Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 09:23
Static task
static1
Behavioral task
behavioral1
Sample
b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exe
-
Size
163KB
-
MD5
b51dfa17f2fee7930f4d86f884f542c0
-
SHA1
e192779675bbc56e56ea3facdf9dd223af7cc778
-
SHA256
bbf46772692f1a907c8faeaf864a169fdf71a8a06ef50bdd1211485db8642002
-
SHA512
eb1e85669eef6e78ec228f4d3a5db26dcd79edeb31d93bc02a139f4e2a85a99d2e5ce99341fea21aa0aaa86fa9f68fb24da210b5fb91852e7ed09b8566830cbd
-
SSDEEP
1536:PC/QIWiqfNwz1pm3CDlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:q4JiqfqzPmSDltOrWKDBr+yJb
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jnkcogno.exeOebflhaf.exeAflaie32.exeIgbalblk.exeGmiclo32.exeNlkngo32.exeJgpmmp32.exeIcplcpgo.exeHgjljpkm.exeAjkhdp32.exeEhljfnpn.exeLingibiq.exeNpcoakfp.exeOlgemcli.exeEcmeig32.exeCjpckf32.exeKnlleepl.exeDabhdinj.exeLkiqbl32.exeMdjagjco.exeBjodjb32.exeCaienjfd.exeIjfboafl.exeFkffog32.exeDknpmdfc.exeGoedpofl.exeJjamia32.exePhbhcmjl.exeJfaedkdp.exeLdleel32.exeOldamm32.exeIlghlc32.exeAcqimo32.exeEhfcfb32.exeBjpjel32.exeJmbklj32.exeBcebhoii.exeQjoankoi.exeGgahedjn.exeFkalchij.exeIbjjhn32.exeGgilil32.exeOocmii32.exeDfknkg32.exeAcokhc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkcogno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebflhaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkngo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icplcpgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjljpkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lingibiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npcoakfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgemcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knlleepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabhdinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkiqbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjodjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijfboafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkffog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goedpofl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knlleepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjamia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfaedkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldleel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldamm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilghlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acqimo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehfcfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpjel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbklj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjoankoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkalchij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjjhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggilil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acokhc32.exe -
Executes dropped EXE 64 IoCs
Processes:
Hmdedo32.exeHpbaqj32.exeHfljmdjc.exeHjhfnccl.exeHmfbjnbp.exeHpgkkioa.exeHbeghene.exeHmklen32.exeHaggelfd.exeHjolnb32.exeHaidklda.exeIffmccbi.exeIidipnal.exeIbmmhdhm.exeImbaemhc.exeIfjfnb32.exeIjfboafl.exeIdofhfmm.exeIikopmkd.exeIabgaklg.exeIdacmfkj.exeJaedgjjd.exeJmkdlkph.exeJjpeepnb.exeJdhine32.exeJjbako32.exeJmpngk32.exeJfhbppbc.exeJmbklj32.exeJpaghf32.exeJiikak32.exeKdopod32.exeKkihknfg.exeKmgdgjek.exeKpepcedo.exeKgphpo32.exeKinemkko.exeKknafn32.exeKipabjil.exeKmlnbi32.exeKdffocib.exeKkpnlm32.exeKmnjhioc.exeKpmfddnf.exeKgfoan32.exeLalcng32.exeLkdggmlj.exeLpappc32.exeLcpllo32.exeLkgdml32.exeLpcmec32.exeLgneampk.exeLkiqbl32.exeLdaeka32.exeLklnhlfb.exeLaefdf32.exeLphfpbdi.exeMnlfigcc.exeMdfofakp.exeMgekbljc.exeMnocof32.exeMajopeii.exeMkbchk32.exeMpolqa32.exepid process 5104 Hmdedo32.exe 1900 Hpbaqj32.exe 2936 Hfljmdjc.exe 4332 Hjhfnccl.exe 3936 Hmfbjnbp.exe 528 Hpgkkioa.exe 2160 Hbeghene.exe 4980 Hmklen32.exe 4524 Haggelfd.exe 5052 Hjolnb32.exe 5048 Haidklda.exe 4556 Iffmccbi.exe 2084 Iidipnal.exe 4788 Ibmmhdhm.exe 4404 Imbaemhc.exe 2436 Ifjfnb32.exe 4676 Ijfboafl.exe 2764 Idofhfmm.exe 648 Iikopmkd.exe 3456 Iabgaklg.exe 5016 Idacmfkj.exe 2268 Jaedgjjd.exe 812 Jmkdlkph.exe 3620 Jjpeepnb.exe 2140 Jdhine32.exe 3872 Jjbako32.exe 344 Jmpngk32.exe 3316 Jfhbppbc.exe 5044 Jmbklj32.exe 2360 Jpaghf32.exe 5024 Jiikak32.exe 760 Kdopod32.exe 1876 Kkihknfg.exe 1984 Kmgdgjek.exe 4040 Kpepcedo.exe 1372 Kgphpo32.exe 2656 Kinemkko.exe 1992 Kknafn32.exe 3672 Kipabjil.exe 744 Kmlnbi32.exe 4392 Kdffocib.exe 5032 Kkpnlm32.exe 1544 Kmnjhioc.exe 2408 Kpmfddnf.exe 2984 Kgfoan32.exe 4800 Lalcng32.exe 1068 Lkdggmlj.exe 3952 Lpappc32.exe 2596 Lcpllo32.exe 3692 Lkgdml32.exe 1144 Lpcmec32.exe 1736 Lgneampk.exe 4180 Lkiqbl32.exe 1540 Ldaeka32.exe 1944 Lklnhlfb.exe 4092 Laefdf32.exe 4476 Lphfpbdi.exe 640 Mnlfigcc.exe 4572 Mdfofakp.exe 4300 Mgekbljc.exe 1808 Mnocof32.exe 1708 Majopeii.exe 4052 Mkbchk32.exe 4704 