Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 19:31
Static task
static1
Behavioral task
behavioral1
Sample
d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe
-
Size
163KB
-
MD5
d918916cfe13004ad87a53216838c150
-
SHA1
3672561ee91d67cc5c6a613273bc0b47c8027a73
-
SHA256
327e08ae77dbaed99429c7f094e1153e3931e47e06c6be9421688445ddd90acf
-
SHA512
74cb82c51a07014f87cc5b23231e8a97756268ac812a0b4f642ad3ee85f698ec4b667a5f1ede490b41287806e881969abff4be5d353499c790c6aeb8b0a362c9
-
SSDEEP
1536:PuOhBx5leX7SpCbd4+mOYRNyiF7V/4lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:HhBblE7okmZb4ltOrWKDBr+yJb
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Qagcpljo.exeComimg32.exeFfnphf32.exeGlfhll32.exePphjgfqq.exeBaildokg.exeGeolea32.exeHcplhi32.exeHenidd32.exeChemfl32.exeDbehoa32.exeFmlapp32.exeGmgdddmq.exeIeqeidnl.exeDnlidb32.exeEbedndfa.exeFdapak32.exeGobgcg32.exeAfkbib32.exeAbbbnchb.exeDchali32.exeGbkgnfbd.exeHgbebiao.exeAjdadamj.exeFmekoalh.exeHhmepp32.exeCfbhnaho.exeGkihhhnm.exeHcplhi32.exePjmodopf.exeQnigda32.exeDnilobkm.exeDodonf32.exeEiaiqn32.exeGlaoalkh.exeHellne32.exeCpeofk32.exeCllpkl32.exeHhjhkq32.exeIhoafpmp.exeEgdilkbf.exeFmjejphb.exePlahag32.exeAfdlhchf.exeAlenki32.exeAilkjmpo.exeEmcbkn32.exeEmcbkn32.exeFphafl32.exeFfbicfoc.exeGoddhg32.exeHggomh32.exeBopicc32.exeBnefdp32.exeElmigj32.exeFpdhklkl.exeGelppaof.exeHlfdkoin.exeApcfahio.exeChhjkl32.exeHpapln32.exePfiidobe.exeDhjgal32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geolea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chemfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgdddmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebedndfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmodopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiaiqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdlhchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hggomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjgal32.exe -
Executes dropped EXE 64 IoCs
Processes:
Onmkio32.exeOkalbc32.exeOnphoo32.exeOqndkj32.exeOiellh32.exeOghlgdgk.exeOkchhc32.exeOjficpfn.exeObnqem32.exeOelmai32.exeOgjimd32.exeOjieip32.exeOenifh32.exeOgmfbd32.exeOfpfnqjp.exePminkk32.exePphjgfqq.exePfbccp32.exePjmodopf.exePaggai32.exePpjglfon.exePfdpip32.exePiblek32.exePlahag32.exePpmdbe32.exePchpbded.exePfflopdh.exePpoqge32.exePfiidobe.exePhjelg32.exePpamme32.exePbpjiphi.exePijbfj32.exeQjknnbed.exeQbbfopeg.exeQeqbkkej.exeQhooggdn.exeQnigda32.exeQagcpljo.exeAdeplhib.exeAfdlhchf.exeAmndem32.exeAplpai32.exeAffhncfc.exeAiedjneg.exeAmpqjm32.exeAdjigg32.exeAbmibdlh.exeAjdadamj.exeAlenki32.exeAdmemg32.exeAfkbib32.exeAiinen32.exeAlhjai32.exeApcfahio.exeAbbbnchb.exeAfmonbqk.exeAilkjmpo.exeAljgfioc.exeBpfcgg32.exeBbdocc32.exeBagpopmj.exeBingpmnl.exeBkodhe32.exepid process 2712 Onmkio32.exe 2516 Okalbc32.exe 2512 Onphoo32.exe 2428 Oqndkj32.exe 2556 Oiellh32.exe 2464 Oghlgdgk.exe 2144 Okchhc32.exe 2644 Ojficpfn.exe 2764 Obnqem32.exe 1508 Oelmai32.exe 1552 Ogjimd32.exe 2380 Ojieip32.exe 2036 Oenifh32.exe 2888 Ogmfbd32.exe 1988 Ofpfnqjp.exe 2200 Pminkk32.exe 2756 Pphjgfqq.exe 1708 Pfbccp32.exe 2076 Pjmodopf.exe 3004 Paggai32.exe 2376 Ppjglfon.exe 804 Pfdpip32.exe 108 Piblek32.exe 568 Plahag32.exe 2296 Ppmdbe32.exe 1652 Pchpbded.exe 2540 Pfflopdh.exe 2964 Ppoqge32.exe 2392 Pfiidobe.exe 2112 Phjelg32.exe 2724 Ppamme32.exe 2420 Pbpjiphi.exe 852 Pijbfj32.exe 1336 Qjknnbed.exe 2612 Qbbfopeg.exe 1544 Qeqbkkej.exe 676 Qhooggdn.exe 1392 Qnigda32.exe 2776 Qagcpljo.exe 2364 Adeplhib.exe 2088 Afdlhchf.exe 2440 Amndem32.exe 2008 Aplpai32.exe 808 Affhncfc.exe 1836 Aiedjneg.exe 1468 Ampqjm32.exe 2664 Adjigg32.exe 2548 Abmibdlh.exe 2976 Ajdadamj.exe 2744 Alenki32.exe 2568 Admemg32.exe 2060 Afkbib32.exe 2268 Aiinen32.exe 1520 Alhjai32.exe 2896 Apcfahio.exe 2300 Abbbnchb.exe 1644 Afmonbqk.exe 1384 Ailkjmpo.exe 1128 Aljgfioc.exe 1916 Bpfcgg32.exe 2100 Bbdocc32.exe 2480 Bagpopmj.exe 1292 Bingpmnl.exe 768 Bkodhe32.exe -
Loads dropped DLL 64 IoCs
Processes:
