Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 08:20
Static task
static1
Behavioral task
behavioral1
Sample
ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exe
-
Size
163KB
-
MD5
ad544b5c99eecaeb119f0773ccf75cb0
-
SHA1
c868167fcc9e0e9b530365bbb2ff0d5b287e90ea
-
SHA256
34e89893e3e49d6116de3f20a4bf81fcdfe0d3bdab3197a9a9c74040469eb083
-
SHA512
0d700f48d0bc1ed22b95efbc4aad2fa5c1a53909d1694e4dee4df409c6593612b3987de80fd283984cbac8711be91ad923a158afb0ce2920ef9bc4c98e5f3c3d
-
SSDEEP
3072:Dza4CvHQHAhZK/P6Lmt1Dj/KbltOrWKDBr+yJb:DW4CvwghZK/P6G+bLOf
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ocqnij32.exeOkloegjl.exeQcgffqei.exeMimpolee.exeDmbbhkjf.exeGddbcp32.exeIbcmom32.exeHjlkge32.exeKdmqmc32.exeQchmagie.exePqpgdfnp.exeBeihma32.exeEhljfnpn.exeChjaol32.exeDfnjafap.exeKbceejpf.exeFmikeaap.exeInlihl32.exeOgcpjhoq.exeHcmgfbhd.exeLbmhlihl.exeLingibiq.exeNipekiep.exeNgdfdmdi.exeAijnep32.exeEjdocm32.exeGpaqbbld.exePjmlbbdg.exeBalfaiil.exeJgdhgmep.exePqcjepfo.exeOifeab32.exeOkjnnj32.exeQofcff32.exeIppggbck.exeHbpphi32.exeQbimoo32.exeCehkhecb.exeKplpjn32.exeCikglnkj.exeLkofdbkj.exeEgijmegb.exeFnckpmql.exeMckemg32.exeMoaogand.exeFpmggb32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocqnij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okloegjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimpolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddbcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdmqmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqpgdfnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehljfnpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbceejpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmikeaap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcpjhoq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcmgfbhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmhlihl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nipekiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdfdmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejdocm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaqbbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmlbbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgdhgmep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqcjepfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifeab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qofcff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpphi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbimoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehkhecb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkofdbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egijmegb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnckpmql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mckemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moaogand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmggb32.exe -
Executes dropped EXE 64 IoCs
Processes:
Jbocea32.exeJiikak32.exeKpccnefa.exeKbapjafe.exeKkihknfg.exeKdaldd32.exeKinemkko.exeKphmie32.exeKipabjil.exeKagichjo.exeKgdbkohf.exeKibnhjgj.exeKdhbec32.exeKgfoan32.exeLiekmj32.exeLcmofolg.exeLaopdgcg.exeLdmlpbbj.exeLkgdml32.exeLaalifad.exeLgneampk.exeLaciofpa.exeLklnhlfb.exeLcgblncm.exeMahbje32.exeMciobn32.exeMnocof32.exeMcklgm32.exeMjeddggd.exeMdkhapfj.exeMpaifalo.exeMglack32.exeMgnnhk32.exeNacbfdao.exeNgpjnkpf.exeNnjbke32.exeNgcgcjnc.exeNjacpf32.exeNcihikcg.exeNbkhfc32.exeNnaikd32.exeOgjmdigk.exeOqbamo32.exeOcqnij32.exeOkhfjh32.exeOgogoi32.exeObdkma32.exeOgaceh32.exeOkloegjl.exeOnklabip.exeOdednmpm.exeOgcpjhoq.exeOkolkg32.exeOnmhgb32.exeOdgqdlnj.exePgemphmn.exePkaiqf32.exePnpemb32.exePeimil32.exePclneicb.exePjffbc32.exePbmncp32.exePqpnombl.exePgjfkg32.exepid process 876 Jbocea32.exe 1392 Jiikak32.exe 3712 Kpccnefa.exe 1760 Kbapjafe.exe 2380 Kkihknfg.exe 1356 Kdaldd32.exe 4744 Kinemkko.exe 2360 Kphmie32.exe 1056 Kipabjil.exe 1524 Kagichjo.exe 4228 Kgdbkohf.exe 4756 Kibnhjgj.exe 840 Kdhbec32.exe 2260 Kgfoan32.exe 2828 Liekmj32.exe 4680 Lcmofolg.exe 2648 Laopdgcg.exe 4448 Ldmlpbbj.exe 880 Lkgdml32.exe 2236 Laalifad.exe 4176 Lgneampk.exe 1780 Laciofpa.exe 4712 Lklnhlfb.exe 2564 Lcgblncm.exe 1636 Mahbje32.exe 2756 Mciobn32.exe 4724 Mnocof32.exe 1752 Mcklgm32.exe 4848 Mjeddggd.exe 3984 Mdkhapfj.exe 4644 Mpaifalo.exe 224 Mglack32.exe 4560 Mgnnhk32.exe 980 Nacbfdao.exe 4588 Ngpjnkpf.exe 3636 Nnjbke32.exe 2608 Ngcgcjnc.exe 3932 Njacpf32.exe 4244 Ncihikcg.exe 