd: C:\Windows\system32\Alcfpm32.exe  |  PID 4548  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Apcllk32.exe  |  cmd: C:\Windows\system32\Apcllk32.exe  |  PID 624  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Bjqjpp32.exe  |  cmd: C:\Windows\system32\Bjqjpp32.exe  |  PID 3064  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Bqahmhpi.exe  |  cmd: C:\Windows\system32\Bqahmhpi.exe  |  PID 2060  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Cklffq32.exe  |  cmd: C:\Windows\system32\Cklffq32.exe  |  PID 2660  |  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Cdicje32.exe  |  cmd: C:\Windows\system32\Cdicje32.exe  |  PID 3616  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
18  C:\Windows\SysWOW64\Dncehk32.exe  |  cmd: C:\Windows\system32\Dncehk32.exe  |  PID 1684  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
19  C:\Windows\SysWOW64\Dnhncjom.exe  |  cmd: C:\Windows\system32\Dnhncjom.exe  |  PID 4348  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
20  C:\Windows\SysWOW64\Eanqpdgi.exe  |  cmd: C:\Windows\system32\Eanqpdgi.exe  |  PID 224  |  Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
21  C:\Windows\SysWOW64\Flfjjkgi.exe  |  cmd: C:\Windows\system32\Flfjjkgi.exe  |  PID 2784  |  Executes dropped EXE; Suspicious use of WriteProcessMemory
22  C:\Windows\SysWOW64\Helkdnaj.exe  |  cmd: C:\Windows\system32\Helkdnaj.exe  |  PID 4976  |  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
23  C:\Windows\SysWOW64\Hecadm32.exe  |  cmd: C:\Windows\system32\Hecadm32.exe  |  PID 3888  |  Executes dropped EXE
24  C:\Windows\SysWOW64\Lilbdcfe.exe  |  cmd: C:\Windows\system32\Lilbdcfe.exe  |  PID 4580  |  Executes dropped EXE; Drops file in System32 directory
25  C:\Windows\SysWOW64\Lnikmjdm.exe  |  cmd: C:\Windows\system32\Lnikmjdm.exe  |  PID 2124  |  Executes dropped EXE
26  C:\Windows\SysWOW64\Mokdllim.exe  |  cmd: C:\Windows\system32\Mokdllim.exe  |  PID 3896  |  Executes dropped EXE
27  C:\Windows\SysWOW64\Mfiedfmd.exe  |  cmd: C:\Windows\system32\Mfiedfmd.exe  |  PID 3464  |  Executes dropped EXE
28  C:\Windows\SysWOW64\Mkfnlmkl.exe  |  cmd: C:\Windows\system32\Mkfnlmkl.exe  |  PID 3244  |  Executes dropped EXE
29  C:\Windows\SysWOW64\Neaokboj.exe  |  cmd: C:\Windows\system32\Neaokboj.exe  |  PID 2056  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
30  C:\Windows\SysWOW64\Nppfnige.exe  |  cmd: C:\Windows\system32\Nppfnige.exe  |  PID 2656  |  Executes dropped EXE
31  C:\Windows\SysWOW64\Abjkmqni.exe  |  cmd: C:\Windows\system32\Abjkmqni.exe  |  PID 3728  |  Executes dropped EXE; Modifies registry class
32  C:\Windows\SysWOW64\Aemqdk32.exe  |  cmd: C:\Windows\system32\Aemqdk32.exe  |  PID 3468  |  Executes dropped EXE
33  C:\Windows\SysWOW64\Aebjokda.exe  |  cmd: C:\Windows\system32\Aebjokda.exe  |  PID 2568  |  Executes dropped EXE
34  C:\Windows\SysWOW64\Bchgnoai.exe  |  cmd: C:\Windows\system32\Bchgnoai.exe  |  PID 748  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
35  C:\Windows\SysWOW64\Blqlgdhi.exe  |  cmd: C:\Windows\system32\Blqlgdhi.exe  |  PID 4056  |  Executes dropped EXE; Drops file in System32 directory
36  C:\Windows\SysWOW64\Bnbeggmi.exe  |  cmd: C:\Windows\system32\Bnbeggmi.exe  |  PID 4156  |  Executes dropped EXE
37  C:\Windows\SysWOW64\Dcpffk32.exe  |  cmd: C:\Windows\system32\Dcpffk32.exe  |  PID 4992  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