d918916cfe13004ad87a53216838c150_NeikiAnalytics.exeOnmkio32.exeOkalbc32.exeOnphoo32.exeOqndkj32.exeOiellh32.exeOghlgdgk.exeOkchhc32.exeOjficpfn.exeObnqem32.exeOelmai32.exeOgjimd32.exeOjieip32.exeOenifh32.exeOgmfbd32.exeOfpfnqjp.exePminkk32.exePphjgfqq.exePfbccp32.exePjmodopf.exePaggai32.exePpjglfon.exePfdpip32.exePiblek32.exePlahag32.exePpmdbe32.exePchpbded.exePfflopdh.exePpoqge32.exePfiidobe.exePhjelg32.exePpamme32.exepid process 2476 d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe 2476 d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe 2712 Onmkio32.exe 2712 Onmkio32.exe 2516 Okalbc32.exe 2516 Okalbc32.exe 2512 Onphoo32.exe 2512 Onphoo32.exe 2428 Oqndkj32.exe 2428 Oqndkj32.exe 2556 Oiellh32.exe 2556 Oiellh32.exe 2464 Oghlgdgk.exe 2464 Oghlgdgk.exe 2144 Okchhc32.exe 2144 Okchhc32.exe 2644 Ojficpfn.exe 2644 Ojficpfn.exe 2764 Obnqem32.exe 2764 Obnqem32.exe 1508 Oelmai32.exe 1508 Oelmai32.exe 1552 Ogjimd32.exe 1552 Ogjimd32.exe 2380 Ojieip32.exe 2380 Ojieip32.exe 2036 Oenifh32.exe 2036 Oenifh32.exe 2888 Ogmfbd32.exe 2888 Ogmfbd32.exe 1988 Ofpfnqjp.exe 1988 Ofpfnqjp.exe 2200 Pminkk32.exe 2200 Pminkk32.exe 2756 Pphjgfqq.exe 2756 Pphjgfqq.exe 1708 Pfbccp32.exe 1708 Pfbccp32.exe 2076 Pjmodopf.exe 2076 Pjmodopf.exe 3004 Paggai32.exe 3004 Paggai32.exe 2376 Ppjglfon.exe 2376 Ppjglfon.exe 804 Pfdpip32.exe 804 Pfdpip32.exe 108 Piblek32.exe 108 Piblek32.exe 568 Plahag32.exe 568 Plahag32.exe 2296 Ppmdbe32.exe 2296 Ppmdbe32.exe 1652 Pchpbded.exe 1652 Pchpbded.exe 2540 Pfflopdh.exe 2540 Pfflopdh.exe 2964 Ppoqge32.exe 2964 Ppoqge32.exe 2392 Pfiidobe.exe 2392 Pfiidobe.exe 2112 Phjelg32.exe 2112 Phjelg32.exe 2724 Ppamme32.exe 2724 Ppamme32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hlcgeo32.exeQnigda32.exeCfbhnaho.exeDcknbh32.exeEkklaj32.exeGhkllmoi.exeHpmgqnfl.exeGoddhg32.exePlahag32.exeAmpqjm32.exeEnihne32.exeEeempocb.exeFaokjpfd.exeFdapak32.exeOkalbc32.exePminkk32.exeGpmjak32.exeGbkgnfbd.exeAfdlhchf.exeDcfdgiid.exeFpdhklkl.exeGkihhhnm.exeHejoiedd.exeQbbfopeg.exeBdhhqk32.exeBegeknan.exeDdeaalpg.exeHgdbhi32.exeFmjejphb.exeHjjddchg.exeOkchhc32.exeDbbkja32.exeDfijnd32.exeEajaoq32.exeEalnephf.exeEeqdep32.exeFnpnndgp.exeFcmgfkeg.exeGhmiam32.exeIaeiieeb.exeBhcdaibd.exeFmekoalh.exeGonnhhln.exeGlfhll32.exeAlenki32.exeBagpopmj.exeDdcdkl32.exeHpapln32.exeHogmmjfo.exeHjhhocjj.exeGieojq32.exed918916cfe13004ad87a53216838c150_NeikiAnalytics.exeBjijdadm.exeDnilobkm.exeEbgacddo.exeFjdbnf32.exeFphafl32.exeHcifgjgc.exeBpafkknm.exeBaqbenep.exedescription ioc process File created C:\Windows\SysWOW64\Hciofb32.dll Hlcgeo32.exe File opened for modification C:\Windows\SysWOW64\Qagcpljo.exe Qnigda32.exe File opened for modification C:\Windows\SysWOW64\Cjndop32.exe Cfbhnaho.exe File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe Dcknbh32.exe File opened for modification C:\Windows\SysWOW64\Epfhbign.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Ooghhh32.dll Ghkllmoi.exe File created C:\Windows\SysWOW64\Hdhbam32.exe Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe Goddhg32.exe File created C:\Windows\SysWOW64\Ppmdbe32.exe Plahag32.exe File created C:\Windows\SysWOW64\Jngohf32.dll Ampqjm32.exe File created C:\Windows\SysWOW64\Hkabadei.dll Enihne32.exe File created C:\Windows\SysWOW64\Eiaiqn32.exe Eeempocb.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Faokjpfd.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Fdapak32.exe File created C:\Windows\SysWOW64\Lphhoacd.dll Okalbc32.exe File created C:\Windows\SysWOW64\Pphjgfqq.exe Pminkk32.exe File created C:\Windows\SysWOW64\Jgdmei32.dll Gpmjak32.exe File created C:\Windows\SysWOW64\Gangic32.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Amndem32.exe Afdlhchf.exe File created C:\Windows\SysWOW64\Hgmhlp32.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Fdoclk32.exe Fpdhklkl.exe File created C:\Windows\SysWOW64\Goddhg32.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Gknfklng.dll Hejoiedd.exe File created C:\Windows\SysWOW64\Pofgpn32.dll Qbbfopeg.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Bdhhqk32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Begeknan.exe File created C:\Windows\SysWOW64\Dchali32.