1204 Nbkhfc32.exe 4652 Nnaikd32.exe 4960 Ogjmdigk.exe 1692 Oqbamo32.exe 2916 Ocqnij32.exe 4424 Okhfjh32.exe 4304 Ogogoi32.exe 1684 Obdkma32.exe 1464 Ogaceh32.exe 4640 Okloegjl.exe 396 Onklabip.exe 3128 Odednmpm.exe 2656 Ogcpjhoq.exe 1612 Okolkg32.exe 4388 Onmhgb32.exe 1648 Odgqdlnj.exe 492 Pgemphmn.exe 3284 Pkaiqf32.exe 1496 Pnpemb32.exe 2616 Peimil32.exe 1476 Pclneicb.exe 4844 Pjffbc32.exe 3868 Pbmncp32.exe 2604 Pqpnombl.exe 1924 Pgjfkg32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ffobhg32.exePclgkb32.exeDfjgaq32.exeJdgafjpn.exeMjbogmdb.exeMegljppl.exeDaaicfgd.exeOepifi32.exeOcopdn32.exeAabmqd32.exeLhijijbg.exePgihfj32.exeAimkjp32.exeLmgfda32.exeMgimcebb.exeMglfplgk.exeKgfoan32.exeEcefqnel.exeIkaggmii.exePleaoa32.exeFaenpf32.exeCioilg32.exeEmbddb32.exeCbcilkjg.exeKimnbd32.exeOqbamo32.exeCbjoljdo.exeLjkifn32.exeGdlfhj32.exeQjnkcekm.exeIdkbkl32.exeOfeilobp.exePqmjog32.exeBiadeoce.exeDmbbhkjf.exeDpbdopck.exeIicbehnq.exeNgmgne32.exeObdkma32.exeQbimoo32.exeOebflhaf.exeQgnbaj32.exeAcmflf32.exeMhicpg32.exeCjinkg32.exeLejnmncd.exeEmehdh32.exePjmlbbdg.exeDdpeoafg.exedescription ioc process File created C:\Windows\SysWOW64\Fmikeaap.exe Ffobhg32.exe File created C:\Windows\SysWOW64\Ekphijkm.dll Pclgkb32.exe File created C:\Windows\SysWOW64\Gjkmhmpl.dll Dfjgaq32.exe File opened for modification C:\Windows\SysWOW64\Jgenbfoa.exe Jdgafjpn.exe File opened for modification C:\Windows\SysWOW64\Mbighjdd.exe Mjbogmdb.exe File opened for modification C:\Windows\SysWOW64\Mkadfj32.exe Megljppl.exe File created C:\Windows\SysWOW64\Ddpeoafg.exe Daaicfgd.exe File opened for modification C:\Windows\SysWOW64\Oljaccjf.exe Oepifi32.exe File created C:\Windows\SysWOW64\Ffceip32.exe File created C:\Windows\SysWOW64\Jleijb32.exe File created C:\Windows\SysWOW64\Gdilpd32.dll Ocopdn32.exe File opened for modification C:\Windows\SysWOW64\Ncabfkqo.exe File opened for modification C:\Windows\SysWOW64\Afoeiklb.exe Aabmqd32.exe File created C:\Windows\SysWOW64\Lppbkgcj.exe Lhijijbg.exe File opened for modification C:\Windows\SysWOW64\Pleaoa32.exe Pgihfj32.exe File created C:\Windows\SysWOW64\Impjjbmh.dll Aimkjp32.exe File opened for modification C:\Windows\SysWOW64\Ldanqkki.exe Lmgfda32.exe File created C:\Windows\SysWOW64\Mmbfpp32.exe Mgimcebb.exe File created C:\Windows\SysWOW64\Mminhceb.exe Mglfplgk.exe File opened for modification C:\Windows\SysWOW64\Phfcipoo.exe File opened for modification C:\Windows\SysWOW64\Liekmj32.exe Kgfoan32.exe File created C:\Windows\SysWOW64\Paplcg32.dll Ecefqnel.exe File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe File created C:\Windows\SysWOW64\Cqgkec32.dll Ikaggmii.exe File created C:\Windows\SysWOW64\Podmkm32.exe Pleaoa32.exe File created C:\Windows\SysWOW64\Ggebqoki.dll Faenpf32.exe File created C:\Windows\SysWOW64\Jkoepmnk.dll Cioilg32.exe File opened for modification C:\Windows\SysWOW64\Eclmamod.exe Embddb32.exe File created C:\Windows\SysWOW64\Hoaojp32.exe File opened for modification C:\Windows\SysWOW64\Ceaehfjj.exe Cbcilkjg.exe File created C:\Windows\SysWOW64\Ojhnmh32.dll Kimnbd32.exe File opened for modification C:\Windows\SysWOW64\Ocqnij32.exe Oqbamo32.exe File created C:\Windows\SysWOW64\Ejdofn32.dll Cbjoljdo.exe File opened for modification C:\Windows\SysWOW64\Mbbagk32.exe Ljkifn32.exe File created C:\Windows\SysWOW64\Jbfadafe.dll Gdlfhj32.exe File created C:\Windows\SysWOW64\Ibaeen32.exe File opened for modification C:\Windows\SysWOW64\Qlmgopjq.exe Qjnkcekm.exe File created C:\Windows\SysWOW64\Ikejgf32.exe Idkbkl32.exe File created C:\Windows\SysWOW64\Pqknig32.exe Ofeilobp.exe File created C:\Windows\SysWOW64\Pclgkb32.exe Pqmjog32.exe File created C:\Windows\SysWOW64\Boklbi32.exe Biadeoce.exe File opened for modification C:\Windows\SysWOW64\Dclkee32.exe Dmbbhkjf.exe File opened for modification C:\Windows\SysWOW64\Dflmlj32.exe Dpbdopck.exe File created C:\Windows\SysWOW64\Lmldgi32.dll Iicbehnq.exe File created C:\Windows\SysWOW64\Nngokoej.exe Ngmgne32.exe File created C:\Windows\SysWOW64\Lfgipd32.exe File opened for modification C:\Windows\SysWOW64\Nmdgikhi.exe File created C:\Windows\SysWOW64\Ogaceh32.exe Obdkma32.exe File created C:\Windows\SysWOW64\Qalnjkgo.exe Qbimoo32.exe File created C:\Windows\SysWOW64\Dedaad32.dll Oebflhaf.exe File created C:\Windows\SysWOW64\Mmgdfa32.dll Qgnbaj32.exe File created C:\Windows\SysWOW64\Ogacbllg.dll File opened for modification C:\Windows\SysWOW64\Hfhgkmpj.exe File created C:\Windows\SysWOW64\Nggdeh32.dll Acmflf32.exe File opened for modification C:\Windows\SysWOW64\Mpqkad32.exe Mhicpg32.exe File opened for modification C:\Windows\SysWOW64\Cabfga32.exe Cjinkg32.exe File opened for modification C:\Windows\SysWOW64\Lhijijbg.exe Lejnmncd.exe File created C:\Windows\SysWOW64\Epcdqd32.exe Emehdh32.exe File created C:\Windows\SysWOW64\Mbbagk32.exe Ljkifn32.exe File created C:\Windows\SysWOW64\Gaakdpkj.dll File opened for modification C:\Windows\SysWOW64\Jngbjd32.exe File opened for modification C:\Windows\SysWOW64\Pagdol32.exe Pjmlbbdg.exe File created C:\Windows\SysWOW64\Dlgmpogj.exe Ddpeoafg.exe File created C:\Windows\SysWOW64\Qodeajbg.