38  C:\Windows\SysWOW64\Dofgklcb.exe  |  cmd: C:\Windows\system32\Dofgklcb.exe  |  PID 1732  |  Executes dropped EXE; Modifies registry class
39  C:\Windows\SysWOW64\Ecnbgian.exe  |  cmd: C:\Windows\system32\Ecnbgian.exe  |  PID 1424  |  Executes dropped EXE
40  C:\Windows\SysWOW64\Ffahnd32.exe  |  cmd: C:\Windows\system32\Ffahnd32.exe  |  PID 4368  |  Executes dropped EXE; Modifies registry class
41  C:\Windows\SysWOW64\Fmkqknci.exe  |  cmd: C:\Windows\system32\Fmkqknci.exe  |  PID 4440  |  Executes dropped EXE; Modifies registry class
42  C:\Windows\SysWOW64\Fjanjb32.exe  |  cmd: C:\Windows\system32\Fjanjb32.exe  |  PID 2964  |  Executes dropped EXE
43  C:\Windows\SysWOW64\Fcnlng32.exe  |  cmd: C:\Windows\system32\Fcnlng32.exe  |  PID 3492  |  Executes dropped EXE; Modifies registry class
44  C:\Windows\SysWOW64\Gplbcgbg.exe  |  cmd: C:\Windows\system32\Gplbcgbg.exe  |  PID 3780  |  Executes dropped EXE
45  C:\Windows\SysWOW64\Hnfehm32.exe  |  cmd: C:\Windows\system32\Hnfehm32.exe  |  PID 3704  |  Executes dropped EXE
46  C:\Windows\SysWOW64\Idhgkcln.exe  |  cmd: C:\Windows\system32\Idhgkcln.exe  |  PID 3692  |  Executes dropped EXE
47  C:\Windows\SysWOW64\Ipcakd32.exe  |  cmd: C:\Windows\system32\Ipcakd32.exe  |  PID 2676  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
48  C:\Windows\SysWOW64\Khifno32.exe  |  cmd: C:\Windows\system32\Khifno32.exe  |  PID 4696  |  Executes dropped EXE
49  C:\Windows\SysWOW64\Knjhae32.exe  |  cmd: C:\Windows\system32\Knjhae32.exe  |  PID 1304  |  Executes dropped EXE
50  C:\Windows\SysWOW64\Lhdeinhb.exe  |  cmd: C:\Windows\system32\Lhdeinhb.exe  |  PID 2892  |  Executes dropped EXE
51  C:\Windows\SysWOW64\Lonnfg32.exe  |  cmd: C:\Windows\system32\Lonnfg32.exe  |  PID 3664  |  Executes dropped EXE; Drops file in System32 directory; Modifies registry class
52  C:\Windows\SysWOW64\Laacmbkm.exe  |  cmd: C:\Windows\system32\Laacmbkm.exe  |  PID 1172  |  Executes dropped EXE; Drops file in System32 directory
53  C:\Windows\SysWOW64\Ldblon32.exe  |  cmd: C:\Windows\system32\Ldblon32.exe  |  PID 3552  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
54  C:\Windows\SysWOW64\Mkcjlf32.exe  |  cmd: C:\Windows\system32\Mkcjlf32.exe  |  PID 4884  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
55  C:\Windows\SysWOW64\Mqpcdn32.exe  |  cmd: C:\Windows\system32\Mqpcdn32.exe  |  PID 3388  |  Executes dropped EXE; Drops file in System32 directory; Modifies registry class
56  C:\Windows\SysWOW64\Mkegbfgp.exe  |  cmd: C:\Windows\system32\Mkegbfgp.exe  |  PID 1160  |  Executes dropped EXE
57  C:\Windows\SysWOW64\Mndcnafd.exe  |  cmd: C:\Windows\system32\Mndcnafd.exe  |  PID 4172  |  Executes dropped EXE
58  C:\Windows\SysWOW64\Ngcngfgl.exe  |  cmd: C:\Windows\system32\Ngcngfgl.exe  |  PID 1428  |  Executes dropped EXE; Modifies registry class
59  C:\Windows\SysWOW64\Nnmfdpni.exe  |  cmd: C:\Windows\system32\Nnmfdpni.exe  |  PID 4076  |  Executes dropped EXE
60  C:\Windows\SysWOW64\Obdbqm32.exe  |  cmd: C:\Windows\system32\Obdbqm32.exe  |  PID 1356  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
61  C:\Windows\SysWOW64\Pacahhib.exe  |  cmd: C:\Windows\system32\Pacahhib.exe  |  PID 2428  |  Executes dropped EXE; Modifies registry class
62  C:\Windows\SysWOW64\Qniogl32.exe  |  cmd: C:\Windows\system32\Qniogl32.exe  |  PID 2768  |  Executes dropped EXE
63  C:\Windows\SysWOW64\Aaoadg32.exe  |  cmd: C:\Windows\system32\Aaoadg32.exe  |  PID 644  |  Executes dropped EXE
