Analysis
-
max time kernel
144s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 00:24
Static task
static1
Behavioral task
behavioral1
Sample
2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe
-
Size
163KB
-
MD5
2c1546414eefe1087cf5fb7970197dd0
-
SHA1
cac0a6c10c12571d478d0dee73420f41eed7ebec
-
SHA256
996944dde21e7ec113538e0063e8bf20a55833e3f4084fdb391f8e8b3cd53016
-
SHA512
b8d55ff0d086b74d64e9b912dd8bde430bf32c19282d2232b42871b410bd5f475f5079a76395edfdc1e1edd14fb6b62ab2ba514a39dc1262c88d5425f33e70bb
-
SSDEEP
3072:slibArORSx0IlIC8RKHAcztaNiltOrWKDBr+yJb:PbA4g1dhAczM8LOf
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jiikak32.exeJfaedkdp.exeJmpgldhg.exeHjhfnccl.exePjkombfj.exeQecppkdm.exeJfcbjk32.exePmdkch32.exeNbhkac32.exeQalnjkgo.exeCbgbgj32.exeDlijfneg.exeDlojkddn.exeMgghhlhq.exeBecifhfj.exeHcmgfbhd.exeHijooifk.exeIkpaldog.exeDphifcoi.exeMpmokb32.exeNacbfdao.exeNpjebj32.exeNafokcol.exeCbqlfkmi.exeJfhlejnh.exeMlopkm32.exeQdbiedpa.exeDohmlp32.exeKajfig32.exeOboaabga.exePkfblfab.exeGbiaapdf.exeJkfkfohj.exeOgogoi32.exeIifokh32.exeDdjejl32.exeIjkljp32.exeLmqgnhmp.exeLcgblncm.exeHbpgbo32.exeJfhbppbc.exeFbgbpihg.exeKmgdgjek.exeNddkgonp.exeDemecd32.exeGjlfbd32.exeAndgoobc.exeJlnnmb32.exeFomonm32.exeCamphf32.exePqdqof32.exeQfcfml32.exeImgkql32.exeAaqgek32.exeMgagbf32.exeLgpagm32.exeNgedij32.exeQkmhlekj.exeIfjodl32.exeLpnlpnih.exeOcdqjceo.exeEpopgbia.exeFfekegon.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiikak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfaedkdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhfnccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjkombfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qecppkdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmdkch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qalnjkgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlijfneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlojkddn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgghhlhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Becifhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcmgfbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpaldog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphifcoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmokb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nafokcol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqlfkmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfhlejnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlopkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdbiedpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dohmlp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oboaabga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkfblfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbiaapdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfkfohj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogogoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iifokh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkljp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmqgnhmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfhbppbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgbpihg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgdgjek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjlfbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andgoobc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnnmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fomonm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imgkql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaqgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgagbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpagm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngedij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkmhlekj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjodl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlpnih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdqjceo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epopgbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffekegon.exe -
Executes dropped EXE 64 IoCs
Processes:
