Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 21:54
Static task
static1
Behavioral task
behavioral1
Sample
3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe
-
Size
163KB
-
MD5
3f707897d1d7d509755f5c5f15b482e0
-
SHA1
f2d435bf8220689f61721693a8916bfd476496d9
-
SHA256
efeecad655ebfb9093247d6047b4cff7649f57ef0780080f6c2cbf30348a7b8c
-
SHA512
39918b1db6ae8fc027267f4703727638a8abfda489f84e85543b8d965ff22126e3890bc0db50b1420338689cb6c1c71832f908857f4a7f707ffd2dc659ba048c
-
SSDEEP
1536:PJ4a/uTP5k+GXwZX6bvVHsp2SL/wQEflProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:mDu+G6cvVHsp2SrEfltOrWKDBr+yJb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gomakdcp.exeLfkaag32.exeFmocba32.exeFodeolof.exeClnjjpod.exeKdgljmcd.exeGjocgdkg.exeJibeql32.exeAelcfilb.exeGcojed32.exeJidklf32.exeDjnaji32.exeJangmibi.exeLgpagm32.exeFafkecel.exeKepelfam.exeCpedjf32.exeDagiil32.exeIjaida32.exePcppfaka.exeBfdodjhm.exeFijmbb32.exeGkoiefmj.exeAmbgef32.exeCoojfa32.exeDomfgpca.exeJbkjjblm.exeEcandfpd.exeJioaqfcc.exeKmnjhioc.exeBhdbhcck.exeBmemac32.exeAedpaoif.exeFihqmb32.exePgopffec.exeGbbkaako.exeHobkfd32.exeAhblmjhj.exeBbgipldd.exeCklaknjd.exeCagobalc.exeChagok32.exePqbdjfln.exeChgoogfa.exeMpolqa32.exeAjdbcano.exeGkkojgao.exeKboljk32.exeChnlihnl.exeEhonfc32.exeAaqgek32.exeKpbmco32.exeOgkcpbam.exeKgphpo32.exeLcbiao32.exePmdkch32.exeDodbbdbb.exeGqkhjn32.exeJplmmfmi.exeJmpngk32.exeAbkjdnoa.exeCedihl32.exePcncpbmd.exeCdfkolkf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomakdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmocba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fodeolof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clnjjpod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdgljmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjocgdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibeql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aelcfilb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcojed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnaji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jangmibi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kepelfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpedjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dagiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijaida32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfdodjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijmbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoiefmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambgef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coojfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domfgpca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkjjblm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecandfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jioaqfcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmnjhioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aedpaoif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihqmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgopffec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahblmjhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklaknjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chgoogfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdbcano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkojgao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kboljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnlihnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehonfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaqgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpbmco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkcpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgphpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcbiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdkch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqkhjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmpngk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkjdnoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cedihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcncpbmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe -
Executes dropped EXE 64 IoCs
Processes:
Alkkhi32.exeAbedecjb.exeAahdqp32.exeAedpaoif.exeAhblmjhj.exeBlnhni32.exeBoldjd32.exeBbhqjchp.exeBibigmpl.exeBlpechop.exeBpladg32.exeBbjmpb32.exeBehiln32.exeBidemmnj.exeBlbaihmn.exeBoanecla.exeBekfan32.exeBlennh32.exeBockjc32.exeBbofkbbh.exeBiiohl32.exeBlgkdg32.exeBbacqape.exeBeppmmoi.exeChnlihnl.exeCpedjf32.exeCccpfa32.exeCeblbm32.exeCimhckeo.exeCpgqpe32.exeCcfmla32.exeCedihl32.exeCipehkcl.exeCpjmee32.exeCommqb32.exeCakjmm32.exeCefemliq.exeClqnjf32.exeCpljkdig.exeCoojfa32.exeCamfbm32.exeCeibclgn.exeChgoogfa.exeClckpf32.exeCoagla32.exeCapchmmb.exeCekohk32.exeDigkijmd.exeDlegeemh.exeDpacfd32.exeDcopbp32.exeDabpnlkp.exeDiihojkb.exeDhlhjf32.exeDpcpkc32.exeDadlclim.exeDephckaf.exeDhnepfpj.exeDpemacql.exeDohmlp32.exeDagiil32.exeDjnaji32.exeDllmfd32.exeDphifcoi.exepid process 3052 Alkkhi32.exe 3920 Abedecjb.exe 4696 Aahdqp32.exe 4820 Aedpaoif.exe 2188 Ahblmjhj.exe 2340 Blnhni32.exe 1188 Boldjd32.exe 5064 Bbhqjchp.exe 3552 Bibigmpl.exe 1640 Blpechop.exe 1004 Bpladg32.exe 3720 Bbjmpb32.exe 4068 Behiln32.exe 2096 Bidemmnj.exe 4320 Blbaihmn.exe 3240 Boanecla.exe 4780 Bekfan32.exe 640 Blennh32.exe 4772 Bockjc32.exe 4928 Bbofkbbh.exe 2668 Biiohl32.exe 332 Blgkdg32.exe 4904 Bbacqape.exe 3948 Beppmmoi.exe 4368 Chnlihnl.exe 2176 Cpedjf32.exe 1156 Cccpfa32.exe 840 Ceblbm32.exe 2388 Cimhckeo.exe 4996 Cpgqpe32.exe 1664 Ccfmla32.exe 1172 Cedihl32.exe 3704 Cipehkcl.exe 2904 Cpjmee32.exe 2080 Commqb32.exe 1948 Cakjmm32.exe 3528 Cefemliq.exe 4548 Clqnjf32.exe 432 Cpljkdig.exe 1512 Coojfa32.exe 4496 Camfbm32.exe 2676 Ceibclgn.exe 3184 Chgoogfa.exe 4404 Clckpf32.exe 3820 Coagla32.exe 4184 Capchmmb.exe 4604 Cekohk32.exe 2940 Digkijmd.exe 4464 Dlegeemh.exe 4792 Dpacfd32.exe 3956 Dcopbp32.exe 3076 Dabpnlkp.exe 3308 Diihojkb.exe 3444 Dhlhjf32.exe 4836 Dpcpkc32.exe 4856 Dadlclim.exe 5080 Dephckaf.exe 4596 Dhnepfpj.exe 2168 Dpemacql.exe 5084 Dohmlp32.exe 4396 Dagiil32.exe 644 Djnaji32.exe 724 Dllmfd32.exe 2000 Dphifcoi.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ffekegon.exeFijmbb32.exeKbdmpqcb.exeOkhfjh32.exeOkolkg32.exeDdakjkqi.exePabkdmpi.exeAjanck32.exeBmemac32.exeCjpckf32.exeGppekj32.exeJagqlj32.exeEhljfnpn.exeBoldjd32.exeHbhdmd32.exeMpaifalo.exeFdlnbm32.exeBebblb32.exeCakjmm32.exeGcggpj32.exeLfkaag32.exeCommqb32.exeKmlnbi32.exeNcnadk32.exeOlcbmj32.exeAfmhck32.exeCfpnph32.exeBlnhni32.exeAqppkd32.exeEhjdldfl.exeJbocea32.exeMmpijp32.exeBnkgeg32.exeEhhgfdho.exeFqhbmqqg.exeMkpgck32.exeCeaehfjj.exeCafigg32.exePncgmkmj.exeCklaknjd.exeFhcpgmjf.exeIpknlb32.exeNloiakho.exeAlkkhi32.exeCapchmmb.exePbbgnpgl.exeHelfik32.exeJbeidl32.exeBpladg32.exeHbeqmoji.exeBgehcmmm.exeEofinnkf.exeJdmcidam.exeKkpnlm32.exe3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exeKphmie32.exeEkjfcipa.exePggbkagp.exeHfljmdjc.exeAjiknpjj.exedescription ioc process File created C:\Windows\SysWOW64\Ddhbep32.dll Ffekegon.exe File opened for modification C:\Windows\SysWOW64\Fmficqpc.exe Fijmbb32.exe File opened for modification C:\Windows\SysWOW64\Kgphpo32.exe Kbdmpqcb.exe File created C:\Windows\SysWOW64\Ojjffddl.exe Okhfjh32.exe File created C:\Windows\SysWOW64\Cdicgd32.dll Okolkg32.exe File created C:\Windows\SysWOW64\Kmdjdl32.dll Ddakjkqi.exe File created C:\Windows\SysWOW64\Pmjqhl32.dll Pabkdmpi.exe File opened for modification C:\Windows\SysWOW64\Ampkof32.exe Ajanck32.exe File created C:\Windows\SysWOW64\Belebq32.exe Bmemac32.exe File created C:\Windows\SysWOW64\Ffpmlcim.dll Cjpckf32.exe File opened for modification C:\Windows\SysWOW64\Hboagf32.exe Gppekj32.exe File created C:\Windows\SysWOW64\Jpjqhgol.exe Jagqlj32.exe File created C:\Windows\SysWOW64\Ekjfcipa.exe Ehljfnpn.exe File opened for modification C:\Windows\SysWOW64\Bbhqjchp.exe Boldjd32.exe File created C:\Windows\SysWOW64\Mlmpolji.dll Hbhdmd32.exe File opened for modification C:\Windows\SysWOW64\Mglack32.exe Mpaifalo.exe File opened for modification C:\Windows\SysWOW64\Foabofnn.exe Fdlnbm32.exe File created C:\Windows\SysWOW64\Glbandkm.dll Bebblb32.exe File created C:\Windows\SysWOW64\Cefemliq.exe Cakjmm32.exe File created C:\Windows\SysWOW64\Gfedle32.exe Gcggpj32.exe File opened for modification C:\Windows\SysWOW64\Lmdina32.exe Lfkaag32.exe File created C:\Windows\SysWOW64\Cakjmm32.exe Commqb32.exe File opened for modification C:\Windows\SysWOW64\Kagichjo.exe Kmlnbi32.exe File created C:\Windows\SysWOW64\Cepkeokh.dll Ncnadk32.exe File created C:\Windows\SysWOW64\Knfoif32.dll Olcbmj32.exe File created C:\Windows\SysWOW64\Echegpbb.dll Afmhck32.exe File created C:\Windows\SysWOW64\Lfjhbihm.dll Cfpnph32.exe File created C:\Windows\SysWOW64\Boldjd32.exe Blnhni32.exe File created C:\Windows\SysWOW64\Acnlgp32.exe Aqppkd32.exe File created C:\Windows\SysWOW64\Eodlho32.exe Ehjdldfl.exe File created C:\Windows\SysWOW64\Mfpoqooh.dll Jbocea32.exe File created C:\Windows\SysWOW64\Mgimcebb.exe Mmpijp32.exe File created C:\Windows\SysWOW64\Bmngqdpj.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Diblfl32.dll Blnhni32.exe File opened for modification C:\Windows\SysWOW64\Epopgbia.exe Ehhgfdho.exe File created C:\Windows\SysWOW64\Fokbim32.exe Fqhbmqqg.exe File created C:\Windows\SysWOW64\Mjcgohig.exe Mkpgck32.exe File created C:\Windows\SysWOW64\Cddecc32.exe Ceaehfjj.exe File created C:\Windows\SysWOW64\Ceaehfjj.exe Cafigg32.exe File opened for modification C:\Windows\SysWOW64\Pqbdjfln.exe Pncgmkmj.exe File opened for modification C:\Windows\SysWOW64\Andqdh32.exe Afmhck32.exe File created C:\Windows\SysWOW64\Hefffnbk.dll Kmlnbi32.exe File created C:\Windows\SysWOW64\Gohibf32.dll Cklaknjd.exe File created C:\Windows\SysWOW64\Fchddejl.exe Fhcpgmjf.exe File created C:\Windows\SysWOW64\Iehfdi32.exe Ipknlb32.exe File created