64  C:\Windows\SysWOW64\Bpggbm32.exe  |  cmd: C:\Windows\system32\Bpggbm32.exe  |  PID 3996  |  Executes dropped EXE; Drops file in System32 directory; Modifies registry class
65  C:\Windows\SysWOW64\Ccacjgfb.exe  |  cmd: C:\Windows\system32\Ccacjgfb.exe  |  PID 4644  |  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
66  C:\Windows\SysWOW64\Fihqfh32.exe  |  cmd: C:\Windows\system32\Fihqfh32.exe  |  PID 4680
67  C:\Windows\SysWOW64\Iannpa32.exe  |  cmd: C:\Windows\system32\Iannpa32.exe  |  PID 3936  |  Adds autorun key to be loaded by Explorer.exe on startup
68  C:\Windows\SysWOW64\Jmnakqcc.exe  |  cmd: C:\Windows\system32\Jmnakqcc.exe  |  PID 2844  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
69  C:\Windows\SysWOW64\Kapclned.exe  |  cmd: C:\Windows\system32\Kapclned.exe  |  PID 2652  |  Modifies registry class
70  C:\Windows\SysWOW64\Nkncno32.exe  |  cmd: C:\Windows\system32\Nkncno32.exe  |  PID 3348
71  C:\Windows\SysWOW64\Pgjfdm32.exe  |  cmd: C:\Windows\system32\Pgjfdm32.exe  |  PID 4820
72  C:\Windows\SysWOW64\Ajphagha.exe  |  cmd: C:\Windows\system32\Ajphagha.exe  |  PID 3604
73  C:\Windows\SysWOW64\Achmjmnb.exe  |  cmd: C:\Windows\system32\Achmjmnb.exe  |  PID 4040
74  C:\Windows\SysWOW64\Aelcooap.exe  |  cmd: C:\Windows\system32\Aelcooap.exe  |  PID 1612  |  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
75  C:\Windows\SysWOW64\Bjkhme32.exe  |  cmd: C:\Windows\system32\Bjkhme32.exe  |  PID 1668  |  Adds autorun key to be loaded by Explorer.exe on startup
76  C:\Windows\SysWOW64\Beqljn32.exe  |  cmd: C:\Windows\system32\Beqljn32.exe  |  PID 5044  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
77  C:\Windows\SysWOW64\Baocpnmf.exe  |  cmd: C:\Windows\system32\Baocpnmf.exe  |  PID 4332
78  C:\Windows\SysWOW64\Eoaianan.exe  |  cmd: C:\Windows\system32\Eoaianan.exe  |  PID 912  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
79  C:\Windows\SysWOW64\Fdpnpe32.exe  |  cmd: C:\Windows\system32\Fdpnpe32.exe  |  PID 2168
80  C:\Windows\SysWOW64\Gfngke32.exe  |  cmd: C:\Windows\system32\Gfngke32.exe  |  PID 4548
81  C:\Windows\SysWOW64\Hkaedk32.exe  |  cmd: C:\Windows\system32\Hkaedk32.exe  |  PID 3460
82  C:\Windows\SysWOW64\Iehfno32.exe  |  cmd: C:\Windows\system32\Iehfno32.exe  |  PID 4604  |  Drops file in System32 directory
83  C:\Windows\SysWOW64\Lbmheomi.exe  |  cmd: C:\Windows\system32\Lbmheomi.exe  |  PID 3744
84  C:\Windows\SysWOW64\Ngkjbkem.exe  |  cmd: C:\Windows\system32\Ngkjbkem.exe  |  PID 3972  |  Adds autorun key to be loaded by Explorer.exe on startup
85  C:\Windows\SysWOW64\Nlhbja32.exe  |  cmd: C:\Windows\system32\Nlhbja32.exe  |  PID 1396  |  Adds autorun key to be loaded by Explorer.exe on startup
86  C:\Windows\SysWOW64\Ndokko32.exe  |  cmd: C:\Windows\system32\Ndokko32.exe  |  PID 4364  |  Modifies registry class
87  C:\Windows\SysWOW64\Nepgcgje.exe  |  cmd: C:\Windows\system32\Nepgcgje.exe  |  PID 920
88  C:\Windows\SysWOW64\Ofgmdf32.exe  |  cmd: C:\Windows\system32\Ofgmdf32.exe  |  PID 4344  |  Modifies registry class
89  C:\Windows\SysWOW64\Opmaaodc.exe  |  cmd: C:\Windows\system32\Opmaaodc.exe  |  PID 4420  |  Drops file in System32 directory
90  C:\Windows\SysWOW64\Onhhkb32.exe  |  cmd: C:\Windows\system32\Onhhkb32.exe  |  PID 3888
91  C:\Windows\SysWOW64\Pnlafaio.exe  |  cmd: C:\Windows\system32\Pnlafaio.exe  |  PID 4668
