Analysis
-
max time kernel
94s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 20:53
Static task
static1
Behavioral task
behavioral1
Sample
f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe
-
Size
163KB
-
MD5
f794120bcff9c121096b1e81fca42a50
-
SHA1
bd49a78f0cad78525c73a2348999da3958c4136f
-
SHA256
f73ac409e693ee377648fd7e5cf46021060849fd0825a5b4a22a65811d27b891
-
SHA512
fb2d6d8e3e6bfac573f894dfd0e4e6c353327a8378a5d0a6fed6319f65a279e5e02d7559471148c1fb01ba832ae1c4340c40a61da57dd99f30bb5f423c959bf4
-
SSDEEP
3072:0jYJ74esv6I3qRbUcNDE9ltOrWKDBr+yJb:pJ7qvCdm9LOf
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jpgmha32.exeCfpnph32.exeImihfl32.exeDbllbibl.exeAlhhhcal.exeClkndpag.exeFafkecel.exeJdcpcf32.exeKagichjo.exeNfgmjqop.exeBnkgeg32.exeAhmlgd32.exeMelnob32.exeDdmhja32.exeDddojq32.exeHeocnk32.exeHimldi32.exePfhfan32.exePengdk32.exeBhaebcen.exeMkepnjng.exeMjjmog32.exeEocenh32.exeGlhonj32.exeHijooifk.exeBalpgb32.exeIdacmfkj.exeLpappc32.exeDodbbdbb.exeBlbknaib.exeDlijfneg.exeFdgdgnbm.exeMeiaib32.exeNdaggimg.exeOjoign32.exeJplmmfmi.exeKphmie32.exePncgmkmj.exeOneklm32.exeKpccnefa.exeBemlmgnp.exeCkcgkldl.exeElgfgl32.exeImdgqfbd.exeKpbmco32.exeIabgaklg.exeAbemjmgg.exeDkgqfl32.exeHkmefd32.exeLcgblncm.exeNnolfdcn.exeChbnia32.exeDllfkn32.exeFdegandp.exeJfcbjk32.exeBnhjohkb.exeNnaikd32.exeObidhaog.exeAjneip32.exeLenamdem.exeLljfpnjg.exeMdehlk32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpnph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbllbibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhhhcal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clkndpag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafkecel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcpcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kagichjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmlgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Himldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pengdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhaebcen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkepnjng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eocenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hijooifk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idacmfkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbknaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlijfneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdgdgnbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojoign32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kphmie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncgmkmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpccnefa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemlmgnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imdgqfbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iabgaklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abemjmgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkgqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkmefd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chbnia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dllfkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eocenh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdegandp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnaikd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obidhaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenamdem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lljfpnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdehlk32.exe -
Executes dropped EXE 64 IoCs
Processes:
Iannfk32.exeIcljbg32.exeIiibkn32.exeIpckgh32.exeIbagcc32.exeIfmcdblq.exeIikopmkd.exeIabgaklg.exeIdacmfkj.exeIfopiajn.exeIjkljp32.exeImihfl32.exeJaedgjjd.exeJdcpcf32.exeJfdida32.exeJplmmfmi.exeJjbako32.exeJmpngk32.exeJkdnpo32.exeJangmibi.exeJbocea32.exeJiikak32.exeKpccnefa.exeKgmlkp32.exeKacphh32.exeKgphpo32.exeKphmie32.exeKknafn32.exeKagichjo.exeKdffocib.exeKmnjhioc.exeKdhbec32.exeLiekmj32.exeLpocjdld.exeLgikfn32.exeLmccchkn.exeLpappc32.exeLcpllo32.exeLgkhlnbn.exeLaalifad.exeLdohebqh.exeLgneampk.exeLnhmng32.