Analysis
-
max time kernel
99s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 22:55
Static task
static1
Behavioral task
behavioral1
Sample
16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exe
-
Size
163KB
-
MD5
16fd257c466f33fd2cc581d43f737150
-
SHA1
7226dddc31dfe384bfdfffa3c4a21db607c7075e
-
SHA256
e0aedc4a59ee79f7c84a4b2168ce04f3d7eb94f4ed1f0cf2ddaf6d794a0634e3
-
SHA512
11213173f997a1027bad637ac32879b0efc13ab971ff19b630c8d38258d1082cd7e27a0f126b8ff3178226c65407e811b95d63e87850edab3d3b8ff08539583b
-
SSDEEP
3072:mtstRldFJQrUtnA5OPbWQs08lHQZd9ltOrWKDBr+yJb:m2RCubWQsRlHQd9LOf
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Efjimhnh.exeGbchdp32.exeIibccgep.exeBacjdbch.exeQfbobf32.exeFdglmkeg.exeEfblbbqd.exeOabhfg32.exeMfhfhong.exeMhoipb32.exeAgimkk32.exeNhnlkfpp.exeOehlkc32.exeKbnepe32.exeIeidhh32.exeOgfcjm32.exeDbqqkkbo.exeEoideh32.exeCkjknfnh.exeHajpbckl.exeFiodpl32.exeOhhnbhok.exeMojhgbdl.exeGbeejp32.exeHfcnpn32.exeNcnofeof.exeQaqegecm.exeKfnkkb32.exePhincl32.exeGpqjglii.exeKoodbl32.exeQkmdkgob.exeKkgiimng.exeLdipha32.exeBhpfqcln.exeEblimcdf.exePlcdiabk.exeJnfcia32.exePkenjh32.exeCoiaiakf.exeDmalne32.exeBkjiao32.exeOjdgnn32.exeIinqbn32.exeMmkkmc32.exeCofnik32.exeGlgcbf32.exeGfeaopqo.exeKoaagkcb.exeDkdliame.exeKqfngd32.exeOeheqm32.exeMleoafmn.exeEkgbccni.exeHbpphi32.exeJilnqqbj.exeQoifflkg.exeCkkiccep.exeDiccgfpd.exeHkbmqb32.exeEefaomcg.exeHloqml32.exeIjcjmmil.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjimhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbchdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibccgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfbobf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhfhong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnlkfpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbnepe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogfcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoideh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjknfnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajpbckl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiodpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhnbhok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojhgbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbeejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcnpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnkkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phincl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqjglii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmdkgob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgiimng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpfqcln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plcdiabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfcia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coiaiakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhnbhok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iinqbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkdliame.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqfngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeheqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mleoafmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekgbccni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpphi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilnqqbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoifflkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkiccep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkbmqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefaomcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcjmmil.exe -
Executes dropped EXE 64 IoCs
Processes:
Olcbmj32.exeOcnjidkf.exeOcpgod32.exeOjjolnaq.exeOpdghh32.exeOjllan32.exeOqfdnhfk.exeOnjegled.exeOqhacgdh.exePqknig32.exePfhfan32.exePclgkb32.exePmdkch32.exePdkcde32.exePjhlml32.exePcppfaka.exePmidog32.exePjmehkqk.exeQgqeappe.exeQmmnjfnl.exeQcgffqei.exeAcnlgp32.exeAndqdh32.exeAglemn32.exeAminee32.exeBfabnjjp.exeBagflcje.exeBnkgeg32.exeBchomn32.exeBmpcfdmg.exeBgehcmmm.exeBmbplc32.exeBanllbdn.exeBhhdil32.exeBmemac32.exeBelebq32.exeCfmajipb.exeCabfga32.exeCfpnph32.exeCmiflbel.exeCdcoim32.exeCnicfe32.exeCagobalc.exeCjpckf32.exeCnkplejl.exeChcddk32.exeCjbpaf32.exeDdjejl32.exeDfiafg32.exeDmcibama.exeDejacond.exeDmefhako.exeDkifae32.exeDeokon32.exeDhmgki32.exeDogogcpo.exeDeagdn32.exeDhocqigp.exeDgbdlf32.exeDoilmc32.exeEhapfiem.exeEefaomcg.exeEhdmlhcj.exeEaladnik.exepid process 3756 Olcbmj32.exe 1544 Ocnjidkf.exe 4976 Ocpgod32.exe 552 Ojjolnaq.exe 4284 Opdghh32.exe 1184 Ojllan32.exe 5020 Oqfdnhfk.exe 3964 Onjegled.exe 1828 Oqhacgdh.exe 2744 Pqknig32.exe 