Diihojkb.exeDcalgo32.exeDephckaf.exeDjlddi32.exeDljqpd32.exeDohmlp32.exeDagiil32.exeDjnaji32.exeDhqaefng.exeDphifcoi.exeDlojkddn.exeDchbhn32.exeEfgodj32.exeEoocmoao.exeEjegjh32.exeEpopgbia.exeEflhoigi.exeEhjdldfl.exeEqalmafo.exeEfneehef.exeEqciba32.exeEcbenm32.exeEhonfc32.exeEoifcnid.exeFbgbpihg.exeFjnjqfij.exeFokbim32.exeFfekegon.exeFicgacna.exeFomonm32.exeFjcclf32.exeFqmlhpla.exeFckhdk32.exeFfjdqg32.exeFihqmb32.exeFcnejk32.exeFflaff32.exeFijmbb32.exeFodeolof.exeGbcakg32.exeGjjjle32.exeGmhfhp32.exeGogbdl32.exeGbenqg32.exeGjlfbd32.exeGmkbnp32.exeGoiojk32.exeGfcgge32.exeGiacca32.exeGqikdn32.exeGbjhlfhb.exeGidphq32.exeGpnhekgl.exeGjclbc32.exeGameonno.exeHboagf32.exeHjfihc32.exeHihicplj.exeHapaemll.exeHbanme32.exeHjhfnccl.exeHmfbjnbp.exeHpenfjad.exeHbckbepg.exepid process 3216 Diihojkb.exe 1124 Dcalgo32.exe 4608 Dephckaf.exe 2740 Djlddi32.exe 940 Dljqpd32.exe 3264 Dohmlp32.exe 1644 Dagiil32.exe 1316 Djnaji32.exe 4092 Dhqaefng.exe 2472 Dphifcoi.exe 748 Dlojkddn.exe 4724 Dchbhn32.exe 3824 Efgodj32.exe 1684 Eoocmoao.exe 3720 Ejegjh32.exe 4648 Epopgbia.exe 4068 Eflhoigi.exe 4452 Ehjdldfl.exe 3192 Eqalmafo.exe 2852 Efneehef.exe 1676 Eqciba32.exe 1572 Ecbenm32.exe 1260 Ehonfc32.exe 4876 Eoifcnid.exe 4520 Fbgbpihg.exe 3428 Fjnjqfij.exe 3832 Fokbim32.exe 1896 Ffekegon.exe 4856 Ficgacna.exe 4488 Fomonm32.exe 2404 Fjcclf32.exe 4460 Fqmlhpla.exe 636 Fckhdk32.exe 3508 Ffjdqg32.exe 1964 Fihqmb32.exe 3480 Fcnejk32.exe 5076 Fflaff32.exe 4804 Fijmbb32.exe 3952 Fodeolof.exe 4476 Gbcakg32.exe 4588 Gjjjle32.exe 588 Gmhfhp32.exe 1044 Gogbdl32.exe 4176 Gbenqg32.exe 2416 Gjlfbd32.exe 4816 Gmkbnp32.exe 3176 Goiojk32.exe 4620 Gfcgge32.exe 2280 Giacca32.exe 4932 Gqikdn32.exe 4404 Gbjhlfhb.exe 3256 Gidphq32.exe 2228 Gpnhekgl.exe 1792 Gjclbc32.exe 964 Gameonno.exe 440 Hboagf32.exe 3240 Hjfihc32.exe 736 Hihicplj.exe 2780 Hapaemll.exe 4652 Hbanme32.exe 3932 Hjhfnccl.exe 1172 Hmfbjnbp.exe 3260 Hpenfjad.exe 2884 Hbckbepg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Klljnp32.exeGpnhekgl.exeJpojcf32.exePndohaqe.exeIblfnn32.exeJlnnmb32.exeDdjejl32.exeAejfpjne.exeBjokdipf.exeLaefdf32.exeLdkojb32.exeEdpnfo32.exeNgmgne32.exeCogmkl32.exeHbckbepg.exeImgkql32.exeEdihepnm.exeOqkdcn32.exeAaqgek32.exeAlhhhcal.exeHibljoco.exeLgkhlnbn.exeLdaeka32.exeDkgqfl32.exeJfffjqdf.exeMnocof32.exeKibgmdcn.exeKdffocib.exeCbefaj32.exeIcplcpgo.exeJkfkfohj.exeHfcicmqp.exeCmiflbel.exeKacphh32.exeFckajehi.exeHfqlnm32.exeKepelfam.exeFkmchi32.exeFomhdg32.exeHjfihc32.exeKaqcbi32.exeFqmlhpla.exeKmnjhioc.exeBhikcb32.exeBclhhnca.exeNkjjij32.exeIppggbck.exeJpnchp32.exeFflaff32.exeGmhfhp32.exeCacmah32.exeNjfmke32.exeHadkpm32.exeLijdhiaa.exeBhkhibmc.exeImoneg32.exeEpopgbia.exeFomonm32.exeJimekgff.exeJfhlejnh.exeCdcoim32.exeDaekdooc.exedescription ioc process File created C:\Windows\SysWOW64\Imllie32.dll Klljnp32.exe File opened for modification C:\Windows\SysWOW64\Gjclbc32.exe Gpnhekgl.exe File created C:\Windows\SysWOW64\Dbcjkf32.dll Jpojcf32.exe File opened for modification C:\Windows\SysWOW64\Pabkdmpi.exe Pndohaqe.exe File created C:\Windows\SysWOW64\Jmehcnhg.dll Iblfnn32.exe File opened for modification C:\Windows\SysWOW64\Jpijnqkp.exe Jlnnmb32.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Ddjejl32.exe File created C:\Windows\SysWOW64\Anmnemcc.dll Aejfpjne.exe File created C:\Windows\SysWOW64\Beeoaapl.exe Bjokdipf.exe File created C:\Windows\SysWOW64\Jpgeph32.dll Laefdf32.exe File created C:\Windows\SysWOW64\Lgikfn32.exe Ldkojb32.exe File created C:\Windows\SysWOW64\Eadopc32.exe Edpnfo32.exe File created C:\Windows\SysWOW64\Nepgjaeg.exe Ngmgne32.exe File created C:\Windows\SysWOW64\Jidpnp32.dll Cogmkl32.exe File created C:\Windows\SysWOW64\Himcoo32.exe Hbckbepg.exe File opened for modification C:\Windows\SysWOW64\Ibccic32.exe Imgkql32.exe File created C:\Windows\SysWOW64\Jihdea32.dll Edihepnm.exe File opened for modification C:\Windows\SysWOW64\Pcjapi32.exe Oqkdcn32.exe File created C:\Windows\SysWOW64\Acocaf32.exe Aaqgek32.exe File created C:\Windows\SysWOW64\Phadlp32.dll Alhhhcal.exe File created C:\Windows\SysWOW64\Bekppcpp.dll Hibljoco.exe File created C:\Windows\SysWOW64\Lijdhiaa.exe Lgkhlnbn.exe File created C:\Windows\SysWOW64\Lgpagm32.exe Ldaeka32.exe File created C:\Windows\SysWOW64\Jbgkimpf.dll Dkgqfl32.exe File created C:\Windows\SysWOW64\Feambf32.dll Jfffjqdf.exe File opened for modification C:\Windows\SysWOW64\Mpmokb32.exe Mnocof32.exe File created C:\Windows\SysWOW64\Namdcd32.dll Kibgmdcn.exe File created C:\Windows\SysWOW64\Kgdbkohf.exe Kdffocib.exe File opened for modification C:\Windows\SysWOW64\Chbnia32.exe Cbefaj32.exe File opened for modification C:\Windows\SysWOW64\Jeaikh32.exe Icplcpgo.exe File created C:\Windows\SysWOW64\Jiikak32.exe Jkfkfohj.exe File created C:\Windows\SysWOW64\Qegnoi32.dll Hfcicmqp.exe File created C:\Windows\SysWOW64\Nedmmlba.dll Cmiflbel.exe File created C:\Windows\SysWOW64\Bnckcnhb.dll Kacphh32.exe File created C:\Windows\SysWOW64\Flceckoj.exe Fckajehi.exe File created C:\Windows\SysWOW64\Hioiji32.exe Hfqlnm32.exe File created C:\Windows\SysWOW64\Eikdngcl.dll Kepelfam.exe File opened for modification C:\Windows\SysWOW64\Fafkecel.exe Fkmchi32.exe File opened for modification C:\Windows\SysWOW64\Fchddejl.exe Fomhdg32.exe File opened for modification C:\Windows\SysWOW64\Hihicplj.exe Hjfihc32.exe File created C:\Windows\SysWOW64\Jflepa32.dll