Mpolqa32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ahmlgd32.exeMjhqjg32.exeHgmgqc32.exePahpfc32.exeGiqkkf32.exeBgpgng32.exeNjiegl32.exeMelnob32.exeJgnqgqan.exeFdfmlhna.exeKageaj32.exeKkmioc32.exeMhoipb32.exeMnocof32.exeJqiipljg.exeNhbolp32.exeBlhpqhlh.exeEleepoob.exeHodgkc32.exeDobfld32.exeLbkkgl32.exeNckndeni.exeBmomlnjk.exeNcihikcg.exeIgchfiof.exeKqnbkl32.exeNiakfbpa.exeHofmfmhj.exeKepelfam.exeFkllnbjc.exeHgiepjga.exeFcfhof32.exeHlambk32.exeEfkphnbd.exePqbdjfln.exePjjhbl32.exeJjamia32.exeFbhpch32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ajkhdp32.exe Ahmlgd32.exe File created C:\Windows\SysWOW64\Egaejeej.exe File created C:\Windows\SysWOW64\Mfnlgh32.dll File opened for modification C:\Windows\SysWOW64\Mcpebmkb.exe Mjhqjg32.exe File created C:\Windows\SysWOW64\Hildmn32.exe Hgmgqc32.exe File created C:\Windows\SysWOW64\Lnohlgep.exe File created C:\Windows\SysWOW64\Omgcpokp.exe File created C:\Windows\SysWOW64\Gdmpga32.dll File created C:\Windows\SysWOW64\Gimngjie.dll File created C:\Windows\SysWOW64\Jlmmnd32.dll File created C:\Windows\SysWOW64\Hnoigi32.dll Pahpfc32.exe File opened for modification C:\Windows\SysWOW64\Amqhbe32.exe File created C:\Windows\SysWOW64\Gnlgleef.exe Giqkkf32.exe File opened for modification C:\Windows\SysWOW64\Bjodjb32.exe Bgpgng32.exe File created C:\Windows\SysWOW64\Noeahkfc.exe Njiegl32.exe File created C:\Windows\SysWOW64\Cdecba32.dll File created C:\Windows\SysWOW64\Mmbfpp32.exe Melnob32.exe File opened for modification C:\Windows\SysWOW64\Jpfepf32.exe Jgnqgqan.exe File created C:\Windows\SysWOW64\Kbgbpn32.dll File opened for modification C:\Windows\SysWOW64\Dnmhpg32.exe File created C:\Windows\SysWOW64\Ipaooi32.dll File created C:\Windows\SysWOW64\Kdding32.dll File opened for modification C:\Windows\SysWOW64\Fgeihcme.exe Fdfmlhna.exe File created C:\Windows\SysWOW64\Kecabifp.exe Kageaj32.exe File created C:\Windows\SysWOW64\Obonfmck.dll Kkmioc32.exe File opened for modification C:\Windows\SysWOW64\Mlkepaam.exe Mhoipb32.exe File created C:\Windows\SysWOW64\Mccfdmmo.exe File created C:\Windows\SysWOW64\Ombnni32.dll File created C:\Windows\SysWOW64\Ipjijkpg.dll File created C:\Windows\SysWOW64\Majopeii.exe Mnocof32.exe File created C:\Windows\SysWOW64\Dajkgl32.dll Jqiipljg.exe File opened for modification C:\Windows\SysWOW64\Nolgijpk.exe Nhbolp32.exe File created C:\Windows\SysWOW64\Bfpdin32.exe Blhpqhlh.exe File opened for modification C:\Windows\SysWOW64\Ebommi32.exe Eleepoob.exe File created C:\Windows\SysWOW64\Aabkbono.exe File opened for modification C:\Windows\SysWOW64\Hcpclbfa.exe Hodgkc32.exe File created C:\Windows\SysWOW64\Daqbip32.exe Dobfld32.exe File created C:\Windows\SysWOW64\Lieccf32.exe Lbkkgl32.exe File created C:\Windows\SysWOW64\Nfmifiap.dll File created C:\Windows\SysWOW64\Dannpknl.dll File opened for modification C:\Windows\SysWOW64\Cogddd32.exe File opened for modification C:\Windows\SysWOW64\Nfjjppmm.exe Nckndeni.exe File created C:\Windows\SysWOW64\Gnknpnlf.dll Bmomlnjk.exe File opened for modification C:\Windows\SysWOW64\Kjeiodek.exe File opened for modification C:\Windows\SysWOW64\Jlbejloe.exe File opened for modification C:\Windows\SysWOW64\Njcpee32.exe Ncihikcg.exe File created C:\Windows\SysWOW64\Mgbalagn.dll Igchfiof.exe File opened for modification C:\Windows\SysWOW64\Kghjhemo.exe Kqnbkl32.exe File created C:\Windows\SysWOW64\Lepein32.dll Niakfbpa.exe File created C:\Windows\SysWOW64\Hfpecg32.exe Hofmfmhj.exe File created C:\Windows\SysWOW64\Eikdngcl.dll Kepelfam.exe File created C:\Windows\SysWOW64\Fafdkmap.exe Fkllnbjc.exe File opened for modification C:\Windows\SysWOW64\Hjhalefe.exe Hgiepjga.exe File opened for modification C:\Windows\SysWOW64\Bpdnjple.exe File opened for modification C:\Windows\SysWOW64\Cancekeo.exe File created C:\Windows\SysWOW64\Naqcfnjk.dll Fcfhof32.exe File created C:\Windows\SysWOW64\Hdhedh32.exe Hlambk32.exe File created C:\Windows\SysWOW64\Ifmqfm32.exe File created C:\Windows\SysWOW64\Nabbod32.dll Efkphnbd.exe File created C:\Windows\SysWOW64\Hmmblqfc.dll Pqbdjfln.exe File created C:\Windows\SysWOW64\Pqdqof32.exe Pjjhbl32.exe File created C:\Windows\SysWOW64\Gengjl32.dll Jjamia32.exe File opened for modification C:\Windows\SysWOW64\Fibhpbea.exe Fbhpch32.exe File created C:\Windows\SysWOW64\Ilcldb32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 5164 4940 -
Modifies registry class 64 IoCs
Processes:
Hjolnb32.exeMenjdbgj.exeHkhdqoac.exeIoopml32.exeCibmlmeb.exeHaoimcgg.exeQhngolpo.exeHildmn32.exeCdfkolkf.exeOcopdn32.exePjdilcla.exeFeocelll.exeNcbknfed.exeFgjccb32.exeIgcoqocb.exeJiikak32.exeKlljnp32.exeBfdodjhm.exeNomncpcg.exeBgpgng32.exeHajpbckl.exeNdaggimg.exeKfcdfbqo.exeNlleaeff.exeJmknaell.exeAnogiicl.exeGekcaj32.exeBljlfh32.exeDjqblj32.exeNiipjj32.exePaegjl32.exeGlhonj32.exeDihlbf32.exeBjpaooda.exeOjaelm32.exeHammhcij.exeIpjedh32.exeHaidklda.exeNgdmod32.exeDimenegi.