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Bibckiab.dll Eeempocb.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hgdbhi32.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Fmjejphb.exe File created C:\Windows\SysWOW64\Bdhaablp.dll Hjjddchg.exe File created C:\Windows\SysWOW64\Onphoo32.exe Okalbc32.exe File created C:\Windows\SysWOW64\Ojficpfn.exe Okchhc32.exe File created C:\Windows\SysWOW64\Fglhobmg.dll Dbbkja32.exe File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Lonkjenl.dll Eajaoq32.exe File created C:\Windows\SysWOW64\Dlgohm32.dll Ealnephf.exe File created C:\Windows\SysWOW64\Dnoillim.dll Eeqdep32.exe File created C:\Windows\SysWOW64\Fmcoja32.exe Fnpnndgp.exe File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe Fcmgfkeg.exe File created C:\Windows\SysWOW64\Njgcpp32.dll Ghmiam32.exe File created C:\Windows\SysWOW64\Nfmjcmjd.dll Iaeiieeb.exe File created C:\Windows\SysWOW64\Bkaqmeah.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Faagpp32.exe Fmekoalh.exe File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Ahcocb32.dll Glfhll32.exe File created C:\Windows\SysWOW64\Jolfcj32.dll Alenki32.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bagpopmj.exe File created C:\Windows\SysWOW64\Fkahhbbj.dll Ddcdkl32.exe File created C:\Windows\SysWOW64\Hodpgjha.exe Hpapln32.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hogmmjfo.exe File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Hjhhocjj.exe Hjhhocjj.exe File created C:\Windows\SysWOW64\Ahpjhc32.dll Gieojq32.exe File opened for modification C:\Windows\SysWOW64\Onmkio32.exe d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Bnefdp32.exe Bjijdadm.exe File opened for modification C:\Windows\SysWOW64\Dbehoa32.exe Dnilobkm.exe File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe Ebgacddo.exe File created C:\Windows\SysWOW64\Jmloladn.dll Fjdbnf32.exe File opened for modification C:\Windows\SysWOW64\Fddmgjpo.exe Fphafl32.exe File created C:\Windows\SysWOW64\Lnnhje32.dll Gonnhhln.exe File created C:\Windows\SysWOW64\Hgdbhi32.exe Hcifgjgc.exe File created C:\Windows\SysWOW64\Aoipdkgg.dll Bpafkknm.exe File created C:\Windows\SysWOW64\Qinopgfb.dll Baqbenep.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4832 4808 WerFault.exe Iagfoe32.exe -
Modifies registry class 64 IoCs
Processes:
Banepo32.exeChhjkl32.exeEnkece32.exeGelppaof.exeAplpai32.exeAljgfioc.exeBpcbqk32.exeCllpkl32.exeEecqjpee.exeFehjeo32.exeGlaoalkh.exeQeqbkkej.exeFbdqmghm.exeGhkllmoi.exeOkalbc32.exeFjdbnf32.exeHggomh32.exeHenidd32.exeDgdmmgpj.exeFilldb32.exeHgdbhi32.exeOghlgdgk.exeFjilieka.exeHogmmjfo.exeBpafkknm.exeDgodbh32.exeDoobajme.exeEnnaieib.exeHodpgjha.exeOenifh32.exeBingpmnl.exeEjgcdb32.exeEpfhbign.exeFfnphf32.exeGonnhhln.exeHjjddchg.exeAdeplhib.exeCfbhnaho.exeEmcbkn32.exeFbgmbg32.exeHiqbndpb.exeHgilchkf.exePijbfj32.exeFhhcgj32.exeHhjhkq32.exeBokphdld.exeDfgmhd32.exeFlabbihl.exeHckcmjep.exeHhmepp32.exeBdjefj32.exeClcflkic.exeDngoibmo.exeFmhheqje.exeGoddhg32.exeGphmeo32.exeBnefdp32.exeBjijdadm.exeFcmgfkeg.exeHnagjbdf.exeIcbimi32.exeIhoafpmp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" Chhjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enkece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gelppaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeohn32.dll" Bpcbqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpmlfkm.dll" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphhoacd.dll" Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjdbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjdbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgcddkm.dll" Oghlgdgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahaloofd.dll" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll" Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Gonnhhln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglbacld.dll" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pijbfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhhcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" Hckcmjep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll" Bdjefj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" Bjijdadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcmgfkeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnagjbdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihoafpmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d918916cfe13004ad87a53216838c150_NeikiAnalytics.exeOnmkio32.exeOkalbc32.exeOnphoo32.exeOqndkj32.exeOiellh32.exeOghlgdgk.exeOkchhc32.exeOjficpfn.exeObnqem32.exeOelmai32.exeOgjimd32.exeOjieip32.exeOenifh32.exeOgmfbd32.exeOfpfnqjp.exedescription