Analysis

max time kernel: 133s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 20:53
Static task: static1

Behavioral task: behavioral1
Sample: f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General

Target: f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe
Size: 163KB
MD5: f794120bcff9c121096b1e81fca42a50
SHA1: bd49a78f0cad78525c73a2348999da3958c4136f
SHA256: f73ac409e693ee377648fd7e5cf46021060849fd0825a5b4a22a65811d27b891
SHA512: fb2d6d8e3e6bfac573f894dfd0e4e6c353327a8378a5d0a6fed6319f65a279e5e02d7559471148c1fb01ba832ae1c4340c40a61da57dd99f30bb5f423c959bf4
SSDEEP: 3072:0jYJ74esv6I3qRbUcNDE9ltOrWKDBr+yJb:pJ7qvCdm9LOf
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes: Opplolac.exe, Paiaplin.exe, Bfjkphjd.exe, Hmpbja32.exe, Ombddbah.exe, Qpcjeaad.exe, Ifpelq32.exe, Jecnnk32.exe, Gmgpbf32.exe, Jghcbjll.exe, Fonbff32.exe, Kgocid32.exe, Kllnhg32.exe, Efeoedjo.exe, Hbghdj32.exe, Ioiidfon.exe, Dhgccbhp.exe, Gmipko32.exe, Padccpal.exe, Aeidgbaf.exe, Hkpnjd32.exe, Lcadghnk.exe, Kfggkc32.exe, Enmnahnm.exe, Nknkeg32.exe, Jjqiok32.exe, Egeecf32.exe, Fqnfkoen.exe, Acbnggjo.exe, Jgkphj32.exe, Anpahn32.exe, Flhhed32.exe, Eodicd32.exe, Kcimhpma.exe, Phpjnnki.exe, Ioooiack.exe, Ahgofi32.exe, Objjnkie.exe, Bdaabk32.exe, Knpkhhhg.exe, Palepb32.exe, Qhmcmk32.exe, Kgcnahoo.exe, Phocfd32.exe, Gjephakn.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opplolac.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paiaplin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfjkphjd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmpbja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ombddbah.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpcjeaad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifpelq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jecnnk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmgpbf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jghcbjll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fonbff32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgocid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kllnhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efeoedjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbghdj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioiidfon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhgccbhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmipko32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Padccpal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeidgbaf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkpnjd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcadghnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfggkc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enmnahnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nknkeg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjqiok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egeecf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fqnfkoen.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acbnggjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgkphj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anpahn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flhhed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eodicd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcimhpma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phpjnnki.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ioooiack.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahgofi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Objjnkie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdaabk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knpkhhhg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Palepb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qhmcmk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgcnahoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phocfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjephakn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Executes dropped EXE 64 IoCs
Processes: Kmobhmnn.exe, Lopkjhko.exe, Lmdkcl32.exe, Lahmbo32.exe, Mjcoqdoc.exe, Mmdgbp32.exe, Mikhgqbi.exe, Mbcmpfhi.exe, Noemqe32.exe, Oiakgcnl.exe, Odgodl32.exe, Opplolac.exe, Oihqgbhd.exe, Phpjnnki.exe, Pdgkco32.exe, Pkcpei32.exe, Qgjqjjll.exe, Qglmpi32.exe, Abhkfg32.exe, Anolkh32.exe, Aeidgbaf.exe, Aekqmbod.exe, Aboaff32.exe, Bnfblgca.exe, Bmkomchi.exe, Bgqcjlhp.exe, Bpnddn32.exe, Dinklffl.exe, Ekhkjm32.exe, Fffefjmi.exe, Fjdnlhco.exe, Fcmben32.exe, Fkhgip32.exe, Fgohna32.exe, Fdbhge32.exe, Gcheib32.exe, Gegabegc.exe, Gmbfggdo.exe, Giiglhjb.exe, Gmgpbf32.exe, Hfpdkl32.exe, Hinqgg32.exe, Hhcmhdke.exe, Hegnahjo.exe, Hanogipc.exe, Hlccdboi.exe, Hfmddp32.exe, Idadnd32.exe, Imiigiab.exe, Ifampo32.exe, Ilofhffj.exe, Ibhndp32.exe, Ioooiack.exe, Ifffkncm.exe, Ioakoq32.exe, Iapgkl32.exe, Jkhldafl.exe, Jbpdeogo.exe, Jkkija32.exe, Jaeafklf.exe, Jkmeoa32.exe, Jnkakl32.exe, Jjbbpmgo.exe, Jplkmgol.exe