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll" Menjdbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhdqoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioopml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojjhafd.dll" Cibmlmeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haoimcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdojhec.dll" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioopml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkefpan.dll" Pjdilcla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feocelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbpccql.dll" Fgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phcebinc.dll" Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbepb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiikak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfdodjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejjepo.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nomncpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgpgng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajpbckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll" Ndaggimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfcdfbqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmeffoid.dll" Nlleaeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpolbbim.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmeq32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmknaell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dipidh32.dll" Gekcaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khacqh32.dll" Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niipjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjgecbe.dll" Paegjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpiaib32.dll" Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dihlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjpaooda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojaelm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Ipjedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haidklda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcmhh32.dll" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exeHmdedo32.exeHpbaqj32.exeHfljmdjc.exeHjhfnccl.exeHmfbjnbp.exeHpgkkioa.exeHbeghene.exeHmklen32.exeHaggelfd.exeHjolnb32.exeHaidklda.exeIffmccbi.exeIidipnal.exeIbmmhdhm.exeImbaemhc.exeIfjfnb32.exeIjfboafl.exeIdofhfmm.exeIikopmkd.exeIabgaklg.exeIdacmfkj.exedescription pid process target process PID 3400 wrote to memory of 5104 3400 b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exe Hmdedo32.exe PID 3400 wrote to memory of 5104 3400 b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exe Hmdedo32.exe PID 3400 wrote to memory of 5104 3400 b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exe Hmdedo32.exe PID 5104 wrote to memory of 1900 5104 Hmdedo32.exe Hpbaqj32.exe PID 5104 wrote to memory of 1900 5104 Hmdedo32.exe Hpbaqj32.exe PID 5104 wrote to memory of 1900 5104 Hmdedo32.exe Hpbaqj32.exe PID 1900 wrote to memory of 2936 1900 Hpbaqj32.exe Hfljmdjc.exe PID 1900 wrote to memory of 2936 1900 Hpbaqj32.exe Hfljmdjc.exe PID 1900 wrote to memory of 2936 1900 Hpbaqj32.exe Hfljmdjc.exe PID 2936 wrote to memory of 4332 2936 Hfljmdjc.exe Hjhfnccl.exe PID 2936 wrote to memory of 4332 2936 Hfljmdjc.exe Hjhfnccl.exe PID 2936 wrote to memory of 4332 2936 Hfljmdjc.exe Hjhfnccl.exe PID 4332 wrote to memory of 3936 4332 Hjhfnccl.exe Hmfbjnbp.exe PID 4332 wrote to memory of 3936 4332 Hjhfnccl.exe Hmfbjnbp.exe PID 4332 wrote to memory of 3936 4332 Hjhfnccl.exe Hmfbjnbp.exe PID 3936 wrote to memory of 528 3936 Hmfbjnbp.exe Hpgkkioa.exe PID 3936 wrote to memory of 528 3936 Hmfbjnbp.exe Hpgkkioa.exe PID 3936 wrote to memory of 528 3936 Hmfbjnbp.exe Hpgkkioa.exe PID 528 wrote to memory of 2160 528 Hpgkkioa.exe Hbeghene.exe PID 528 wrote to memory of 2160 528 Hpgkkioa.exe Hbeghene.exe PID 528 wrote to memory of 2160 528 Hpgkkioa.exe Hbeghene.exe PID 2160 wrote to memory of 4980 2160 Hbeghene.exe Hmklen32.exe PID 2160 wrote to memory of 4980 2160 Hbeghene.exe Hmklen32.exe PID 2160 wrote to memory of 4980 2160 Hbeghene.exe Hmklen32.exe PID 4980 wrote to memory of 4524 4980 Hmklen32.exe Haggelfd.exe PID 4980 wrote to memory of 4524 4980 Hmklen32.exe Haggelfd.exe PID 4980 wrote to memory of 4524 4980 Hmklen32.exe Haggelfd.exe PID 4524 wrote to memory of 5052 4524 Haggelfd.exe Hjolnb32.exe PID 4524 wrote to memory of 5052 4524 Haggelfd.exe Hjolnb32.exe PID 4524 wrote to memory of 5052 4524 Haggelfd.exe Hjolnb32.exe PID 5052 wrote to memory of 5048 5052 Hjolnb32.exe Haidklda.exe PID 5052 wrote to memory of 5048 5052 Hjolnb32.exe Haidklda.exe PID 5052 wrote to memory of 5048 5052 Hjolnb32.exe Haidklda.exe PID 5048 wrote to memory of 4556 5048 Haidklda.exe Iffmccbi.exe PID 5048 wrote to memory of 4556 5048 Haidklda.exe Iffmccbi.exe PID 5048 wrote to memory of 4556 5048 Haidklda.exe Iffmccbi.exe PID 4556 wrote to memory of 2084 4556 Iffmccbi.exe Iidipnal.exe PID 4556 wrote to memory of 2084 4556 Iffmccbi.exe Iidipnal.exe PID 4556 wrote to memory of 2084 4556 Iffmccbi.exe Iidipnal.exe PID 2084 wrote to memory of 4788 2084 Iidipnal.exe Ibmmhdhm.exe PID 2084 wrote to memory of 4788 2084 Iidipnal.exe Ibmmhdhm.exe PID 2084 wrote to memory of 4788 2084 Iidipnal.exe Ibmmhdhm.exe PID 4788 wrote to memory of 4404 4788 Ibmmhdhm.exe Imbaemhc.exe PID 4788 wrote to memory of 4404 4788 Ibmmhdhm.exe Imbaemhc.exe PID 4788 wrote to memory of 4404 4788 Ibmmhdhm.exe Imbaemhc.exe PID 4404 wrote to memory of 2436 4404 Imbaemhc.exe