Analysis
max time kernel: 143s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Size: 163KB
MD5: d37cb66a46d1a39651f71053d9e0da70
SHA1: 8ac3283b53e9712127695709ee9a50249faf1bcd
SHA256: b8f88c84657a05e7bb99c1fa0038b1dc2f516f57e69d6f6012bab77eb8b39ba2
SHA512: 71e84880ec23408b7ec8eecf59f6738cfbfa3f65d8bcbed6aff6600703dee69f334068231bbad5dfc54652fe6e0c07ff45fe6b6ecf6c27ee8175b023219a4732
SSDEEP: 1536:PNkLkUrpjRZd6weru5HvgCYbXs1lNilProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:lkLksl+FK4elEltOrWKDBr+yJb
Malware Config
Extracted: gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nledoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qdlggg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcdjoaee.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnckjddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idadnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhjcec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khgkpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnjicjbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnecigcp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkofjijm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pljlbf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbdehdfc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Domccejd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eipgjaoi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifpcchai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkmhnjlh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dklddhka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhgppnan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmlkfo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjbeofpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkqnoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpcmgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgocmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekfpmf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omckoi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idfnicfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceeieced.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nidmfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdqlajbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbjbge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjljnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koaqcn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Andgop32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clgbno32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elfcbo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjaddn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdnolfon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjacjifm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjofdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nipdkieg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oehdan32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceebklai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kekkiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opqoge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhjphfgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmjoqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lonibk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmccqbpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnqned32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Loefnpnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgqlafap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amaelomh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdnild32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhoice32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biaign32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfbnoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfllkece.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iphecepe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iphecepe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncpdbohb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohdfqbio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfnmmn32.exe
Executes dropped EXE (64 IoCs)
pid | process
2012 | Lnlnlc32.exe
2148 | Mfllkece.exe
2516 | Mabphn32.exe
2408 | Nianhplq.exe
1724 | Nidkmojn.exe
2504 | Nledoj32.exe
836 | Nadimacd.exe
112 | Ogcnkgoh.exe
2596 | Odgodl32.exe
2724 | Oifdbb32.exe
1300 | Poeipifl.exe
2212 | Pohfehdi.exe
2852 | Pkofjijm.exe
1388 | Pdihiook.exe
1736 | Qglmpi32.exe
2756 | Qmifhq32.exe
3064 | Aojojl32.exe
1108 | Agjmim32.exe
940 | Aboaff32.exe
1604 | Bnhoag32.exe
2200 | Bpjkiogm.exe
1520 | Bmnlbcfg.exe
1052 | Blchcpko.exe
1632 | Bmbemb32.exe
568 | Bbonei32.exe
2868 | Clgbno32.exe
2000 | Chnbcpmn.exe
1592 | Cmmhaf32.exe
2900 | Eamilh32.exe
2608 | Ejkkfjkj.exe
2156 | Egokonjc.exe
1644 | Edclib32.exe
2444 | Fchijone.exe
2820 | Fbmfkkbm.exe
1812 | Fdnolfon.exe
1332 | Fnfcel32.exe
2652 | Findhdcb.exe
1196 | Gcheib32.exe
1916 | Gfhnjm32.exe
2284 | Gcmoda32.exe
2356 | Gaqomeke.exe
756 | Gbaken32.exe
3000 | Gljpncgc.exe
824 | Hmjlhfof.exe
544 | Hbfepmmn.exe
1988 | Heealhla.exe
1972 | Heikgh32.exe
1800 | Hjfcpo32.exe
1396 | Idadnd32.exe
2348 | Iphecepe.exe
1156 | Ibfaopoi.exe
1980 | Idfnicfl.exe
1000 | Iegjqk32.exe
2968 | Ioooiack.exe
2264 | Ihhcbf32.exe
2908 | Ioakoq32.exe
2748 | Jhjphfgi.exe
2616 | Jabdql32.exe
2556 | Jofejpmc.exe
2840 | Jhoice32.exe
1040 | Jagnlkjd.exe
1184 | Jgdfdbhk.exe
1148 | Jplkmgol.exe
1048 | Jgfcja32.exe
Loads dropped DLL (64 IoCs)
pid | process | entries in report
2152 | d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe | 2
2012 | Lnlnlc32.exe | 2
2148 | Mfllkece.exe | 2
2516 | Mabphn32.exe | 2
2408 | Nianhplq.exe | 2
1724 | Nidkmojn.exe | 2
2504 | Nledoj32.exe | 2
836 | Nadimacd.exe | 2
112 | Ogcnkgoh.exe | 2
2596 | Odgodl32.exe | 2
2724 | Oifdbb32.exe | 2
1300 | Poeipifl.exe | 2
2212 | Pohfehdi.exe | 2
2852 | Pkofjijm.exe | 2
1388 | Pdihiook.exe | 2
1736 | Qglmpi32.exe | 2
2756 | Qmifhq32.exe | 2
3064 | Aojojl32.exe | 2
1108 | Agjmim32.exe | 2
940 | Aboaff32.exe | 2
1604 | Bnhoag32.exe | 2
2200 | Bpjkiogm.exe | 2
1520 | Bmnlbcfg.exe | 2
1052 | Blchcpko.exe | 2
1632 | Bmbemb32.exe | 2
568 | Bbonei32.exe | 2
2868 | Clgbno32.exe | 2
2000 | Chnbcpmn.exe | 2
1592 | Cmmhaf32.exe | 2
2900 | Eamilh32.exe | 2
2608 | Ejkkfjkj.exe | 2
2156 | Egokonjc.exe | 2
Drops file in System32 directory (64 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Iflmjihl.exe | Hemqpf32.exe
File created | C:\Windows\SysWOW64\Gmeeepjp.exe | Gqodqodl.exe
File opened for modification | C:\Windows\SysWOW64\Jbnjhh32.exe | Imaapa32.exe
File created | C:\Windows\SysWOW64\Fhkhip32.dll | Mqjefamk.exe
File created | C:\Windows\SysWOW64\Bnkpfm32.dll | Oflpgnld.exe
File opened for modification | C:\Windows\SysWOW64\Fchijone.exe | Edclib32.exe
File opened for modification | C:\Windows\SysWOW64\Idfnicfl.exe | Ibfaopoi.exe
File created | C:\Windows\SysWOW64\Oehdan32.exe | Ooicid32.exe
File opened for modification | C:\Windows\SysWOW64\Bnqned32.exe | Bkbaii32.exe
File opened for modification | C:\Windows\SysWOW64\Andgop32.exe | Ahgofi32.exe
File opened for modification | C:\Windows\SysWOW64\Cfmhdpnc.exe | Ciihklpj.exe
File created | C:\Windows\SysWOW64\Dbdehdfc.exe | Dmgmpnhl.exe
File created | C:\Windows\SysWOW64\Igqhpj32.exe | Ibcphc32.exe
File created | C:\Windows\SysWOW64\Kpgffe32.exe | Kkjnnn32.exe
File opened for modification | C:\Windows\SysWOW64\Gjdldd32.exe | Gdhdkn32.exe
File created | C:\Windows\SysWOW64\Jcnoejch.exe | Jnagmc32.exe
File created | C:\Windows\SysWOW64\Njlcmaba.dll | Lomgjb32.exe
File opened for modification | C:\Windows\SysWOW64\Famope32.exe | Fajbke32.exe
File created | C:\Windows\SysWOW64\Omhhke32.exe | Ncpdbohb.exe
File created | C:\Windows\SysWOW64\Pdeqfhjd.exe | Pljlbf32.exe
File created | C:\Windows\SysWOW64\Eioigi32.dll | Gnfkba32.exe
File opened for modification | C:\Windows\SysWOW64\Khgkpl32.exe | Kbjbge32.exe
File created | C:\Windows\SysWOW64\Ccbpgj32.dll | Gljpncgc.exe
File opened for modification | C:\Windows\SysWOW64\Ddpobo32.exe | Djgkii32.exe
File created | C:\Windows\SysWOW64\Dkqnoh32.exe | Dddimn32.exe
File created | C:\Windows\SysWOW64\Gkclcjqj.dll | Napbjjom.exe
File created | C:\Windows\SysWOW64\Edlhqlfi.exe | Eheglk32.exe
File created | C:\Windows\SysWOW64\Lljpjchg.exe | Lgngbmjp.exe
File created | C:\Windows\SysWOW64\Pdihiook.exe | Pkofjijm.exe
File created | C:\Windows\SysWOW64\Kkoncdcp.exe | Kcdjoaee.exe
File created | C:\Windows\SysWOW64\Binbknik.dll | Achjibcl.exe
File opened for modification | C:\Windows\SysWOW64\Imodkadq.exe | Ibipmiek.exe
File created | C:\Windows\SysWOW64\Mmichb32.dll | Hgqlafap.exe
File opened for modification | C:\Windows\SysWOW64\Bolcma32.exe | Bbhccm32.exe
File created | C:\Windows\SysWOW64\Bkmhnjlh.exe | Bfqpecma.exe
File created | C:\Windows\SysWOW64\Pepcelel.exe | Plgolf32.exe
File created | C:\Windows\SysWOW64\Dfkhndca.exe | Cfhkhd32.exe
File created | C:\Windows\SysWOW64\Qejpoi32.exe | Phfoee32.exe
File created | C:\Windows\SysWOW64\Ghgfekpn.exe | Gamnhq32.exe
File created | C:\Windows\SysWOW64\Lidqce32.dll | Kdhcli32.exe
File created | C:\Windows\SysWOW64\Cnckjddd.exe | Bflbigdb.exe
File created | C:\Windows\SysWOW64\Afdiondb.exe | Apgagg32.exe
File opened for modification | C:\Windows\SysWOW64\Cnkjnb32.exe | Cgaaah32.exe
File created | C:\Windows\SysWOW64\Pelnlcjj.dll | Gjdldd32.exe
File opened for modification | C:\Windows\SysWOW64\Nnleiipc.exe | Nnjicjbf.exe
File created | C:\Windows\SysWOW64\Bccblb32.dll | Cogfqe32.exe
File opened for modification | C:\Windows\SysWOW64\Fdnolfon.exe | Fbmfkkbm.exe
File opened for modification | C:\Windows\SysWOW64\Eiekpd32.exe | Edibhmml.exe
File created | C:\Windows\SysWOW64\Plgolf32.exe | Opqoge32.exe
File created | C:\Windows\SysWOW64\Gjdldd32.exe | Gdhdkn32.exe
File created | C:\Windows\SysWOW64\Jhmofo32.exe | Jlfnangf.exe
File opened for modification | C:\Windows\SysWOW64\Fbmfkkbm.exe | Fchijone.exe
File created | C:\Windows\SysWOW64\Qndkpmkm.exe | Qdlggg32.exe
File created | C:\Windows\SysWOW64\Bfglkheo.dll | Homdhjai.exe
File created | C:\Windows\SysWOW64\Mkidliln.dll | Nnleiipc.exe
File created | C:\Windows\SysWOW64\Qmifhq32.exe | Qglmpi32.exe
File created | C:\Windows\SysWOW64\Ihhcbf32.exe | Ioooiack.exe
File opened for modification | C:\Windows\SysWOW64\Baefnmml.exe | Bjjaikoa.exe
File created | C:\Windows\SysWOW64\Lkpidd32.dll | Opqoge32.exe
File opened for modification | C:\Windows\SysWOW64\Aklabp32.exe | Adaiee32.exe
File created | C:\Windows\SysWOW64\Hclfag32.exe | Hjcaha32.exe
File opened for modification | C:\Windows\SysWOW64\Jhoice32.exe | Jofejpmc.exe
File created | C:\Windows\SysWOW64\Elfcbo32.exe | Ecnoijbd.exe
File created | C:\Windows\SysWOW64\Nidmfh32.exe | Nplimbka.exe
Program crash (1 IoC)
pid | pid_target | process | target process
5004 | 4964 | WerFault.exe | Lepaccmo.exe
Modifies registry class (64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmkfmdne.dll" | Gbaken32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldahfej.dll" | Jplkmgol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkgngb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll" | Ciihklpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmjmajn.dll" | Hclfag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmbemb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbaken32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkecij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ieponofk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oniefifl.dll" | Bpjkiogm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Famope32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ibfaopoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnckjddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll" | Pdeqfhjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iamfdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Poeipifl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll" | Nidmfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ggdcbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Homdhjai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Icdcllpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqnaaen.dll" | Fnfcel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ccbphk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enlidg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdnild32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oflpgnld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdbmfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miqnbfnp.dll" | Ieponofk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ioakoq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkddnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnjdee.dll" | Cjhabndo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ibcphc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jlckbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dklddhka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfnge32.dll" | Gncldi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odedge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdeqfhjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmgmpnhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baefnmml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ieponofk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdklfe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fapeic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonnhc32.dll" | Mmccqbpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmkfji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdaaomdi.dll" | Gncnmane.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfcik32.dll" | d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jagnlkjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdklfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baepmlkg.dll" | Odedge32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akcomepg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjjdhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnhoag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll" | Ceebklai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Belhfdmi.dll" | Hfepod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kekkiq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejkkfjkj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lfmbek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gfnjne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gnfkba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibfaopoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Amfognic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gncldi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lfmbek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddgejcp.dll" | Mmgfqh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdeqfhjd.exe
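Read together, the "Adds autorun key" and "Modifies registry class" tables describe a single persistence mechanism: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and each dropped stage re-points that CLSID's InProcServer32 default value at its own freshly written DLL under C:\Windows\SysWow64 (ThreadingModel "Apartment"). Explorer loads every SSODL object in-process at logon, so whichever DLL was written last survives reboot without any Run key or service. The script below is an added example, not part of the sandbox report: it parses rows in the report's own "description ioc process" format (the input is a constructed subset copied from the two tables), links SSODL name to CLSID to DLL path while keeping every writer, and flags SSODL entries that are not in a baseline. The baseline set of names is an assumption for the example (WebCheck is the stock entry on Windows 7) and should be taken from a clean image of the same build.

```python
"""Reconstruct the Explorer-loaded persistence chain from the two registry
tables of the report.  Added example; not the sandbox's own code."""
import re
from collections import defaultdict

# Constructed input: rows copied from the report's "Adds autorun key" and
# "Modifies registry class" tables, one row per line, no column separators.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nledoj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdlggg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idadnd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbemb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmkfmdne.dll" Gbaken32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbaken32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfcik32.dll" d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldahfej.dll" Jplkmgol.exe
"""

# "Set value (str) <key>\<name> = "<value>" <process>"; name may be empty
# (the key's default value) or contain spaces ("Web Event Logger").
SET_RE = re.compile(r'^Set value \(str\) (?P<key>.+)\\(?P<name>[^\\]*) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\S+) (?P<proc>\S+)$')
SSODL_SUFFIX = r'\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$', re.I)


def parse_rows(text):
    """Yield (key, value name, value, writer process); 'Key created' rows have name None."""
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            # the report prints REG_SZ paths with doubled backslashes
            yield m['key'], m['name'], m['value'].replace('\\\\', '\\'), m['proc']
            continue
        m = KEY_RE.match(line)
        if m:
            yield m['key'], None, None, m['proc']


def reconstruct_chain(rows):
    """Link SSODL value name -> CLSID -> InProcServer32 DLL(s), keeping every writer."""
    ssodl = defaultdict(set)      # value name -> {clsid}
    inproc = defaultdict(dict)    # clsid -> {dll path: process that wrote it}
    threading = {}                # clsid -> ThreadingModel
    for key, name, value, proc in rows:
        if name is None:          # key creation carries no value
            continue
        if key.lower().endswith(SSODL_SUFFIX.lower()):
            ssodl[name].add(value.upper())
        m = INPROC_RE.search(key)
        if m:
            clsid = m.group(1).upper()
            if name == '':
                inproc[clsid][value] = proc
            elif name.lower() == 'threadingmodel':
                threading[clsid] = value
    return {'ssodl': {k: sorted(v) for k, v in ssodl.items()},
            'inproc': dict(inproc), 'threading': threading}


def explorer_loaded_dlls(chain, baseline=frozenset({'WebCheck'})):
    """(SSODL name, CLSID, DLL) for every SSODL entry outside the baseline.
    The baseline is an assumption for this example; derive it from a clean image."""
    findings = []
    for name, clsids in chain['ssodl'].items():
        if name in baseline:
            continue
        for clsid in clsids:
            for dll in chain['inproc'].get(clsid, {}):
                findings.append((name, clsid, dll))
    return findings


if __name__ == '__main__':
    chain = reconstruct_chain(parse_rows(SAMPLE_ROWS))
    for name, clsid, dll in explorer_loaded_dlls(chain):
        print(f'{name} -> {clsid} -> {dll} (written by {chain["inproc"][clsid][dll]})')
```

On a live host the same two locations are the ones to read (HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, then HKLM\SOFTWARE\Classes\[Wow6432Node\]CLSID\{id}\InProcServer32); a registry snapshot only holds the last DLL written, which is why the report's per-writer history is more useful than the final state when reconstructing the chain.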
Suspicious use of WriteProcessMemory (64 IoCs)
Each hop below appears four times in the report; the last column preserves that count.
description | pid | process | target process | entries in report
PID 2152 wrote to memory of 2012 | 2152 | d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe | Lnlnlc32.exe | 4
PID 2012 wrote to memory of 2148 | 2012 | Lnlnlc32.exe | Mfllkece.exe | 4
PID 2148 wrote to memory of 2516 | 2148 | Mfllkece.exe | Mabphn32.exe | 4
PID 2516 wrote to memory of 2408 | 2516 | Mabphn32.exe | Nianhplq.exe | 4
PID 2408 wrote to memory of 1724 | 2408 | Nianhplq.exe | Nidkmojn.exe | 4
PID 1724 wrote to memory of 2504 | 1724 | Nidkmojn.exe | Nledoj32.exe | 4
PID 2504 wrote to memory of 836 | 2504 | Nledoj32.exe | Nadimacd.exe | 4
PID 836 wrote to memory of 112 | 836 | Nadimacd.exe | Ogcnkgoh.exe | 4
PID 112 wrote to memory of 2596 | 112 | Ogcnkgoh.exe | Odgodl32.exe | 4
PID 2596 wrote to memory of 2724 | 2596 | Odgodl32.exe | Oifdbb32.exe | 4
PID 2724 wrote to memory of 1300 | 2724 | Oifdbb32.exe | Poeipifl.exe | 4
PID 1300 wrote to memory of 2212 | 1300 | Poeipifl.exe | Pohfehdi.exe | 4
PID 2212 wrote to memory of 2852 | 2212 | Pohfehdi.exe | Pkofjijm.exe | 4
PID 2852 wrote to memory of 1388 | 2852 | Pkofjijm.exe | Pdihiook.exe | 4
PID 1388 wrote to memory of 1736 | 1388 | Pdihiook.exe | Qglmpi32.exe | 4
PID 1736 wrote to memory of 2756 | 1736 | Qglmpi32.exe | Qmifhq32.exe | 4
Processes
-
The leading number is the process's depth in the process tree as shown in the report; each process is nested under the one listed before it. Signatures that fired for a process are listed beneath it.

1. C:\Users\Admin\AppData\Local\Temp\d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe (PID 2152; command line: "C:\Users\Admin\AppData\Local\Temp\d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe")
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lnlnlc32.exe (PID 2012; command line: C:\Windows\system32\Lnlnlc32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Mfllkece.exe (PID 2148; command line: C:\Windows\system32\Mfllkece.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Mabphn32.exe (PID 2516; command line: C:\Windows\system32\Mabphn32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Nianhplq.exe (PID 2408; command line: C:\Windows\system32\Nianhplq.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Nidkmojn.exe (PID 1724; command line: C:\Windows\system32\Nidkmojn.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Nledoj32.exe (PID 2504; command line: C:\Windows\system32\Nledoj32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Nadimacd.exe (PID 836; command line: C:\Windows\system32\Nadimacd.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ogcnkgoh.exe (PID 112; command line: C:\Windows\system32\Ogcnkgoh.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Odgodl32.exe (PID 2596; command line: C:\Windows\system32\Odgodl32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Oifdbb32.exe (PID 2724; command line: C:\Windows\system32\Oifdbb32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Poeipifl.exe (PID 1300; command line: C:\Windows\system32\Poeipifl.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pohfehdi.exe (PID 2212; command line: C:\Windows\system32\Pohfehdi.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Pkofjijm.exe (PID 2852; command line: C:\Windows\system32\Pkofjijm.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pdihiook.exe (PID 1388; command line: C:\Windows\system32\Pdihiook.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Qglmpi32.exe (PID 1736; command line: C:\Windows\system32\Qglmpi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Qmifhq32.exe (PID 2756; command line: C:\Windows\system32\Qmifhq32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Aojojl32.exe (PID 3064; command line: C:\Windows\system32\Aojojl32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Agjmim32.exe (PID 1108; command line: C:\Windows\system32\Agjmim32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Aboaff32.exe (PID 940; command line: C:\Windows\system32\Aboaff32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Bnhoag32.exe (PID 1604; command line: C:\Windows\system32\Bnhoag32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
22. C:\Windows\SysWOW64\Bpjkiogm.exe (PID 2200; command line: C:\Windows\system32\Bpjkiogm.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
23. C:\Windows\SysWOW64\Bmnlbcfg.exe (PID 1520; command line: C:\Windows\system32\Bmnlbcfg.exe)
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Blchcpko.exe (PID 1052; command line: C:\Windows\system32\Blchcpko.exe)
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Bmbemb32.exe (PID 1632; command line: C:\Windows\system32\Bmbemb32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
26. C:\Windows\SysWOW64\Bbonei32.exe (PID 568; command line: C:\Windows\system32\Bbonei32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Clgbno32.exe (PID 2868; command line: C:\Windows\system32\Clgbno32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Chnbcpmn.exe (PID 2000; command line: C:\Windows\system32\Chnbcpmn.exe)
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Cmmhaf32.exe (PID 1592; command line: C:\Windows\system32\Cmmhaf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Eamilh32.exe (PID 2900; command line: C:\Windows\system32\Eamilh32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Ejkkfjkj.exe (PID 2608; command line: C:\Windows\system32\Ejkkfjkj.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
32. C:\Windows\SysWOW64\Egokonjc.exe (PID 2156; command line: C:\Windows\system32\Egokonjc.exe)
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Edclib32.exe (PID 1644; command line: C:\Windows\system32\Edclib32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
34. C:\Windows\SysWOW64\Fchijone.exe (PID 2444; command line: C:\Windows\system32\Fchijone.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
35. C:\Windows\SysWOW64\Fbmfkkbm.exe (PID 2820; command line: C:\Windows\system32\Fbmfkkbm.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
36. C:\Windows\SysWOW64\Fdnolfon.exe (PID 1812; command line: C:\Windows\system32\Fdnolfon.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Fnfcel32.exe (PID 1332; command line: C:\Windows\system32\Fnfcel32.exe)
   - Executes dropped EXE
   - Modifies registry class
38. C:\Windows\SysWOW64\Findhdcb.exe (PID 2652; command line: C:\Windows\system32\Findhdcb.exe)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Gcheib32.exe (PID 1196; command line: C:\Windows\system32\Gcheib32.exe)
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Gfhnjm32.exe (PID 1916; command line: C:\Windows\system32\Gfhnjm32.exe)
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Gcmoda32.exe (PID 2284; command line: C:\Windows\system32\Gcmoda32.exe)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Gaqomeke.exe (PID 2356; command line: C:\Windows\system32\Gaqomeke.exe)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Gbaken32.exe (PID 756; command line: C:\Windows\system32\Gbaken32.exe)
   - Executes dropped EXE
   - Modifies registry class
44. C:\Windows\SysWOW64\Gljpncgc.exe (PID 3000; command line: C:\Windows\system32\Gljpncgc.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
45. C:\Windows\SysWOW64\Hmjlhfof.exe (PID 824; command line: C:\Windows\system32\Hmjlhfof.exe)
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Hbfepmmn.exe (PID 544; command line: C:\Windows\system32\Hbfepmmn.exe)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Heealhla.exe (PID 1988; command line: C:\Windows\system32\Heealhla.exe)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Heikgh32.exe (PID 1972; command line: C:\Windows\system32\Heikgh32.exe)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Hjfcpo32.exe (PID 1800; command line: C:\Windows\system32\Hjfcpo32.exe)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Idadnd32.exe (PID 1396; command line: C:\Windows\system32\Idadnd32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Iphecepe.exe (PID 2348; command line: C:\Windows\system32\Iphecepe.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Ibfaopoi.exe (PID 1156; command line: C:\Windows\system32\Ibfaopoi.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
53. C:\Windows\SysWOW64\Idfnicfl.exe (PID 1980; command line: C:\Windows\system32\Idfnicfl.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Iegjqk32.exe (PID 1000; command line: C:\Windows\system32\Iegjqk32.exe)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Ioooiack.exe (PID 2968; command line: C:\Windows\system32\Ioooiack.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
56. C:\Windows\SysWOW64\Ihhcbf32.exe (PID 2264; command line: C:\Windows\system32\Ihhcbf32.exe)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Ioakoq32.exe (PID 2908; command line: C:\Windows\system32\Ioakoq32.exe)
   - Executes dropped EXE
   - Modifies registry class
58. C:\Windows\SysWOW64\Jhjphfgi.exe (PID 2748; command line: C:\Windows\system32\Jhjphfgi.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Jabdql32.exe (PID 2616; command line: C:\Windows\system32\Jabdql32.exe)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Jofejpmc.exe (PID 2556; command line: C:\Windows\system32\Jofejpmc.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Jhoice32.exe (PID 2840; command line: C:\Windows\system32\Jhoice32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Jagnlkjd.exe (PID 1040; command line: C:\Windows\system32\Jagnlkjd.exe)
   - Executes dropped EXE
   - Modifies registry class
63. C:\Windows\SysWOW64\Jgdfdbhk.exe (PID 1184; command line: C:\Windows\system32\Jgdfdbhk.exe)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Jplkmgol.exe (PID 1148; command line: C:\Windows\system32\Jplkmgol.exe)
   - Executes dropped EXE
   - Modifies registry class
65. C:\Windows\SysWOW64\Jgfcja32.exe (PID 1048; command line: C:\Windows\system32\Jgfcja32.exe)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Jlckbh32.exe (PID 1612; command line: C:\Windows\system32\Jlckbh32.exe)
   - Modifies registry class
67. C:\Windows\SysWOW64\Klehgh32.exe (PID 2308; command line: C:\Windows\system32\Klehgh32.exe)
68. C:\Windows\SysWOW64\Klhemhpk.exe (PID 2476; command line: C:\Windows\system32\Klhemhpk.exe)
69. C:\Windows\SysWOW64\Kjleflod.exe (PID 1936; command line: C:\Windows\system32\Kjleflod.exe)
70. C:\Windows\SysWOW64\Kcdjoaee.exe (PID 3012; command line: C:\Windows\system32\Kcdjoaee.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
71. C:\Windows\SysWOW64\Kkoncdcp.exe (PID 776; command line: C:\Windows\system32\Kkoncdcp.exe)
72. C:\Windows\SysWOW64\Kdhcli32.exe (PID 1168; command line: C:\Windows\system32\Kdhcli32.exe)
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Lomgjb32.exe (PID 2188; command line: C:\Windows\system32\Lomgjb32.exe)
   - Drops file in System32 directory
74. C:\Windows\SysWOW64\Lhelbh32.exe (PID 1732; command line: C:\Windows\system32\Lhelbh32.exe)
75. C:\Windows\SysWOW64\Lbnpkmfg.exe (PID 1684; command line: C:\Windows\system32\Lbnpkmfg.exe)
76. C:\Windows\SysWOW64\Lneaqn32.exe (PID 2176; command line: C:\Windows\system32\Lneaqn32.exe)
77. C:\Windows\SysWOW64\Lngnfnji.exe (PID 2472; command line: C:\Windows\system32\Lngnfnji.exe)
78. C:\Windows\SysWOW64\Lfbbjpgd.exe (PID 2600; command line: C:\Windows\system32\Lfbbjpgd.exe)
79. C:\Windows\SysWOW64\Lqhfhigj.exe (PID 2640; command line: C:\Windows\system32\Lqhfhigj.exe)
80. C:\Windows\SysWOW64\Micklk32.exe (PID 2452; command line: C:\Windows\system32\Micklk32.exe)
81. C:\Windows\SysWOW64\Mfglep32.exe (PID 1344; command line: C:\Windows\system32\Mfglep32.exe)
82. C:\Windows\SysWOW64\Mkddnf32.exe (PID 1636; command line: C:\Windows\system32\Mkddnf32.exe)
   - Modifies registry class
83. C:\Windows\SysWOW64\Mbnljqic.exe (PID 2644; command line: C:\Windows\system32\Mbnljqic.exe)
84. C:\Windows\SysWOW64\Mlfacfpc.exe (PID 1608; command line: C:\Windows\system32\Mlfacfpc.exe)
85. C:\Windows\SysWOW64\Ooicid32.exe (PID 1744; command line: C:\Windows\system32\Ooicid32.exe)
   - Drops file in System32 directory
86. C:\Windows\SysWOW64\Oehdan32.exe (PID 1268; command line: C:\Windows\system32\Oehdan32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Pcdkif32.exe (PID 1140; command line: C:\Windows\system32\Pcdkif32.exe)
88. C:\Windows\SysWOW64\Amaelomh.exe (PID 2880; command line: C:\Windows\system32\Amaelomh.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Aggiigmn.exe (PID 3020; command line: C:\Windows\system32\Aggiigmn.exe)
90. C:\Windows\SysWOW64\Aqonbm32.exe (PID 1180; command line: C:\Windows\system32\Aqonbm32.exe)
91. C:\Windows\SysWOW64\Abpjjeim.exe (PID 1480; command line: C:\Windows\system32\Abpjjeim.exe)
92. C:\Windows\SysWOW64\Amfognic.exe (PID 2944; command line: C:\Windows\system32\Amfognic.exe)
   - Modifies registry class
93. C:\Windows\SysWOW64\Bmhkmm32.exe (PID 1564; command line: C:\Windows\system32\Bmhkmm32.exe)
94. C:\Windows\SysWOW64\Bfqpecma.exe (PID 924; command line: C:\Windows\system32\Bfqpecma.exe)
   - Drops file in System32 directory
95. C:\Windows\SysWOW64\Bkmhnjlh.exe (PID 2052; command line: C:\Windows\system32\Bkmhnjlh.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
96. C:\Windows\SysWOW64\Bajqfq32.exe (PID 1656; command line: C:\Windows\system32\Bajqfq32.exe)
97. C:\Windows\SysWOW64\Biaign32.exe (PID 2552; command line: C:\Windows\system32\Biaign32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Bjbeofpp.exe (PID 2400; command line: C:\Windows\system32\Bjbeofpp.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Bammlq32.exe (PID 2636; command line: C:\Windows\system32\Bammlq32.exe)
100. C:\Windows\SysWOW64\Bkbaii32.exe (PID 1836; command line: C:\Windows\system32\Bkbaii32.exe)
   - Drops file in System32 directory
101. C:\Windows\SysWOW64\Bnqned32.exe (PID 760; command line: C:\Windows\system32\Bnqned32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Bflbigdb.exe (PID 612; command line: C:\Windows\system32\Bflbigdb.exe)
   - Drops file in System32 directory
103. C:\Windows\SysWOW64\Cnckjddd.exe (PID 2060; command line: C:\Windows\system32\Cnckjddd.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
104. C:\Windows\SysWOW64\Ccpcckck.exe (PID 2928; command line: C:\Windows\system32\Ccpcckck.exe)
105. C:\Windows\SysWOW64\Cillkbac.exe (PID 2948; command line: C:\Windows\system32\Cillkbac.exe)
106. C:\Windows\SysWOW64\Ccbphk32.exe (PID 1500; command line: C:\Windows\system32\Ccbphk32.exe)
   - Modifies registry class
107. C:\Windows\SysWOW64\Cpiqmlfm.exe (PID 2876; command line: C:\Windows\system32\Cpiqmlfm.exe)
108. C:\Windows\SysWOW64\Ceeieced.exe (PID 936; command line: C:\Windows\system32\Ceeieced.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Cnnnnh32.exe (PID 1584; command line: C:\Windows\system32\Cnnnnh32.exe)
110. C:\Windows\SysWOW64\Cehfkb32.exe (PID 2684; command line: C:\Windows\system32\Cehfkb32.exe)
111. C:\Windows\SysWOW64\Cblfdg32.exe (PID 2864; command line: C:\Windows\system32\Cblfdg32.exe)
112. C:\Windows\SysWOW64\Djgkii32.exe (PID 2604; command line: C:\Windows\system32\Djgkii32.exe)
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Ddpobo32.exe (PID 2196; command line: C:\Windows\system32\Ddpobo32.exe)
114. C:\Windows\SysWOW64\Dacpkc32.exe (PID 2456; command line: C:\Windows\system32\Dacpkc32.exe)
115. C:\Windows\SysWOW64\Dklddhka.exe (PID 556; command line: C:\Windows\system32\Dklddhka.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
116. C:\Windows\SysWOW64\Dddimn32.exe (PID 2280; command line: C:\Windows\system32\Dddimn32.exe)
   - Drops file in System32 directory
117. C:\Windows\SysWOW64\Dkqnoh32.exe (PID 2204; command line: C:\Windows\system32\Dkqnoh32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Edibhmml.exe (PID 2708; command line: C:\Windows\system32\Edibhmml.exe)
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Eiekpd32.exe (PID 1904; command line: C:\Windows\system32\Eiekpd32.exe)
120. C:\Windows\SysWOW64\Ecnoijbd.exe (PID 820; command line: C:\Windows\system32\Ecnoijbd.exe)
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Elfcbo32.exe (PID 2260; command line: C:\Windows\system32\Elfcbo32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Eoepnk32.exe (PID 2240; command line: C:\Windows\system32\Eoepnk32.exe)
123. C:\Windows\SysWOW64\Eijdkcgn.exe (PID 832; command line: C:\Windows\system32\Eijdkcgn.exe)
124. C:\Windows\SysWOW64\Eogmcjef.exe (PID 1928; command line: C:\Windows\system32\Eogmcjef.exe)
125. C:\Windows\SysWOW64\Enlidg32.exe (PID 888; command line: C:\Windows\system32\Enlidg32.exe)
   - Modifies registry class
126. C:\Windows\SysWOW64\Fajbke32.exe (PID 3016; command line: C:\Windows\system32\Fajbke32.exe)
   - Drops file in System32 directory
127. C:\Windows\SysWOW64\Famope32.exe (PID 1548; command line: C:\Windows\system32\Famope32.exe)
   - Modifies registry class
128. C:\Windows\SysWOW64\Fkecij32.exe (PID 1508; command line: C:\Windows\system32\Fkecij32.exe)
   - Modifies registry class
129. C:\Windows\SysWOW64\Fdmhbplb.exe (PID 1708; command line: C:\Windows\system32\Fdmhbplb.exe)
130. C:\Windows\SysWOW64\Fjjpjgjj.exe (PID 2680; command line: C:\Windows\system32\Fjjpjgjj.exe)
131. C:\Windows\SysWOW64\Fcbecl32.exe (PID 2696; command line: C:\Windows\system32\Fcbecl32.exe)
132. C:\Windows\SysWOW64\Fqfemqod.exe (PID 1596; command line: C:\Windows\system32\Fqfemqod.exe)
133. C:\Windows\SysWOW64\Gfcnegnk.exe (PID 1216; command line: C:\Windows\system32\Gfcnegnk.exe)
134. C:\Windows\SysWOW64\Gkpfmnlb.exe (PID 1412; command line: C:\Windows\system32\Gkpfmnlb.exe)
135. C:\Windows\SysWOW64\Gdhkfd32.exe (PID 2716; command line: C:\Windows\system32\Gdhkfd32.exe)
136. C:\Windows\SysWOW64\Gonocmbi.exe (PID 1648; command line: C:\Windows\system32\Gonocmbi.exe)
137. C:\Windows\SysWOW64\Gdkgkcpq.exe (PID 2008; command line: C:\Windows\system32\Gdkgkcpq.exe)
138. C:\Windows\SysWOW64\Gncldi32.exe (PID 2892; command line: C:\Windows\system32\Gncldi32.exe)
   - Modifies registry class
139. C:\Windows\SysWOW64\Gneijien.exe (PID 1600; command line: C:\Windows\system32\Gneijien.exe)
140. C:\Windows\SysWOW64\Hkiicmdh.exe (PID 1088; command line: C:\Windows\system32\Hkiicmdh.exe)
141. C:\Windows\SysWOW64\Hebnlb32.exe (PID 1832; command line: C:\Windows\system32\Hebnlb32.exe)
142. C:\Windows\SysWOW64\Hjofdi32.exe (PID 2256; command line: C:\Windows\system32\Hjofdi32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
143. C:\Windows\SysWOW64\Hcgjmo32.exe (PID 2912; command line: C:\Windows\system32\Hcgjmo32.exe)
144. C:\Windows\SysWOW64\Hjacjifm.exe (PID 2492; command line: C:\Windows\system32\Hjacjifm.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
145. C:\Windows\SysWOW64\Hifpke32.exe (PID 2576; command line: C:\Windows\system32\Hifpke32.exe)
146. C:\Windows\SysWOW64\Hemqpf32.exe (PID 1004; command line: C:\Windows\system32\Hemqpf32.exe)
   - Drops file in System32 directory
147. C:\Windows\SysWOW64\Iflmjihl.exe (PID 2952; command line: C:\Windows\system32\Iflmjihl.exe)
148. C:\Windows\SysWOW64\Iliebpfc.exe (PID 1892; command line: C:\Windows\system32\Iliebpfc.exe)
149. C:\Windows\SysWOW64\Injndk32.exe (PID 2292; command line: C:\Windows\system32\Injndk32.exe)
150. C:\Windows\SysWOW64\Ihbcmaje.exe (PID 2228; command line: C:\Windows\system32\Ihbcmaje.exe)
151. C:\Windows\SysWOW64\Imokehhl.exe (PID 2328; command line: C:\Windows\system32\Imokehhl.exe)
152. C:\Windows\SysWOW64\Jlphbbbg.exe (PID 540; command line: C:\Windows\system32\Jlphbbbg.exe)
153. C:\Windows\SysWOW64\Kdklfe32.exe (PID 2232; command line: C:\Windows\system32\Kdklfe32.exe)
   - Modifies registry class
154. C:\Windows\SysWOW64\Koaqcn32.exe (PID 272; command line: C:\Windows\system32\Koaqcn32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
155. C:\Windows\SysWOW64\Kdnild32.exe (PID 2752; command line: C:\Windows\system32\Kdnild32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
156. C:\Windows\SysWOW64\Knfndjdp.exe (PID 2620; command line: C:\Windows\system32\Knfndjdp.exe)
157. C:\Windows\SysWOW64\Kkjnnn32.exe (PID 2668; command line: C:\Windows\system32\Kkjnnn32.exe)
   - Drops file in System32 directory
158. C:\Windows\SysWOW64\Kpgffe32.exe (PID 1440; command line: C:\Windows\system32\Kpgffe32.exe)
159. C:\Windows\SysWOW64\Kjokokha.exe (PID 2728; command line: C:\Windows\system32\Kjokokha.exe)
160. C:\Windows\SysWOW64\Kddomchg.exe (PID 1956; command line: C:\Windows\system32\Kddomchg.exe)
161. C:\Windows\SysWOW64\Kpkpadnl.exe (PID 2924; command line: C:\Windows\system32\Kpkpadnl.exe)
162. C:\Windows\SysWOW64\Lfhhjklc.exe (PID 2768; command line: C:\Windows\system32\Lfhhjklc.exe)
163. C:\Windows\SysWOW64\Lfkeokjp.exe (PID 2812; command line: C:\Windows\system32\Lfkeokjp.exe)
164. C:\Windows\SysWOW64\Lkgngb32.exe (PID 2784; command line: C:\Windows\system32\Lkgngb32.exe)
   - Modifies registry class
165. C:\Windows\SysWOW64\Lfmbek32.exe (PID 2648; command line: C:\Windows\system32\Lfmbek32.exe)
   - Modifies registry class
166. C:\Windows\SysWOW64\Loefnpnn.exe (PID 2392; command line: C:\Windows\system32\Loefnpnn.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
167. C:\Windows\SysWOW64\Lhnkffeo.exe (PID 1120; command line: C:\Windows\system32\Lhnkffeo.exe)
168. C:\Windows\SysWOW64\Lqipkhbj.exe (PID 1124; command line: C:\Windows\system32\Lqipkhbj.exe)
169. C:\Windows\SysWOW64\Mjaddn32.exe (PID 1540; command line: C:\Windows\system32\Mjaddn32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
170. C:\Windows\SysWOW64\Mcjhmcok.exe (PID 3032; command line: C:\Windows\system32\Mcjhmcok.exe)
171. C:\Windows\SysWOW64\Mclebc32.exe (PID 2796; command line: C:\Windows\system32\Mclebc32.exe)
172. C:\Windows\SysWOW64\Mqpflg32.exe (PID 2732; command line: C:\Windows\system32\Mqpflg32.exe)
173. C:\Windows\SysWOW64\Mgjnhaco.exe (PID 2384; command line: C:\Windows\system32\Mgjnhaco.exe)
174. C:\Windows\SysWOW64\Mmgfqh32.exe (PID 1144; command line: C:\Windows\system32\Mmgfqh32.exe)
   - Modifies registry class
175. C:\Windows\SysWOW64\Mcqombic.exe (PID 1716; command line: C:\Windows\system32\Mcqombic.exe)
176. C:\Windows\SysWOW64\Mimgeigj.exe (PID 1308; command line: C:\Windows\system32\Mimgeigj.exe)
177. C:\Windows\SysWOW64\Nbflno32.exe (PID 1092; command line: C:\Windows\system32\Nbflno32.exe)
178. C:\Windows\SysWOW64\Nipdkieg.exe (PID 2296; command line: C:\Windows\system32\Nipdkieg.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
179. C:\Windows\SysWOW64\Nefdpjkl.exe (PID 2560; command line: C:\Windows\system32\Nefdpjkl.exe)
180. C:\Windows\SysWOW64\Nplimbka.exe (PID 2380; command line: C:\Windows\system32\Nplimbka.exe)
   - Drops file in System32 directory
181. C:\Windows\SysWOW64\Nidmfh32.exe (PID 1176; command line: C:\Windows\system32\Nidmfh32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
182. C:\Windows\SysWOW64\Napbjjom.exe (PID 2320; command line: C:\Windows\system32\Napbjjom.exe)
   - Drops file in System32 directory
183. C:\Windows\SysWOW64\Nncbdomg.exe (PID 2084; command line: C:\Windows\system32\Nncbdomg.exe)
184. C:\Windows\SysWOW64\Nenkqi32.exe (PID 3044; command line: C:\Windows\system32\Nenkqi32.exe)
185. C:\Windows\SysWOW64\Opglafab.exe (PID 2316; command line: C:\Windows\system32\Opglafab.exe)
186. C:\Windows\SysWOW64\Oippjl32.exe (PID 1820; command line: C:\Windows\system32\Oippjl32.exe)
187. C:\Windows\SysWOW64\Odedge32.exe (PID 792; command line: C:\Windows\system32\Odedge32.exe)
   - Modifies registry class
188. C:\Windows\SysWOW64\Oibmpl32.exe (PID 2512; command line: C:\Windows\system32\Oibmpl32.exe)
189. C:\Windows\SysWOW64\Objaha32.exe (PID 2044; command line: C:\Windows\system32\Objaha32.exe)
190. C:\Windows\SysWOW64\Obmnna32.exe (PID 1588; command line: C:\Windows\system32\Obmnna32.exe)
191. C:\Windows\SysWOW64\Opqoge32.exe (PID 2872; command line: C:\Windows\system32\Opqoge32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
192. C:\Windows\SysWOW64\Plgolf32.exe (PID 1652; command line: C:\Windows\system32\Plgolf32.exe)
   - Drops file in System32 directory
193. C:\Windows\SysWOW64\Pepcelel.exe (PID 1680; command line: C:\Windows\system32\Pepcelel.exe)
194. C:\Windows\SysWOW64\Pljlbf32.exe (PID 920; command line: C:\Windows\system32\Pljlbf32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
195. C:\Windows\SysWOW64\Pdeqfhjd.exe (PID 2744; command line: C:\Windows\system32\Pdeqfhjd.exe)
   - Modifies registry class
196. C:\Windows\SysWOW64\Pplaki32.exe (PID 2960; command line: C:\Windows\system32\Pplaki32.exe)
197. C:\Windows\SysWOW64\Paknelgk.exe (PID 1468; command line: C:\Windows\system32\Paknelgk.exe)
198. C:\Windows\SysWOW64\Pghfnc32.exe (PID 624; command line: C:\Windows\system32\Pghfnc32.exe)
199. C:\Windows\SysWOW64\Qdlggg32.exe (PID 2004; command line: C:\Windows\system32\Qdlggg32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
200. C:\Windows\SysWOW64\Qndkpmkm.exe (PID 932; command line: C:\Windows\system32\Qndkpmkm.exe)
201. C:\Windows\SysWOW64\Qjklenpa.exe (PID 3024; command line: C:\Windows\system32\Qjklenpa.exe)
202. C:\Windows\SysWOW64\Aohdmdoh.exe (PID 3080; command line: C:\Windows\system32\Aohdmdoh.exe)
203. C:\Windows\SysWOW64\Apgagg32.exe (PID 3120; command line: C:\Windows\system32\Apgagg32.exe)
   - Drops file in System32 directory
204. C:\Windows\SysWOW64\Afdiondb.exe (PID 3160; command line: C:\Windows\system32\Afdiondb.exe)
205. C:\Windows\SysWOW64\Achjibcl.exe (PID 3200; command line: C:\Windows\system32\Achjibcl.exe)
   - Drops file in System32 directory
206. C:\Windows\SysWOW64\Akcomepg.exe (PID 3240; command line: C:\Windows\system32\Akcomepg.exe)
   - Modifies registry class
207. C:\Windows\SysWOW64\Ahgofi32.exe (PID 3280; command line: C:\Windows\system32\Ahgofi32.exe)
   - Drops file in System32 directory
208. C:\Windows\SysWOW64\Andgop32.exe (PID 3320; command line: C:\Windows\system32\Andgop32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
209. C:\Windows\SysWOW64\Bjkhdacm.exe (PID 3360; command line: C:\Windows\system32\Bjkhdacm.exe)
210. C:\Windows\SysWOW64\Bdqlajbb.exe (PID 3404; command line: C:\Windows\system32\Bdqlajbb.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
211. C:\Windows\SysWOW64\Bniajoic.exe (PID 3452; command line: C:\Windows\system32\Bniajoic.exe)
212. C:\Windows\SysWOW64\Bdcifi32.exe (PID 3524; command line: C:\Windows\system32\Bdcifi32.exe)
213. C:\Windows\SysWOW64\Bjpaop32.exe (PID 3564; command line: C:\Windows\system32\Bjpaop32.exe)
214. C:\Windows\SysWOW64\Bchfhfeh.exe (PID 3616; command line: C:\Windows\system32\Bchfhfeh.exe)
215. C:\Windows\SysWOW64\Bjbndpmd.exe (PID 3684; command line: C:\Windows\system32\Bjbndpmd.exe)
216. C:\Windows\SysWOW64\Bqlfaj32.exe (PID 3728; command line: C:\Windows\system32\Bqlfaj32.exe)
217. C:\Windows\SysWOW64\Bjdkjpkb.exe (PID 3772; command line: C:\Windows\system32\Bjdkjpkb.exe)
218. C:\Windows\SysWOW64\Bmbgfkje.exe (PID 3812; command line: C:\Windows\system32\Bmbgfkje.exe)
219. C:\Windows\SysWOW64\Ccmpce32.exe (PID 3852; command line: C:\Windows\system32\Ccmpce32.exe)
220. C:\Windows\SysWOW64\Ciihklpj.exe (PID 3896; command line: C:\Windows\system32\Ciihklpj.exe)
   - Drops file in System32 directory
   - Modifies registry class
221. C:\Windows\SysWOW64\Cfmhdpnc.exe (PID 4016; command line: C:\Windows\system32\Cfmhdpnc.exe)
222. C:\Windows\SysWOW64\Cbdiia32.exe (PID 4056; command line: C:\Windows\system32\Cbdiia32.exe)
223. C:\Windows\SysWOW64\Cgaaah32.exe (PID 3076; command line: C:\Windows\system32\Cgaaah32.exe)
   - Drops file in System32 directory
224. C:\Windows\SysWOW64\Cnkjnb32.exe (PID 3112; command line: C:\Windows\system32\Cnkjnb32.exe)
225. C:\Windows\SysWOW64\Ceebklai.exe (PID 3148; command line: C:\Windows\system32\Ceebklai.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
226. C:\Windows\SysWOW64\Cjakccop.exe (PID 3216; command line: C:\Windows\system32\Cjakccop.exe)
227. C:\Windows\SysWOW64\Cmpgpond.exe (PID 3256; command line: C:\Windows\system32\Cmpgpond.exe)
228. C:\Windows\SysWOW64\Cfhkhd32.exe (PID 3312; command line: C:\Windows\system32\Cfhkhd32.exe)
   - Drops file in System32 directory
229. C:\Windows\SysWOW64\Dfkhndca.exe (PID 3356; command line: C:\Windows\system32\Dfkhndca.exe)
230. C:\Windows\SysWOW64\Dpcmgi32.exe (PID 3420; command line: C:\Windows\system32\Dpcmgi32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
231. C:\Windows\SysWOW64\Dmgmpnhl.exe (PID 3516; command line: C:\Windows\system32\Dmgmpnhl.exe)
   - Drops file in System32 directory
   - Modifies registry class
232. C:\Windows\SysWOW64\Dbdehdfc.exe (PID 3560; command line: C:\Windows\system32\Dbdehdfc.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
233. C:\Windows\SysWOW64\Dfbnoc32.exe (PID 3600; command line: C:\Windows\system32\Dfbnoc32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
234. C:\Windows\SysWOW64\Dhckfkbh.exe (PID 3672; command line: C:\Windows\system32\Dhckfkbh.exe)
235. C:\Windows\SysWOW64\Domccejd.exe (PID 3696; command line: C:\Windows\system32\Domccejd.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
236. C:\Windows\SysWOW64\Eheglk32.exe (PID 3804; command line: C:\Windows\system32\Eheglk32.exe)
   - Drops file in System32 directory
237. C:\Windows\SysWOW64\Edlhqlfi.exe (PID 3836; command line: C:\Windows\system32\Edlhqlfi.exe)
238. C:\Windows\SysWOW64\Ekfpmf32.exe (PID 3912; command line: C:\Windows\system32\Ekfpmf32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
239. C:\Windows\SysWOW64\Eaphjp32.exe (PID 3964; command line: C:\Windows\system32\Eaphjp32.exe)
240. C:\Windows\SysWOW64\Eodicd32.exe (PID 4004; command line: C:\Windows\system32\Eodicd32.exe)
241. C:\Windows\SysWOW64\Egonhf32.exe (PID 4064; command line: C:\Windows\system32\Egonhf32.exe)
242. C:\Windows\SysWOW64\Ephbal32.exe (PID 4084; command line: C:\Windows\system32\Ephbal32.exe)