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLjnnch32.exeLaefdf32.exeLcgblncm.exeLgbnmm32.exeMjqjih32.exeMahbje32.exeMciobn32.exeMjcgohig.exeMnocof32.exeMpmokb32.exeMcklgm32.exeMjeddggd.exeMnapdf32.exeMpolqa32.exeMdkhapfj.exeMkepnjng.exeMaohkd32.exeMpaifalo.exepid process 3512 Iannfk32.exe 3784 Icljbg32.exe 2344 Iiibkn32.exe 1364 Ipckgh32.exe 2356 Ibagcc32.exe 1428 Ifmcdblq.exe 3480 Iikopmkd.exe 516 Iabgaklg.exe 2208 Idacmfkj.exe 1348 Ifopiajn.exe 4896 Ijkljp32.exe 3808 Imihfl32.exe 3048 Jaedgjjd.exe 1616 Jdcpcf32.exe 1808 Jfdida32.exe 1964 Jplmmfmi.exe 3524 Jjbako32.exe 5104 Jmpngk32.exe 3444 Jkdnpo32.exe 1604 Jangmibi.exe 448 Jbocea32.exe 4888 Jiikak32.exe 5024 Kpccnefa.exe 676 Kgmlkp32.exe 1088 Kacphh32.exe 3432 Kgphpo32.exe 4648 Kphmie32.exe 3320 Kknafn32.exe 4164 Kagichjo.exe 2576 Kdffocib.exe 4356 Kmnjhioc.exe 1168 Kdhbec32.exe 1500 Liekmj32.exe 892 Lpocjdld.exe 2564 Lgikfn32.exe 2656 Lmccchkn.exe 2004 Lpappc32.exe 116 Lcpllo32.exe 748 Lgkhlnbn.exe 3932 Laalifad.exe 8 Ldohebqh.exe 2660 Lgneampk.exe 1936 Lnhmng32.exe 4796 Laciofpa.exe 636 Ldaeka32.exe 4992 Lgpagm32.exe 3384 Ljnnch32.exe 4268 Laefdf32.exe 1628 Lcgblncm.exe 2404 Lgbnmm32.exe 3724 Mjqjih32.exe 4676 Mahbje32.exe 2756 Mciobn32.exe 4228 Mjcgohig.exe 4880 Mnocof32.exe 1996 Mpmokb32.exe 1472 Mcklgm32.exe 3680 Mjeddggd.exe 4476 Mnapdf32.exe 772 Mpolqa32.exe 3928 Mdkhapfj.exe 3892 Mkepnjng.exe 5028 Maohkd32.exe 4544 Mpaifalo.exe -
Drops file in System32 directory 64 IoCs
Processes:
Aegikj32.exeCffdpghg.exeNbhkac32.exeQcepkg32.exeQkmhlekj.exeNgedij32.exeJcgbco32.exeQqfmde32.exeLgkhlnbn.exeMahbje32.exeMaohkd32.exeLpqiemge.exeMdjagjco.exeEeidoc32.exeKmkfhc32.exeKdffocib.exeDlijfneg.exePfolbmje.exeGdqgmmjb.exeNdokbi32.exeOjllan32.exeAqkgpedc.exeCfpnph32.exeObangb32.exeAejfpjne.exeEleiam32.exeDogogcpo.exeBecifhfj.exeBjbndobo.exeHijooifk.exePgioqq32.exeJbocea32.exeHeocnk32.exeHfcicmqp.exeCkpjfm32.exeKfoafi32.exeLcpllo32.exeNqmhbpba.exeOgjmdigk.exeHmcojh32.exeOlcbmj32.exeNjogjfoj.exeBbnpqk32.exeDeanodkh.exeJfaedkdp.exeBmemac32.exeOdpjcm32.exeDbllbibl.exeJlnnmb32.exeClkndpag.exeGlebhjlg.exeIicbehnq.exeNqiogp32.exeBdolhc32.exeJmhale32.exeKfckahdj.exeNpcoakfp.exePkaiqf32.exeQnkdhpjn.exeEdpnfo32.exeHmjdjgjo.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Alabgd32.exe Aegikj32.exe File created C:\Windows\SysWOW64\Cmqmma32.exe Cffdpghg.exe File created C:\Windows\SysWOW64\Paadnmaq.dll Nbhkac32.exe File created C:\Windows\SysWOW64\Eaacilcc.dll Qcepkg32.exe File created C:\Windows\SysWOW64\Qnkdhpjn.exe Qkmhlekj.exe File opened for modification C:\Windows\SysWOW64\Nnolfdcn.exe Ngedij32.exe File opened for modification C:\Windows\SysWOW64\Jehokgge.exe Jcgbco32.exe File opened for modification C:\Windows\SysWOW64\Qnjnnj32.exe Qqfmde32.exe File created C:\Windows\SysWOW64\Laalifad.exe Lgkhlnbn.exe File opened for modification C:\Windows\SysWOW64\Mciobn32.exe Mahbje32.exe File opened for modification C:\Windows\SysWOW64\Mpaifalo.exe Maohkd32.exe File created C:\Windows\SysWOW64\Lenamdem.exe Lpqiemge.exe File created C:\Windows\SysWOW64\Eghpcp32.dll Mdjagjco.exe File created C:\Windows\SysWOW64\Elbmlmml.exe Eeidoc32.exe File created C:\Windows\SysWOW64\Edgbbfnk.dll Kmkfhc32.exe File created C:\Windows\SysWOW64\Oimhnoch.dll Kdffocib.exe File opened for modification C:\Windows\SysWOW64\Dohfbj32.exe Dlijfneg.exe File created C:\Windows\SysWOW64\Jpcmfk32.dll Pfolbmje.exe File opened for modification C:\Windows\SysWOW64\Glhonj32.exe Gdqgmmjb.exe File opened for modification C:\Windows\SysWOW64\Nilcjp32.exe Ndokbi32.exe File opened for modification C:\Windows\SysWOW64\Ocdqjceo.exe Ojllan32.exe File created C:\Windows\SysWOW64\Ageolo32.exe Aqkgpedc.exe File created C:\Windows\SysWOW64\Cfbkeh32.exe Cfpnph32.exe File created C:\Windows\SysWOW64\Kjmidh32.dll Obangb32.exe File opened for modification C:\Windows\SysWOW64\Ahhblemi.exe Aejfpjne.exe File created C:\Windows\SysWOW64\Aainof32.dll Eleiam32.exe File created C:\Windows\SysWOW64\Kahdohfm.dll Dogogcpo.exe File opened for modification C:\Windows\SysWOW64\Bhaebcen.exe Becifhfj.exe File created C:\Windows\SysWOW64\Ncnkogdb.dll Bjbndobo.exe File created C:\Windows\SysWOW64\Ajgblabf.dll Hijooifk.exe File created C:\Windows\SysWOW64\Pncgmkmj.exe Pgioqq32.exe File opened for modification C:\Windows\SysWOW64\Jiikak32.exe Jbocea32.exe File opened for modification C:\Windows\SysWOW64\Hijooifk.exe Heocnk32.exe File created C:\Windows\SysWOW64\Pldhcm32.dll Hfcicmqp.exe File created C:\Windows\SysWOW64\Opfkao32.dll Ckpjfm32.exe File created C:\Windows\SysWOW64\Hqdeld32.dll Kfoafi32.exe File created C:\Windows\SysWOW64\Ndclfb32.dll Lcpllo32.exe File created C:\Windows\SysWOW64\Dlddhggk.dll Nqmhbpba.exe File created C:\Windows\SysWOW64\Ojhiqefo.exe Ogjmdigk.exe File created C:\Windows\SysWOW64\Hobkfd32.exe Hmcojh32.exe File created C:\Windows\SysWOW64\Fdjlic32.dll Olcbmj32.exe File opened for modification C:\Windows\SysWOW64\Nqiogp32.exe Njogjfoj.exe File created C:\Windows\SysWOW64\Dokfjo32.dll Qkmhlekj.exe File opened for modification C:\Windows\SysWOW64\Bemlmgnp.exe Bbnpqk32.exe File created C:\Windows\SysWOW64\Dddojq32.exe Deanodkh.exe File