Ifjfnb32.exe PID 4404 wrote to memory of 2436 4404 Imbaemhc.exe Ifjfnb32.exe PID 4404 wrote to memory of 2436 4404 Imbaemhc.exe Ifjfnb32.exe PID 2436 wrote to memory of 4676 2436 Ifjfnb32.exe Ijfboafl.exe PID 2436 wrote to memory of 4676 2436 Ifjfnb32.exe Ijfboafl.exe PID 2436 wrote to memory of 4676 2436 Ifjfnb32.exe Ijfboafl.exe PID 4676 wrote to memory of 2764 4676 Ijfboafl.exe Idofhfmm.exe PID 4676 wrote to memory of 2764 4676 Ijfboafl.exe Idofhfmm.exe PID 4676 wrote to memory of 2764 4676 Ijfboafl.exe Idofhfmm.exe PID 2764 wrote to memory of 648 2764 Idofhfmm.exe Iikopmkd.exe PID 2764 wrote to memory of 648 2764 Idofhfmm.exe Iikopmkd.exe PID 2764 wrote to memory of 648 2764 Idofhfmm.exe Iikopmkd.exe PID 648 wrote to memory of 3456 648 Iikopmkd.exe Iabgaklg.exe PID 648 wrote to memory of 3456 648 Iikopmkd.exe Iabgaklg.exe PID 648 wrote to memory of 3456 648 Iikopmkd.exe Iabgaklg.exe PID 3456 wrote to memory of 5016 3456 Iabgaklg.exe Idacmfkj.exe PID 3456 wrote to memory of 5016 3456 Iabgaklg.exe Idacmfkj.exe PID 3456 wrote to memory of 5016 3456 Iabgaklg.exe Idacmfkj.exe PID 5016 wrote to memory of 2268 5016 Idacmfkj.exe Jaedgjjd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b51dfa17f2fee7930f4d86f884f542c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe23⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe24⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe25⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe26⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe27⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe28⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe29⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe31⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:5024 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe33⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe34⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe35⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe36⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe37⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe38⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe39⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe40⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe41⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe42⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe43⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe44⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe45⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe46⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe47⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe48⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe49⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe50⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe51⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe52⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe53⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe55⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe56⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe57⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe58⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe59⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe60⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe61⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe63⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe64⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe65⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe66⤵PID:4380
-
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe67⤵
- Drops file in System32 directory
PID:4868 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe68⤵PID:2308
-
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe69⤵PID:3368
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe70⤵PID:2696
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe71⤵PID:4776
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe72⤵PID:3444
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe73⤵PID:5096
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe74⤵PID:4828
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe75⤵PID:1628
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe76⤵PID:2176
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe77⤵
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe78⤵PID:2248
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe79⤵PID:5092
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe80⤵PID:1400
-
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe81⤵PID:3356
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe82⤵PID:2372
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe83⤵PID:3884
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe84⤵PID:3104
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe85⤵PID:4936
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe86⤵PID:4548
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe87⤵PID:4240
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe88⤵PID:1508
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe89⤵PID:3776