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 12516 13280 -
Modifies registry class 64 IoCs
Processes:
Clkndpag.exeIdkbkl32.exeLnadagbm.exeBahmfj32.exeMbighjdd.exeKcndbp32.exeFdgdgnbm.exeGgnedlao.exePolppg32.exeCioilg32.exeJkkjmlan.exeKlifnj32.exeMpieqeko.exeJkomneim.exeQnkdhpjn.exeAlhhhcal.exeMbhamajc.exeKniieo32.exePjbkgfej.exeFacqkg32.exeGigheh32.exeGlldgljg.exeLingibiq.exePleaoa32.exeFjadje32.exeJpfepf32.exeLqpamb32.exeDoeiljfn.exeGbbkaako.exeNlnbgddc.exeQlmgopjq.exeCbeapmll.exeMciobn32.exeOgjmdigk.exePgemphmn.exeAijnep32.exeAllpejfe.exeBbiado32.exeGdlfhj32.exeNdhmhh32.exeFahaplon.exeEmmkiclm.exeQjbena32.exePojcjh32.exeIcnpmp32.exeLihfcm32.exeNgpjnkpf.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clkndpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qipkmbib.dll" Idkbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnadagbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkolh32.dll" Bahmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcmfp32.dll" Mbighjdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcndbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogmoeik.dll" Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggnedlao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Polppg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobfem32.dll" Jkkjmlan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpieqeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jldajape.dll" Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijmiq32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnkdhpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phadlp32.dll" Alhhhcal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqomdf32.dll" Mbhamajc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjbkgfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kednfemc.dll" Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lingibiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pleaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpfepf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flioncbc.dll" Doeiljfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbbkaako.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnbgddc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlmgopjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll" Mciobn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjmdigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgemphmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aijnep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allpejfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqboip32.dll" Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfjcpfb.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conjbj32.dll" Fahaplon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmkiclm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjbena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofonqd32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnpmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihfcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpjnkpf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exeJbocea32.exeJiikak32.exeKpccnefa.exeKbapjafe.exeKkihknfg.exeKdaldd32.exeKinemkko.exeKphmie32.exeKipabjil.exeKagichjo.exeKgdbkohf.exeKibnhjgj.exeKdhbec32.exeKgfoan32.exeLiekmj32.exeLcmofolg.exeLaopdgcg.exeLdmlpbbj.exeLkgdml32.exeLaalifad.exeLgneampk.exedescription pid process target process PID 1164 wrote to memory of 876 1164 ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exe Jbocea32.exe PID 1164 wrote to memory of 876 1164 ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exe Jbocea32.exe PID 1164 wrote to memory of 876 1164 ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exe Jbocea32.exe PID 876 wrote to memory