1636 Pfhfan32.exe 4916 Pclgkb32.exe 836 Pmdkch32.exe 1704 Pdkcde32.exe 2600 Pjhlml32.exe 4604 Pcppfaka.exe 4320 Pmidog32.exe 3084 Pjmehkqk.exe 2964 Qgqeappe.exe 4772 Qmmnjfnl.exe 872 Qcgffqei.exe 3748 Acnlgp32.exe 3488 Andqdh32.exe 2248 Aglemn32.exe 4016 Aminee32.exe 1960 Bfabnjjp.exe 1468 Bagflcje.exe 4728 Bnkgeg32.exe 4240 Bchomn32.exe 2924 Bmpcfdmg.exe 4632 Bgehcmmm.exe 3628 Bmbplc32.exe 860 Banllbdn.exe 4992 Bhhdil32.exe 1956 Bmemac32.exe 1652 Belebq32.exe 2240 Cfmajipb.exe 4028 Cabfga32.exe 3656 Cfpnph32.exe 3188 Cmiflbel.exe 1092 Cdcoim32.exe 4588 Cnicfe32.exe 232 Cagobalc.exe 3916 Cjpckf32.exe 3312 Cnkplejl.exe 5048 Chcddk32.exe 4384 Cjbpaf32.exe 2008 Ddjejl32.exe 4408 Dfiafg32.exe 2436 Dmcibama.exe 2356 Dejacond.exe 3864 Dmefhako.exe 1660 Dkifae32.exe 3780 Deokon32.exe 4340 Dhmgki32.exe 1524 Dogogcpo.exe 1060 Deagdn32.exe 684 Dhocqigp.exe 1220 Dgbdlf32.exe 3328 Doilmc32.exe 2728 Ehapfiem.exe 3380 Eefaomcg.exe 1788 Ehdmlhcj.exe 4840 Ealadnik.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jmbhoeid.exeLljklo32.exeDeagdn32.exeNiniei32.exeOhiemobf.exeBkmmaeap.exeIciaqc32.exeFngcmcfe.exeAokkahlo.exeCoqncejg.exeFjjnifbl.exeDdgibkpc.exeInpccihl.exeDbjkkl32.exeDihlbf32.exeFjadje32.exeHlcjhkdp.exeChkobkod.exeBmpcfdmg.exeJfehed32.exeLfodbqfa.exeOmegjomb.exeGbeejp32.exeDannij32.exeEhhpla32.exeCkkiccep.exeJqhafffk.exeEmoadlfo.exeGimqajgh.exeMniallpq.exeCbfgkffn.exeFpkibf32.exeDgcihgaj.exeFikbocki.exeLjhefhha.exePnplfj32.exeApmhiq32.exeKijjbofj.exeKgamnded.exeKkgiimng.exeLlodgnja.exeLfgipd32.exeOcgbld32.exeFhpmgg32.exeOhhnbhok.exeAlbpkc32.exeDmlkhofd.exeEoideh32.exeHninbj32.exeEbhglj32.exeGbdoof32.exeKpoalo32.exeLqhdbm32.exeOnapdl32.exeOlckbd32.exeGhkeio32.exeNhbolp32.exeCljobphg.exeHedafk32.exeKegpifod.exeBpdnjple.exeHdbfodfa.exeKppici32.exeJlmfeg32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Jocefm32.exe Jmbhoeid.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Lljklo32.exe File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe Deagdn32.exe File created C:\Windows\SysWOW64\Ighkgpcl.dll Niniei32.exe File created C:\Windows\SysWOW64\Oocmii32.exe Ohiemobf.exe File opened for modification C:\Windows\SysWOW64\Bbgeno32.exe Bkmmaeap.exe File created C:\Windows\SysWOW64\Ecgamkhq.dll Iciaqc32.exe File created C:\Windows\SysWOW64\Fimhbfpl.dll Fngcmcfe.exe File opened for modification C:\Windows\SysWOW64\Apmhiq32.exe Aokkahlo.exe File created C:\Windows\SysWOW64\Chiblk32.exe Coqncejg.exe File opened for modification C:\Windows\SysWOW64\Fmikeaap.exe Fjjnifbl.exe File created C:\Windows\SysWOW64\Dkqaoe32.exe Ddgibkpc.exe File created C:\Windows\SysWOW64\Idjlpc32.exe Inpccihl.exe File created C:\Windows\SysWOW64\Djqblj32.exe Dbjkkl32.exe File created C:\Windows\SysWOW64\Olealnbk.dll Dihlbf32.exe File created C:\Windows\SysWOW64\Fmpqfq32.exe Fjadje32.exe File created C:\Windows\SysWOW64\Hpofii32.exe Hlcjhkdp.exe File created C:\Windows\SysWOW64\Pcmdgodo.dll Chkobkod.exe File opened for modification C:\Windows\SysWOW64\Bgehcmmm.exe Bmpcfdmg.exe File created C:\Windows\SysWOW64\Abeiec32.dll Jfehed32.exe File created C:\Windows\SysWOW64\Pilehehn.dll Lfodbqfa.exe File created C:\Windows\SysWOW64\Odoogi32.exe Omegjomb.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Gbeejp32.exe File created C:\Windows\SysWOW64\Qbemjj32.dll Dannij32.exe File created C:\Windows\SysWOW64\Emehdh32.exe Ehhpla32.exe File created C:\Windows\SysWOW64\Egqbff32.dll Ckkiccep.exe File created C:\Windows\SysWOW64\Jgbjbp32.exe Jqhafffk.exe File opened for modification C:\Windows\SysWOW64\Eblimcdf.exe Emoadlfo.exe File opened for modification C:\Windows\SysWOW64\Gpgind32.exe Gimqajgh.exe File created C:\Windows\SysWOW64\Epdikp32.dll Mniallpq.exe File opened for modification C:\Windows\SysWOW64\Cfbcke32.exe Cbfgkffn.exe File created C:\Windows\SysWOW64\Gfeaopqo.exe Fpkibf32.exe File created C:\Windows\SysWOW64\Dojqjdbl.exe Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Fpejlmcf.exe Fikbocki.exe File opened for modification C:\Windows\SysWOW64\Lenicahg.exe Ljhefhha.exe File opened for modification C:\Windows\SysWOW64\Ppahmb32.exe Pnplfj32.exe File created C:\Windows\SysWOW64\Pnbddbhk.dll Apmhiq32.exe File created C:\Windows\SysWOW64\Klifnj32.exe Kijjbofj.exe File created C:\Windows\SysWOW64\Lajagj32.exe Kgamnded.exe File opened for modification C:\Windows\SysWOW64\Kmieae32.exe Kkgiimng.exe File created C:\Windows\SysWOW64\Lfgipd32.exe Llodgnja.exe File created C:\Windows\SysWOW64\Bgqoll32.dll Lfgipd32.exe File opened for modification C:\Windows\SysWOW64\Onmfimga.exe Ocgbld32.exe File created C:\Windows\SysWOW64\Fahaplon.exe Fhpmgg32.exe File created C:\Windows\SysWOW64\Omegjomb.exe Ohhnbhok.exe File created C:\Windows\SysWOW64\Pjinodke.dll Albpkc32.exe File opened for modification C:\Windows\SysWOW64\Dfdpad32.