created C:\Windows\SysWOW64\Jiopcppf.dll Jfaedkdp.exe File created C:\Windows\SysWOW64\Cenahpha.exe Bmemac32.exe File opened for modification C:\Windows\SysWOW64\Okjbpglo.exe Odpjcm32.exe File opened for modification C:\Windows\SysWOW64\Qkmhlekj.exe Qcepkg32.exe File created C:\Windows\SysWOW64\Dnqmalhn.dll Dbllbibl.exe File opened for modification C:\Windows\SysWOW64\Jfcbjk32.exe Jlnnmb32.exe File opened for modification C:\Windows\SysWOW64\Cecbmf32.exe Clkndpag.exe File created C:\Windows\SysWOW64\Gcojed32.exe Glebhjlg.exe File created C:\Windows\SysWOW64\Ipnjab32.exe Iicbehnq.exe File created C:\Windows\SysWOW64\Mciobn32.exe Mahbje32.exe File opened for modification C:\Windows\SysWOW64\Nkncdifl.exe Nqiogp32.exe File created C:\Windows\SysWOW64\Jfcibe32.dll Bdolhc32.exe File opened for modification C:\Windows\SysWOW64\Jpgmha32.exe Jmhale32.exe File created C:\Windows\SysWOW64\Kdgljmcd.exe Kfckahdj.exe File created C:\Windows\SysWOW64\Idodkeom.dll Npcoakfp.exe File created C:\Windows\SysWOW64\Pbkamqmd.exe Pkaiqf32.exe File created C:\Windows\SysWOW64\Ceipnc32.dll Qnkdhpjn.exe File opened for modification C:\Windows\SysWOW64\Elgfgl32.exe Edpnfo32.exe File created C:\Windows\SysWOW64\Ieakglmn.dll Hmjdjgjo.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 9384 9300 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Iicbehnq.exeAgeolo32.exeDgbdlf32.exeNnaikd32.exeOkjbpglo.exeDdmhja32.exeFlqimk32.exeHihbijhn.exeAnbkio32.exeMgkjhe32.exeOjoign32.exePqbdjfln.exeQnkdhpjn.exeNdaggimg.exeKagichjo.exeDaqbip32.exeBnhjohkb.exeBgehcmmm.exef794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exeIjkljp32.exeLiekmj32.exeLcgblncm.exePfjcgn32.exeJfcbjk32.exeMjcgohig.exePkhoae32.exeAlhhhcal.exeFdlnbm32.exeDhhnpjmh.exeLjnnch32.exeDddojq32.exeIblfnn32.exeMcklgm32.exeMaohkd32.exeQeemej32.exeGmlhii32.exeOjllan32.exeAlabgd32.exeMmbfpp32.exeMnapdf32.exeNcldnkae.exeHobkfd32.exeLbabgh32.exeQqfmde32.exeCkedalaj.exeJmmjgejj.exeBffkij32.exeDogogcpo.exeJangmibi.exeOfeilobp.exeAfjlnk32.exeBhhdil32.exeMdkhapfj.exeDlijfneg.exeEemnjbaj.exePjcbbmif.exePnakhkol.exeIannfk32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Dgbdlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnaikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okjbpglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophfae32.dll" Flqimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqlehck.dll" Hihbijhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anbkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll" Mgkjhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnkdhpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kagichjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll" Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" Bgehcmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll" Liekmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll" Lcgblncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjcgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjcgohig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjoheljj.dll" Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhhhcal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll" Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll" Ljnnch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddojq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hihbijhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iblfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgkjhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcklgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maohkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjipjg32.dll" Qeemej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmlhii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll" Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiqbfn32.dll" Alabgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnapdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncldnkae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckedalaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmmjgejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bffkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll" Jangmibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofeilobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll" Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdkhapfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maohkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlijfneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll" Eemnjbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll" Lbabgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcbbmif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnakhkol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iannfk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exeIannfk32.exeIcljbg32.exeIiibkn32.exeIpckgh32.exeIbagcc32.exeIfmcdblq.exeIikopmkd.exeIabgaklg.exeIdacmfkj.exeIfopiajn.exeIjkljp32.exeImihfl32.exeJaedgjjd.exeJdcpcf32.exeJfdida32.exeJplmmfmi.exeJjbako32.exeJmpngk32.exeJkdnpo32.exeJangmibi.exeJbocea32.exedescription