Jkfkfohj.exe File opened for modification C:\Windows\SysWOW64\Kpccnefa.exe Kaqcbi32.exe File created C:\Windows\SysWOW64\Bjikbh32.dll Fqmlhpla.exe File created C:\Windows\SysWOW64\Lbhnnj32.dll Kmnjhioc.exe File created C:\Windows\SysWOW64\Bjghpn32.exe Bhikcb32.exe File opened for modification C:\Windows\SysWOW64\Bnbmefbg.exe Bclhhnca.exe File created C:\Windows\SysWOW64\Njljefql.exe Nkjjij32.exe File created C:\Windows\SysWOW64\Chbnia32.exe Cbefaj32.exe File created C:\Windows\SysWOW64\Ohfjnoma.dll Ippggbck.exe File created C:\Windows\SysWOW64\Jcioiood.exe Jpnchp32.exe File created C:\Windows\SysWOW64\Fijmbb32.exe Fflaff32.exe File created C:\Windows\SysWOW64\Mepgghma.dll Gmhfhp32.exe File created C:\Windows\SysWOW64\Cdainc32.exe Cacmah32.exe File opened for modification C:\Windows\SysWOW64\Nnaikd32.exe Njfmke32.exe File opened for modification C:\Windows\SysWOW64\Hccglh32.exe Hadkpm32.exe File created C:\Windows\SysWOW64\Mdemcacc.dll Lijdhiaa.exe File created C:\Windows\SysWOW64\Bkidenlg.exe Bhkhibmc.exe File created C:\Windows\SysWOW64\Ipdejo32.dll Imoneg32.exe File created C:\Windows\SysWOW64\Ampkqqjm.dll Epopgbia.exe File created C:\Windows\SysWOW64\Qfiapa32.dll Fomonm32.exe File created C:\Windows\SysWOW64\Gcbifaej.dll Jimekgff.exe File opened for modification C:\Windows\SysWOW64\Jlednamo.exe Jfhlejnh.exe File opened for modification C:\Windows\SysWOW64\Cnicfe32.exe Cdcoim32.exe File created C:\Windows\SysWOW64\Dknpmdfc.exe Daekdooc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 12688 12600 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Jaimbj32.exeAfhohlbj.exeNggqoj32.exeLgpagm32.exeBgcknmop.exeCeehho32.exeLalcng32.exeCabfga32.exeCfpnph32.exeAdcmmeog.exeHbgmcnhf.exeMgagbf32.exeNngokoej.exePndohaqe.exeQalnjkgo.exeAndgoobc.exeAjneip32.exeOqkdcn32.exeAeopki32.exeIiibkn32.exeLpfijcfl.exeEqalmafo.exeEadopc32.exeCbefaj32.exeFckajehi.exeOgogoi32.exeBejogg32.exeIkpaldog.exeKmgdgjek.exeAaqgek32.exeIcifbang.exeJmpgldhg.exeLdohebqh.exeLcgblncm.exeFlnlhk32.exeHccglh32.exeNjcpee32.exeGbenqg32.exeLknjmkdo.exePcojkhap.exeBjdkjo32.exeKlngdpdd.exeGpnhekgl.exeMnocof32.exePcjapi32.exeBdhfhe32.exeChghdqbf.exe2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exeIdofhfmm.exeNgedij32.exeCddecc32.exeDjlddi32.exeKbfiep32.exeFchddejl.exeKlgqcqkl.exeMglack32.exeFqmlhpla.exeJplfcpin.exeJfeopj32.exeKmfmmcbo.exeKdopod32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll" Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll" Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jheiojpj.dll" Nggqoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcknmop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll" Lalcng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cabfga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeeep32.dll" Adcmmeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibifp32.dll" Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll" Mgagbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nngokoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pndohaqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filmeaek.dll" Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Andgoobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmcmk32.dll" Ajneip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqkdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklmno32.dll" Aeopki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpfijcfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqalmafo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eadopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbefaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckajehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjcpkfo.dll" Ogogoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdhcbgd.dll" Bejogg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikpaldog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmgdgjek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjhib32.dll" Aaqgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll" Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll" Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flnlhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll" Hccglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll" Lknjmkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcojkhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll" Klngdpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpnhekgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmbmidf.dll" Pcjapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobdihjo.dll" Chghdqbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll" Idofhfmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejogg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cddecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllceb32.dll" Djlddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll" Kbfiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll" Klgqcqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll" Fqmlhpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jplfcpin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfeopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmfmmcbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll" Kdopod32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exeDiihojkb.exeDcalgo32.exeDephckaf.exeDjlddi32.exeDljqpd32.exeDohmlp32.exeDagiil32.exeDjnaji32.exeDhqaefng.exeDphifcoi.exeDlojkddn.exeDchbhn32.exeEfgodj32.exeEoocmoao.exeEjegjh32.exeEpopgbia.exeEflhoigi.exeEhjdldfl.exeEqalmafo.exeEfneehef.exeEqciba32.exedescription pid process target process PID 3696 wrote to memory of 3216 3696 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe Diihojkb.exe PID 3696 wrote to memory of 3216 3696 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe Diihojkb.exe PID 3696 wrote to memory of 3216 3696 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe Diihojkb.exe PID 3216 wrote to memory of 1124 3216 Diihojkb.exe Dcalgo32.exe PID 3216 wrote to memory of 1124 3216 Diihojkb.exe Dcalgo32.exe PID 3216 wrote to memory of 1124 3216 Diihojkb.exe Dcalgo32.exe PID 1124 wrote to memory of 4608 1124 Dcalgo32.exe Dephckaf.exe PID 1124 wrote to memory of 4608 1124 Dcalgo32.exe Dephckaf.exe PID 1124 wrote to memory of 4608 1124 Dcalgo32.exe Dephckaf.exe PID 4608 wrote to memory of 2740 4608 Dephckaf.exe Djlddi32.exe PID 4608 wrote to memory of 2740 4608 Dephckaf.exe Djlddi32.exe PID 4608 wrote to memory of 2740 4608 Dephckaf.exe Djlddi32.exe PID 2740 wrote to memory of 940 2740 Djlddi32.exe Dljqpd32.exe PID 2740 wrote to memory of 940 2740 Djlddi32.exe Dljqpd32.exe PID 2740 wrote to memory of 940 2740 Djlddi32.exe Dljqpd32.exe PID 940 wrote to memory of 3264 940 Dljqpd32.exe Dohmlp32.exe PID 940 wrote to memory of 3264 940 Dljqpd32.exe Dohmlp32.exe PID 940 wrote to memory of 3264 940 Dljqpd32.exe Dohmlp32.exe PID 3264 wrote to memory of 1644 3264 Dohmlp32.exe Dagiil32.exe PID 3264 wrote to memory of 1644 3264 Dohmlp32.exe Dagiil32.exe PID 3264 wrote to memory of 1644 3264 Dohmlp32.exe Dagiil32.exe PID 1644 wrote to memory of 1316 1644 Dagiil32.exe Djnaji32.exe PID 1644 wrote to memory of 1316 1644 Dagiil32.exe Djnaji32.exe PID 1644 wrote to memory of 1316 1644 Dagiil32.exe Djnaji32.exe PID 1316 wrote to memory of 4092 1316 Djnaji32.exe Dhqaefng.exe PID 1316 wrote to memory of 4092 1316 Djnaji32.exe Dhqaefng.exe PID 1316 wrote to memory of 4092 1316 Djnaji32.exe Dhqaefng.exe PID 4092 wrote to memory of 2472 4092 Dhqaefng.exe Dphifcoi.exe PID 4092 wrote to memory of 2472 4092 Dhqaefng.exe Dphifcoi.exe PID 4092 wrote to memory of 2472 4092 Dhqaefng.exe Dphifcoi.exe PID 2472 wrote to memory of 748 2472 Dphifcoi.exe Dlojkddn.exe PID 2472 wrote to memory of 748 2472 Dphifcoi.exe Dlojkddn.exe PID 2472 wrote to memory of 748 2472 Dphifcoi.exe Dlojkddn.exe PID 748 wrote to memory of 4724 748 Dlojkddn.exe Dchbhn32.exe PID 748 wrote to memory of 4724 748 Dlojkddn.exe Dchbhn32.exe PID 748 wrote to memory of 4724 748 Dlojkddn.exe Dchbhn32.exe PID 4724 wrote to memory of 3824 4724 Dchbhn32.exe Efgodj32.exe PID 4724 wrote to memory of 3824 4724 Dchbhn32.exe Efgodj32.exe PID 4724 wrote to memory of 3824 4724 Dchbhn32.exe Efgodj32.exe PID 3824 wrote to memory of 1684 3824 Efgodj32.exe Eoocmoao.exe PID 3824 wrote to memory of 1684 3824 Efgodj32.exe Eoocmoao.exe PID 3824 wrote to memory of 1684 3824 Efgodj32.exe Eoocmoao.exe PID 1684 wrote to memory of 3720 1684 Eoocmoao.exe Ejegjh32.exe PID 1684 wrote to memory of 3720 1684 Eoocmoao.exe Ejegjh32.exe PID 1684 wrote to memory of 3720 1684 Eoocmoao.exe Ejegjh32.exe PID 3720 wrote to memory of 4648 3720 Ejegjh32.exe Epopgbia.exe PID 3720 wrote to memory of 4648 3720 Ejegjh32.exe Epopgbia.exe PID 3720 wrote to memory of 4648 3720 Ejegjh32.exe Epopgbia.exe PID 4648 wrote to memory of 4068 4648 Epopgbia.exe Eflhoigi.exe PID 4648 wrote to memory of 4068 4648 Epopgbia.exe Eflhoigi.exe PID 4648 wrote to memory of 4068 4648 Epopgbia.exe Eflhoigi.exe PID 4068 wrote to memory of 4452 4068 Eflhoigi.exe Ehjdldfl.exe PID 4068 wrote to memory of 4452 4068 Eflhoigi.exe Ehjdldfl.exe PID 4068 wrote to memory of 4452 4068 Eflhoigi.exe Ehjdldfl.exe PID 4452 wrote to memory of 3192 4452 Ehjdldfl.exe Eqalmafo.exe PID 4452 wrote to memory of 3192 4452 Ehjdldfl.exe Eqalmafo.exe PID 4452 wrote to memory of 3192 4452 Ehjdldfl.exe Eqalmafo.exe PID 3192 wrote to memory of 2852 3192 Eqalmafo.exe Efneehef.exe PID 3192 wrote to memory of 2852 3192 Eqalmafo.exe Efneehef.exe PID 3192 wrote to