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Ebgpad32.exe Eoideh32.exe File created C:\Windows\SysWOW64\Jndamj32.dll Hninbj32.exe File created C:\Windows\SysWOW64\Emmkiclm.exe Ebhglj32.exe File created C:\Windows\SysWOW64\Gingkqkd.exe Gbdoof32.exe File opened for modification C:\Windows\SysWOW64\Koaagkcb.exe Kpoalo32.exe File opened for modification C:\Windows\SysWOW64\Lfeljd32.exe Lqhdbm32.exe File created C:\Windows\SysWOW64\Nnahhegq.dll Onapdl32.exe File created C:\Windows\SysWOW64\Gcgfom32.dll Olckbd32.exe File created C:\Windows\SysWOW64\Gdapai32.dll Ghkeio32.exe File opened for modification C:\Windows\SysWOW64\Nolgijpk.exe Nhbolp32.exe File opened for modification C:\Windows\SysWOW64\Cohkokgj.exe Cljobphg.exe File created C:\Windows\SysWOW64\Hlnjbedi.exe Hedafk32.exe File opened for modification C:\Windows\SysWOW64\Klahfp32.exe Kegpifod.exe File opened for modification C:\Windows\SysWOW64\Bgnffj32.exe Bpdnjple.exe File opened for modification C:\Windows\SysWOW64\Hgabkoee.exe Hdbfodfa.exe File opened for modification C:\Windows\SysWOW64\Kbnepe32.exe Kppici32.exe File opened for modification C:\Windows\SysWOW64\Jqhafffk.exe Jlmfeg32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5028 8004 WerFault.exe Dkqaoe32.exe -
Modifies registry class 64 IoCs
Processes:
Klahfp32.exeIoambknl.exeDhlpqc32.exeAcmobchj.exeCmjemflb.exeBepmoh32.exeInbqhhfj.exeDpdaepai.exeFbhpch32.exeMcecjmkl.exeNjmqnobn.exePmdkch32.exeJnpmjf32.exeBfqkddfd.exeDhjckcgi.exeQklmpalf.exePhhhhc32.exeDiccgfpd.exeEbhglj32.exeJcphab32.exeLlmhaold.exeMfeeabda.exeNglhld32.exeOlcbmj32.exePpamophb.exeBjlpjm32.exeCodhnb32.exeEpikpo32.exeJcdala32.exeOmnjojpo.exeGnepna32.exeIbhkfm32.exePjmehkqk.exeDpnkdq32.exeLgqfdnah.exeBhkmec32.exeDdjmba32.exeFngcmcfe.exeAokkahlo.exeCoqncejg.exeCfmajipb.exeEkefmc32.exeOhghgodi.exePkenjh32.exeKdigadjo.exeDfdpad32.exeKfcdfbqo.exeMidfokpm.exeAhfdjanb.exeEmehdh32.exeIgchfiof.exePpgegd32.exeFolaiqng.exeNeclenfo.exeOnnmdcjm.exeBoihcf32.exeQcgffqei.exeEfjimhnh.exeBnfihkqm.exeHacbhb32.exeLijlof32.exeMblcnj32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdkjpimd.dll" Ioambknl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhlpqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmobchj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgfllg.dll" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignmpke.dll" Inbqhhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpdaepai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcecjmkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll" Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjckcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpped32.dll" Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhhhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diccgfpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll" Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll" Nglhld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olcbmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppamophb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlpjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Codhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epikpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcdala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahcld32.dll" Ibhkfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmehkqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpnkdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahici32.dll" Bhkmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll" Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coqncejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnaggngj.dll" Ekefmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohghgodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqklch32.dll" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdigadjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfdpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfcdfbqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midfokpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigmlgok.dll" Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppgegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chighhee.dll" Folaiqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnqimah.dll" Onnmdcjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjimhnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecffa32.dll" Lijlof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mblcnj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exeOlcbmj32.exeOcnjidkf.exeOcpgod32.exeOjjolnaq.exeOpdghh32.exeOjllan32.exeOqfdnhfk.exeOnjegled.exeOqhacgdh.exePqknig32.exePfhfan32.exePclgkb32.exePmdkch32.exePdkcde32.exePjhlml32.exePcppfaka.exePmidog32.exePjmehkqk.exeQgqeappe.exeQmmnjfnl.exeQcgffqei.exedescription