92  C:\Windows\SysWOW64\Qnhabp32.exe  |  cmd: C:\Windows\system32\Qnhabp32.exe  |  PID 4948
93  C:\Windows\SysWOW64\Bglefdke.exe  |  cmd: C:\Windows\system32\Bglefdke.exe  |  PID 2328
94  C:\Windows\SysWOW64\Bjmnho32.exe  |  cmd: C:\Windows\system32\Bjmnho32.exe  |  PID 1516
95  C:\Windows\SysWOW64\Bfhhho32.exe  |  cmd: C:\Windows\system32\Bfhhho32.exe  |  PID 3268
96  C:\Windows\SysWOW64\Cdoegcfl.exe  |  cmd: C:\Windows\system32\Cdoegcfl.exe  |  PID 2760  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
97  C:\Windows\SysWOW64\Cmgjpi32.exe  |  cmd: C:\Windows\system32\Cmgjpi32.exe  |  PID 820
98  C:\Windows\SysWOW64\Cdabmcdi.exe  |  cmd: C:\Windows\system32\Cdabmcdi.exe  |  PID 2796
99  C:\Windows\SysWOW64\Dmnpah32.exe  |  cmd: C:\Windows\system32\Dmnpah32.exe  |  PID 3896  |  Modifies registry class
100  C:\Windows\SysWOW64\Eoilfidj.exe  |  cmd: C:\Windows\system32\Eoilfidj.exe  |  PID 3728
101  C:\Windows\SysWOW64\Eopbghnb.exe  |  cmd: C:\Windows\system32\Eopbghnb.exe  |  PID 3636  |  Drops file in System32 directory
102  C:\Windows\SysWOW64\Gkcbhgii.exe  |  cmd: C:\Windows\system32\Gkcbhgii.exe  |  PID 1828
103  C:\Windows\SysWOW64\Gamjea32.exe  |  cmd: C:\Windows\system32\Gamjea32.exe  |  PID 1684  |  Drops file in System32 directory
104  C:\Windows\SysWOW64\Gdkgam32.exe  |  cmd: C:\Windows\system32\Gdkgam32.exe  |  PID 2960
105  C:\Windows\SysWOW64\Goqkne32.exe  |  cmd: C:\Windows\system32\Goqkne32.exe  |  PID 1248
106  C:\Windows\SysWOW64\Hkobdeok.exe  |  cmd: C:\Windows\system32\Hkobdeok.exe  |  PID 4384  |  Modifies registry class
107  C:\Windows\SysWOW64\Hdpicj32.exe  |  cmd: C:\Windows\system32\Hdpicj32.exe  |  PID 376
108  C:\Windows\SysWOW64\Ikjapden.exe  |  cmd: C:\Windows\system32\Ikjapden.exe  |  PID 2904
109  C:\Windows\SysWOW64\Ibdiln32.exe  |  cmd: C:\Windows\system32\Ibdiln32.exe  |  PID 3592  |  Adds autorun key to be loaded by Explorer.exe on startup
110  C:\Windows\SysWOW64\Iiehjgnp.exe  |  cmd: C:\Windows\system32\Iiehjgnp.exe  |  PID 3452
111  C:\Windows\SysWOW64\Ioopfa32.exe  |  cmd: C:\Windows\system32\Ioopfa32.exe  |  PID 780  |  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
112  C:\Windows\SysWOW64\Ibnlbm32.exe  |  cmd: C:\Windows\system32\Ibnlbm32.exe  |  PID 3740
113  C:\Windows\SysWOW64\Jgjekc32.exe  |  cmd: C:\Windows\system32\Jgjekc32.exe  |  PID 4992
114  C:\Windows\SysWOW64\Jndmgn32.exe  |  cmd: C:\Windows\system32\Jndmgn32.exe  |  PID 2012
115  C:\Windows\SysWOW64\Jnnpnl32.exe  |  cmd: C:\Windows\system32\Jnnpnl32.exe  |  PID 4348
116  C:\Windows\SysWOW64\Kicdke32.exe  |  cmd: C:\Windows\system32\Kicdke32.exe  |  PID 3944
117  C:\Windows\SysWOW64\Klapgq32.exe  |  cmd: C:\Windows\system32\Klapgq32.exe  |  PID 4764
118  C:\Windows\SysWOW64\Kblidkhp.exe  |  cmd: C:\Windows\system32\Kblidkhp.exe  |  PID 2620  |  Drops file in System32 directory
119  C:\Windows\SysWOW64\Kpfonnab.exe  |  cmd: C:\Windows\system32\Kpfonnab.exe  |  PID 1836
120  C:\Windows\SysWOW64\Lfqgjh32.exe  |  cmd: C:\Windows\system32\Lfqgjh32.exe  |  PID 2156
121  C:\Windows\SysWOW64\Lhbdbpnm.exe  |  cmd: C:\Windows\system32\Lhbdbpnm.exe  |  PID 2592
122  C:\Windows\SysWOW64\Lbghpinc.exe  |  cmd: C:\Windows\system32\Lbghpinc.exe  |  PID 4984  |  Adds autorun key to be loaded by Explorer.exe on startup
123  C:\Windows\SysWOW64\Mlpeol32.exe  |  cmd: C:\Windows\system32\Mlpeol32.exe  |  PID 4532
124  C:\Windows\SysWOW64\Mfejme32.exe  |  cmd: C:\Windows\system32\Mfejme32.exe  |  PID 3652  |  Drops file in System32 directory