pid process target process PID 2476 wrote to memory of 2712 2476 d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe Onmkio32.exe PID 2476 wrote to memory of 2712 2476 d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe Onmkio32.exe PID 2476 wrote to memory of 2712 2476 d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe Onmkio32.exe PID 2476 wrote to memory of 2712 2476 d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe Onmkio32.exe PID 2712 wrote to memory of 2516 2712 Onmkio32.exe Okalbc32.exe PID 2712 wrote to memory of 2516 2712 Onmkio32.exe Okalbc32.exe PID 2712 wrote to memory of 2516 2712 Onmkio32.exe Okalbc32.exe PID 2712 wrote to memory of 2516 2712 Onmkio32.exe Okalbc32.exe PID 2516 wrote to memory of 2512 2516 Okalbc32.exe Onphoo32.exe PID 2516 wrote to memory of 2512 2516 Okalbc32.exe Onphoo32.exe PID 2516 wrote to memory of 2512 2516 Okalbc32.exe Onphoo32.exe PID 2516 wrote to memory of 2512 2516 Okalbc32.exe Onphoo32.exe PID 2512 wrote to memory of 2428 2512 Onphoo32.exe Oqndkj32.exe PID 2512 wrote to memory of 2428 2512 Onphoo32.exe Oqndkj32.exe PID 2512 wrote to memory of 2428 2512 Onphoo32.exe Oqndkj32.exe PID 2512 wrote to memory of 2428 2512 Onphoo32.exe Oqndkj32.exe PID 2428 wrote to memory of 2556 2428 Oqndkj32.exe Oiellh32.exe PID 2428 wrote to memory of 2556 2428 Oqndkj32.exe Oiellh32.exe PID 2428 wrote to memory of 2556 2428 Oqndkj32.exe Oiellh32.exe PID 2428 wrote to memory of 2556 2428 Oqndkj32.exe Oiellh32.exe PID 2556 wrote to memory of 2464 2556 Oiellh32.exe Oghlgdgk.exe PID 2556 wrote to memory of 2464 2556 Oiellh32.exe Oghlgdgk.exe PID 2556 wrote to memory of 2464 2556 Oiellh32.exe Oghlgdgk.exe PID 2556 wrote to memory of 2464 2556 Oiellh32.exe Oghlgdgk.exe PID 2464 wrote to memory of 2144 2464 Oghlgdgk.exe Okchhc32.exe PID 2464 wrote to memory of 2144 2464 Oghlgdgk.exe Okchhc32.exe PID 2464 wrote to memory of 2144 2464 Oghlgdgk.exe Okchhc32.exe PID 2464 wrote to memory of 2144 2464 Oghlgdgk.exe Okchhc32.exe PID 2144 wrote to memory of 2644 2144 Okchhc32.exe Ojficpfn.exe PID 2144 wrote to memory of 2644 2144 Okchhc32.exe Ojficpfn.exe PID 2144 wrote to memory of 2644 2144 Okchhc32.exe Ojficpfn.exe PID 2144 wrote to memory of 2644 2144 Okchhc32.exe Ojficpfn.exe PID 2644 wrote to memory of 2764 2644 Ojficpfn.exe Obnqem32.exe PID 2644 wrote to memory of 2764 2644 Ojficpfn.exe Obnqem32.exe PID 2644 wrote to memory of 2764 2644 Ojficpfn.exe Obnqem32.exe PID 2644 wrote to memory of 2764 2644 Ojficpfn.exe Obnqem32.exe PID 2764 wrote to memory of 1508 2764 Obnqem32.exe Oelmai32.exe PID 2764 wrote to memory of 1508 2764 Obnqem32.exe Oelmai32.exe PID 2764 wrote to memory of 1508 2764 Obnqem32.exe Oelmai32.exe PID 2764 wrote to memory of 1508 2764 Obnqem32.exe Oelmai32.exe PID 1508 wrote to memory of 1552 1508 Oelmai32.exe Ogjimd32.exe PID 1508 wrote to memory of 1552 1508 Oelmai32.exe Ogjimd32.exe PID 1508 wrote to memory of 1552 1508 Oelmai32.exe Ogjimd32.exe PID 1508 wrote to memory of 1552 1508 Oelmai32.exe Ogjimd32.exe PID 1552 wrote to memory of 2380 1552 Ogjimd32.exe Ojieip32.exe PID 1552 wrote to memory of 2380 1552 Ogjimd32.exe Ojieip32.exe PID 1552 wrote to memory of 2380 1552 Ogjimd32.exe Ojieip32.exe PID 1552 wrote to memory of 2380 1552 Ogjimd32.exe Ojieip32.exe PID 2380 wrote to memory of 2036 2380 Ojieip32.exe Oenifh32.exe PID 2380 wrote to memory of 2036 2380 Ojieip32.exe Oenifh32.exe PID 2380 wrote to memory of 2036 2380 Ojieip32.exe Oenifh32.exe PID 