pid process target process PID 2632 wrote to memory of 3756 2632 16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exe Olcbmj32.exe PID 2632 wrote to memory of 3756 2632 16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exe Olcbmj32.exe PID 2632 wrote to memory of 3756 2632 16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exe Olcbmj32.exe PID 3756 wrote to memory of 1544 3756 Olcbmj32.exe Ocnjidkf.exe PID 3756 wrote to memory of 1544 3756 Olcbmj32.exe Ocnjidkf.exe PID 3756 wrote to memory of 1544 3756 Olcbmj32.exe Ocnjidkf.exe PID 1544 wrote to memory of 4976 1544 Ocnjidkf.exe Ocpgod32.exe PID 1544 wrote to memory of 4976 1544 Ocnjidkf.exe Ocpgod32.exe PID 1544 wrote to memory of 4976 1544 Ocnjidkf.exe Ocpgod32.exe PID 4976 wrote to memory of 552 4976 Ocpgod32.exe Ojjolnaq.exe PID 4976 wrote to memory of 552 4976 Ocpgod32.exe Ojjolnaq.exe PID 4976 wrote to memory of 552 4976 Ocpgod32.exe Ojjolnaq.exe PID 552 wrote to memory of 4284 552 Ojjolnaq.exe Opdghh32.exe PID 552 wrote to memory of 4284 552 Ojjolnaq.exe Opdghh32.exe PID 552 wrote to memory of 4284 552 Ojjolnaq.exe Opdghh32.exe PID 4284 wrote to memory of 1184 4284 Opdghh32.exe Ojllan32.exe PID 4284 wrote to memory of 1184 4284 Opdghh32.exe Ojllan32.exe PID 4284 wrote to memory of 1184 4284 Opdghh32.exe Ojllan32.exe PID 1184 wrote to memory of 5020 1184 Ojllan32.exe Oqfdnhfk.exe PID 1184 wrote to memory of 5020 1184 Ojllan32.exe Oqfdnhfk.exe PID 1184 wrote to memory of 5020 1184 Ojllan32.exe Oqfdnhfk.exe PID 5020 wrote to memory of 3964 5020 Oqfdnhfk.exe Onjegled.exe PID 5020 wrote to memory of 3964 5020 Oqfdnhfk.exe Onjegled.exe PID 5020 wrote to memory of 3964 5020 Oqfdnhfk.exe Onjegled.exe PID 3964 wrote to memory of 1828 3964 Onjegled.exe Oqhacgdh.exe PID 3964 wrote to memory of 1828 3964 Onjegled.exe Oqhacgdh.exe PID 3964 wrote to memory of 1828 3964 Onjegled.exe Oqhacgdh.exe PID 1828 wrote to memory of 2744 1828 Oqhacgdh.exe Pqknig32.exe PID 1828 wrote to memory of 2744 1828 Oqhacgdh.exe Pqknig32.exe PID 1828 wrote to memory of 2744 1828 Oqhacgdh.exe Pqknig32.exe PID 2744 wrote to memory of 1636 2744 Pqknig32.exe Pfhfan32.exe PID 2744 wrote to memory of 1636 2744 Pqknig32.exe Pfhfan32.exe PID 2744 wrote to memory of 1636 2744 Pqknig32.exe Pfhfan32.exe PID 1636 wrote to memory of 4916 1636 Pfhfan32.exe Pclgkb32.exe PID 1636 wrote to memory of 4916 1636 Pfhfan32.exe Pclgkb32.exe PID 1636 wrote to memory of 4916 1636 Pfhfan32.exe Pclgkb32.exe PID 4916 wrote to memory of 836 4916 Pclgkb32.exe Pmdkch32.exe PID 4916 wrote to memory of 836 4916 Pclgkb32.exe Pmdkch32.exe PID 4916 wrote to memory of 836 4916 Pclgkb32.exe Pmdkch32.exe PID 836 wrote to memory of 1704 836 Pmdkch32.exe Pdkcde32.exe PID 836 wrote to memory of 1704 836 Pmdkch32.exe Pdkcde32.exe PID 836 wrote to memory of 1704 836 Pmdkch32.exe Pdkcde32.exe PID 1704 wrote to memory of 2600 1704 Pdkcde32.exe Pjhlml32.exe PID 1704 wrote to memory of 2600 1704 Pdkcde32.exe Pjhlml32.exe PID 1704 wrote to memory of 2600 1704 Pdkcde32.exe Pjhlml32.exe PID 2600 wrote to memory of 4604 2600 Pjhlml32.exe Pcppfaka.exe PID 2600 wrote to memory of 4604 2600 Pjhlml32.exe Pcppfaka.exe PID 2600 wrote to memory of 4604 2600 Pjhlml32.exe Pcppfaka.exe PID 4604 wrote to memory of 4320 4604 Pcppfaka.exe Pmidog32.exe PID 4604 wrote to memory of 4320 4604 Pcppfaka.exe Pmidog32.exe PID 4604 wrote to memory of 4320 4604 Pcppfaka.exe Pmidog32.exe PID 4320 wrote to memory of 3084 4320 Pmidog32.exe Pjmehkqk.exe PID 4320 wrote to memory of 3084 4320 Pmidog32.exe Pjmehkqk.exe PID 4320 wrote to memory of 3084 4320 Pmidog32.exe Pjmehkqk.exe PID 3084 wrote to memory of 2964 3084 Pjmehkqk.exe Qgqeappe.exe PID 3084 wrote to memory of 2964 3084 Pjmehkqk.exe Qgqeappe.exe PID 3084 wrote to memory of 2964 3084 Pjmehkqk.exe Qgqeappe.exe PID 2964 wrote to memory of 4772 2964 Qgqeappe.exe Qmmnjfnl.exe PID 2964 wrote to memory of 4772 2964 Qgqeappe.exe Qmmnjfnl.exe PID 2964 wrote to memory of 4772 2964 Qgqeappe.exe Qmmnjfnl.exe PID 4772 wrote to memory of 872 4772 Qmmnjfnl.exe Qcgffqei.exe PID 4772 wrote to memory of 872 4772 Qmmnjfnl.exe Qcgffqei.exe PID 4772 wrote to memory of 872 4772 Qmmnjfnl.exe Qcgffqei.exe PID 872 wrote to memory of 3748 872 Qcgffqei.exe