125  C:\Windows\SysWOW64\Mhgfdmle.exe  |  cmd: C:\Windows\system32\Mhgfdmle.exe  |  PID 3776
126  C:\Windows\SysWOW64\Nppkkj32.exe  |  cmd: C:\Windows\system32\Nppkkj32.exe  |  PID 5112  |  Adds autorun key to be loaded by Explorer.exe on startup
127  C:\Windows\SysWOW64\Nemcca32.exe  |  cmd: C:\Windows\system32\Nemcca32.exe  |  PID 2648
128  C:\Windows\SysWOW64\Phcogice.exe  |  cmd: C:\Windows\system32\Phcogice.exe  |  PID 4172  |  Drops file in System32 directory
129  C:\Windows\SysWOW64\Phekliab.exe  |  cmd: C:\Windows\system32\Phekliab.exe  |  PID 4440  |  Modifies registry class
130  C:\Windows\SysWOW64\Qlhnng32.exe  |  cmd: C:\Windows\system32\Qlhnng32.exe  |  PID 636
131  C:\Windows\SysWOW64\Aoifoa32.exe  |  cmd: C:\Windows\system32\Aoifoa32.exe  |  PID 2284  |  Adds autorun key to be loaded by Explorer.exe on startup
132  C:\Windows\SysWOW64\Bqafpc32.exe  |  cmd: C:\Windows\system32\Bqafpc32.exe  |  PID 4276  |  Modifies registry class
133  C:\Windows\SysWOW64\Cameka32.exe  |  cmd: C:\Windows\system32\Cameka32.exe  |  PID 984
134  C:\Windows\SysWOW64\Ccbhhl32.exe  |  cmd: C:\Windows\system32\Ccbhhl32.exe  |  PID 1716  |  Drops file in System32 directory
135  C:\Windows\SysWOW64\Diicfa32.exe  |  cmd: C:\Windows\system32\Diicfa32.exe  |  PID 644
136  C:\Windows\SysWOW64\Effffd32.exe  |  cmd: C:\Windows\system32\Effffd32.exe  |  PID 1428  |  Adds autorun key to be loaded by Explorer.exe on startup
137  C:\Windows\SysWOW64\Gjnnoldm.exe  |  cmd: C:\Windows\system32\Gjnnoldm.exe  |  PID 5132  |  Drops file in System32 directory
138  C:\Windows\SysWOW64\Hhoomd32.exe  |  cmd: C:\Windows\system32\Hhoomd32.exe  |  PID 5172
139  C:\Windows\SysWOW64\Hjqkel32.exe  |  cmd: C:\Windows\system32\Hjqkel32.exe  |  PID 5224
140  C:\Windows\SysWOW64\Hkeajn32.exe  |  cmd: C:\Windows\system32\Hkeajn32.exe  |  PID 5264
141  C:\Windows\SysWOW64\Hncmfj32.exe  |  cmd: C:\Windows\system32\Hncmfj32.exe  |  PID 5300
142  C:\Windows\SysWOW64\Hdmecdlh.exe  |  cmd: C:\Windows\system32\Hdmecdlh.exe  |  PID 5340
143  C:\Windows\SysWOW64\Hkgnpn32.exe  |  cmd: C:\Windows\system32\Hkgnpn32.exe  |  PID 5380  |  Adds autorun key to be loaded by Explorer.exe on startup
144  C:\Windows\SysWOW64\Inejlibi.exe  |  cmd: C:\Windows\system32\Inejlibi.exe  |  PID 5416
145  C:\Windows\SysWOW64\Idpbhc32.exe  |  cmd: C:\Windows\system32\Idpbhc32.exe  |  PID 5456  |  Drops file in System32 directory
146  C:\Windows\SysWOW64\Ikijenab.exe  |  cmd: C:\Windows\system32\Ikijenab.exe  |  PID 5496
147  C:\Windows\SysWOW64\Iacbbh32.exe  |  cmd: C:\Windows\system32\Iacbbh32.exe  |  PID 5552
148  C:\Windows\SysWOW64\Iqipcd32.exe  |  cmd: C:\Windows\system32\Iqipcd32.exe  |  PID 5596
149  C:\Windows\SysWOW64\Ikndpm32.exe  |  cmd: C:\Windows\system32\Ikndpm32.exe  |  PID 5640  |  Drops file in System32 directory; Modifies registry class
150  C:\Windows\SysWOW64\Ibhlmgdj.exe  |  cmd: C:\Windows\system32\Ibhlmgdj.exe  |  PID 5684  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
151  C:\Windows\SysWOW64\Ihbdja32.exe  |  cmd: C:\Windows\system32\Ihbdja32.exe  |  PID 5732
152  C:\Windows\SysWOW64\Jjhjli32.exe  |  cmd: C:\Windows\system32\Jjhjli32.exe  |  PID 5784
153  C:\Windows\SysWOW64\Jqbbicel.exe  |  cmd: C:\Windows\system32\Jqbbicel.exe  |  PID 5828  |  Drops file in System32 directory