pid process target process PID 4324 wrote to memory of 3512 4324 f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe Iannfk32.exe PID 4324 wrote to memory of 3512 4324 f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe Iannfk32.exe PID 4324 wrote to memory of 3512 4324 f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe Iannfk32.exe PID 3512 wrote to memory of 3784 3512 Iannfk32.exe Icljbg32.exe PID 3512 wrote to memory of 3784 3512 Iannfk32.exe Icljbg32.exe PID 3512 wrote to memory of 3784 3512 Iannfk32.exe Icljbg32.exe PID 3784 wrote to memory of 2344 3784 Icljbg32.exe Iiibkn32.exe PID 3784 wrote to memory of 2344 3784 Icljbg32.exe Iiibkn32.exe PID 3784 wrote to memory of 2344 3784 Icljbg32.exe Iiibkn32.exe PID 2344 wrote to memory of 1364 2344 Iiibkn32.exe Ipckgh32.exe PID 2344 wrote to memory of 1364 2344 Iiibkn32.exe Ipckgh32.exe PID 2344 wrote to memory of 1364 2344 Iiibkn32.exe Ipckgh32.exe PID 1364 wrote to memory of 2356 1364 Ipckgh32.exe Ibagcc32.exe PID 1364 wrote to memory of 2356 1364 Ipckgh32.exe Ibagcc32.exe PID 1364 wrote to memory of 2356 1364 Ipckgh32.exe Ibagcc32.exe PID 2356 wrote to memory of 1428 2356 Ibagcc32.exe Ifmcdblq.exe PID 2356 wrote to memory of 1428 2356 Ibagcc32.exe Ifmcdblq.exe PID 2356 wrote to memory of 1428 2356 Ibagcc32.exe Ifmcdblq.exe PID 1428 wrote to memory of 3480 1428 Ifmcdblq.exe Iikopmkd.exe PID 1428 wrote to memory of 3480 1428 Ifmcdblq.exe Iikopmkd.exe PID 1428 wrote to memory of 3480 1428 Ifmcdblq.exe Iikopmkd.exe PID 3480 wrote to memory of 516 3480 Iikopmkd.exe Iabgaklg.exe PID 3480 wrote to memory of 516 3480 Iikopmkd.exe Iabgaklg.exe PID 3480 wrote to memory of 516 3480 Iikopmkd.exe Iabgaklg.exe PID 516 wrote to memory of 2208 516 Iabgaklg.exe Idacmfkj.exe PID 516 wrote to memory of 2208 516 Iabgaklg.exe Idacmfkj.exe PID 516 wrote to memory of 2208 516 Iabgaklg.exe Idacmfkj.exe PID 2208 wrote to memory of 1348 2208 Idacmfkj.exe Ifopiajn.exe PID 2208 wrote to memory of 1348 2208 Idacmfkj.exe Ifopiajn.exe PID 2208 wrote to memory of 1348 2208 Idacmfkj.exe Ifopiajn.exe PID 1348 wrote to memory of 4896 1348 Ifopiajn.exe Ijkljp32.exe PID 1348 wrote to memory of 4896 1348 Ifopiajn.exe Ijkljp32.exe PID 1348 wrote to memory of 4896 1348 Ifopiajn.exe Ijkljp32.exe PID 4896 wrote to memory of 3808 4896 Ijkljp32.exe Imihfl32.exe PID 4896 wrote to memory of 3808 4896 Ijkljp32.exe Imihfl32.exe PID 4896 wrote to memory of 3808 4896 Ijkljp32.exe Imihfl32.exe PID 3808 wrote to memory of 3048 3808 Imihfl32.exe Jaedgjjd.exe PID 3808 wrote to memory of 3048 3808 Imihfl32.exe Jaedgjjd.exe PID 3808 wrote to memory of 3048 3808 Imihfl32.exe Jaedgjjd.exe PID 3048 wrote to memory of 1616 3048 Jaedgjjd.exe Jdcpcf32.exe PID 3048 wrote to memory of 1616 3048 Jaedgjjd.exe Jdcpcf32.exe PID 3048 wrote to memory of 1616 3048 Jaedgjjd.exe Jdcpcf32.exe PID 1616 wrote to memory of 1808 1616 Jdcpcf32.exe Jfdida32.exe PID 1616 wrote to memory of 1808 1616 Jdcpcf32.exe Jfdida32.exe PID 1616 wrote to memory of 1808 1616 Jdcpcf32.exe Jfdida32.exe PID 1808 wrote to memory of 1964 1808 Jfdida32.exe Jplmmfmi.exe PID 1808 wrote to memory of 1964 1808 Jfdida32.exe Jplmmfmi.exe PID 1808 wrote to memory of 1964 1808 Jfdida32.exe Jplmmfmi.exe PID 1964 wrote to memory of 3524 1964 Jplmmfmi.exe Jjbako32.exe PID 1964 wrote to memory of 3524 1964 Jplmmfmi.exe Jjbako32.exe PID 1964 wrote to memory of 3524 1964 Jplmmfmi.exe Jjbako32.exe PID 3524 wrote to memory of 5104 3524 Jjbako32.exe Jmpngk32.exe PID 3524 wrote to memory of 5104 3524 Jjbako32.exe Jmpngk32.exe PID 3524 wrote to memory of 5104 3524 Jjbako32.exe Jmpngk32.exe PID 5104 wrote to memory of 3444 5104 Jmpngk32.exe Jkdnpo32.exe PID 5104 wrote to memory of 3444 5104 Jmpngk32.exe Jkdnpo32.exe PID 5104 wrote to memory of 3444 5104 Jmpngk32.exe Jkdnpo32.exe PID 3444 wrote to memory of 1604 3444 Jkdnpo32.exe Jangmibi.exe PID 3444 wrote to memory of 1604 3444 Jkdnpo32.exe Jangmibi.exe PID 3444 wrote to memory of 1604 3444 Jkdnpo32.exe Jangmibi.exe PID 1604 wrote to memory of 448 1604 Jangmibi.exe Jbocea32.exe PID 1604 wrote to memory of 448 1604 Jangmibi.exe Jbocea32.exe PID 1604 wrote