pid | process
3056 | Kmobhmnn.exe
2696 | Lopkjhko.exe
2848 | Lmdkcl32.exe
1984 | Lahmbo32.exe
2440 | Mjcoqdoc.exe
2944 | Mmdgbp32.exe
652 | Mikhgqbi.exe
2612 | Mbcmpfhi.exe
2460 | Noemqe32.exe
1336 | Oiakgcnl.exe
2328 | Odgodl32.exe
2656 | Opplolac.exe
696 | Oihqgbhd.exe
2320 | Phpjnnki.exe
2868 | Pdgkco32.exe
1644 | Pkcpei32.exe
2060 | Qgjqjjll.exe
952 | Qglmpi32.exe
1528 | Abhkfg32.exe
1584 | Anolkh32.exe
1276 | Aeidgbaf.exe
920 | Aekqmbod.exe
1444 | Aboaff32.exe
560 | Bnfblgca.exe
1152 | Bmkomchi.exe
1952 | Bgqcjlhp.exe
2528 | Bpnddn32.exe
2864 | Dinklffl.exe
2716 | Ekhkjm32.exe
2520 | Fffefjmi.exe
2556 | Fjdnlhco.exe
2540 | Fcmben32.exe
2396 | Fkhgip32.exe
1772 | Fgohna32.exe
1640 | Fdbhge32.exe
2488 | Gcheib32.exe
2112 | Gegabegc.exe
1832 | Gmbfggdo.exe
2480 | Giiglhjb.exe
2028 | Gmgpbf32.exe
1840 | Hfpdkl32.exe
2260 | Hinqgg32.exe
1932 | Hhcmhdke.exe
2284 | Hegnahjo.exe
1576 | Hanogipc.exe
3064 | Hlccdboi.exe
1316 | Hfmddp32.exe
1376 | Idadnd32.exe
2900 | Imiigiab.exe
608 | Ifampo32.exe
1280 | Ilofhffj.exe
892 | Ibhndp32.exe
900 | Ioooiack.exe
3028 | Ifffkncm.exe
2116 | Ioakoq32.exe
3060 | Iapgkl32.exe
2780 | Jkhldafl.exe
2728 | Jbpdeogo.exe
2604 | Jkkija32.exe
580 | Jaeafklf.exe
1872 | Jkmeoa32.exe
2928 | Jnkakl32.exe
2648 | Jjbbpmgo.exe
2660 | Jplkmgol.exe
Loads dropped DLL 64 IoCs
Processes: f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe, Kmobhmnn.exe, Lopkjhko.exe, Lmdkcl32.exe, Lahmbo32.exe, Mjcoqdoc.exe, Mmdgbp32.exe, Mikhgqbi.exe, Mbcmpfhi.exe, Noemqe32.exe, Oiakgcnl.exe, Odgodl32.exe, Opplolac.exe, Oihqgbhd.exe, Phpjnnki.exe, Pdgkco32.exe, Pkcpei32.exe, Qgjqjjll.exe, Qglmpi32.exe, Abhkfg32.exe, Anolkh32.exe, Aeidgbaf.exe, Aekqmbod.exe, Aboaff32.exe, Bnfblgca.exe, Bmkomchi.exe, Bgqcjlhp.exe, Bpnddn32.exe, Dinklffl.exe, Ekhkjm32.exe, Fffefjmi.exe, Fjdnlhco.exe

pid | process
3000 | f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe
3000 | f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe
3056 | Kmobhmnn.exe
3056 | Kmobhmnn.exe
2696 | Lopkjhko.exe
2696 | Lopkjhko.exe
2848 | Lmdkcl32.exe
2848 | Lmdkcl32.exe
1984 | Lahmbo32.exe
1984 | Lahmbo32.exe
2440 | Mjcoqdoc.exe
2440 | Mjcoqdoc.exe
2944 | Mmdgbp32.exe
2944 | Mmdgbp32.exe
652 | Mikhgqbi.exe
652 | Mikhgqbi.exe
2612 | Mbcmpfhi.exe
2612 | Mbcmpfhi.exe
2460 | Noemqe32.exe
2460 | Noemqe32.exe
1336 | Oiakgcnl.exe
1336 | Oiakgcnl.exe
2328 | Odgodl32.exe
2328 | Odgodl32.exe
2656 | Opplolac.exe
2656 | Opplolac.exe
696 | Oihqgbhd.exe
696 | Oihqgbhd.exe
2320 | Phpjnnki.exe
2320 | Phpjnnki.exe
2868 | Pdgkco32.exe
2868 | Pdgkco32.exe
1644 | Pkcpei32.exe
1644 | Pkcpei32.exe
2060 | Qgjqjjll.exe
2060 | Qgjqjjll.exe
952 | Qglmpi32.exe
952 | Qglmpi32.exe
1528 | Abhkfg32.exe
1528 | Abhkfg32.exe
1584 | Anolkh32.exe
1584 | Anolkh32.exe
1276 | Aeidgbaf.exe
1276 | Aeidgbaf.exe
920 | Aekqmbod.exe
920 | Aekqmbod.exe
1444 | Aboaff32.exe
1444 | Aboaff32.exe
560 | Bnfblgca.exe
560 | Bnfblgca.exe
1152 | Bmkomchi.exe
1152 | Bmkomchi.exe
1952 | Bgqcjlhp.exe
1952 | Bgqcjlhp.exe
2528 | Bpnddn32.exe
2528 | Bpnddn32.exe
2864 | Dinklffl.exe
2864 | Dinklffl.exe
2716 | Ekhkjm32.exe
2716 | Ekhkjm32.exe
2520 | Fffefjmi.exe
2520 | Fffefjmi.exe
2556 | Fjdnlhco.exe
2556 | Fjdnlhco.exe
Drops file in System32 directory 64 IoCs
Processes: Qcachc32.exe, Lbicoamh.exe, Qemldifo.exe, Kbppdfmk.exe, Kfjibdbf.exe, Jhoklnkg.exe, Lbmpnjai.exe, Ekdglcmh.exe, Anbmbi32.exe, Fjomhonj.exe, Ihjcko32.exe, Bgkbfcck.exe, Mclgklel.exe, Cenmfbml.exe, Gjephakn.exe, Eaebeoan.exe, Dgqion32.exe, Hdqhambg.exe, Hhlaiccm.exe, Miiofn32.exe, Jfbinf32.exe, Khcbpa32.exe, Jhjbqo32.exe, Lljkif32.exe, Bmlbaqfh.exe, Phocfd32.exe, Ehmpeb32.exe, Lgpfpe32.exe, Dboglhna.exe, Lqjfpbmm.exe, Pejmfqan.exe, Gdcjpncm.exe, Hmdldmja.exe, Ciihklpj.exe, Bnfblgca.exe, Pnnfkb32.exe, Ljnnko32.exe, Foahmh32.exe, Dlbaljhn.exe, Fgohna32.exe

description | ioc | process
File created | C:\Windows\SysWOW64\Cpqmndme.dll | Qcachc32.exe
File created | C:\Windows\SysWOW64\Kfmfchfo.exe |
File opened for modification | C:\Windows\SysWOW64\Micklk32.exe | Lbicoamh.exe
File created | C:\Windows\SysWOW64\Ghgfmi32.dll | Qemldifo.exe
File created | C:\Windows\SysWOW64\Kkhdml32.exe | Kbppdfmk.exe
File opened for modification | C:\Windows\SysWOW64\Kobmkj32.exe | Kfjibdbf.exe
File opened for modification | C:\Windows\SysWOW64\Jagpdd32.exe | Jhoklnkg.exe
File created | C:\Windows\SysWOW64\Hjidml32.dll | Lbmpnjai.exe
File created | C:\Windows\SysWOW64\Ehhgfgla.exe | Ekdglcmh.exe
File created | C:\Windows\SysWOW64\Polakmbi.exe |