154  C:\Windows\SysWOW64\Jglkfmmi.exe  |  cmd: C:\Windows\system32\Jglkfmmi.exe  |  PID 5884  |  Adds autorun key to be loaded by Explorer.exe on startup
155  C:\Windows\SysWOW64\Jqdoob32.exe  |  cmd: C:\Windows\system32\Jqdoob32.exe  |  PID 5924  |  Adds autorun key to be loaded by Explorer.exe on startup
156  C:\Windows\SysWOW64\Jjmcghjj.exe  |  cmd: C:\Windows\system32\Jjmcghjj.exe  |  PID 5968
157  C:\Windows\SysWOW64\Jbdliejl.exe  |  cmd: C:\Windows\system32\Jbdliejl.exe  |  PID 6008
158  C:\Windows\SysWOW64\Jhndepbi.exe  |  cmd: C:\Windows\system32\Jhndepbi.exe  |  PID 6052  |  Modifies registry class
159  C:\Windows\SysWOW64\Jjopmh32.exe  |  cmd: C:\Windows\system32\Jjopmh32.exe  |  PID 6100
160  C:\Windows\SysWOW64\Knabne32.exe  |  cmd: C:\Windows\system32\Knabne32.exe  |  PID 2108
161  C:\Windows\SysWOW64\Kelkkpae.exe  |  cmd: C:\Windows\system32\Kelkkpae.exe  |  PID 5164  |  Adds autorun key to be loaded by Explorer.exe on startup
162  C:\Windows\SysWOW64\Kgjggkqi.exe  |  cmd: C:\Windows\system32\Kgjggkqi.exe  |  PID 5244  |  Adds autorun key to be loaded by Explorer.exe on startup
163  C:\Windows\SysWOW64\Kndodehf.exe  |  cmd: C:\Windows\system32\Kndodehf.exe  |  PID 5288  |  Adds autorun key to be loaded by Explorer.exe on startup
164  C:\Windows\SysWOW64\Kengqo32.exe  |  cmd: C:\Windows\system32\Kengqo32.exe  |  PID 5404
165  C:\Windows\SysWOW64\Ljmmnf32.exe  |  cmd: C:\Windows\system32\Ljmmnf32.exe  |  PID 5480  |  Adds autorun key to be loaded by Explorer.exe on startup
166  C:\Windows\SysWOW64\Lbddpclj.exe  |  cmd: C:\Windows\system32\Lbddpclj.exe  |  PID 5528  |  Adds autorun key to be loaded by Explorer.exe on startup
167  C:\Windows\SysWOW64\Linmlm32.exe  |  cmd: C:\Windows\system32\Linmlm32.exe  |  PID 2544
168  C:\Windows\SysWOW64\Ljpideje.exe  |  cmd: C:\Windows\system32\Ljpideje.exe  |  PID 5672
169  C:\Windows\SysWOW64\Lbgaecjg.exe  |  cmd: C:\Windows\system32\Lbgaecjg.exe  |  PID 5720  |  Drops file in System32 directory
170  C:\Windows\SysWOW64\Llcoihmb.exe  |  cmd: C:\Windows\system32\Llcoihmb.exe  |  PID 5752
171  C:\Windows\SysWOW64\Lbngfbdo.exe  |  cmd: C:\Windows\system32\Lbngfbdo.exe  |  PID 5816  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
172  C:\Windows\SysWOW64\Mhjpnibf.exe  |  cmd: C:\Windows\system32\Mhjpnibf.exe  |  PID 4708  |  Drops file in System32 directory; Modifies registry class
173  C:\Windows\SysWOW64\Mndhkc32.exe  |  cmd: C:\Windows\system32\Mndhkc32.exe  |  PID 5908  |  Drops file in System32 directory
174  C:\Windows\SysWOW64\Menpgmap.exe  |  cmd: C:\Windows\system32\Menpgmap.exe  |  PID 6048
175  C:\Windows\SysWOW64\Milinkgf.exe  |  cmd: C:\Windows\system32\Milinkgf.exe  |  PID 6116
176  C:\Windows\SysWOW64\Mjneec32.exe  |  cmd: C:\Windows\system32\Mjneec32.exe  |  PID 5184  |  Drops file in System32 directory
177  C:\Windows\SysWOW64\Magnbnea.exe  |  cmd: C:\Windows\system32\Magnbnea.exe  |  PID 4656  |  Drops file in System32 directory; Modifies registry class
178  C:\Windows\SysWOW64\Mhafoh32.exe  |  cmd: C:\Windows\system32\Mhafoh32.exe  |  PID 5584
179  C:\Windows\SysWOW64\Mjbopcip.exe  |  cmd: C:\Windows\system32\Mjbopcip.exe  |  PID 5680
180  C:\Windows\SysWOW64\Mehcnlie.exe  |  cmd: C:\Windows\system32\Mehcnlie.exe  |  PID 5776
181  C:\Windows\SysWOW64\Nlbkjf32.exe  |  cmd: C:\Windows\system32\Nlbkjf32.exe  |  PID 5892  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
182  C:\Windows\SysWOW64\Nblcgpho.exe  |  cmd: C:\Windows\system32\Nblcgpho.exe  |  PID 6044