C:\Windows\SysWOW64\Njciko32.exe Nloiakho.exe File created C:\Windows\SysWOW64\Abedecjb.exe Alkkhi32.exe File created C:\Windows\SysWOW64\Cekohk32.exe Capchmmb.exe File created C:\Windows\SysWOW64\Dnhqigge.dll Pbbgnpgl.exe File opened for modification C:\Windows\SysWOW64\Hobkfd32.exe Helfik32.exe File created C:\Windows\SysWOW64\Jioaqfcc.exe Jbeidl32.exe File created C:\Windows\SysWOW64\Ehabgbnk.dll Bpladg32.exe File opened for modification C:\Windows\SysWOW64\Hkmefd32.exe Hbeqmoji.exe File created C:\Windows\SysWOW64\Bjddphlq.exe Bgehcmmm.exe File opened for modification C:\Windows\SysWOW64\Ejlmkgkl.exe Eofinnkf.exe File created C:\Windows\SysWOW64\Jbocea32.exe Jdmcidam.exe File opened for modification C:\Windows\SysWOW64\Kmnjhioc.exe Kkpnlm32.exe File opened for modification C:\Windows\SysWOW64\Alkkhi32.exe 3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Ppaaagol.dll Kphmie32.exe File created C:\Windows\SysWOW64\Bejfanad.dll Ekjfcipa.exe File created C:\Windows\SysWOW64\Mfilim32.dll Pggbkagp.exe File created C:\Windows\SysWOW64\Hjhfnccl.exe Hfljmdjc.exe File created C:\Windows\SysWOW64\Andgoobc.exe Ajiknpjj.exe File created C:\Windows\SysWOW64\Ocljjj32.dll Nloiakho.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 13664 14168 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Clckpf32.exeCekohk32.exeHmklen32.exeKdgljmcd.exeBidemmnj.exeLcgblncm.exeCmlcbbcj.exeEoapbo32.exeDlncan32.exeGbiaapdf.exeEjgdpg32.exeGjapmdid.exeHbhdmd32.exeOnholckc.exePbkamqmd.exeChpada32.exeOcgmpccl.exeGameonno.exeNgbpidjh.exeIpnalhii.exeFlqimk32.exeDaqbip32.exeDcopbp32.exeKgbefoji.exeQgcbgo32.exeDhnepfpj.exeEhjdldfl.exeFbgbpihg.exeJjmhppqd.exeNnhfee32.exeHkmefd32.exeFohoigfh.exeChagok32.exeDephckaf.exeHmfbjnbp.exeIbagcc32.exeKmjqmi32.exeEaklidoi.exeJeaikh32.exeKlljnp32.exeEjjqeg32.exeHmioonpn.exeBoanecla.exeDphifcoi.exeHjolnb32.exeBekfan32.exeEfneehef.exeHmdedo32.exeLgkhlnbn.exeAjkhdp32.exeKpeiioac.exeDlegeemh.exeHobkfd32.exeIfopiajn.exeJfkoeppq.exeCfpnph32.exeCmqmma32.exeHpbaqj32.exeIfjfnb32.exeJangmibi.exeGbbkaako.exeDllmfd32.exeFijmbb32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clckpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cekohk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmklen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdgljmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjnbc32.dll" Bidemmnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll" Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoapbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlncan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbiaapdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgdpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjapmdid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhdmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onholckc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbkamqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoakjca.dll" Chpada32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gameonno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipnalhii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flqimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkdqfii.dll" Dcopbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgbefoji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjmif32.dll" Dhnepfpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll" Ehjdldfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgbpihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjmhppqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjljbfog.dll" Flqimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkmefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fohoigfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dephckaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibagcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjqmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaklidoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll" Jeaikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll" Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll" Ejjqeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmioonpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boanecla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphifcoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bekfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopeje32.dll" Efneehef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll" Hmdedo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgkhlnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlegeemh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjegoo32.dll" Hobkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifopiajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll" Jfkoeppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll" Hpbaqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifjfnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jangmibi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dllmfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll" Fijmbb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exeAlkkhi32.exeAbedecjb.exeAahdqp32.exeAedpaoif.exeAhblmjhj.exeBlnhni32.exeBoldjd32.exeBbhqjchp.exeBibigmpl.exeBlpechop.exeBpladg32.exeBbjmpb32.exeBehiln32.exeBidemmnj.exeBlbaihmn.exeBoanecla.exeBekfan32.exeBlennh32.exeBockjc32.exeBbofkbbh.exeBiiohl32.exedescription