File created | C:\Windows\SysWOW64\Eheblj32.exe |
File created | C:\Windows\SysWOW64\Agkako32.exe | Anbmbi32.exe
File opened for modification | C:\Windows\SysWOW64\Fokfqflb.exe | Fjomhonj.exe
File created | C:\Windows\SysWOW64\Ifloeo32.exe |
File opened for modification | C:\Windows\SysWOW64\Iockhigl.exe | Ihjcko32.exe
File opened for modification | C:\Windows\SysWOW64\Bpfgke32.exe | Bgkbfcck.exe
File opened for modification | C:\Windows\SysWOW64\Nljcflbd.exe |
File opened for modification | C:\Windows\SysWOW64\Ekblplgo.exe |
File created | C:\Windows\SysWOW64\Pnpbecig.dll |
File opened for modification | C:\Windows\SysWOW64\Mcodqkbi.exe | Mclgklel.exe
File opened for modification | C:\Windows\SysWOW64\Cofaog32.exe | Cenmfbml.exe
File opened for modification | C:\Windows\SysWOW64\Hmdldmja.exe | Gjephakn.exe
File created | C:\Windows\SysWOW64\Oolelj32.exe |
File created | C:\Windows\SysWOW64\Bohoogbk.exe |
File created | C:\Windows\SysWOW64\Lgdqap32.dll | Eaebeoan.exe
File opened for modification | C:\Windows\SysWOW64\Dnjalhpp.exe | Dgqion32.exe
File created | C:\Windows\SysWOW64\Olbfgj32.dll | Hdqhambg.exe
File opened for modification | C:\Windows\SysWOW64\Peapmhnk.exe |
File opened for modification | C:\Windows\SysWOW64\Jpfcohfk.exe |
File created | C:\Windows\SysWOW64\Hadfah32.exe | Hhlaiccm.exe
File opened for modification | C:\Windows\SysWOW64\Mdoccg32.exe | Miiofn32.exe
File created | C:\Windows\SysWOW64\Mnpfkfcn.dll | Jfbinf32.exe
File created | C:\Windows\SysWOW64\Oqfgbf32.dll | Khcbpa32.exe
File created | C:\Windows\SysWOW64\Gpkckneh.exe |
File opened for modification | C:\Windows\SysWOW64\Jchhhjjg.exe |
File created | C:\Windows\SysWOW64\Makpje32.dll | Jhjbqo32.exe
File created | C:\Windows\SysWOW64\Piihaccl.dll | Lljkif32.exe
File opened for modification | C:\Windows\SysWOW64\Bbikig32.exe | Bmlbaqfh.exe
File created | C:\Windows\SysWOW64\Ofdqhh32.dll | Phocfd32.exe
File opened for modification | C:\Windows\SysWOW64\Jkpfcnoe.exe |
File created | C:\Windows\SysWOW64\Mchdpibh.dll | Ehmpeb32.exe
File created | C:\Windows\SysWOW64\Doebph32.dll | Lgpfpe32.exe
File created | C:\Windows\SysWOW64\Jlpfci32.dll | Dboglhna.exe
File created | C:\Windows\SysWOW64\Bpkphm32.dll | Lqjfpbmm.exe
File created | C:\Windows\SysWOW64\Anfggicl.exe |
File opened for modification | C:\Windows\SysWOW64\Qnebjc32.exe | Pejmfqan.exe
File created | C:\Windows\SysWOW64\Gagkjbaf.exe | Gdcjpncm.exe
File opened for modification | C:\Windows\SysWOW64\Hpbhphie.exe | Hmdldmja.exe
File opened for modification | C:\Windows\SysWOW64\Fnplgl32.exe |
File created | C:\Windows\SysWOW64\Megohpba.dll |
File created | C:\Windows\SysWOW64\Cocphf32.exe | Ciihklpj.exe
File opened for modification | C:\Windows\SysWOW64\Mbgela32.exe |
File created | C:\Windows\SysWOW64\Gfbjnb32.dll |
File created | C:\Windows\SysWOW64\Bmkomchi.exe | Bnfblgca.exe
File opened for modification | C:\Windows\SysWOW64\Palbgn32.exe | Pnnfkb32.exe
File created | C:\Windows\SysWOW64\Bfmphlbc.dll |
File opened for modification | C:\Windows\SysWOW64\Cfknjfbl.exe |
File opened for modification | C:\Windows\SysWOW64\Lqhfhigj.exe | Ljnnko32.exe
File created | C:\Windows\SysWOW64\Jplagm32.dll | Foahmh32.exe
File opened for modification | C:\Windows\SysWOW64\Mfngbq32.exe |
File created | C:\Windows\SysWOW64\Dhibakmb.exe | Dlbaljhn.exe
File created | C:\Windows\SysWOW64\Gmcmgp32.dll | Fjomhonj.exe
File opened for modification | C:\Windows\SysWOW64\Hiblmldn.exe |
File opened for modification | C:\Windows\SysWOW64\Fdbhge32.exe | Fgohna32.exe
Modifies registry class 64 IoCs
Processes: Gbhbdi32.exe, Paknelgk.exe, Phpjnnki.exe, Fgohna32.exe, Kkhdml32.exe, Nomphm32.exe, Djlfma32.exe, Lcedne32.exe, Pncljmko.exe, Hbknmicj.exe, Fpokjd32.exe, Hijhhl32.exe, Glbdnbpk.exe, Ddpbfl32.exe, Jlekja32.exe, Hbgjmcba.exe, Hlccdboi.exe, Llkbcl32.exe, Ncnlnaim.exe, Lgkhdddo.exe, Ehmpeb32.exe, Hmkiobge.exe, Eihgfd32.exe, Eaebeoan.exe, Dlhdjh32.exe, Klhbdclg.exe, Ncpdbohb.exe, Hkmjjn32.exe, Omqjgl32.exe, Akphfbbl.exe, Lghlndfa.exe, Hnpgloog.exe, Bbannb32.exe, Ckpckece.exe, Fiebnjbg.exe, Ddaemh32.exe, Kdmban32.exe, Iblola32.exe, Iklfia32.exe, Peqhgmdd.exe, Bakdjn32.exe, Dchpnd32.exe, Ekhkjm32.exe, Efedga32.exe, Efpbih32.exe, Liaeleak.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eligcnhi.dll" | Gbhbdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" | Paknelgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjligacm.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phpjnnki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgohna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlfii32.dll" | Kkhdml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nomphm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djlfma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfolo32.dll" | Lcedne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idoqdcmi.dll" | Pncljmko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbknmicj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcpdjga.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpokjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagmgi32.dll" | Hijhhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobiicng.dll" | Glbdnbpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddpbfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joapmk32.dll" | Jlekja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbgjmcba.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hlccdboi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaakbg32.dll" | Llkbcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmhhh32.dll" | Ncnlnaim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeggj32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lgkhdddo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchdpibh.dll" | Ehmpeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pncljmko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieileaop.dll" | Hmkiobge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpjhgkof.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjjof32.dll" | Eihgfd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eaebeoan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dlhdjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblaaajo.dll" | Klhbdclg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncpdbohb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loimal32.dll" | Hkmjjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omqjgl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akphfbbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lghlndfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnpgloog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbannb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obckihng.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghhpkmjg.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnenmnck.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" | Ckpckece.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fiebnjbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddaemh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdmban32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iblola32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldecmgc.dll" | Iklfia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Peqhgmdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpomlhqo.dll" | Bakdjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dchpnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcpfp32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfamefoo.dll" | Ekhkjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efedga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efpbih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Liaeleak.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe, Kmobhmnn.exe, Lopkjhko.exe, Lmdkcl32.exe, Lahmbo32.exe, Mjcoqdoc.exe, Mmdgbp32.exe, Mikhgqbi.exe, Mbcmpfhi.exe, Noemqe32.exe, Oiakgcnl.exe, Odgodl32.exe, Opplolac.exe, Oihqgbhd.exe, Phpjnnki.exe, Pdgkco32.exe

description | pid | process | target process
PID 3000 wrote to memory of 3056 | 3000 | f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe | Kmobhmnn.exe
PID 3000 wrote to memory of 3056 | 3000 | f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe | Kmobhmnn.exe
PID 3000 wrote to memory of 3056 | 3000 | f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe | Kmobhmnn.exe
PID 3000 wrote to memory of 3056 | 3000 | f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe | Kmobhmnn.exe
PID 3056 wrote to memory of 2696 | 3056 | Kmobhmnn.exe | Lopkjhko.exe
PID 3056 wrote to memory of 2696 | 3056 | Kmobhmnn.exe | Lopkjhko.exe
PID 3056 wrote to memory of 2696 | 3056 | Kmobhmnn.exe | Lopkjhko.exe
PID 3056 wrote to memory of 2696 | 3056 | Kmobhmnn.exe | Lopkjhko.exe
PID 2696 wrote to memory of 2848 | 2696 | Lopkjhko.exe | Lmdkcl32.exe
PID 2696 wrote to memory of 2848 | 2696 | Lopkjhko.exe | Lmdkcl32.exe
PID 2696 wrote to memory of 2848 | 2696 | Lopkjhko.exe | Lmdkcl32.exe
PID 2696 wrote to memory of 2848 | 2696 | Lopkjhko.exe | Lmdkcl32.exe
PID 2848 wrote to memory of 1984 | 2848 | Lmdkcl32.exe | Lahmbo32.exe
PID 2848 wrote to memory of 1984 | 2848 | Lmdkcl32.exe | Lahmbo32.exe
PID 2848 wrote to memory of 1984 | 2848 | Lmdkcl32.exe | Lahmbo32.exe
PID 2848 wrote to memory of 1984 | 2848 | Lmdkcl32.exe | Lahmbo32.exe
PID 1984 wrote to memory of 2440 | 1984 | Lahmbo32.exe | Mjcoqdoc.exe
PID 1984 wrote to memory of 2440 | 1984 | Lahmbo32.exe | Mjcoqdoc.exe