of 1392 876 Jbocea32.exe Jiikak32.exe PID 876 wrote to memory of 1392 876 Jbocea32.exe Jiikak32.exe PID 876 wrote to memory of 1392 876 Jbocea32.exe Jiikak32.exe PID 1392 wrote to memory of 3712 1392 Jiikak32.exe Kpccnefa.exe PID 1392 wrote to memory of 3712 1392 Jiikak32.exe Kpccnefa.exe PID 1392 wrote to memory of 3712 1392 Jiikak32.exe Kpccnefa.exe PID 3712 wrote to memory of 1760 3712 Kpccnefa.exe Kbapjafe.exe PID 3712 wrote to memory of 1760 3712 Kpccnefa.exe Kbapjafe.exe PID 3712 wrote to memory of 1760 3712 Kpccnefa.exe Kbapjafe.exe PID 1760 wrote to memory of 2380 1760 Kbapjafe.exe Kkihknfg.exe PID 1760 wrote to memory of 2380 1760 Kbapjafe.exe Kkihknfg.exe PID 1760 wrote to memory of 2380 1760 Kbapjafe.exe Kkihknfg.exe PID 2380 wrote to memory of 1356 2380 Kkihknfg.exe Kdaldd32.exe PID 2380 wrote to memory of 1356 2380 Kkihknfg.exe Kdaldd32.exe PID 2380 wrote to memory of 1356 2380 Kkihknfg.exe Kdaldd32.exe PID 1356 wrote to memory of 4744 1356 Kdaldd32.exe Kinemkko.exe PID 1356 wrote to memory of 4744 1356 Kdaldd32.exe Kinemkko.exe PID 1356 wrote to memory of 4744 1356 Kdaldd32.exe Kinemkko.exe PID 4744 wrote to memory of 2360 4744 Kinemkko.exe Kphmie32.exe PID 4744 wrote to memory of 2360 4744 Kinemkko.exe Kphmie32.exe PID 4744 wrote to memory of 2360 4744 Kinemkko.exe Kphmie32.exe PID 2360 wrote to memory of 1056 2360 Kphmie32.exe Kipabjil.exe PID 2360 wrote to memory of 1056 2360 Kphmie32.exe Kipabjil.exe PID 2360 wrote to memory of 1056 2360 Kphmie32.exe Kipabjil.exe PID 1056 wrote to memory of 1524 1056 Kipabjil.exe Kagichjo.exe PID 1056 wrote to memory of 1524 1056 Kipabjil.exe Kagichjo.exe PID 1056 wrote to memory of 1524 1056 Kipabjil.exe Kagichjo.exe PID 1524 wrote to memory of 4228 1524 Kagichjo.exe Kgdbkohf.exe PID 1524 wrote to memory of 4228 1524 Kagichjo.exe Kgdbkohf.exe PID 1524 wrote to memory of 4228 1524 Kagichjo.exe Kgdbkohf.exe PID 4228 wrote to memory of 4756 4228 Kgdbkohf.exe Kibnhjgj.exe PID 4228 wrote to memory of 4756 4228 Kgdbkohf.exe Kibnhjgj.exe PID 4228 wrote to memory of 4756 4228 Kgdbkohf.exe Kibnhjgj.exe PID 4756 wrote to memory of 840 4756 Kibnhjgj.exe Kdhbec32.exe PID 4756 wrote to memory of 840 4756 Kibnhjgj.exe Kdhbec32.exe PID 4756 wrote to memory of 840 4756 Kibnhjgj.exe Kdhbec32.exe PID 840 wrote to memory of 2260 840 Kdhbec32.exe Kgfoan32.exe PID 840 wrote to memory of 2260 840 Kdhbec32.exe Kgfoan32.exe PID 840 wrote to memory of 2260 840 Kdhbec32.exe Kgfoan32.exe PID 2260 wrote to memory of 2828 2260 Kgfoan32.exe Liekmj32.exe PID 2260 wrote to memory of 2828 2260 Kgfoan32.exe Liekmj32.exe PID 2260 wrote to memory of 2828 2260 Kgfoan32.exe Liekmj32.exe PID 2828 wrote to memory of 4680 2828 Liekmj32.exe Lcmofolg.exe PID 2828 wrote to memory of 4680 2828 Liekmj32.exe Lcmofolg.exe PID 2828 wrote to memory of 4680 2828 Liekmj32.exe Lcmofolg.exe PID 4680 wrote to memory of 2648 4680 Lcmofolg.exe Laopdgcg.exe PID 4680 wrote to memory of 2648 4680 Lcmofolg.exe Laopdgcg.exe PID 4680 wrote to memory of 2648 4680 Lcmofolg.exe Laopdgcg.exe PID 2648 wrote to memory of 4448 2648 Laopdgcg.exe Ldmlpbbj.exe PID 2648 wrote to memory of 4448 2648 Laopdgcg.exe Ldmlpbbj.exe PID 2648 wrote to memory of 4448 2648 Laopdgcg.exe Ldmlpbbj.exe PID 4448 wrote to memory of 880 4448 Ldmlpbbj.exe Lkgdml32.exe PID 4448 wrote to memory of 880 4448 Ldmlpbbj.exe Lkgdml32.exe PID 4448 wrote to memory of 880 4448 Ldmlpbbj.exe Lkgdml32.exe PID 880 wrote to memory of 2236 880 Lkgdml32.exe Laalifad.exe PID 880 wrote to memory of 2236 880 Lkgdml32.exe Laalifad.exe PID 880 wrote to memory of 2236 880 Lkgdml32.exe Laalifad.exe PID 2236 wrote to memory of 4176 2236 Laalifad.exe Lgneampk.exe PID 2236 wrote to memory of 4176 2236 Laalifad.exe Lgneampk.exe PID 2236 wrote to memory of 4176 2236 Laalifad.exe Lgneampk.exe PID 4176 wrote to memory of 1780 4176 Lgneampk.exe Laciofpa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ad544b5c99eecaeb119f0773ccf75cb0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe23⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe24⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe25⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe26⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe28⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe29⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe30⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe31⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe32⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe33⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe34⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe35⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4588 