to memory of 448 1604 Jangmibi.exe Jbocea32.exe PID 448 wrote to memory of 4888 448 Jbocea32.exe Jiikak32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\f794120bcff9c121096b1e81fca42a50_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe23⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe25⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe26⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe27⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe29⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4164 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe32⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe33⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe35⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe36⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe37⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:116 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe41⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe42⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe43⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe44⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe45⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe46⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe47⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3384 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe49⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe51⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe52⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe56⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe57⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe59⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4476 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe61⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3928 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe65⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4672 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe67⤵PID:4956
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe68⤵PID:3280
-
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe69⤵PID:3904
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe70⤵PID:2716
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe71⤵
- Drops file in System32 directory
PID:3956 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe72⤵
- Drops file in System32 directory
PID:3088 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe73⤵PID:2140
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe74⤵
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe75⤵
- Drops file in System32 directory
PID:3404 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3100 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe77⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe78⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe79⤵PID:2860
-
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe81⤵
- Drops file in System32 directory
PID:5048 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe82⤵PID:4364
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe83⤵PID:4688
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe84⤵PID:3028
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe85⤵PID:2832
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe86⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe87⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe88⤵
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe89⤵PID:864
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe90⤵PID:4160
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe91⤵PID:3552
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe92⤵PID:2512
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe94⤵
- Drops file in System32 directory
PID:3800 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe95⤵PID:1356
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe96⤵PID:3176
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe97⤵PID:4632
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe98⤵PID:5128
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe99⤵PID:5172
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe100⤵PID:5212
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe101⤵PID:5252
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe102⤵PID:5296
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe103⤵PID:5340
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5384 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe105⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe106⤵PID:5468
-