PID 1984 wrote to memory of 2440 | 1984 | Lahmbo32.exe | Mjcoqdoc.exe
PID 1984 wrote to memory of 2440 | 1984 | Lahmbo32.exe | Mjcoqdoc.exe
PID 2440 wrote to memory of 2944 | 2440 | Mjcoqdoc.exe | Mmdgbp32.exe
PID 2440 wrote to memory of 2944 | 2440 | Mjcoqdoc.exe | Mmdgbp32.exe
PID 2440 wrote to memory of 2944 | 2440 | Mjcoqdoc.exe | Mmdgbp32.exe
PID 2440 wrote to memory of 2944 | 2440 | Mjcoqdoc.exe | Mmdgbp32.exe
PID 2944 wrote to memory of 652 | 2944 | Mmdgbp32.exe | Mikhgqbi.exe
PID 2944 wrote to memory of 652 | 2944 | Mmdgbp32.exe | Mikhgqbi.exe
PID 2944 wrote to memory of 652 | 2944 | Mmdgbp32.exe | Mikhgqbi.exe
PID 2944 wrote to memory of 652 | 2944 | Mmdgbp32.exe | Mikhgqbi.exe
PID 652 wrote to memory of 2612 | 652 | Mikhgqbi.exe | Mbcmpfhi.exe
PID 652 wrote to memory of 2612 | 652 | Mikhgqbi.exe | Mbcmpfhi.exe
PID 652 wrote to memory of 2612 | 652 | Mikhgqbi.exe | Mbcmpfhi.exe
PID 652 wrote to memory of 2612 | 652 | Mikhgqbi.exe | Mbcmpfhi.exe
PID 2612 wrote to memory of 2460 | 2612 | Mbcmpfhi.exe | Noemqe32.exe
PID 2612 wrote to memory of 2460 | 2612 | Mbcmpfhi.exe | Noemqe32.exe
PID 2612 wrote to memory of 2460 | 2612 | Mbcmpfhi.exe | Noemqe32.exe
PID 2612 wrote to memory of 2460 | 2612 | Mbcmpfhi.exe | Noemqe32.exe
PID 2460 wrote to memory of 1336 | 2460 | Noemqe32.exe | Oiakgcnl.exe
PID 2460 wrote to memory of 1336 | 2460 | Noemqe32.exe | Oiakgcnl.exe
PID 2460 wrote to memory of 1336 | 2460 | Noemqe32.exe | Oiakgcnl.exe
PID 2460 wrote to memory of 1336 | 2460 | Noemqe32.exe | Oiakgcnl.exe
PID 1336 wrote to memory of 2328 | 1336 | Oiakgcnl.exe | Odgodl32.exe
PID 1336 wrote to memory of 2328 | 1336 | Oiakgcnl.exe | Odgodl32.exe
PID 1336 wrote to memory of 2328 | 1336 | Oiakgcnl.exe | Odgodl32.exe
PID 1336 wrote to memory of 2328 | 1336 | Oiakgcnl.exe | Odgodl32.exe
PID 2328 wrote to memory of 2656 | 2328 | Odgodl32.exe | Opplolac.exe
PID 2328 wrote to memory of 2656 | 2328 | Odgodl32.exe | Opplolac.exe
PID 2328 wrote to memory of 2656 | 2328 | Odgodl32.exe | Opplolac.exe
PID 2328 wrote to memory of 2656 | 2328 | Odgodl32.exe | Opplolac.exe
PID 2656 wrote to memory of 696 | 2656 | Opplolac.exe | Oihqgbhd.exe
PID 2656 wrote to memory of 696 | 2656 | Opplolac.exe | Oihqgbhd.exe
PID 2656 wrote to memory of 696 | 2656 | Opplolac.exe | Oihqgbhd.exe
PID 2656 wrote to memory of 696 | 2656 | Opplolac.exe | Oihqgbhd.exe
PID 696 wrote to memory of 2320 | 696 | Oihqgbhd.exe | Phpjnnki.exe
PID 696 wrote to memory of 2320 | 696 | Oihqgbhd.exe | Phpjnnki.exe
PID 696 wrote to memory of 2320 | 696 | Oihqgbhd.exe | Phpjnnki.exe
PID 696 wrote to memory of 2320 | 696 | Oihqgbhd.exe | Phpjnnki.exe
PID 2320 wrote to memory of 2868 | 2320 | Phpjnnki.exe | Pdgkco32.exe
PID 2320 wrote to memory of 2868 | 2320 | Phpjnnki.exe | Pdgkco32.exe
PID 2320 wrote to memory of 2868 | 2320 | Phpjnnki.exe | Pdgkco32.exe
PID 2320 wrote to memory of 2868 | 2320 | Phpjnnki.exe | Pdgkco32.exe
PID 2868 wrote to memory of 1644 | 2868 | Pdgkco32.exe | Pkcpei32.exe
PID 2868 wrote to memory of 1644 | 2868 | Pdgkco32.exe | Pkcpei32.exe
PID 2868 wrote to memory of 1644 | 2868 | Pdgkco32.exe | Pkcpei32.exe
PID 2868 wrote to memory of 1644 | 2868 | Pdgkco32.exe | Pkcpei32.exe
Processes
-
Each entry gives the depth in the process tree, the image path, the PID and the behaviours flagged for that process. For every process below the root, the recorded command line is the image path with C:\Windows\system32 in place of C:\Windows\SysWOW64.

- 1. C:\Users\Admin\AppData\Local\Temp\f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe (PID 3000): Loads dropped DLL; Suspicious use of WriteProcessMemory
- 2. C:\Windows\SysWOW64\Kmobhmnn.exe (PID 3056): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 3. C:\Windows\SysWOW64\Lopkjhko.exe (PID 2696): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 4. C:\Windows\SysWOW64\Lmdkcl32.exe (PID 2848): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 5. C:\Windows\SysWOW64\Lahmbo32.exe (PID 1984): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 6. C:\Windows\SysWOW64\Mjcoqdoc.exe (PID 2440): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 7. C:\Windows\SysWOW64\Mmdgbp32.exe (PID 2944): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 8. C:\Windows\SysWOW64\Mikhgqbi.exe (PID 652): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 9. C:\Windows\SysWOW64\Mbcmpfhi.exe (PID 2612): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 10. C:\Windows\SysWOW64\Noemqe32.exe (PID 2460): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 11. C:\Windows\SysWOW64\Oiakgcnl.exe (PID 1336): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 12. C:\Windows\SysWOW64\Odgodl32.exe (PID 2328): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 13. C:\Windows\SysWOW64\Opplolac.exe (PID 2656): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 14. C:\Windows\SysWOW64\Oihqgbhd.exe (PID 696): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 15. C:\Windows\SysWOW64\Phpjnnki.exe (PID 2320): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 16. C:\Windows\SysWOW64\Pdgkco32.exe (PID 2868): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 17. C:\Windows\SysWOW64\Pkcpei32.exe (PID 1644): Executes dropped EXE; Loads dropped DLL