pid process target process PID 4080 wrote to memory of 3052 4080 3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe Alkkhi32.exe PID 4080 wrote to memory of 3052 4080 3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe Alkkhi32.exe PID 4080 wrote to memory of 3052 4080 3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe Alkkhi32.exe PID 3052 wrote to memory of 3920 3052 Alkkhi32.exe Abedecjb.exe PID 3052 wrote to memory of 3920 3052 Alkkhi32.exe Abedecjb.exe PID 3052 wrote to memory of 3920 3052 Alkkhi32.exe Abedecjb.exe PID 3920 wrote to memory of 4696 3920 Abedecjb.exe Aahdqp32.exe PID 3920 wrote to memory of 4696 3920 Abedecjb.exe Aahdqp32.exe PID 3920 wrote to memory of 4696 3920 Abedecjb.exe Aahdqp32.exe PID 4696 wrote to memory of 4820 4696 Aahdqp32.exe Aedpaoif.exe PID 4696 wrote to memory of 4820 4696 Aahdqp32.exe Aedpaoif.exe PID 4696 wrote to memory of 4820 4696 Aahdqp32.exe Aedpaoif.exe PID 4820 wrote to memory of 2188 4820 Aedpaoif.exe Ahblmjhj.exe PID 4820 wrote to memory of 2188 4820 Aedpaoif.exe Ahblmjhj.exe PID 4820 wrote to memory of 2188 4820 Aedpaoif.exe Ahblmjhj.exe PID 2188 wrote to memory of 2340 2188 Ahblmjhj.exe Blnhni32.exe PID 2188 wrote to memory of 2340 2188 Ahblmjhj.exe Blnhni32.exe PID 2188 wrote to memory of 2340 2188 Ahblmjhj.exe Blnhni32.exe PID 2340 wrote to memory of 1188 2340 Blnhni32.exe Boldjd32.exe PID 2340 wrote to memory of 1188 2340 Blnhni32.exe Boldjd32.exe PID 2340 wrote to memory of 1188 2340 Blnhni32.exe Boldjd32.exe PID 1188 wrote to memory of 5064 1188 Boldjd32.exe Bbhqjchp.exe PID 1188 wrote to memory of 5064 1188 Boldjd32.exe Bbhqjchp.exe PID 1188 wrote to memory of 5064 1188 Boldjd32.exe Bbhqjchp.exe PID 5064 wrote to memory of 3552 5064 Bbhqjchp.exe Bibigmpl.exe PID 5064 wrote to memory of 3552 5064 Bbhqjchp.exe Bibigmpl.exe PID 5064 wrote to memory of 3552 5064 Bbhqjchp.exe Bibigmpl.exe PID 3552 wrote to memory of 1640 3552 Bibigmpl.exe Blpechop.exe PID 3552 wrote to memory of 1640 3552 Bibigmpl.exe Blpechop.exe PID 3552 wrote to memory of 1640 3552 Bibigmpl.exe Blpechop.exe PID 1640 wrote to memory of 1004 1640 Blpechop.exe Bpladg32.exe PID 1640 wrote to memory of 1004 1640 Blpechop.exe Bpladg32.exe PID 1640 wrote to memory of 1004 1640 Blpechop.exe Bpladg32.exe PID 1004 wrote to memory of 3720 1004 Bpladg32.exe Bbjmpb32.exe PID 1004 wrote to memory of 3720 1004 Bpladg32.exe Bbjmpb32.exe PID 1004 wrote to memory of 3720 1004 Bpladg32.exe Bbjmpb32.exe PID 3720 wrote to memory of 4068 3720 Bbjmpb32.exe Behiln32.exe PID 3720 wrote to memory of 4068 3720 Bbjmpb32.exe Behiln32.exe PID 3720 wrote to memory of 4068 3720 Bbjmpb32.exe Behiln32.exe PID 4068 wrote to memory of 2096 4068 Behiln32.exe Bidemmnj.exe PID 4068 wrote to memory of 2096 4068 Behiln32.exe Bidemmnj.exe PID 4068 wrote to memory of 2096 4068 Behiln32.exe Bidemmnj.exe PID 2096 wrote to memory of 4320 2096 Bidemmnj.exe Blbaihmn.exe PID 2096 wrote to memory of 4320 2096 Bidemmnj.exe Blbaihmn.exe PID 2096 wrote to memory of 4320 2096 Bidemmnj.exe Blbaihmn.exe PID 4320 wrote to memory of 3240 4320 Blbaihmn.exe Boanecla.exe PID 4320 wrote to memory of 3240 4320 Blbaihmn.exe Boanecla.exe PID 4320 wrote to memory of 3240 4320 Blbaihmn.exe Boanecla.exe PID 3240 wrote to memory of 4780 3240 Boanecla.exe Bekfan32.exe PID 3240 wrote to memory of 4780 3240 Boanecla.exe Bekfan32.exe PID 3240 wrote to memory of 4780 3240 Boanecla.exe Bekfan32.exe PID 4780 wrote to memory of 640 4780 Bekfan32.exe Blennh32.exe PID 4780 wrote to memory of 640 4780 Bekfan32.exe Blennh32.exe PID 4780 wrote to memory of 640 4780 Bekfan32.exe Blennh32.exe PID 640 wrote to memory of 4772 640 Blennh32.exe Bockjc32.exe PID 640 wrote to memory of 4772 640 Blennh32.exe Bockjc32.exe PID 640 wrote to memory of 4772 640 Blennh32.exe Bockjc32.exe PID 4772 wrote to memory of 4928 4772 Bockjc32.exe Bbofkbbh.exe PID 4772 wrote to memory of 4928 4772 Bockjc32.exe Bbofkbbh.exe PID 4772 wrote to memory of 4928 4772 Bockjc32.exe Bbofkbbh.exe PID 4928 wrote to memory of 2668 4928 Bbofkbbh.exe Biiohl32.exe PID 4928 wrote to memory of 2668 4928 Bbofkbbh.exe Biiohl32.exe PID 4928 wrote to memory of 2668 4928 Bbofkbbh.exe Biiohl32.exe PID 2668 wrote to memory of 332 2668 Biiohl32.exe Blgkdg32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3f707897d1d7d509755f5c5f15b482e0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Abedecjb.exeC:\Windows\system32\Abedecjb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Aahdqp32.exeC:\Windows\system32\Aahdqp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Aedpaoif.exeC:\Windows\system32\Aedpaoif.