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe37⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe38⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe39⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe40⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe41⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe42⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4960 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe46⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe47⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe49⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe51⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe52⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe54⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe55⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe56⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:492 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe58⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe59⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe60⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe61⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe62⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe63⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe64⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe65⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe66⤵PID:2492
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe67⤵PID:3812
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe68⤵PID:464
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe69⤵PID:2620
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe70⤵PID:4536
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe71⤵PID:3596
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe72⤵PID:1368
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe74⤵PID:888
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe75⤵
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe76⤵PID:1724
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3448 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe78⤵
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3380 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe80⤵PID:4984
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe81⤵PID:4940
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe82⤵PID:2084
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe83⤵
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe84⤵PID:1604
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe85⤵PID:3412
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe86⤵PID:5028
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe87⤵PID:3084
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe88⤵PID:2204
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe89⤵PID:3164
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe90⤵
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe91⤵PID:3864
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe92⤵PID:764
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe93⤵PID:4636
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe94⤵PID:2308
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe95⤵
- Modifies registry class
PID:4660 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe96⤵PID:4752
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe97⤵PID:3340
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe98⤵PID:4740
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe99⤵PID:1040
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe100⤵PID:3248
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe101⤵PID:2712
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe102⤵PID:5128
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe103⤵PID:5168
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe105⤵PID:5256
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe106⤵PID:5296
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe107⤵PID:5336
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe108⤵PID:5376
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe109⤵PID:5416
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe110⤵PID:5464