183  C:\Windows\SysWOW64\Nelmik32.exe  |  cmd: C:\Windows\system32\Nelmik32.exe  |  PID 6124  |  Modifies registry class
184  C:\Windows\SysWOW64\Nlfeeelm.exe  |  cmd: C:\Windows\system32\Nlfeeelm.exe  |  PID 5376
185  C:\Windows\SysWOW64\Noeaaqlq.exe  |  cmd: C:\Windows\system32\Noeaaqlq.exe  |  PID 5488  |  Drops file in System32 directory
186  C:\Windows\SysWOW64\Neoink32.exe  |  cmd: C:\Windows\system32\Neoink32.exe  |  PID 5768  |  Drops file in System32 directory; Modifies registry class
187  C:\Windows\SysWOW64\Nhpbpepo.exe  |  cmd: C:\Windows\system32\Nhpbpepo.exe  |  PID 6032
188  C:\Windows\SysWOW64\Oolgbpei.exe  |  cmd: C:\Windows\system32\Oolgbpei.exe  |  PID 5292
189  C:\Windows\SysWOW64\Ohdlke32.exe  |  cmd: C:\Windows\system32\Ohdlke32.exe  |  PID 5580  |  Modifies registry class
190  C:\Windows\SysWOW64\Okbhgq32.exe  |  cmd: C:\Windows\system32\Okbhgq32.exe  |  PID 5844
191  C:\Windows\SysWOW64\Oampdkbj.exe  |  cmd: C:\Windows\system32\Oampdkbj.exe  |  PID 6084
192  C:\Windows\SysWOW64\Ohfhqd32.exe  |  cmd: C:\Windows\system32\Ohfhqd32.exe  |  PID 5636  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
193  C:\Windows\SysWOW64\Oocmcn32.exe  |  cmd: C:\Windows\system32\Oocmcn32.exe  |  PID 5976  |  Modifies registry class
194  C:\Windows\SysWOW64\Oemephgn.exe  |  cmd: C:\Windows\system32\Oemephgn.exe  |  PID 5576
195  C:\Windows\SysWOW64\Ohkbldfa.exe  |  cmd: C:\Windows\system32\Ohkbldfa.exe  |  PID 5740
196  C:\Windows\SysWOW64\Ooejhn32.exe  |  cmd: C:\Windows\system32\Ooejhn32.exe  |  PID 4944
197  C:\Windows\SysWOW64\Phddbbnf.exe  |  cmd: C:\Windows\system32\Phddbbnf.exe  |  PID 6156
198  C:\Windows\SysWOW64\Poomom32.exe  |  cmd: C:\Windows\system32\Poomom32.exe  |  PID 6200
199  C:\Windows\SysWOW64\Pamikh32.exe  |  cmd: C:\Windows\system32\Pamikh32.exe  |  PID 6240
200  C:\Windows\SysWOW64\Poajdlcq.exe  |  cmd: C:\Windows\system32\Poajdlcq.exe  |  PID 6292
201  C:\Windows\SysWOW64\Qemoff32.exe  |  cmd: C:\Windows\system32\Qemoff32.exe  |  PID 6336
202  C:\Windows\SysWOW64\Qhlkbaho.exe  |  cmd: C:\Windows\system32\Qhlkbaho.exe  |  PID 6384
203  C:\Windows\SysWOW64\Allpnplb.exe  |  cmd: C:\Windows\system32\Allpnplb.exe  |  PID 6444
204  C:\Windows\SysWOW64\Acfhkj32.exe  |  cmd: C:\Windows\system32\Acfhkj32.exe  |  PID 6488
205  C:\Windows\SysWOW64\Ajpqhdkl.exe  |  cmd: C:\Windows\system32\Ajpqhdkl.exe  |  PID 6532  |  Drops file in System32 directory
206  C:\Windows\SysWOW64\Akamol32.exe  |  cmd: C:\Windows\system32\Akamol32.exe  |  PID 6568
207  C:\Windows\SysWOW64\Acheqi32.exe  |  cmd: C:\Windows\system32\Acheqi32.exe  |  PID 6612  |  Adds autorun key to be loaded by Explorer.exe on startup
208  C:\Windows\SysWOW64\Ajbmmcii.exe  |  cmd: C:\Windows\system32\Ajbmmcii.exe  |  PID 6652
209  C:\Windows\SysWOW64\Aoofej32.exe  |  cmd: C:\Windows\system32\Aoofej32.exe  |  PID 6708
210  C:\Windows\SysWOW64\Ajdjcc32.exe  |  cmd: C:\Windows\system32\Ajdjcc32.exe  |  PID 6752
211  C:\Windows\SysWOW64\Alcfoo32.exe  |  cmd: C:\Windows\system32\Alcfoo32.exe  |  PID 6792  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
212  C:\Windows\SysWOW64\Bcmolimg.exe  |  cmd: C:\Windows\system32\Bcmolimg.exe  |  PID 6836
213  C:\Windows\SysWOW64\Bfngmd32.exe  |  cmd: C:\Windows\system32\Bfngmd32.exe  |  PID 6888  |  Drops file in System32 directory; Modifies registry class