- 18. C:\Windows\SysWOW64\Qgjqjjll.exe (PID 2060): Executes dropped EXE; Loads dropped DLL
- 19. C:\Windows\SysWOW64\Qglmpi32.exe (PID 952): Executes dropped EXE; Loads dropped DLL
- 20. C:\Windows\SysWOW64\Abhkfg32.exe (PID 1528): Executes dropped EXE; Loads dropped DLL
- 21. C:\Windows\SysWOW64\Anolkh32.exe (PID 1584): Executes dropped EXE; Loads dropped DLL
- 22. C:\Windows\SysWOW64\Aeidgbaf.exe (PID 1276): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 23. C:\Windows\SysWOW64\Aekqmbod.exe (PID 920): Executes dropped EXE; Loads dropped DLL
- 24. C:\Windows\SysWOW64\Aboaff32.exe (PID 1444): Executes dropped EXE; Loads dropped DLL
- 25. C:\Windows\SysWOW64\Bnfblgca.exe (PID 560): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 26. C:\Windows\SysWOW64\Bmkomchi.exe (PID 1152): Executes dropped EXE; Loads dropped DLL
- 27. C:\Windows\SysWOW64\Bgqcjlhp.exe (PID 1952): Executes dropped EXE; Loads dropped DLL
- 28. C:\Windows\SysWOW64\Bpnddn32.exe (PID 2528): Executes dropped EXE; Loads dropped DLL
- 29. C:\Windows\SysWOW64\Dinklffl.exe (PID 2864): Executes dropped EXE; Loads dropped DLL
- 30. C:\Windows\SysWOW64\Ekhkjm32.exe (PID 2716): Executes dropped EXE; Loads dropped DLL; Modifies registry class
- 31. C:\Windows\SysWOW64\Fffefjmi.exe (PID 2520): Executes dropped EXE; Loads dropped DLL
- 32. C:\Windows\SysWOW64\Fjdnlhco.exe (PID 2556): Executes dropped EXE; Loads dropped DLL
- 33. C:\Windows\SysWOW64\Fcmben32.exe (PID 2540): Executes dropped EXE
- 34. C:\Windows\SysWOW64\Fkhgip32.exe (PID 2396): Executes dropped EXE
- 35. C:\Windows\SysWOW64\Fgohna32.exe (PID 1772): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
- 36. C:\Windows\SysWOW64\Fdbhge32.exe (PID 1640): Executes dropped EXE
- 37. C:\Windows\SysWOW64\Gcheib32.exe (PID 2488): Executes dropped EXE
- 38. C:\Windows\SysWOW64\Gegabegc.exe (PID 2112): Executes dropped EXE
- 39. C:\Windows\SysWOW64\Gmbfggdo.exe (PID 1832): Executes dropped EXE
- 40. C:\Windows\SysWOW64\Giiglhjb.exe (PID 2480): Executes dropped EXE
- 41. C:\Windows\SysWOW64\Gmgpbf32.exe (PID 2028): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 42. C:\Windows\SysWOW64\Hfpdkl32.exe (PID 1840): Executes dropped EXE
- 43. C:\Windows\SysWOW64\Hinqgg32.exe (PID 2260): Executes dropped EXE
- 44. C:\Windows\SysWOW64\Hhcmhdke.exe (PID 1932): Executes dropped EXE
- 45. C:\Windows\SysWOW64\Hegnahjo.exe (PID 2284): Executes dropped EXE
- 46. C:\Windows\SysWOW64\Hanogipc.exe (PID 1576): Executes dropped EXE
- 47. C:\Windows\SysWOW64\Hlccdboi.exe (PID 3064): Executes dropped EXE; Modifies registry class
- 48. C:\Windows\SysWOW64\Hfmddp32.exe (PID 1316): Executes dropped EXE
- 49. C:\Windows\SysWOW64\Idadnd32.exe (PID 1376): Executes dropped EXE
- 50. C:\Windows\SysWOW64\Imiigiab.exe (PID 2900): Executes dropped EXE
- 51. C:\Windows\SysWOW64\Ifampo32.exe (PID 608): Executes dropped EXE
- 52. C:\Windows\SysWOW64\Ilofhffj.exe (PID 1280): Executes dropped EXE
- 53. C:\Windows\SysWOW64\Ibhndp32.exe (PID 892): Executes dropped EXE
- 54. C:\Windows\SysWOW64\Ioooiack.exe (PID 900): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 55. C:\Windows\SysWOW64\Ifffkncm.exe (PID 3028): Executes dropped EXE
- 56. C:\Windows\SysWOW64\Ioakoq32.exe (PID 2116): Executes dropped EXE
- 57. C:\Windows\SysWOW64\Iapgkl32.exe (PID 3060): Executes dropped EXE
- 58. C:\Windows\SysWOW64\Jkhldafl.exe (PID 2780): Executes dropped EXE
- 59. C:\Windows\SysWOW64\Jbpdeogo.exe (PID 2728): Executes dropped EXE
- 60. C:\Windows\SysWOW64\Jkkija32.exe (PID 2604): Executes dropped EXE
- 61. C:\Windows\SysWOW64\Jaeafklf.exe (PID 580): Executes dropped EXE
- 62. C:\Windows\SysWOW64\Jkmeoa32.exe (PID 1872): Executes dropped EXE
- 63. C:\Windows\SysWOW64\Jnkakl32.exe (PID 2928): Executes dropped EXE
- 64. C:\Windows\SysWOW64\Jjbbpmgo.exe (PID 2648): Executes dropped EXE
- 65. C:\Windows\SysWOW64\Jplkmgol.exe (PID 2660): Executes dropped EXE
- 66. C:\Windows\SysWOW64\Jnpkflne.exe (PID 1428)
- 67. C:\Windows\SysWOW64\Kghpoa32.exe (PID 2872)
- 68. C:\Windows\SysWOW64\Klehgh32.exe (PID 844)
- 69. C:\Windows\SysWOW64\Kcopdb32.exe (PID 1928)
- 70. C:\Windows\SysWOW64\Klhemhpk.exe (PID 1808)
- 71. C:\Windows\SysWOW64\Kofaicon.exe (PID 1604)
- 72. C:\Windows\SysWOW64\Kfpifm32.exe (PID 2196)
- 73. C:\Windows\SysWOW64\Kkmand32.exe (PID 2908)