2380 wrote to memory of 2036 2380 Ojieip32.exe Oenifh32.exe PID 2036 wrote to memory of 2888 2036 Oenifh32.exe Ogmfbd32.exe PID 2036 wrote to memory of 2888 2036 Oenifh32.exe Ogmfbd32.exe PID 2036 wrote to memory of 2888 2036 Oenifh32.exe Ogmfbd32.exe PID 2036 wrote to memory of 2888 2036 Oenifh32.exe Ogmfbd32.exe PID 2888 wrote to memory of 1988 2888 Ogmfbd32.exe Ofpfnqjp.exe PID 2888 wrote to memory of 1988 2888 Ogmfbd32.exe Ofpfnqjp.exe PID 2888 wrote to memory of 1988 2888 Ogmfbd32.exe Ofpfnqjp.exe PID 2888 wrote to memory of 1988 2888 Ogmfbd32.exe Ofpfnqjp.exe PID 1988 wrote to memory of 2200 1988 Ofpfnqjp.exe Pminkk32.exe PID 1988 wrote to memory of 2200 1988 Ofpfnqjp.exe Pminkk32.exe PID 1988 wrote to memory of 2200 1988 Ofpfnqjp.exe Pminkk32.exe PID 1988 wrote to memory of 2200 1988 Ofpfnqjp.exe Pminkk32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d918916cfe13004ad87a53216838c150_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe33⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe35⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe38⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe43⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe45⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe46⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe48⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe49⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe52⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe54⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe55⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe58⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe61⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe62⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe65⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe66⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe68⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe69⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe70⤵PID:2120
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe71⤵PID:1728
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe72⤵PID:1304
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe73⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe74⤵
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe75⤵PID:560
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe77⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe79⤵PID:1540
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe80⤵PID:528
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe83⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe84⤵
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe85⤵PID:2336
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe86⤵PID:2304
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe87⤵PID:2652
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe88⤵PID:628
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe90⤵PID:2892
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe91⤵PID:2164
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe93⤵PID:2316
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe94⤵PID:2176
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe96⤵PID:2396
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe97⤵PID:280
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe98⤵PID:2596
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe99⤵PID:2816
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe100⤵PID:2244
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1420 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe102⤵PID:2972
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe103⤵PID:1984
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe104⤵PID:2768
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe106⤵PID:700
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe107⤵PID:1352
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe108⤵PID:2564
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe109⤵PID:2280
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe110⤵PID:2024