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe107⤵PID:5508
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe108⤵PID:5544
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe109⤵PID:5592
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe110⤵PID:5636
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe111⤵PID:5676
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe112⤵
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe113⤵
- Drops file in System32 directory
PID:5764 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:5804 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe115⤵PID:5844
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe116⤵
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe117⤵PID:5924
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe118⤵PID:5968
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe119⤵
- Drops file in System32 directory
PID:6008 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe120⤵
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe121⤵
- Drops file in System32 directory
PID:6096 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe122⤵PID:6132
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe123⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe124⤵PID:5236
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe125⤵PID:5292
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe126⤵PID:5368
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe127⤵PID:5416
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5500 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5552 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe130⤵PID:5628
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe131⤵PID:5708
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5760 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe134⤵
- Drops file in System32 directory
PID:5916 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe136⤵PID:6036
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe137⤵PID:6120
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe138⤵
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe139⤵PID:5284
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe140⤵PID:5380
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe142⤵PID:5620
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe143⤵PID:5712
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe144⤵PID:5836
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe145⤵
- Drops file in System32 directory
PID:5956 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6064 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe147⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe148⤵PID:5360
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe149⤵PID:2348
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe150⤵PID:2000
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe152⤵PID:5756
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5904 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe154⤵
- Drops file in System32 directory
PID:6084 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe155⤵PID:5308
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe156⤵PID:2320
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe158⤵PID:5868
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe159⤵PID:6016
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe160⤵PID:2928
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe161⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5800 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe165⤵PID:5264
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe166⤵PID:6080
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe167⤵PID:4264
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe168⤵PID:6156
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe169⤵PID:6188
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6236 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe171⤵PID:6276
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe172⤵
- Drops file in System32 directory
PID:6320 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6356 -
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6396 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe175⤵PID:6436
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe176⤵PID:6476
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe177⤵PID:6516
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe178⤵PID:6556
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe179⤵PID:6596
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe180⤵
- Drops file in System32 directory