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Ahblmjhj.exeC:\Windows\system32\Ahblmjhj.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Boldjd32.exeC:\Windows\system32\Boldjd32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Bbjmpb32.exeC:\Windows\system32\Bbjmpb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Bekfan32.exeC:\Windows\system32\Bekfan32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe23⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Bbacqape.exeC:\Windows\system32\Bbacqape.exe24⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe25⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Chnlihnl.exeC:\Windows\system32\Chnlihnl.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe28⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe29⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Cimhckeo.exeC:\Windows\system32\Cimhckeo.exe30⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe31⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe32⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe34⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe35⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe38⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe39⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe40⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe42⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe43⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4404 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe46⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4184 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe49⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe51⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe53⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe54⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe55⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe56⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe57⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5080 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4596 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe60⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe61⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:724 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe66⤵PID:684
-
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe67⤵PID:2816
-
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe68⤵PID:1996
-
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe69⤵PID:2864
-
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4544 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe71⤵PID:3572
-
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe72⤵PID:4392
-
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe73⤵PID:1836
-
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe74⤵PID:2160
-
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe75⤵PID:4008
-
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe76⤵PID:2540
-
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe77⤵
- Drops file in System32 directory
PID:4260 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe78⤵PID:2720
-
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe79⤵
- Modifies registry class
PID:4784 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe80⤵PID:4808
-
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe81⤵
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3508 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe83⤵PID:5156
-
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe84⤵PID:5200
-
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe85⤵
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe86⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe87⤵PID:5324
-
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe88⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe89⤵PID:5424
-
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5464 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe91⤵PID:5508
-
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe92⤵PID:5548
-
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe93⤵
- Modifies registry class
PID:5584 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe94⤵PID:5652
-
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe95⤵
- Drops file in System32 directory
PID:5696 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe96⤵PID:5736
-
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe97⤵PID:5776
-
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe98⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe99⤵PID:5880
-
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5920 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe101⤵PID:5964
-
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe102⤵PID:6008
-