Acnlgp32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\16fd257c466f33fd2cc581d43f737150_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe23⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe24⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe25⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe26⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe27⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe28⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe29⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe30⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe32⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe33⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe34⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe35⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe36⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe37⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe39⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe40⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe41⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe42⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe43⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe44⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe45⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe46⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe47⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe48⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe49⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe50⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe51⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe52⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe53⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe54⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe55⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe56⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe57⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe59⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe60⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe61⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe62⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe64⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe65⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe66⤵PID:3728
-
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe67⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe68⤵PID:3532
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe70⤵PID:1864
-
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe71⤵PID:2440
-
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe72⤵PID:3292
-
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe73⤵PID:2588
-
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe74⤵PID:1912
-
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe75⤵PID:2308
-
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe76⤵PID:3704
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe77⤵
- Drops file in System32 directory
PID:4556 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe78⤵PID:3216
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe79⤵PID:1144
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe80⤵
- Modifies registry class
PID:5092 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe81⤵PID:776
-
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe82⤵PID:1972
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe83⤵PID:4432
-
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe84⤵PID:4544
-
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe85⤵PID:2548
-
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe86⤵PID:1784
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe87⤵PID:1272
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe88⤵PID:4600
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe89⤵PID:5128
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe90⤵PID:5176
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe91⤵PID:5220
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe92⤵PID:5264
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe93⤵PID:5312
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe94⤵PID:5348
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe95⤵PID:5404
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe96⤵PID:5452
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe97⤵PID:5496
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe98⤵PID:5536
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe99⤵PID:5584
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe100⤵PID:5632
-
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe101⤵PID:5672
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe102⤵PID:5712
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe103⤵PID:5756
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe104⤵PID:5800