- 74. C:\Windows\SysWOW64\Kfbfkmeh.exe (PID 904)
- 75. C:\Windows\SysWOW64\Kllnhg32.exe (PID 2912): Adds autorun key to be loaded by Explorer.exe on startup
- 76. C:\Windows\SysWOW64\Kfebambf.exe (PID 1296)
- 77. C:\Windows\SysWOW64\Lkakicam.exe (PID 2752)
- 78. C:\Windows\SysWOW64\Lqncaj32.exe (PID 2444)
- 79. C:\Windows\SysWOW64\Lghlndfa.exe (PID 2436): Modifies registry class
- 80. C:\Windows\SysWOW64\Lbnpkmfg.exe (PID 2484)
- 81. C:\Windows\SysWOW64\Lgkhdddo.exe (PID 2956): Modifies registry class
- 82. C:\Windows\SysWOW64\Lmgalkcf.exe (PID 1232)
- 83. C:\Windows\SysWOW64\Lcaiiejc.exe (PID 1244)
- 84. C:\Windows\SysWOW64\Ljkaeo32.exe (PID 2024)
- 85. C:\Windows\SysWOW64\Lohjnf32.exe (PID 1768)
- 86. C:\Windows\SysWOW64\Ljnnko32.exe (PID 2288): Drops file in System32 directory
- 87. C:\Windows\SysWOW64\Lqhfhigj.exe (PID 1980)
- 88. C:\Windows\SysWOW64\Lbicoamh.exe (PID 1912): Drops file in System32 directory
- 89. C:\Windows\SysWOW64\Micklk32.exe (PID 1360)
- 90. C:\Windows\SysWOW64\Mbkpeake.exe (PID 1400)
- 91. C:\Windows\SysWOW64\Miehak32.exe (PID 1968)
- 92. C:\Windows\SysWOW64\Mfihkoal.exe (PID 2152)
- 93. C:\Windows\SysWOW64\Mpamde32.exe (PID 1992)
- 94. C:\Windows\SysWOW64\Meoell32.exe (PID 2552)
- 95. C:\Windows\SysWOW64\Mngjeamd.exe (PID 2740)
- 96. C:\Windows\SysWOW64\Mhonngce.exe (PID 2584)
- 97. C:\Windows\SysWOW64\Nmlgfnal.exe (PID 2420)
- 98. C:\Windows\SysWOW64\Nfdkoc32.exe (PID 2932)
- 99. C:\Windows\SysWOW64\Oehdan32.exe (PID 1800)
- 100. C:\Windows\SysWOW64\Okgjodmi.exe (PID 2624)
- 101. C:\Windows\SysWOW64\Ppfomk32.exe (PID 1824)
- 102. C:\Windows\SysWOW64\Plolgk32.exe (PID 1756)
- 103. C:\Windows\SysWOW64\Palepb32.exe (PID 768): Adds autorun key to be loaded by Explorer.exe on startup
- 104. C:\Windows\SysWOW64\Pkdihhag.exe (PID 2860)
- 105. C:\Windows\SysWOW64\Pejmfqan.exe (PID 1500): Drops file in System32 directory
- 106. C:\Windows\SysWOW64\Qnebjc32.exe (PID 1060)
- 107. C:\Windows\SysWOW64\Qododfek.exe (PID 1556)
- 108. C:\Windows\SysWOW64\Qhmcmk32.exe (PID 1684): Adds autorun key to be loaded by Explorer.exe on startup
- 109. C:\Windows\SysWOW64\Aqhhanig.exe (PID 1736)
- 110. C:\Windows\SysWOW64\Anlhkbhq.exe (PID 1876)
- 111. C:\Windows\SysWOW64\Aciqcifh.exe (PID 3016)
- 112. C:\Windows\SysWOW64\Anneqafn.exe (PID 2104)
- 113. C:\Windows\SysWOW64\Aggiigmn.exe (PID 2808)
- 114. C:\Windows\SysWOW64\Aqonbm32.exe (PID 2532)
- 115. C:\Windows\SysWOW64\Aijbfo32.exe (PID 1708)
- 116. C:\Windows\SysWOW64\Bbbgod32.exe (PID 2424)
- 117. C:\Windows\SysWOW64\Bofgii32.exe (PID 2800)
- 118. C:\Windows\SysWOW64\Biolanld.exe (PID 2200)
- 119. C:\Windows\SysWOW64\Bnnaoe32.exe (PID 2508)
- 120. C:\Windows\SysWOW64\Behilopf.exe (PID 1048)
- 121. C:\Windows\SysWOW64\Bjebdfnn.exe (PID 2724)
- 122. C:\Windows\SysWOW64\Bejfao32.exe (PID 2128)
- 123. C:\Windows\SysWOW64\Cmfkfa32.exe (PID 2876)
- 124. C:\Windows\SysWOW64\Cfnoogbo.exe (PID 1880)
- 125. C:\Windows\SysWOW64\Cpfdhl32.exe (PID 1272)
- 126. C:\Windows\SysWOW64\Cjlheehe.exe (PID 1320)
- 127. C:\Windows\SysWOW64\Ccdmnj32.exe (PID 2352)
- 128. C:\Windows\SysWOW64\Cmmagpef.exe (PID 1492)
- 129. C:\Windows\SysWOW64\Cehfkb32.exe (PID 2924)
- 130. C:\Windows\SysWOW64\Copjdhib.exe (PID 2468)
- 131. C:\Windows\SysWOW64\Daacecfc.exe (PID 2620)
- 132. C:\Windows\SysWOW64\Dmhdkdlg.exe (PID 2948)
- 133. C:\Windows\SysWOW64\Dfphcj32.exe (PID 896)
- 134. C:\Windows\SysWOW64\Dgbeiiqe.exe (PID 2180)
- 135. C:\Windows\SysWOW64\Dahifbpk.exe (PID 2168)
- 136. C:\Windows\SysWOW64\Dkqnoh32.exe (PID 2032)
- 137. C:\Windows\SysWOW64\Eclbcj32.exe (PID 2088)
- 138. C:\Windows\SysWOW64\Eiekpd32.exe (PID 2360)
- 139. C:\Windows\SysWOW64\Eihgfd32.exe (PID 2084): Modifies registry class
- 140. C:\Windows\SysWOW64\Eoepnk32.exe (PID 792)
- 141. C:\Windows\SysWOW64\Eogmcjef.exe (PID 3024)
- 142. C:\Windows\SysWOW64\Ehpalp32.exe (PID 1560)
- 143. C:\Windows\SysWOW64\Enlidg32.exe (PID 2560)
- 144. C:\Windows\SysWOW64\Folfoj32.exe (PID 1884)
- 145. C:\Windows\SysWOW64\Fhdjgoha.exe (PID 2416)
- 146. C:\Windows\SysWOW64\Fnacpffh.exe (PID 2324)
- 147. C:\Windows\SysWOW64\Fncpef32.exe (PID 2676)
- 148. C:\Windows\SysWOW64\Fgldnkkf.exe (PID 1600)
- 149. C:\Windows\SysWOW64\Fmkilb32.exe (PID 2588)
- 150. C:\Windows\SysWOW64\Gbhbdi32.exe (PID 1988): Modifies registry class
- 151. C:\Windows\SysWOW64\Gkpfmnlb.exe (PID 320)
- 152. C:\Windows\SysWOW64\Gfejjgli.exe (PID 1012)
- 153. C:\Windows\SysWOW64\Gkephn32.exe (PID 2516)
- 154. C:\Windows\SysWOW64\Giipab32.exe (PID 1568)
- 155. C:\Windows\SysWOW64\Ggnmbn32.exe (PID 2496)
- 156. C:\Windows\SysWOW64\Hebnlb32.exe (PID 1720)
- 157. C:\Windows\SysWOW64\Hfcjdkpg.exe (PID 2652)
- 158. C:\Windows\SysWOW64\Hpkompgg.exe (PID 964)
- 159. C:\Windows\SysWOW64\Mfjann32.exe (PID 764)