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe103⤵PID:6048
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe104⤵PID:6088
-
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe105⤵PID:6136
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe106⤵PID:2304
-
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe107⤵PID:2328
-
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe108⤵PID:5332
-
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5432 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe110⤵PID:3544
-
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe111⤵PID:5556
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe112⤵PID:5660
-
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe113⤵PID:5732
-
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe114⤵PID:5808
-
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5872 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe116⤵PID:5400
-
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe118⤵PID:6072
-
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe119⤵PID:5180
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe120⤵PID:5228
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe121⤵PID:3716
-
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe122⤵PID:5644
-
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe123⤵PID:1868
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe124⤵PID:5944
-
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe125⤵PID:5184
-
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe126⤵PID:5388
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe127⤵PID:5220
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe128⤵PID:5888
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5996 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe130⤵PID:4860
-
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe131⤵PID:5460
-
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe132⤵PID:5532
-
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe133⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe134⤵PID:6168
-
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe135⤵
- Modifies registry class
PID:6204 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe136⤵PID:6252
-
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe137⤵PID:6296
-
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6340 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe139⤵PID:6376
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe140⤵PID:6420
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe141⤵PID:6460
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe142⤵PID:6504
-
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe143⤵PID:6540
-
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe144⤵
- Modifies registry class
PID:6592 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe145⤵
- Drops file in System32 directory
PID:6632 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe146⤵PID:6672
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe147⤵PID:6712
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe148⤵PID:6752
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe149⤵
- Modifies registry class
PID:6796 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe150⤵PID:6836
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe151⤵
- Modifies registry class
PID:6876 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe152⤵PID:6924
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe153⤵
- Drops file in System32 directory
PID:6968 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe154⤵PID:7004
-
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe155⤵
- Modifies registry class
PID:7048 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe156⤵PID:7092
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe157⤵PID:7132
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe158⤵PID:5260
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe159⤵PID:6196
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe160⤵PID:6276
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe161⤵PID:6336
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe162⤵
- Modifies registry class
PID:6412 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe163⤵PID:6476
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe164⤵PID:6560
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe165⤵PID:6616
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe166⤵PID:6660
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe167⤵PID:6760
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe168⤵PID:6792
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe169⤵
- Modifies registry class
PID:6872 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe170⤵PID:6920
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe171⤵PID:6996
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe172⤵
- Drops file in System32 directory
- Modifies registry class