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe106⤵PID:5884
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe107⤵PID:5928
-
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe108⤵PID:5972
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe109⤵PID:6020
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe110⤵PID:6064
-
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe111⤵PID:6108
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe112⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe113⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe114⤵PID:5256
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe115⤵PID:5336
-
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe116⤵PID:5432
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe117⤵PID:5492
-
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe118⤵PID:5580
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe119⤵PID:5640
-
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe120⤵PID:5696
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe121⤵PID:5768
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe122⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe123⤵PID:5912
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe124⤵PID:5968
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe125⤵
- Modifies registry class
PID:6040 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe126⤵PID:6100
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe127⤵PID:5156
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe128⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe129⤵PID:5400
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe130⤵PID:5516
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe131⤵PID:5620
-
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe132⤵PID:5764
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe133⤵PID:5852
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe135⤵PID:6056
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe136⤵PID:5172
-
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe137⤵PID:5368
-
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe138⤵PID:5576
-
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe139⤵PID:5748
-
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe140⤵PID:5940
-
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe141⤵PID:5140
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe142⤵PID:5428
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe143⤵
- Drops file in System32 directory
PID:4100 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe144⤵PID:5708
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe145⤵PID:5124
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe146⤵
- Modifies registry class
PID:5380 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe147⤵PID:5740
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe148⤵PID:5484
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe149⤵PID:5936
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe150⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5692 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe152⤵PID:5112
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe153⤵PID:6156
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe154⤵PID:6200
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe155⤵PID:6244
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe156⤵
- Drops file in System32 directory
PID:6288 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe157⤵PID:6336
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe158⤵PID:6372
-
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6416 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe160⤵PID:6460
-
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe161⤵PID:6500
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe162⤵PID:6544
-
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe163⤵PID:6580
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe164⤵PID:6616
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe165⤵PID:6652
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe166⤵PID:6696
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe167⤵PID:6732
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe168⤵
- Modifies registry class
PID:6772 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe169⤵PID:6808
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe170⤵PID:6844
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe171⤵PID:6888
-
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe172⤵PID:6928
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe173⤵PID:6964
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe174⤵PID:7000