memory of 2852 3192 Eqalmafo.exe Efneehef.exe PID 2852 wrote to memory of 1676 2852 Efneehef.exe Eqciba32.exe PID 2852 wrote to memory of 1676 2852 Efneehef.exe Eqciba32.exe PID 2852 wrote to memory of 1676 2852 Efneehef.exe Eqciba32.exe PID 1676 wrote to memory of 1572 1676 Eqciba32.exe Ecbenm32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe23⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe24⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe25⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe27⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe28⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe30⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4488 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe32⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe34⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe35⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe36⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe37⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5076 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe39⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe40⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe41⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe42⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe44⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe47⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe48⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe49⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe50⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe51⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe52⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe53⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe55⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe56⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe57⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3240 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe59⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe60⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe61⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe63⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe64⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe66⤵PID:5092
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe67⤵
- Drops file in System32 directory
PID:4036 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe68⤵
- Modifies registry class
PID:4948 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe69⤵PID:3780
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe70⤵PID:2824
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe71⤵PID:712
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe72⤵PID:1856
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe73⤵
- Drops file in System32 directory
PID:3244 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe74⤵PID:1020
-
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe75⤵PID:2608
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe76⤵PID:1844
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe77⤵PID:868
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe78⤵PID:2368
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe79⤵PID:2456
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe80⤵PID:4528
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe81⤵PID:3516
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe82⤵PID:3184
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe83⤵
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe84⤵PID:2892
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe85⤵
- Modifies registry class
PID:3316 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe87⤵PID:4884
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4140 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe89⤵PID:3916
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe90⤵PID:4640
-
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe91⤵PID:3724
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe92⤵PID:2760
-
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe93⤵PID:5136
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe94⤵PID:5176
-
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe95⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe96⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe97⤵PID:5300
-
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe98⤵PID:5336
-
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe99⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5428 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe101⤵PID:5472
-
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe102⤵PID:5516
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe103⤵PID:5560