PID:7044 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe173⤵PID:7100
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe174⤵
- Modifies registry class
PID:7160 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe175⤵PID:6240
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe176⤵PID:6328
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe177⤵PID:6452
-
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe178⤵PID:6536
-
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe179⤵PID:6652
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe180⤵PID:6780
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5712 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe182⤵PID:6960
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe183⤵PID:7084
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe184⤵
- Modifies registry class
PID:6164 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe185⤵PID:6320
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe186⤵PID:6588
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe187⤵PID:6720
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe188⤵PID:6868
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe189⤵PID:7060
-
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe190⤵PID:6260
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe191⤵PID:6612
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe192⤵PID:6856
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe193⤵
- Modifies registry class
PID:7080 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe194⤵PID:6448
-
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe195⤵PID:7036
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe196⤵PID:6916
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe197⤵PID:6532
-
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe198⤵
- Modifies registry class
PID:7208 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe199⤵PID:7244
-
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe200⤵PID:7280
-
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe201⤵PID:7324
-
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe202⤵PID:7360
-
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe203⤵PID:7400
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe204⤵PID:7436
-
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe205⤵
- Modifies registry class
PID:7476 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe206⤵PID:7512
-
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe207⤵PID:7552
-
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe208⤵PID:7588
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe209⤵PID:7628
-
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe210⤵PID:7668
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe211⤵
- Modifies registry class
PID:7704 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe212⤵PID:7744
-
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe213⤵
- Drops file in System32 directory
PID:7784 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe214⤵PID:7820
-
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe215⤵PID:7864
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe216⤵PID:7904
-
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe217⤵PID:7944
-
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe218⤵PID:7980
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8024 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe220⤵PID:8060
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8100 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe222⤵PID:8124
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe223⤵PID:8160
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7176 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe225⤵PID:7236
-
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe226⤵PID:7308
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe227⤵PID:7000
-
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7432 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe229⤵PID:7500
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe230⤵PID:7572
-
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe231⤵PID:7636
-
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe232⤵PID:7696
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe233⤵PID:7768
-
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe234⤵PID:7840
-
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7896 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe236⤵PID:7964
-
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe237⤵
- Drops file in System32 directory
PID:8016 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe238⤵
- Drops file in System32 directory
PID:8088 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe239⤵
- Modifies registry class
PID:8156 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe240⤵PID:7228
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe241⤵PID:7352
-
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe242⤵PID:7460