Analysis
- max time kernel: 151s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-05-2024 16:37

Static task: static1

Behavioral task: behavioral1
- Sample: 8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en

General
- Target: 8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe
- Size: 163KB
- MD5: 8fdae33001299bb6162d8362540d82c0
- SHA1: a5b2dd55fa3fcf04ab49bf429cd4a8eca17be920
- SHA256: a2b88541258727d139ae7822f32647d3a4c8bda4ece08a741d6e2641350b4c44
- SHA512: aacf06e9fae3f38298dd1002d6d33292b3b9c73cc003ee81d4a1ce04b29e39daf9a0870cc4c128c4fab2f2d1a0e9029019bb227d79d73c24560dc560a0c6872d
- SSDEEP: 1536:P8Y13fZWeraOwtwKYAzL1plProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:E03fBWp2KYg1pltOrWKDBr+yJb
Malware Config
- Extracted: gozi
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe, Ohcegi32.exe, Pejkmk32.exe, Amjillkj.exe, Anobgl32.exe, Bhkmec32.exe, Bdickcpo.exe, Coadnlnb.exe, Dmlkhofd.exe, Dnpdegjp.exe, Emhkdmlg.exe, Epmmqheb.exe, Flmqlg32.exe, Gifkpknp.exe, Hipmfjee.exe, Hfhgkmpj.exe, Hfjdqmng.exe, Hlglidlo.exe, Iepaaico.exe, Imnocf32.exe, Jmbhoeid.exe, Jpenfp32.exe

description | pid | process | target process
PID 4412 wrote to memory of 2972 | 4412 | 8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe | Ohcegi32.exe
PID 4412 wrote to memory of 2972 | 4412 | 8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe | Ohcegi32.exe
PID 4412 wrote to memory of 2972 | 4412 | 8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe | Ohcegi32.exe
PID 2972 wrote to memory of 732 | 2972 | Ohcegi32.exe | Pejkmk32.exe
PID 2972 wrote to memory of 732 | 2972 | Ohcegi32.exe | Pejkmk32.exe
PID 2972 wrote to memory of 732 | 2972 | Ohcegi32.exe | Pejkmk32.exe
PID 732 wrote to memory of 4216 | 732 | Pejkmk32.exe | Amjillkj.exe
PID 732 wrote to memory of 4216 | 732 | Pejkmk32.exe | Amjillkj.exe
PID 732 wrote to memory of 4216 | 732 | Pejkmk32.exe | Amjillkj.exe
PID 4216 wrote to memory of 4480 | 4216 | Amjillkj.exe | Anobgl32.exe
PID 4216 wrote to memory of 4480 | 4216 | Amjillkj.exe | Anobgl32.exe
PID 4216 wrote to memory of 4480 | 4216 | Amjillkj.exe | Anobgl32.exe
PID 4480 wrote to memory of 1708 | 4480 | Anobgl32.exe | Bhkmec32.exe
PID 4480 wrote to memory of 1708 | 4480 | Anobgl32.exe | Bhkmec32.exe
PID 4480 wrote to memory of 1708 | 4480 | Anobgl32.exe | Bhkmec32.exe
PID 1708 wrote to memory of 4840 | 1708 | Bhkmec32.exe | Bdickcpo.exe
PID 1708 wrote to memory of 4840 | 1708 | Bhkmec32.exe | Bdickcpo.exe
PID 1708 wrote to memory of 4840 | 1708 | Bhkmec32.exe | Bdickcpo.exe
PID 4840 wrote to memory of 2960 | 4840 | Bdickcpo.exe | Coadnlnb.exe
PID 4840 wrote to memory of 2960 | 4840 | Bdickcpo.exe | Coadnlnb.exe
PID 4840 wrote to memory of 2960 | 4840 | Bdickcpo.exe | Coadnlnb.exe
PID 2960 wrote to memory of 3612 | 2960 | Coadnlnb.exe | Dmlkhofd.exe
PID 2960 wrote to memory of 3612 | 2960 | Coadnlnb.exe | Dmlkhofd.exe
PID 2960 wrote to memory of 3612 | 2960 | Coadnlnb.exe | Dmlkhofd.exe
PID 3612 wrote to memory of 1792 | 3612 | Dmlkhofd.exe | Dnpdegjp.exe
PID 3612 wrote to memory of 1792 | 3612 | Dmlkhofd.exe | Dnpdegjp.exe
PID 3612 wrote to memory of 1792 | 3612 | Dmlkhofd.exe | Dnpdegjp.exe
PID 1792 wrote to memory of 3680 | 1792 | Dnpdegjp.exe | Emhkdmlg.exe
PID 1792 wrote to memory of 3680 | 1792 | Dnpdegjp.exe | Emhkdmlg.exe
PID 1792 wrote to memory of 3680 | 1792 | Dnpdegjp.exe | Emhkdmlg.exe
PID 3680 wrote to memory of 2260 | 3680 | Emhkdmlg.exe | Epmmqheb.exe
PID 3680 wrote to memory of 2260 | 3680 | Emhkdmlg.exe | Epmmqheb.exe
PID 3680 wrote to memory of 2260 | 3680 | Emhkdmlg.exe | Epmmqheb.exe
PID 2260 wrote to memory of 4832 | 2260 | Epmmqheb.exe | Flmqlg32.exe
PID 2260 wrote to memory of 4832 | 2260 | Epmmqheb.exe | Flmqlg32.exe
PID 2260 wrote to memory of 4832 | 2260 | Epmmqheb.exe | Flmqlg32.exe
PID 4832 wrote to memory of 3568 | 4832 | Flmqlg32.exe | Gifkpknp.exe
PID 4832 wrote to memory of 3568 | 4832 | Flmqlg32.exe | Gifkpknp.exe
PID 4832 wrote to memory of 3568 | 4832 | Flmqlg32.exe | Gifkpknp.exe
PID 3568 wrote to memory of 2044 | 3568 | Gifkpknp.exe | Hipmfjee.exe
PID 3568 wrote to memory of 2044 | 3568 | Gifkpknp.exe | Hipmfjee.exe
PID 3568 wrote to memory of 2044 | 3568 | Gifkpknp.exe | Hipmfjee.exe
PID 2044 wrote to memory of 3328 | 2044 | Hipmfjee.exe | Hfhgkmpj.exe
PID 2044 wrote to memory of 3328 | 2044 | Hipmfjee.exe | Hfhgkmpj.exe
PID 2044 wrote to memory of 3328 | 2044 | Hipmfjee.exe | Hfhgkmpj.exe
PID 3328 wrote to memory of 4500 | 3328 | Hfhgkmpj.exe | Hfjdqmng.exe
PID 3328 wrote to memory of 4500 | 3328 | Hfhgkmpj.exe | Hfjdqmng.exe
PID 3328 wrote to memory of 4500 | 3328 | Hfhgkmpj.exe | Hfjdqmng.exe
PID 4500 wrote to memory of 2344 | 4500 | Hfjdqmng.exe | Hlglidlo.exe
PID 4500 wrote to memory of 2344 | 4500 | Hfjdqmng.exe | Hlglidlo.exe
PID 4500 wrote to memory of 2344 | 4500 | Hfjdqmng.exe | Hlglidlo.exe
PID 2344 wrote to memory of 2104 | 2344 | Hlglidlo.exe | Iepaaico.exe
PID 2344 wrote to memory of 2104 | 2344 | Hlglidlo.exe | Iepaaico.exe
PID 2344 wrote to memory of 2104 | 2344 | Hlglidlo.exe | Iepaaico.exe
PID 2104 wrote to memory of 1444 | 2104 | Iepaaico.exe | Imnocf32.exe
PID 2104 wrote to memory of 1444 | 2104 | Iepaaico.exe | Imnocf32.exe
PID 2104 wrote to memory of 1444 | 2104 | Iepaaico.exe | Imnocf32.exe
PID 1444 wrote to memory of 4012 | 1444 | Imnocf32.exe | Jmbhoeid.exe
PID 1444 wrote to memory of 4012 | 1444 | Imnocf32.exe | Jmbhoeid.exe
PID 1444 wrote to memory of 4012 | 1444 | Imnocf32.exe | Jmbhoeid.exe
PID 4012 wrote to memory of 1752 | 4012 | Jmbhoeid.exe | Jpenfp32.exe
PID 4012 wrote to memory of 1752 | 4012 | Jmbhoeid.exe | Jpenfp32.exe
PID 4012 wrote to memory of 1752 | 4012 | Jmbhoeid.exe | Jpenfp32.exe
PID 1752 wrote to memory of 4056 | 1752 | Jpenfp32.exe | Kcidmkpq.exe
Processes
-
Process tree. The number is the depth in the tree; the run is a single chain, each process being the child of the process numbered just before it. Signatures the sandbox attached to a process are listed beneath it.

1. C:\Users\Admin\AppData\Local\Temp\8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe (PID 4412), command line "C:\Users\Admin\AppData\Local\Temp\8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ohcegi32.exe (PID 2972), command line C:\Windows\system32\Ohcegi32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Pejkmk32.exe (PID 732), command line C:\Windows\system32\Pejkmk32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Amjillkj.exe (PID 4216), command line C:\Windows\system32\Amjillkj.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Anobgl32.exe (PID 4480), command line C:\Windows\system32\Anobgl32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Bhkmec32.exe (PID 1708), command line C:\Windows\system32\Bhkmec32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Bdickcpo.exe (PID 4840), command line C:\Windows\system32\Bdickcpo.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Coadnlnb.exe (PID 2960), command line C:\Windows\system32\Coadnlnb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dmlkhofd.exe (PID 3612), command line C:\Windows\system32\Dmlkhofd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dnpdegjp.exe (PID 1792), command line C:\Windows\system32\Dnpdegjp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Emhkdmlg.exe (PID 3680), command line C:\Windows\system32\Emhkdmlg.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Epmmqheb.exe (PID 2260), command line C:\Windows\system32\Epmmqheb.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Flmqlg32.exe (PID 4832), command line C:\Windows\system32\Flmqlg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Gifkpknp.exe (PID 3568), command line C:\Windows\system32\Gifkpknp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hipmfjee.exe (PID 2044), command line C:\Windows\system32\Hipmfjee.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hfhgkmpj.exe (PID 3328), command line C:\Windows\system32\Hfhgkmpj.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Hfjdqmng.exe (PID 4500), command line C:\Windows\system32\Hfjdqmng.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Hlglidlo.exe (PID 2344), command line C:\Windows\system32\Hlglidlo.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Iepaaico.exe (PID 2104), command line C:\Windows\system32\Iepaaico.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Imnocf32.exe (PID 1444), command line C:\Windows\system32\Imnocf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Jmbhoeid.exe (PID 4012), command line C:\Windows\system32\Jmbhoeid.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Jpenfp32.exe (PID 1752), command line C:\Windows\system32\Jpenfp32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Kcidmkpq.exe (PID 4056), command line C:\Windows\system32\Kcidmkpq.exe
   - Executes dropped EXE
   - Drops file in System32 directory
24. C:\Windows\SysWOW64\Npbceggm.exe (PID 4044), command line C:\Windows\system32\Npbceggm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Oakbehfe.exe (PID 2192), command line C:\Windows\system32\Oakbehfe.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Ojfcdnjc.exe (PID 4804), command line C:\Windows\system32\Ojfcdnjc.exe
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Pnfiplog.exe (PID 1236), command line C:\Windows\system32\Pnfiplog.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Pjmjdm32.exe (PID 4820), command line C:\Windows\system32\Pjmjdm32.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Pffgom32.exe (PID 1140), command line C:\Windows\system32\Pffgom32.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Qfkqjmdg.exe (PID 844), command line C:\Windows\system32\Qfkqjmdg.exe
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Amjbbfgo.exe (PID 2780), command line C:\Windows\system32\Amjbbfgo.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Apjkcadp.exe (PID 5004), command line C:\Windows\system32\Apjkcadp.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Agdcpkll.exe (PID 960), command line C:\Windows\system32\Agdcpkll.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Apodoq32.exe (PID 372), command line C:\Windows\system32\Apodoq32.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Bajqda32.exe (PID 928), command line C:\Windows\system32\Bajqda32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Ckbemgcp.exe (PID 5092), command line C:\Windows\system32\Ckbemgcp.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Chfegk32.exe (PID 1056), command line C:\Windows\system32\Chfegk32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Ebfign32.exe (PID 3208), command line C:\Windows\system32\Ebfign32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Fdnhih32.exe (PID 5084), command line C:\Windows\system32\Fdnhih32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Gicgpelg.exe (PID 2472), command line C:\Windows\system32\Gicgpelg.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Gndick32.exe (PID 4228), command line C:\Windows\system32\Gndick32.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Hpfbcn32.exe (PID 1976), command line C:\Windows\system32\Hpfbcn32.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Hbldphde.exe (PID 4816), command line C:\Windows\system32\Hbldphde.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Ieagmcmq.exe (PID 3528), command line C:\Windows\system32\Ieagmcmq.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Jekjcaef.exe (PID 4316), command line C:\Windows\system32\Jekjcaef.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Jeocna32.exe (PID 2848), command line C:\Windows\system32\Jeocna32.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Jpgdai32.exe (PID 3104), command line C:\Windows\system32\Jpgdai32.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Kolabf32.exe (PID 4168), command line C:\Windows\system32\Kolabf32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Kplmliko.exe (PID 4364), command line C:\Windows\system32\Kplmliko.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Khiofk32.exe (PID 4892), command line C:\Windows\system32\Khiofk32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Kemooo32.exe (PID 4624), command line C:\Windows\system32\Kemooo32.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Lljdai32.exe (PID 3924), command line C:\Windows\system32\Lljdai32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Lllagh32.exe (PID 2568), command line C:\Windows\system32\Lllagh32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Mjidgkog.exe (PID 2712), command line C:\Windows\system32\Mjidgkog.exe
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Mofmobmo.exe (PID 524), command line C:\Windows\system32\Mofmobmo.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Nckkfp32.exe (PID 1152), command line C:\Windows\system32\Nckkfp32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Nbphglbe.exe (PID 3852), command line C:\Windows\system32\Nbphglbe.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Njjmni32.exe (PID 3768), command line C:\Windows\system32\Njjmni32.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Nqfbpb32.exe (PID 888), command line C:\Windows\system32\Nqfbpb32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
60. C:\Windows\SysWOW64\Ocgkan32.exe (PID 4076), command line C:\Windows\system32\Ocgkan32.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Ocihgnam.exe (PID 1328), command line C:\Windows\system32\Ocihgnam.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Omalpc32.exe (PID 1680), command line C:\Windows\system32\Omalpc32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Ocnabm32.exe (PID 2464), command line C:\Windows\system32\Ocnabm32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Pmkofa32.exe (PID 2836), command line C:\Windows\system32\Pmkofa32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Pfccogfc.exe (PID 3604), command line C:\Windows\system32\Pfccogfc.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Ppnenlka.exe (PID 4628), command line C:\Windows\system32\Ppnenlka.exe
67. C:\Windows\SysWOW64\Pfhmjf32.exe (PID 632), command line C:\Windows\system32\Pfhmjf32.exe
68. C:\Windows\SysWOW64\Qjffpe32.exe (PID 4224), command line C:\Windows\system32\Qjffpe32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Aimogakj.exe (PID 232), command line C:\Windows\system32\Aimogakj.exe
70. C:\Windows\SysWOW64\Afappe32.exe (PID 4860), command line C:\Windows\system32\Afappe32.exe
71. C:\Windows\SysWOW64\Adepji32.exe (PID 1548), command line C:\Windows\system32\Adepji32.exe
72. C:\Windows\SysWOW64\Ajaelc32.exe (PID 3440), command line C:\Windows\system32\Ajaelc32.exe
73. C:\Windows\SysWOW64\Afhfaddk.exe (PID 404), command line C:\Windows\system32\Afhfaddk.exe
74. C:\Windows\SysWOW64\Bdocph32.exe (PID 4576), command line C:\Windows\system32\Bdocph32.exe
75. C:\Windows\SysWOW64\Bipecnkd.exe (PID 868), command line C:\Windows\system32\Bipecnkd.exe
76. C:\Windows\SysWOW64\Bgdemb32.exe (PID 4024), command line C:\Windows\system32\Bgdemb32.exe
77. C:\Windows\SysWOW64\Ckdkhq32.exe (PID 4540), command line C:\Windows\system32\Ckdkhq32.exe
78. C:\Windows\SysWOW64\Cdmoafdb.exe (PID 5152), command line C:\Windows\system32\Cdmoafdb.exe
79. C:\Windows\SysWOW64\Ckidcpjl.exe (PID 5192), command line C:\Windows\system32\Ckidcpjl.exe
80. C:\Windows\SysWOW64\Cdaile32.exe (PID 5236), command line C:\Windows\system32\Cdaile32.exe
81. C:\Windows\SysWOW64\Dmjmekgn.exe (PID 5276), command line C:\Windows\system32\Dmjmekgn.exe
82. C:\Windows\SysWOW64\Dgbanq32.exe (PID 5316), command line C:\Windows\system32\Dgbanq32.exe
83. C:\Windows\SysWOW64\Dajbaika.exe (PID 5364), command line C:\Windows\system32\Dajbaika.exe
84. C:\Windows\SysWOW64\Edoencdm.exe (PID 5412), command line C:\Windows\system32\Edoencdm.exe
85. C:\Windows\SysWOW64\Epffbd32.exe (PID 5460), command line C:\Windows\system32\Epffbd32.exe
86. C:\Windows\SysWOW64\Egbken32.exe (PID 5508), command line C:\Windows\system32\Egbken32.exe
   - Drops file in System32 directory
87. C:\Windows\SysWOW64\Ecikjoep.exe (PID 5548), command line C:\Windows\system32\Ecikjoep.exe
88. C:\Windows\SysWOW64\Fdbkja32.exe (PID 5592), command line C:\Windows\system32\Fdbkja32.exe
89. C:\Windows\SysWOW64\Gnmlhf32.exe (PID 5640), command line C:\Windows\system32\Gnmlhf32.exe
90. C:\Windows\SysWOW64\Gkhbbi32.exe (PID 5696), command line C:\Windows\system32\Gkhbbi32.exe
91. C:\Windows\SysWOW64\Ieeimlep.exe (PID 5752), command line C:\Windows\system32\Ieeimlep.exe
92. C:\Windows\SysWOW64\Jhfbog32.exe (PID 5812), command line C:\Windows\system32\Jhfbog32.exe
93. C:\Windows\SysWOW64\Jnpjlajn.exe (PID 5860), command line C:\Windows\system32\Jnpjlajn.exe
94. C:\Windows\SysWOW64\Jejbhk32.exe (PID 5896), command line C:\Windows\system32\Jejbhk32.exe
95. C:\Windows\SysWOW64\Jjgkab32.exe (PID 5936), command line C:\Windows\system32\Jjgkab32.exe
96. C:\Windows\SysWOW64\Jdopjh32.exe (PID 5984), command line C:\Windows\system32\Jdopjh32.exe
97. C:\Windows\SysWOW64\Jjihfbno.exe (PID 6028), command line C:\Windows\system32\Jjihfbno.exe
98. C:\Windows\SysWOW64\Jdalog32.exe (PID 6072), command line C:\Windows\system32\Jdalog32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Jhoeef32.exe (PID 6124), command line C:\Windows\system32\Jhoeef32.exe
100. C:\Windows\SysWOW64\Kajfdk32.exe (PID 1300), command line C:\Windows\system32\Kajfdk32.exe
101. C:\Windows\SysWOW64\Kongmo32.exe (PID 5200), command line C:\Windows\system32\Kongmo32.exe
102. C:\Windows\SysWOW64\Klbgfc32.exe (PID 5264), command line C:\Windows\system32\Klbgfc32.exe
103. C:\Windows\SysWOW64\Khihld32.exe (PID 5340), command line C:\Windows\system32\Khihld32.exe
104. C:\Windows\SysWOW64\Kocphojh.exe (PID 4984), command line C:\Windows\system32\Kocphojh.exe
105. C:\Windows\SysWOW64\Lacijjgi.exe (PID 5408), command line C:\Windows\system32\Lacijjgi.exe
106. C:\Windows\SysWOW64\Llimgb32.exe (PID 5480), command line C:\Windows\system32\Llimgb32.exe
107. C:\Windows\SysWOW64\Lhdggb32.exe (PID 5532), command line C:\Windows\system32\Lhdggb32.exe
108. C:\Windows\SysWOW64\Mklfjm32.exe (PID 5608), command line C:\Windows\system32\Mklfjm32.exe
109. C:\Windows\SysWOW64\Mllccpfj.exe (PID 5684), command line C:\Windows\system32\Mllccpfj.exe
   - Modifies registry class
110. C:\Windows\SysWOW64\Mcfkpjng.exe (PID 5732), command line C:\Windows\system32\Mcfkpjng.exe
111. C:\Windows\SysWOW64\Nomlek32.exe (PID 4208), command line C:\Windows\system32\Nomlek32.exe
112. C:\Windows\SysWOW64\Napameoi.exe (PID 5820), command line C:\Windows\system32\Napameoi.exe
113. C:\Windows\SysWOW64\Ohcmpn32.exe (PID 5908), command line C:\Windows\system32\Ohcmpn32.exe
   - Modifies registry class
114. C:\Windows\SysWOW64\Pbbgicnd.exe (PID 5976), command line C:\Windows\system32\Pbbgicnd.exe
115. C:\Windows\SysWOW64\Pilpfm32.exe (PID 6060), command line C:\Windows\system32\Pilpfm32.exe
116. C:\Windows\SysWOW64\Pfppoa32.exe (PID 6132), command line C:\Windows\system32\Pfppoa32.exe
117. C:\Windows\SysWOW64\Poidhg32.exe (PID 5180), command line C:\Windows\system32\Poidhg32.exe
118. C:\Windows\SysWOW64\Pehjfm32.exe (PID 5300), command line C:\Windows\system32\Pehjfm32.exe
   - Drops file in System32 directory
   - Modifies registry class
119. C:\Windows\SysWOW64\Aioebj32.exe (PID 5404), command line C:\Windows\system32\Aioebj32.exe
120. C:\Windows\SysWOW64\Abgjkpll.exe (PID 5544), command line C:\Windows\system32\Abgjkpll.exe
121. C:\Windows\SysWOW64\Aiabhj32.exe (PID 5664), command line C:\Windows\system32\Aiabhj32.exe
122. C:\Windows\SysWOW64\Acgfec32.exe (PID 5772), command line C:\Windows\system32\Acgfec32.exe
123. C:\Windows\SysWOW64\Bcnleb32.exe (PID 5892), command line C:\Windows\system32\Bcnleb32.exe
   - Modifies registry class
124. C:\Windows\SysWOW64\Bliajd32.exe (PID 5968), command line C:\Windows\system32\Bliajd32.exe
125. C:\Windows\SysWOW64\Bimach32.exe (PID 5224), command line C:\Windows\system32\Bimach32.exe
126. C:\Windows\SysWOW64\Epeohn32.exe (PID 2004), command line C:\Windows\system32\Epeohn32.exe
127. C:\Windows\SysWOW64\Eebgqe32.exe (PID 3304), command line C:\Windows\system32\Eebgqe32.exe
   - Drops file in System32 directory
128. C:\Windows\SysWOW64\Ephlnn32.exe (PID 5656), command line C:\Windows\system32\Ephlnn32.exe
129. C:\Windows\SysWOW64\Egbdjhlp.exe (PID 1956), command line C:\Windows\system32\Egbdjhlp.exe
130. C:\Windows\SysWOW64\Enllgbcl.exe (PID 5540), command line C:\Windows\system32\Enllgbcl.exe
131. C:\Windows\SysWOW64\Egdqph32.exe (PID 6020), command line C:\Windows\system32\Egdqph32.exe
132. C:\Windows\SysWOW64\Fnnimbaj.exe (PID 6040), command line C:\Windows\system32\Fnnimbaj.exe
133. C:\Windows\SysWOW64\Fcmnkh32.exe (PID 2704), command line C:\Windows\system32\Fcmnkh32.exe
134. C:\Windows\SysWOW64\Fjgfgbek.exe (PID 5268), command line C:\Windows\system32\Fjgfgbek.exe
   - Drops file in System32 directory
135. C:\Windows\SysWOW64\Fjjcmbci.exe (PID 2152), command line C:\Windows\system32\Fjjcmbci.exe
136. C:\Windows\SysWOW64\Fpckjlje.exe (PID 2728), command line C:\Windows\system32\Fpckjlje.exe
137. C:\Windows\SysWOW64\Fjlpbb32.exe (PID 5748), command line C:\Windows\system32\Fjlpbb32.exe
138. C:\Windows\SysWOW64\Fdadpk32.exe (PID 5956), command line C:\Windows\system32\Fdadpk32.exe
139. C:\Windows\SysWOW64\Fgpplf32.exe (PID 4480), command line C:\Windows\system32\Fgpplf32.exe
140. C:\Windows\SysWOW64\Gnjhhpgl.exe (PID 6056), command line C:\Windows\system32\Gnjhhpgl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
141. C:\Windows\SysWOW64\Gggfme32.exe (PID 5424), command line C:\Windows\system32\Gggfme32.exe
142. C:\Windows\SysWOW64\Ggicbe32.exe (PID 6100), command line C:\Windows\system32\Ggicbe32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
143. C:\Windows\SysWOW64\Hfcinq32.exe (PID 6136), command line C:\Windows\system32\Hfcinq32.exe
144. C:\Windows\SysWOW64\Hcgjhega.exe (PID 4008), command line C:\Windows\system32\Hcgjhega.exe
145. C:\Windows\SysWOW64\Jmdqbg32.exe (PID 6068), command line C:\Windows\system32\Jmdqbg32.exe
146. C:\Windows\SysWOW64\Jfmekm32.exe (PID 5496), command line C:\Windows\system32\Jfmekm32.exe
147. C:\Windows\SysWOW64\Jglaepim.exe (PID 6012), command line C:\Windows\system32\Jglaepim.exe
148. C:\Windows\SysWOW64\Jmijnfgd.exe (PID 5360), command line C:\Windows\system32\Jmijnfgd.exe
149. C:\Windows\SysWOW64\Kmlgcf32.exe (PID 4840), command line C:\Windows\system32\Kmlgcf32.exe
150. C:\Windows\SysWOW64\Khakqo32.exe (PID 2104), command line C:\Windows\system32\Khakqo32.exe
151. C:\Windows\SysWOW64\Kaioidkh.exe (PID 3076), command line C:\Windows\system32\Kaioidkh.exe
152. C:\Windows\SysWOW64\Kallod32.exe (PID 6036), command line C:\Windows\system32\Kallod32.exe
153. C:\Windows\SysWOW64\Kfidgk32.exe (PID 5172), command line C:\Windows\system32\Kfidgk32.exe
154. C:\Windows\SysWOW64\Khhaanop.exe (PID 3568), command line C:\Windows\system32\Khhaanop.exe
155. C:\Windows\SysWOW64\Lhjnfn32.exe (PID 1756), command line C:\Windows\system32\Lhjnfn32.exe
156. C:\Windows\SysWOW64\Lacbpccn.exe (PID 4952), command line C:\Windows\system32\Lacbpccn.exe
157. C:\Windows\SysWOW64\Logbigbg.exe (PID 2280), command line C:\Windows\system32\Logbigbg.exe
   - Drops file in System32 directory
158. C:\Windows\SysWOW64\Lhogamih.exe (PID 1444), command line C:\Windows\system32\Lhogamih.exe
159. C:\Windows\SysWOW64\Ldfhgn32.exe (PID 2680), command line C:\Windows\system32\Ldfhgn32.exe
160. C:\Windows\SysWOW64\Lmnlpcel.exe (PID 5764), command line C:\Windows\system32\Lmnlpcel.exe
161. C:\Windows\SysWOW64\Moiheebb.exe (PID 5920), command line C:\Windows\system32\Moiheebb.exe
162. C:\Windows\SysWOW64\Najagp32.exe (PID 6160), command line C:\Windows\system32\Najagp32.exe
163. C:\Windows\SysWOW64\Nggjog32.exe (PID 6200), command line C:\Windows\system32\Nggjog32.exe
164. C:\Windows\SysWOW64\Ngifef32.exe (PID 6240), command line C:\Windows\system32\Ngifef32.exe
165. C:\Windows\SysWOW64\Ndmgnkja.exe (PID 6280), command line C:\Windows\system32\Ndmgnkja.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
166. C:\Windows\SysWOW64\Nnfkgp32.exe (PID 6340), command line C:\Windows\system32\Nnfkgp32.exe
167. C:\Windows\SysWOW64\Onhhmpoo.exe (PID 6380), command line C:\Windows\system32\Onhhmpoo.exe
168. C:\Windows\SysWOW64\Oklifdmi.exe (PID 6424), command line C:\Windows\system32\Oklifdmi.exe
169. C:\Windows\SysWOW64\Oddmoj32.exe (PID 6464), command line C:\Windows\system32\Oddmoj32.exe
   - Modifies registry class
170. C:\Windows\SysWOW64\Okneldkf.exe (PID 6504), command line C:\Windows\system32\Okneldkf.exe
171. C:\Windows\SysWOW64\Ononmo32.exe (PID 6552), command line C:\Windows\system32\Ononmo32.exe
172. C:\Windows\SysWOW64\Onakco32.exe (PID 6600), command line C:\Windows\system32\Onakco32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
173. C:\Windows\SysWOW64\Ogjpld32.exe (PID 6656), command line C:\Windows\system32\Ogjpld32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
174. C:\Windows\SysWOW64\Philfgdh.exe (PID 6712), command line C:\Windows\system32\Philfgdh.exe
175. C:\Windows\SysWOW64\Pdpmkhjl.exe (PID 6748), command line C:\Windows\system32\Pdpmkhjl.exe
176. C:\Windows\SysWOW64\Pkjegb32.exe (PID 6800), command line C:\Windows\system32\Pkjegb32.exe
177. C:\Windows\SysWOW64\Pdeffgff.exe (PID 6896), command line C:\Windows\system32\Pdeffgff.exe
178. C:\Windows\SysWOW64\Abgcqjhp.exe (PID 6960), command line C:\Windows\system32\Abgcqjhp.exe
179. C:\Windows\SysWOW64\Anncek32.exe (PID 7028), command line C:\Windows\system32\Anncek32.exe
180. C:\Windows\SysWOW64\Bgfhnpde.exe (PID 7076), command line C:\Windows\system32\Bgfhnpde.exe
181. C:\Windows\SysWOW64\Bghddp32.exe (PID 7148), command line C:\Windows\system32\Bghddp32.exe
182. C:\Windows\SysWOW64\Ceehcc32.exe (PID 4280), command line C:\Windows\system32\Ceehcc32.exe
183. C:\Windows\SysWOW64\Clbmfm32.exe (PID 3848), command line C:\Windows\system32\Clbmfm32.exe
   - Modifies registry class
184. C:\Windows\SysWOW64\Dpglmjoj.exe (PID 6368), command line C:\Windows\system32\Dpglmjoj.exe
   - Drops file in System32 directory
185. C:\Windows\SysWOW64\Dbgdnelk.exe (PID 6436), command line C:\Windows\system32\Dbgdnelk.exe
186. C:\Windows\SysWOW64\Eimlgnij.exe (PID 6512), command line C:\Windows\system32\Eimlgnij.exe
187. C:\Windows\SysWOW64\Epgdch32.exe (PID 6584), command line C:\Windows\system32\Epgdch32.exe
188. C:\Windows\SysWOW64\Fbhnec32.exe (PID 6588), command line C:\Windows\system32\Fbhnec32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
189. C:\Windows\SysWOW64\Fibfbm32.exe (PID 4800), command line C:\Windows\system32\Fibfbm32.exe
   - Modifies registry class
190. C:\Windows\SysWOW64\Fplnogmb.exe (PID 6744), command line C:\Windows\system32\Fplnogmb.exe
191. C:\Windows\SysWOW64\Flboch32.exe (PID 3016), command line C:\Windows\system32\Flboch32.exe
192. C:\Windows\SysWOW64\Fhllni32.exe (PID 6848), command line C:\Windows\system32\Fhllni32.exe
193. C:\Windows\SysWOW64\Gegchl32.exe (PID 6872), command line C:\Windows\system32\Gegchl32.exe
194. C:\Windows\SysWOW64\Glqkefff.exe (PID 4356), command line C:\Windows\system32\Glqkefff.exe
195. C:\Windows\SysWOW64\Ggfobofl.exe (PID 6984), command line C:\Windows\system32\Ggfobofl.exe
196. C:\Windows\SysWOW64\Hcaibo32.exe (PID 6980), command line C:\Windows\system32\Hcaibo32.exe
197. C:\Windows\SysWOW64\Hhobjf32.exe (PID 7036), command line C:\Windows\system32\Hhobjf32.exe
198. C:\Windows\SysWOW64\Hhaope32.exe (PID 7108), command line C:\Windows\system32\Hhaope32.exe
199. C:\Windows\SysWOW64\Iqfcbahb.exe (PID 6192), command line C:\Windows\system32\Iqfcbahb.exe
200. C:\Windows\SysWOW64\Jmmcgbnf.exe (PID 4140), command line C:\Windows\system32\Jmmcgbnf.exe
   - Drops file in System32 directory
201. C:\Windows\SysWOW64\Jqbbno32.exe (PID 6292), command line C:\Windows\system32\Jqbbno32.exe
   - Modifies registry class
202. C:\Windows\SysWOW64\Kfcdaehf.exe (PID 6456), command line C:\Windows\system32\Kfcdaehf.exe
203. C:\Windows\SysWOW64\Kgemahmg.exe (PID 4740), command line C:\Windows\system32\Kgemahmg.exe
204. C:\Windows\SysWOW64\Kggjghkd.exe (PID 6720), command line C:\Windows\system32\Kggjghkd.exe
205. C:\Windows\SysWOW64\Ljoiibbm.exe (PID 1056), command line C:\Windows\system32\Ljoiibbm.exe
206. C:\Windows\SysWOW64\Mpnngh32.exe (PID 972), command line C:\Windows\system32\Mpnngh32.exe
   - Modifies registry class
207. C:\Windows\SysWOW64\Mhhcne32.exe (PID 3280), command line C:\Windows\system32\Mhhcne32.exe
   - Modifies registry class
208. C:\Windows\SysWOW64\Mpchbhjl.exe (PID 6952), command line C:\Windows\system32\Mpchbhjl.exe
209. C:\Windows\SysWOW64\Mfmpob32.exe (PID 6808), command line C:\Windows\system32\Mfmpob32.exe
210. C:\Windows\SysWOW64\Miklkm32.exe (PID 7068), command line C:\Windows\system32\Miklkm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
211. C:\Windows\SysWOW64\Mjkiephp.exe (PID 4228), command line C:\Windows\system32\Mjkiephp.exe
212. C:\Windows\SysWOW64\Njmejp32.exe (PID 7164), command line C:\Windows\system32\Njmejp32.exe
213. C:\Windows\SysWOW64\Ndejcemn.exe (PID 6264), command line C:\Windows\system32\Ndejcemn.exe
214. C:\Windows\SysWOW64\Nkpbpp32.exe (PID 6276), command line C:\Windows\system32\Nkpbpp32.exe
215. C:\Windows\SysWOW64\Nmedmj32.exe (PID 3100), command line C:\Windows\system32\Nmedmj32.exe
216. C:\Windows\SysWOW64\Ogmiepcf.exe (PID 1296), command line C:\Windows\system32\Ogmiepcf.exe
   - Drops file in System32 directory
217. C:\Windows\SysWOW64\Oileakbj.exe (PID 6416), command line C:\Windows\system32\Oileakbj.exe
218. C:\Windows\SysWOW64\Opfnne32.exe (PID 6592), command line C:\Windows\system32\Opfnne32.exe
219. C:\Windows\SysWOW64\Odfcjc32.exe (PID 6728), command line C:\Windows\system32\Odfcjc32.exe
220. C:\Windows\SysWOW64\Pkgaglpp.exe (PID 2572), command line C:\Windows\system32\Pkgaglpp.exe
   - Drops file in System32 directory
221. C:\Windows\SysWOW64\Paaidf32.exe (PID 1208), command line C:\Windows\system32\Paaidf32.exe
222. C:\Windows\SysWOW64\Pkinmlnm.exe (PID 6908), command line C:\Windows\system32\Pkinmlnm.exe
223. C:\Windows\SysWOW64\Pphckb32.exe (PID 6968), command line C:\Windows\system32\Pphckb32.exe
224. C:\Windows\SysWOW64\Pgbkgmao.exe (PID 3088), command line C:\Windows\system32\Pgbkgmao.exe
225. C:\Windows\SysWOW64\Bkamdi32.exe (PID 5032), command line C:\Windows\system32\Bkamdi32.exe
226. C:\Windows\SysWOW64\Bqpbboeg.exe (PID 4116), command line C:\Windows\system32\Bqpbboeg.exe
227. C:\Windows\SysWOW64\Bkefphem.exe (PID 6560), command line C:\Windows\system32\Bkefphem.exe
228. C:\Windows\SysWOW64\Cbiabq32.exe (PID 2684), command line C:\Windows\system32\Cbiabq32.exe
229. C:\Windows\SysWOW64\Ckfofe32.exe (PID 4168), command line C:\Windows\system32\Ckfofe32.exe
230. C:\Windows\SysWOW64\Dbphcpog.exe (PID 6684), command line C:\Windows\system32\Dbphcpog.exe
231. C:\Windows\SysWOW64\Djklgb32.exe (PID 6916), command line C:\Windows\system32\Djklgb32.exe
232. C:\Windows\SysWOW64\Elaobdmm.exe (PID 2040), command line C:\Windows\system32\Elaobdmm.exe
233. C:\Windows\SysWOW64\Eejcki32.exe (PID 5024), command line C:\Windows\system32\Eejcki32.exe
234. C:\Windows\SysWOW64\Eelpqi32.exe (PID 4464), command line C:\Windows\system32\Eelpqi32.exe
235. C:\Windows\SysWOW64\Elfhmc32.exe (PID 7092), command line C:\Windows\system32\Elfhmc32.exe
236. C:\Windows\SysWOW64\Ebpqjmpd.exe (PID 4448), command line C:\Windows\system32\Ebpqjmpd.exe
237. C:\Windows\SysWOW64\Eijigg32.exe (PID 6272), command line C:\Windows\system32\Eijigg32.exe
238. C:\Windows\SysWOW64\Fbjcplhj.exe (PID 4300), command line C:\Windows\system32\Fbjcplhj.exe
239. C:\Windows\SysWOW64\Ficlmf32.exe (PID 3292), command line C:\Windows\system32\Ficlmf32.exe
240. C:\Windows\SysWOW64\Fkehdnee.exe (PID 4360), command line C:\Windows\system32\Fkehdnee.exe
241. C:\Windows\SysWOW64\Fkgejncb.exe (PID 3760), command line C:\Windows\system32\Fkgejncb.exe
242. C:\Windows\SysWOW64\Facjlhil.exe (PID 4364), command line C:\Windows\system32\Facjlhil.exe
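Two things in this report are worth pulling out mechanically rather than by eye: the parent/child chain in the process tree (each process sits one level below the one that spawned it, so the depth number is the chain position) and the WriteProcessMemory events, which for this sample are three writes from every parent into the child it has just created, never into an unrelated process. Two caveats matter when doing that. First, Windows recycles PIDs, and over 242 processes it does so here: 4480 is Anobgl32.exe at depth 5 and Fgpplf32.exe at depth 139, 4840 is Bdickcpo.exe at depth 7 and Kmlgcf32.exe at depth 149, so a PID alone does not identify a process in this run. Second, the command lines say C:\Windows\system32 while the image paths say C:\Windows\SysWOW64; these are 32-bit processes and WOW64 file-system redirection maps the one onto the other, so hunting for the dropped files under system32 on a 64-bit host finds nothing. The Python below is an added example, not part of the sandbox report or of any tool that produced it: it parses a constructed excerpt of both sections in the fused form they appear on the page, rebuilds the chain, lists the image-name IoCs, flags recycled PIDs, and checks that every injection target is the writer's own child. It assumes every dropped stage lives under C:\Windows\SysWOW64 (true of every entry shown), and the excerpt relocates the Fgpplf32.exe / PID 4480 entry to depth 7 so that a short contiguous sample still exhibits PID reuse.

```python
import re
from collections import Counter

# Constructed sample: the report's first six process-tree entries in the fused form the
# page shows (image path + command line + depth + U+2935, signature bullets, "PID:<n> -"),
# then the report's Fgpplf32.exe / PID 4480 entry (depth 139 on the page) placed at
# depth 7 so that a short excerpt also exhibits PID reuse.
TREE_SAMPLE = r'''C:\Users\Admin\AppData\Local\Temp\8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe7⤵PID:4480
-
'''

# Constructed sample: the report's first nine WriteProcessMemory events, run together as shown.
WPM_SAMPLE = (
    "PID 4412 wrote to memory of 2972 4412 8fdae33001299bb6162d8362540d82c0_NeikiAnalytics.exe Ohcegi32.exe " * 3
    + "PID 2972 wrote to memory of 732 2972 Ohcegi32.exe Pejkmk32.exe " * 3
    + "PID 732 wrote to memory of 4216 732 Pejkmk32.exe Amjillkj.exe " * 3
)

# image path up to the first ".exe", command line, depth, U+2935, optional inline "PID:<n>"
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d+)\u2935\s*(?:PID:(?P<pid>\d+))?\s*$")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")
DROP_DIR = "c:\\windows\\syswow64\\"  # assumption: every dropped stage in this report lives here


def parse_process_tree(text):
    """One record per process: depth, image path, command line, PID and signature tags."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "-"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            records.append({"depth": int(m["depth"]), "path": m["path"], "cmd": m["cmd"],
                            "image": m["path"].rsplit("\\", 1)[-1], "sigs": [],
                            "pid": int(m["pid"]) if m["pid"] else None})
        elif line.startswith("- "):
            records[-1]["sigs"].append(line[2:])
        elif line.startswith("PID:"):
            records[-1]["pid"] = int(line[4:].split()[0])
        else:
            raise ValueError(f"unrecognised report line: {line!r}")
    return records


def build_chain(records):
    """(parent_pid, child_pid) pairs: a depth-d entry's parent is the latest depth-(d-1) entry."""
    latest, pairs = {}, []
    for rec in records:
        if rec["depth"] - 1 in latest:
            pairs.append((latest[rec["depth"] - 1]["pid"], rec["pid"]))
        latest[rec["depth"]] = rec
    return pairs


def pid_reuse(records):
    """PIDs seen under more than one image: Windows recycles PIDs, so key on PID plus image."""
    names = {}
    for rec in records:
        if rec["image"] not in names.setdefault(rec["pid"], []):
            names[rec["pid"]].append(rec["image"])
    return {pid: imgs for pid, imgs in names.items() if len(imgs) > 1}


def dropped_images(records):
    """File-name IoCs: every image the chain runs out of the drop directory."""
    return sorted({r["image"] for r in records if r["path"].lower().startswith(DROP_DIR)})


def parse_wpm_events(text):
    """(writer_pid, target_pid, writer_image, target_image) per WriteProcessMemory event."""
    return [(int(a), int(b), src, dst) for a, b, _, src, dst in WPM_RE.findall(text)]


def check_writes(events, chain_pairs):
    """Writes per (writer, target) pair, plus any pair whose target is not the writer's
    own child in the tree (that would be injection into an unrelated process)."""
    per_pair = Counter((s, t) for s, t, _, _ in events)
    expected = set(chain_pairs)
    return per_pair, sorted(p for p in per_pair if p not in expected)


if __name__ == "__main__":
    recs = parse_process_tree(TREE_SAMPLE)
    chain = build_chain(recs)
    print("chain:", chain, "\nPID reuse:", pid_reuse(recs), "\ndropped:", dropped_images(recs))
    print("writes per pair / outside tree:", check_writes(parse_wpm_events(WPM_SAMPLE), chain))
```

Run against the full tree, `pid_reuse` is what tells you that the PID column of the WriteProcessMemory table cannot be joined to the tree on its own once the chain is this long; join on PID plus image name, or on a creation timestamp if your telemetry has one.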