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5600 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe106⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe107⤵PID:5724
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe108⤵
- Modifies registry class
PID:5764 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe109⤵PID:5808
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe110⤵PID:5848
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe112⤵
- Drops file in System32 directory
PID:5936 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe113⤵PID:5992
-
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe114⤵PID:6052
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe115⤵PID:6108
-
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe116⤵PID:5128
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe117⤵
- Modifies registry class
PID:5252 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe118⤵PID:5308
-
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe119⤵PID:5392
-
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe120⤵PID:5468
-
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe121⤵
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe122⤵PID:5632
-
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe123⤵PID:5716
-
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe124⤵
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5872 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe126⤵PID:5928
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe127⤵PID:6068
-
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe128⤵PID:6136
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3380 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe130⤵
- Modifies registry class
PID:5368 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe131⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe132⤵PID:5692
-
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe133⤵PID:5772
-
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe134⤵PID:5908
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe135⤵PID:6116
-
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe136⤵
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe137⤵
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe138⤵PID:5796
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe139⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe140⤵PID:5544
-
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe141⤵PID:5896
-
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe142⤵
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe143⤵
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6164 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe145⤵PID:6208
-
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe146⤵
- Drops file in System32 directory
PID:6252 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe147⤵PID:6292
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6336 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe149⤵
- Modifies registry class
PID:6388 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe150⤵PID:6428
-
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe151⤵PID:6476
-
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe152⤵PID:6516
-
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe153⤵PID:6552
-
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe154⤵PID:6596
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe155⤵
- Drops file in System32 directory
- Modifies registry class
PID:6644 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6684 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6740 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe158⤵PID:6796
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe159⤵PID:6844
-
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe160⤵PID:6892
-
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe161⤵PID:6932
-
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe162⤵PID:6980
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe163⤵PID:7016
-
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe164⤵PID:7060
-
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe165⤵PID:7108
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe166⤵PID:7152
-
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe167⤵
- Modifies registry class
PID:6172 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe168⤵PID:6236
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe169⤵PID:6304
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe170⤵PID:6364
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe171⤵PID:6436
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe172⤵
- Drops file in System32 directory
PID:6500 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe173⤵PID:5836