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe112⤵
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe113⤵PID:1844
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe114⤵PID:2084
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe115⤵PID:2984
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe116⤵PID:1660
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe117⤵PID:2716
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe118⤵PID:764
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe120⤵PID:2416
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe121⤵PID:2500
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe122⤵PID:992
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:856 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe124⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe125⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe126⤵PID:652
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe127⤵PID:2996
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe128⤵PID:2132
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe129⤵
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe130⤵PID:2484
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe131⤵PID:2948
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe132⤵PID:2460
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe135⤵PID:1784
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe136⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe137⤵
- Drops file in System32 directory
PID:356 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe138⤵PID:2020
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe139⤵PID:1996
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe141⤵PID:2012
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe142⤵PID:1524
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe143⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe144⤵PID:2588
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe146⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe147⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe148⤵PID:1504
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe149⤵PID:2208
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe150⤵PID:1440
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe151⤵
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe152⤵PID:1636
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe153⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe154⤵PID:2452
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe155⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe158⤵PID:1840
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe159⤵PID:1608
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe160⤵PID:920
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe161⤵PID:2900
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe162⤵PID:1992
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe163⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe164⤵PID:2520
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe165⤵PID:2356
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe166⤵PID:2720
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe167⤵PID:1592
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe168⤵PID:344
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe169⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe170⤵PID:2432
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe171⤵PID:3104
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe172⤵
- Drops file in System32 directory
PID:3144 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe173⤵
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe174⤵
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3264 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe176⤵PID:3304
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe177⤵
- Modifies registry class
PID:3344 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe178⤵PID:3384
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3424 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe180⤵PID:3464