- 160. C:\Windows\SysWOW64\Ohncbdbd.exe (PID 2984)
- 161. C:\Windows\SysWOW64\Oekjjl32.exe (PID 2568)
- 162. C:\Windows\SysWOW64\Oococb32.exe (PID 2764)
- 163. C:\Windows\SysWOW64\Pofkha32.exe (PID 2788)
- 164. C:\Windows\SysWOW64\Pdbdqh32.exe (PID 2432)
- 165. C:\Windows\SysWOW64\Pebpkk32.exe (PID 1040)
- 166. C:\Windows\SysWOW64\Paiaplin.exe (PID 2316): Adds autorun key to be loaded by Explorer.exe on startup
- 167. C:\Windows\SysWOW64\Pgfjhcge.exe (PID 2356)
- 168. C:\Windows\SysWOW64\Paknelgk.exe (PID 1112): Modifies registry class
- 169. C:\Windows\SysWOW64\Pkcbnanl.exe (PID 820)
- 170. C:\Windows\SysWOW64\Qcogbdkg.exe (PID 2672)
- 171. C:\Windows\SysWOW64\Qcachc32.exe (PID 2992): Drops file in System32 directory
- 172. C:\Windows\SysWOW64\Apedah32.exe (PID 1860)
- 173. C:\Windows\SysWOW64\Agolnbok.exe (PID 800)
- 174. C:\Windows\SysWOW64\Apgagg32.exe (PID 2472)
- 175. C:\Windows\SysWOW64\Ajpepm32.exe (PID 3040)
- 176. C:\Windows\SysWOW64\Achjibcl.exe (PID 2632)
- 177. C:\Windows\SysWOW64\Alqnah32.exe (PID 1648)
- 178. C:\Windows\SysWOW64\Ahgofi32.exe (PID 2228): Adds autorun key to be loaded by Explorer.exe on startup
- 179. C:\Windows\SysWOW64\Andgop32.exe (PID 2692)
- 180. C:\Windows\SysWOW64\Bhjlli32.exe (PID 2976)
- 181. C:\Windows\SysWOW64\Bbbpenco.exe (PID 1588)
- 182. C:\Windows\SysWOW64\Bccmmf32.exe (PID 1300)
- 183. C:\Windows\SysWOW64\Bdcifi32.exe (PID 1564)
- 184. C:\Windows\SysWOW64\Bnknoogp.exe (PID 2820)
- 185. C:\Windows\SysWOW64\Bchfhfeh.exe (PID 2156)
- 186. C:\Windows\SysWOW64\Bjbndpmd.exe (PID 1956)
- 187. C:\Windows\SysWOW64\Bfioia32.exe (PID 2804)
- 188. C:\Windows\SysWOW64\Bkegah32.exe (PID 1136)
- 189. C:\Windows\SysWOW64\Ciihklpj.exe (PID 2732): Drops file in System32 directory
- 190. C:\Windows\SysWOW64\Cocphf32.exe (PID 1936)
- 191. C:\Windows\SysWOW64\Cfmhdpnc.exe (PID 1580)
- 192. C:\Windows\SysWOW64\Cpfmmf32.exe (PID 3076)
- 193. C:\Windows\SysWOW64\Cagienkb.exe (PID 3136)
- 194. C:\Windows\SysWOW64\Cgaaah32.exe (PID 3184)
- 195. C:\Windows\SysWOW64\Ceebklai.exe (PID 3228)
- 196. C:\Windows\SysWOW64\Cnmfdb32.exe (PID 3268)
- 197. C:\Windows\SysWOW64\Cegoqlof.exe (PID 3308)
- 198. C:\Windows\SysWOW64\Dnpciaef.exe (PID 3348)
- 199. C:\Windows\SysWOW64\Dhhhbg32.exe (PID 3392)
- 200. C:\Windows\SysWOW64\Diidjpbe.exe (PID 3432)
- 201. C:\Windows\SysWOW64\Dpcmgi32.exe (PID 3472)
- 202. C:\Windows\SysWOW64\Dilapopb.exe (PID 3512)
- 203. C:\Windows\SysWOW64\Ddaemh32.exe (PID 3596): Modifies registry class
- 204. C:\Windows\SysWOW64\Dokfme32.exe (PID 3644)
- 205. C:\Windows\SysWOW64\Dipjkn32.exe (PID 3684)
- 206. C:\Windows\SysWOW64\Dbiocd32.exe (PID 3724)
- 207. C:\Windows\SysWOW64\Eibgpnjk.exe (PID 3764)
- 208. C:\Windows\SysWOW64\Ebklic32.exe (PID 3804)
- 209. C:\Windows\SysWOW64\Elcpbigl.exe (PID 3844)
- 210. C:\Windows\SysWOW64\Eeldkonl.exe (PID 3884)
- 211. C:\Windows\SysWOW64\Eodicd32.exe (PID 3924): Adds autorun key to be loaded by Explorer.exe on startup
- 212. C:\Windows\SysWOW64\Ehlmljkm.exe (PID 3964)
- 213. C:\Windows\SysWOW64\Eaebeoan.exe (PID 4004): Drops file in System32 directory; Modifies registry class
- 214. C:\Windows\SysWOW64\Eipgjaoi.exe (PID 4044)
- 215. C:\Windows\SysWOW64\Fgdgcfmb.exe (PID 4084)
- 216. C:\Windows\SysWOW64\Fplllkdc.exe (PID 3120)
- 217. C:\Windows\SysWOW64\Fiepea32.exe (PID 3180)
- 218. C:\Windows\SysWOW64\Foahmh32.exe (PID 3220): Drops file in System32 directory
- 219. C:\Windows\SysWOW64\Fhjmfnok.exe (PID 3276)
- 220. C:\Windows\SysWOW64\Fhljkm32.exe (PID 3328)
- 221. C:\Windows\SysWOW64\Gdcjpncm.exe (PID 3380): Drops file in System32 directory
- 222. C:\Windows\SysWOW64\Gagkjbaf.exe (PID 3420)
- 223. C:\Windows\SysWOW64\Gqlhkofn.exe (PID 3444)
- 224. C:\Windows\SysWOW64\Gcmamj32.exe (PID 3544)
- 225. C:\Windows\SysWOW64\Haqnea32.exe (PID 3608)
- 226. C:\Windows\SysWOW64\Ieofkp32.exe (PID 3632)
- 227. C:\Windows\SysWOW64\Ijkocg32.exe (PID 3700)
- 228. C:\Windows\SysWOW64\Icdcllpc.exe (PID 3760)
- 229. C:\Windows\SysWOW64\Imlhebfc.exe (PID 3776)
- 230. C:\Windows\SysWOW64\Ibipmiek.exe (PID 3840)
- 231. C:\Windows\SysWOW64\Ipmqgmcd.exe (PID 3900)
- 232. C:\Windows\SysWOW64\Imaapa32.exe (PID 3960)
- 233. C:\Windows\SysWOW64\Jhjbqo32.exe (PID 3992): Drops file in System32 directory
- 234. C:\Windows\SysWOW64\Jenbjc32.exe (PID 4028)
- 235. C:\Windows\SysWOW64\Joggci32.exe (PID 1864)
- 236. C:\Windows\SysWOW64\Jhoklnkg.exe (PID 3152): Drops file in System32 directory
- 237. C:\Windows\SysWOW64\Jagpdd32.exe (PID 3236)
- 238. C:\Windows\SysWOW64\Jokqnhpa.exe (PID 3288)
- 239. C:\Windows\SysWOW64\Jfgebjnm.exe (PID 3340)
- 240. C:\Windows\SysWOW64\Kalipcmb.exe (PID 3404)
- 241. C:\Windows\SysWOW64\Kigndekn.exe (PID 3460)
- 242. C:\Windows\SysWOW64\Kdmban32.exe (PID 3528): Modifies registry class