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe111⤵PID:5508
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe112⤵PID:5548
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe113⤵PID:5588
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe114⤵PID:5632
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe115⤵PID:5676
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe116⤵PID:5712
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe117⤵PID:5760
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe118⤵PID:5796
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe119⤵PID:5836
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe120⤵PID:5876
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe121⤵PID:5924
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe122⤵PID:5964
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe123⤵
- Drops file in System32 directory
PID:6004 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe124⤵PID:6044
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe125⤵PID:6080
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe126⤵
- Modifies registry class
PID:6132 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe127⤵PID:5160
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe128⤵PID:5196
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe129⤵PID:5272
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe130⤵PID:5328
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe131⤵PID:5396
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe132⤵PID:5452
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe133⤵PID:5536
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe134⤵PID:5596
-
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe135⤵PID:5660
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe136⤵PID:5724
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe137⤵PID:5804
-
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe138⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5940 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe140⤵PID:6012
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe141⤵PID:6092
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe142⤵PID:3176
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe143⤵PID:5244
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe144⤵PID:5384
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe145⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe146⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe147⤵PID:5704
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe148⤵
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe149⤵PID:5908
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe150⤵PID:5984
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe151⤵PID:2056
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe152⤵PID:6032
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe153⤵PID:6124
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe154⤵PID:5264
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe155⤵PID:1904
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe156⤵PID:5608
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe157⤵PID:5820
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe158⤵PID:5952
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe159⤵PID:1384
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe160⤵PID:6072
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe161⤵PID:5252
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe163⤵PID:5872
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe164⤵PID:2020
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe165⤵PID:5220
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe166⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe167⤵PID:1748
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe168⤵PID:5496
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe169⤵PID:3212
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe170⤵PID:5896
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe171⤵PID:5344
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe172⤵PID:6168
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe173⤵PID:6208
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe174⤵
- Modifies registry class
PID:6248 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe175⤵PID:6288
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe176⤵PID:6328
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe177⤵PID:6372