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe181⤵
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe182⤵
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe183⤵
- Drops file in System32 directory
PID:3584 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe184⤵
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3664 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3704 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe187⤵PID:3744
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe188⤵PID:3772
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe189⤵
- Modifies registry class
PID:3796 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe190⤵
- Drops file in System32 directory
PID:3836 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe191⤵PID:3876
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe192⤵
- Modifies registry class
PID:3904 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe193⤵PID:3928
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe194⤵
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe195⤵
- Drops file in System32 directory
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe196⤵
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe197⤵PID:4088
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe198⤵
- Drops file in System32 directory
PID:3088 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe199⤵PID:3136
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe200⤵
- Drops file in System32 directory
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe201⤵
- Modifies registry class
PID:3240 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe202⤵PID:3296
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe203⤵PID:3352
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe204⤵PID:3396
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe205⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe206⤵PID:3492
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe208⤵PID:3012
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe209⤵PID:3636
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe211⤵
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe212⤵
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe213⤵
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe214⤵PID:3888
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3936 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe216⤵
- Modifies registry class
PID:3980 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe217⤵PID:4032
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe220⤵PID:2260
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe221⤵
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe222⤵PID:3272
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3856 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe224⤵PID:3380
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe225⤵PID:3448
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3760 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe227⤵PID:3576
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe228⤵PID:3648
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe229⤵
- Drops file in System32 directory
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe230⤵PID:1168
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe231⤵PID:3808
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe232⤵PID:3860
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe233⤵PID:3564
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe234⤵PID:3368
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe235⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4028 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe237⤵
- Drops file in System32 directory
PID:3312 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe238⤵PID:3080
-
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe240⤵PID:2456
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe241⤵PID:2928
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe242⤵PID:3340