214  C:\Windows\SysWOW64\Blhpjnbe.exe  |  cmd: C:\Windows\system32\Blhpjnbe.exe  |  PID 6928  |  Adds autorun key to be loaded by Explorer.exe on startup
215  C:\Windows\SysWOW64\Boflfiai.exe  |  cmd: C:\Windows\system32\Boflfiai.exe  |  PID 6972  |  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
216  C:\Windows\SysWOW64\Bjlpcbqo.exe  |  cmd: C:\Windows\system32\Bjlpcbqo.exe  |  PID 7032  |  Adds autorun key to be loaded by Explorer.exe on startup
217  C:\Windows\SysWOW64\Bicjjncd.exe  |  cmd: C:\Windows\system32\Bicjjncd.exe  |  PID 7088  |  Drops file in System32 directory
218  C:\Windows\SysWOW64\Combgh32.exe  |  cmd: C:\Windows\system32\Combgh32.exe  |  PID 7136
219  C:\Windows\SysWOW64\Cjbfdakf.exe  |  cmd: C:\Windows\system32\Cjbfdakf.exe  |  PID 1984  |  Drops file in System32 directory
220  C:\Windows\SysWOW64\Ccbanfko.exe  |  cmd: C:\Windows\system32\Ccbanfko.exe  |  PID 6252  |  Adds autorun key to be loaded by Explorer.exe on startup
221  C:\Windows\SysWOW64\Cjlijp32.exe  |  cmd: C:\Windows\system32\Cjlijp32.exe  |  PID 6324  |  Modifies registry class
222  C:\Windows\SysWOW64\Doiabgqc.exe  |  cmd: C:\Windows\system32\Doiabgqc.exe  |  PID 3284  |  Drops file in System32 directory
223  C:\Windows\SysWOW64\Ecpmod32.exe  |  cmd: C:\Windows\system32\Ecpmod32.exe  |  PID 6440
224  C:\Windows\SysWOW64\Efhlan32.exe  |  cmd: C:\Windows\system32\Efhlan32.exe  |  PID 6528  |  Modifies registry class
225  C:\Windows\SysWOW64\Fmbdnhme.exe  |  cmd: C:\Windows\system32\Fmbdnhme.exe  |  PID 6600
226  C:\Windows\SysWOW64\Fdqffaql.exe  |  cmd: C:\Windows\system32\Fdqffaql.exe  |  PID 6640
227  C:\Windows\SysWOW64\Fdccka32.exe  |  cmd: C:\Windows\system32\Fdccka32.exe  |  PID 6740  |  Modifies registry class
228  C:\Windows\SysWOW64\Gkdaij32.exe  |  cmd: C:\Windows\system32\Gkdaij32.exe  |  PID 6816  |  Modifies registry class
229  C:\Windows\SysWOW64\Glenpb32.exe  |  cmd: C:\Windows\system32\Glenpb32.exe  |  PID 6872  |  Drops file in System32 directory
230  C:\Windows\SysWOW64\Gkfnnjnl.exe  |  cmd: C:\Windows\system32\Gkfnnjnl.exe  |  PID 6924  |  Adds autorun key to be loaded by Explorer.exe on startup
231  C:\Windows\SysWOW64\Gdaomobj.exe  |  cmd: C:\Windows\system32\Gdaomobj.exe  |  PID 6956  |  Modifies registry class
232  C:\Windows\SysWOW64\Hpjlgp32.exe  |  cmd: C:\Windows\system32\Hpjlgp32.exe  |  PID 7028  |  Drops file in System32 directory
233  C:\Windows\SysWOW64\Hckeikcl.exe  |  cmd: C:\Windows\system32\Hckeikcl.exe  |  PID 6468  |  Modifies registry class
234  C:\Windows\SysWOW64\Ikickgnf.exe  |  cmd: C:\Windows\system32\Ikickgnf.exe  |  PID 7164  |  Modifies registry class
235  C:\Windows\SysWOW64\Jncobabm.exe  |  cmd: C:\Windows\system32\Jncobabm.exe  |  PID 6344
236  C:\Windows\SysWOW64\Knfeoobh.exe  |  cmd: C:\Windows\system32\Knfeoobh.exe  |  PID 6396  |  Modifies registry class
237  C:\Windows\SysWOW64\Lddgghfo.exe  |  cmd: C:\Windows\system32\Lddgghfo.exe  |  PID 6464
238  C:\Windows\SysWOW64\Mcnmccfa.exe  |  cmd: C:\Windows\system32\Mcnmccfa.exe  |  PID 6564  |  Drops file in System32 directory
239  C:\Windows\SysWOW64\Menimfnd.exe  |  cmd: C:\Windows\system32\Menimfnd.exe  |  PID 6672
240  C:\Windows\SysWOW64\Onicbi32.exe  |  cmd: C:\Windows\system32\Onicbi32.exe  |  PID 2684
241  C:\Windows\SysWOW64\Pdalfo32.exe  |  cmd: C:\Windows\system32\Pdalfo32.exe  |  PID 6984
242  C:\Windows\SysWOW64\Pknqhh32.exe  |  cmd: C:\Windows\system32\Pknqhh32.exe  |  PID 5060  |  Modifies registry class