PID:6636 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe181⤵PID:6676
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe182⤵PID:6716
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe183⤵PID:6756
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe184⤵
- Drops file in System32 directory
PID:6792 -
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6832 -
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe186⤵
- Modifies registry class
PID:6872 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe187⤵
- Drops file in System32 directory
PID:6916 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe188⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6956 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe189⤵PID:7000
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe190⤵PID:7040
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7080 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7120 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe193⤵PID:7160
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6184 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe195⤵PID:6264
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe196⤵PID:6328
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe197⤵PID:6388
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe198⤵
- Modifies registry class
PID:6468 -
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe199⤵PID:6524
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe200⤵
- Modifies registry class
PID:6580 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe201⤵PID:6652
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe202⤵PID:6712
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe203⤵PID:6780
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe204⤵
- Drops file in System32 directory
PID:6848 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe205⤵PID:6900
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe206⤵
- Drops file in System32 directory
PID:6968 -
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7032 -
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe208⤵PID:7088
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe209⤵PID:7152
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe210⤵PID:6272
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe211⤵PID:6380
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe212⤵
- Modifies registry class
PID:6488 -
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe213⤵PID:6616
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe214⤵PID:6700
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe215⤵PID:6824
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe216⤵PID:6952
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe217⤵PID:7036
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe218⤵PID:7144
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe219⤵PID:6288
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe220⤵
- Modifies registry class
PID:6432 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe221⤵
- Drops file in System32 directory
PID:6704 -
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe222⤵
- Modifies registry class
PID:6752 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7028 -
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6252 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe225⤵PID:6664
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe226⤵PID:6896
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7096 -
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe228⤵PID:6840
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe229⤵
- Drops file in System32 directory
PID:6880 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6632 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe231⤵
- Drops file in System32 directory
PID:6764 -
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe232⤵PID:7192
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe233⤵PID:7232
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe234⤵PID:7272
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe235⤵
- Drops file in System32 directory
- Modifies registry class
PID:7312 -
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe236⤵PID:7352
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe237⤵
- Modifies registry class
PID:7392 -
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe238⤵PID:7440
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe239⤵PID:7480
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe240⤵PID:7516
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe241⤵PID:7560
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7608