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe90⤵PID:2940
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe91⤵PID:4464
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe92⤵
- Modifies registry class
PID:4288 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe93⤵PID:3216
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe94⤵PID:4236
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe95⤵PID:2544
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe96⤵PID:1856
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe97⤵PID:4516
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe98⤵PID:1780
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe99⤵PID:3296
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe100⤵PID:3324
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe101⤵PID:4256
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe102⤵
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe103⤵PID:3880
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe104⤵PID:3992
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe105⤵PID:3940
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe106⤵PID:1060
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe107⤵PID:208
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe108⤵PID:5132
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe109⤵PID:5180
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe110⤵PID:5220
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe111⤵PID:5264
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe112⤵PID:5308
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe113⤵PID:5348
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe114⤵PID:5392
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe115⤵PID:5436
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe116⤵PID:5480
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe117⤵PID:5520
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe118⤵PID:5560
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe119⤵
- Drops file in System32 directory
PID:5600 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe121⤵PID:5680
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe122⤵PID:5724
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe123⤵PID:5768
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe124⤵PID:5812
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe125⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe126⤵PID:5900
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe127⤵PID:5944
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe128⤵PID:5984
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe129⤵PID:6028
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe130⤵PID:6072
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe131⤵PID:6116
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe132⤵PID:5140
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe133⤵PID:5196
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe134⤵PID:5256
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe135⤵PID:5344
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe136⤵PID:5388
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe137⤵PID:5468
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe138⤵PID:5544
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe139⤵PID:5620
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe140⤵PID:5672
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe141⤵PID:5752
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe142⤵PID:5836
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe143⤵PID:5896
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe144⤵PID:5968
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe145⤵PID:6044
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe146⤵PID:6108
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe147⤵PID:5168
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe148⤵PID:5292
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe149⤵PID:5376
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe150⤵PID:5508
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe151⤵PID:5588
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe152⤵PID:5764
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe153⤵PID:5824
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe154⤵PID:5936
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe155⤵PID:6012
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe156⤵PID:5188
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe157⤵PID:5276
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe158⤵PID:5476
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe159⤵PID:5624
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe160⤵PID:5804
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe161⤵PID:5960
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe162⤵PID:6100
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe163⤵PID:5340
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe164⤵PID:5556
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe165⤵PID:5820
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe166⤵PID:6036