-
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe175⤵PID:7040
-
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe176⤵PID:7076
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe177⤵PID:7112
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe178⤵PID:7152
-
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe179⤵PID:6036
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe180⤵PID:6220
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe181⤵PID:6280
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe182⤵PID:6324
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe183⤵PID:6400
-
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe184⤵PID:6456
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe185⤵PID:6516
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe186⤵PID:6568
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe187⤵
- Drops file in System32 directory
PID:6648 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe188⤵PID:6704
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6768 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe190⤵PID:6856
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe191⤵PID:1920
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe192⤵PID:6916
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe193⤵PID:7008
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe194⤵PID:7068
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe195⤵PID:7140
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe196⤵PID:6176
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe197⤵PID:6276
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe198⤵PID:6368
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe199⤵
- Modifies registry class
PID:6508 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe200⤵PID:6612
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe201⤵PID:6740
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6836 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6924 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe204⤵PID:7048
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe205⤵PID:7148
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe206⤵PID:6316
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe207⤵PID:6492
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe208⤵PID:6692
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6884 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe210⤵PID:6988
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe211⤵PID:4244
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe212⤵
- Drops file in System32 directory
PID:6388 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe213⤵PID:6760
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe214⤵PID:6956
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe215⤵PID:6272
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe216⤵PID:2664
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe217⤵PID:3228
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe218⤵PID:3120
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe220⤵
- Drops file in System32 directory
PID:6908 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe221⤵PID:3984
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe222⤵PID:6936
-
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe223⤵PID:6264
-
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe224⤵PID:4668
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe225⤵PID:6232
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe226⤵PID:1800
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe227⤵PID:7176
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe228⤵PID:7216
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe229⤵PID:7260
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe230⤵PID:7304
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe231⤵PID:7340
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe232⤵PID:7384
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe233⤵PID:7432
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe234⤵PID:7468
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe235⤵PID:7516
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe236⤵PID:7548
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe237⤵PID:7592
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe238⤵
- Modifies registry class
PID:7632 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7676 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe240⤵PID:7720
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe241⤵
- Modifies registry class
PID:7768 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe242⤵PID:7804