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe178⤵PID:6412
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe179⤵PID:6456
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe180⤵PID:6496
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe181⤵PID:6532
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe182⤵PID:6572
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe183⤵PID:6612
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe184⤵PID:6656
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6696 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe186⤵PID:6736
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe187⤵PID:6776
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe188⤵PID:6816
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe189⤵PID:6860
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe190⤵PID:6900
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe191⤵PID:6932
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe192⤵PID:6976
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe193⤵PID:7016
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe194⤵PID:7056
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe195⤵
- Drops file in System32 directory
PID:7092 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe196⤵PID:7132
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe197⤵PID:6156
-
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe198⤵PID:6204
-
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe199⤵PID:6272
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6324 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe201⤵PID:6400
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe202⤵PID:6452
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe203⤵PID:6520
-
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe204⤵
- Modifies registry class
PID:6608 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe205⤵PID:6672
-
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe206⤵PID:6744
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6808 -
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe208⤵PID:6872
-
C:\Windows\SysWOW64\Jpgmha32.exeC:\Windows\system32\Jpgmha32.exe209⤵PID:6928
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe210⤵PID:7012
-
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe211⤵PID:7052
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe212⤵PID:7140
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe213⤵PID:6200
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe214⤵PID:6308
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe215⤵PID:6440
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe216⤵PID:6540
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe217⤵PID:6664
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe218⤵PID:6768
-
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe219⤵PID:6868
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe220⤵PID:6988
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe221⤵PID:7120
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe222⤵PID:6256
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe223⤵PID:6424
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe224⤵PID:6600
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe225⤵PID:6848
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe226⤵PID:7048
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe227⤵PID:6296
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe228⤵PID:6504
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe229⤵PID:6924
-
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe230⤵PID:7128
-
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6784 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe232⤵
- Drops file in System32 directory
PID:6516 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe233⤵PID:6528
-
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe234⤵PID:7176
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe235⤵PID:7224
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe236⤵PID:7268
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe237⤵PID:7308
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe238⤵PID:7352
-
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe239⤵PID:7396
-
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7436 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe241⤵PID:7484
-
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe242⤵PID:7524