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6584 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe175⤵PID:6640
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe176⤵PID:6704
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe177⤵PID:6780
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe178⤵PID:6856
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6928 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7028 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe181⤵PID:7072
-
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe182⤵PID:7144
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6200 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe184⤵PID:6344
-
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6452 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe186⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe187⤵PID:6536
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe188⤵
- Modifies registry class
PID:6776 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe189⤵
- Drops file in System32 directory
PID:6876 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe190⤵PID:7000
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe191⤵PID:6976
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe192⤵PID:6160
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe193⤵PID:6416
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe194⤵PID:5592
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6672 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe196⤵PID:6964
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe197⤵PID:7136
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe198⤵PID:6424
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe199⤵PID:6692
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe200⤵PID:7056
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5460 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe202⤵PID:6000
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe203⤵PID:6916
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe204⤵PID:7068
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe205⤵PID:7200
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe206⤵PID:7240
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe207⤵PID:7280
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe208⤵PID:7316
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe209⤵PID:7352
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe210⤵PID:7396
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe211⤵
- Drops file in System32 directory
- Modifies registry class
PID:7440 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe212⤵
- Modifies registry class
PID:7476 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe213⤵PID:7520
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe214⤵PID:7556
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe215⤵PID:7592
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe216⤵PID:7628
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe217⤵PID:7664
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe218⤵PID:7704
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe219⤵PID:7752
-
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe220⤵
- Modifies registry class
PID:7804 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7856 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe222⤵
- Drops file in System32 directory
- Modifies registry class
PID:7892 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe223⤵PID:7928
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe224⤵PID:7964
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8004 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe226⤵PID:8040
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe227⤵PID:8084
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe228⤵PID:8120
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe229⤵PID:8156
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe230⤵PID:7188
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe231⤵PID:7236
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7300 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7392 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe234⤵PID:7468
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe235⤵PID:7548
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe236⤵PID:7612
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe237⤵PID:7680
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe238⤵PID:7744
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe239⤵PID:7840
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7888 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe241⤵PID:7960
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe242⤵PID:6736