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe167⤵PID:5424
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe169⤵PID:5464
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe170⤵PID:5252
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe171⤵PID:5296
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe172⤵PID:6184
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6220 -
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe174⤵PID:6260
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe175⤵PID:6300
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe176⤵PID:6336
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe177⤵PID:6376
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe178⤵PID:6416
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe179⤵PID:6456
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe180⤵PID:6496
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe181⤵
- Drops file in System32 directory
PID:6536 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe182⤵PID:6576
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe183⤵PID:6616
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6652 -
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe185⤵PID:6692
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe186⤵PID:6736
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe187⤵PID:6772
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe188⤵PID:6812
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe189⤵PID:6852
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6888 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe191⤵PID:6928
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe192⤵PID:6964
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe193⤵PID:7004
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe194⤵PID:7044
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe195⤵PID:7084
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe196⤵
- Modifies registry class
PID:7120 -
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe197⤵PID:5940
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe198⤵PID:6192
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe199⤵PID:6268
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe200⤵PID:6332
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe201⤵PID:6400
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe202⤵PID:6452
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe203⤵PID:6524
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe204⤵PID:6584
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe205⤵PID:6644
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe206⤵PID:6720
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe207⤵PID:6788
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe208⤵PID:6848
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe209⤵PID:6920
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe210⤵PID:6992
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe211⤵PID:7064
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe212⤵PID:7140
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe213⤵PID:6204
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe214⤵PID:6324
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe215⤵PID:6440
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe216⤵
- Drops file in System32 directory
PID:6568 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe217⤵PID:6684
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe218⤵PID:6800
-
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe219⤵PID:6916
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe220⤵PID:7028
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe221⤵PID:7128
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe222⤵PID:6292
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe223⤵PID:6408
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe224⤵PID:6636
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe225⤵PID:6844
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe226⤵PID:7020
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6176 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe228⤵PID:6532
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe229⤵PID:6764
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe230⤵PID:6004
-
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe231⤵PID:6668
-
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe232⤵PID:7072
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe233⤵PID:6768
-
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe234⤵PID:7104
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe235⤵PID:7212
-
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7248 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe237⤵PID:7292
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe238⤵PID:7332
-
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe239⤵PID:7376
-
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7416 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe241⤵PID:7456
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe242⤵PID:7500