Analysis
max time kernel: 140s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 10-05-2024 00:24

Static task: static1
Behavioral task: behavioral1
Sample: 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en

General
Target: 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe
Size: 163KB
MD5: 2c1546414eefe1087cf5fb7970197dd0
SHA1: cac0a6c10c12571d478d0dee73420f41eed7ebec
SHA256: 996944dde21e7ec113538e0063e8bf20a55833e3f4084fdb391f8e8b3cd53016
SHA512: b8d55ff0d086b74d64e9b912dd8bde430bf32c19282d2232b42871b410bd5f475f5079a76395edfdc1e1edd14fb6b62ab2ba514a39dc1262c88d5425f33e70bb
SSDEEP: 3072:slibArORSx0IlIC8RKHAcztaNiltOrWKDBr+yJb:PbA4g1dhAczM8LOf
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Key path abbreviated below: <SSODL> = \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the report logs the Software component in both cases; registry paths are case-insensitive)
description | ioc | process
Key created | <SSODL> | Nehomq32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pakllc32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpcoib32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lngnfnji.exe
Key created | <SSODL> | Jfieigio.exe
Key created | <SSODL> | Hclfag32.exe
Key created | <SSODL> | Hbfepmmn.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mihdgkpp.exe
Key created | <SSODL> | Chlfnp32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eeaepd32.exe
Key created | <SSODL> | Ifgpnmom.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmnnkl32.exe
Key created | <SSODL> | Jmlddeio.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgbeiiqe.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Popeif32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpkpadnl.exe
Key created | <SSODL> | Lpcoeb32.exe
Key created | <SSODL> | Nlefhcnc.exe
Key created | <SSODL> | Mbnocipg.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nijpdfhm.exe
Key created | <SSODL> | Oejcpf32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbajkiof.exe
Key created | <SSODL> | Gfmgelil.exe
Key created | <SSODL> | Cbdiia32.exe
Key created | <SSODL> | Leikbd32.exe
Key created | <SSODL> | Dinklffl.exe
Key created | <SSODL> | Aqjdgmgd.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppmgfb32.exe
Key created | <SSODL> | Ooclji32.exe
Key created | <SSODL> | Ieomef32.exe
Key created | <SSODL> | Mdogedmh.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeoijidl.exe
Key created | <SSODL> | Dgiaefgg.exe
Key created | <SSODL> | Degiggjm.exe
Key created | <SSODL> | Foccjood.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anjlebjc.exe
Key created | <SSODL> | Agjobffl.exe
Key created | <SSODL> | Lanbdf32.exe
Key created | <SSODL> | Cnejim32.exe
Key created | <SSODL> | Cmkfji32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agbpnh32.exe
Key created | <SSODL> | Eegkpo32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkjkle32.exe
Key created | <SSODL> | Giolnomh.exe
Key created | <SSODL> | Caaggpdh.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aaimopli.exe
Key created | <SSODL> | Njnmbk32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnleiipc.exe
Key created | <SSODL> | Obgnhkkh.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahmefdcp.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aaejojjq.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Diibag32.exe
Key created | <SSODL> | Flnlkgjq.exe
Key created | <SSODL> | Hklhae32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Degiggjm.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elkmmodo.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Foolgh32.exe
Key created | <SSODL> | Ebckmaec.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liipnb32.exe
Key created | <SSODL> | Gjfgqk32.exe
Set value (str) | <SSODL>\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbdhjm32.exe
Key created | <SSODL> | Gmeeepjp.exe
Key created | <SSODL> | Hgkfal32.exe
Key created | <SSODL> | Khadpa32.exe
Executes dropped EXE (64 IoCs)
pid | process
2680 | Nehomq32.exe
2540 | Nemhhpmp.exe
2500 | Ngneph32.exe
2128 | Ogqaehak.exe
2192 | Odebolpe.exe
2876 | Ocjophem.exe
1492 | Onocmadb.exe
1652 | Oghhfg32.exe
1692 | Ooclji32.exe
2600 | Oihqgbhd.exe
616 | Padeldeo.exe
2716 | Pnjfae32.exe
1200 | Pkofjijm.exe
1604 | Pqkobqhd.exe
3016 | Pakllc32.exe
2260 | Qfmafg32.exe
548 | Qoeeolig.exe
400 | Ajmfad32.exe
1908 | Acekjjmk.exe
340 | Amnocpdk.exe
1428 | Affdle32.exe
2868 | Aekqmbod.exe
972 | Agjmim32.exe
2100 | Aababceh.exe
2784 | Bnfblgca.exe
2076 | Bjmbqhif.exe
2160 | Bfccei32.exe
2744 | Blchcpko.exe
2544 | Bpqain32.exe
2528 | Chlfnp32.exe
2652 | Cbajkiof.exe
2904 | Cafgle32.exe
2376 | Cllkin32.exe
1272 | Chcloo32.exe
2692 | Cdjmcpnl.exe
1072 | Ddliip32.exe
2732 | Diibag32.exe
2472 | Dgmbkk32.exe
848 | Dljkcb32.exe
1936 | Dinklffl.exe
1724 | Daipqhdg.exe
2456 | Domqjm32.exe
2736 | Degiggjm.exe
1060 | Ekcaonhe.exe
1088 | Eeielfhk.exe
2284 | Elnqmd32.exe
2016 | Fjbafi32.exe
1684 | Flqmbd32.exe
2344 | Fcjeon32.exe
1820 | Fkejcq32.exe
1564 | Fcmben32.exe
2328 | Fhikme32.exe
876 | Foccjood.exe
2812 | Fdpkbf32.exe
608 | Fnipkkdl.exe
2748 | Findhdcb.exe
2592 | Gjpqpl32.exe
2832 | Geeemeif.exe
2556 | Gjbmelgm.exe
2384 | Ggfnopfg.exe
2372 | Gnpflj32.exe
1504 | Gcmoda32.exe
1100 | Gjfgqk32.exe
1636 | Gpcoib32.exe
Loads dropped DLL (64 IoCs)
Each process below was logged twice (32 processes, 2 events each).
pid | process
1500 | 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe
2680 | Nehomq32.exe
2540 | Nemhhpmp.exe
2500 | Ngneph32.exe
2128 | Ogqaehak.exe
2192 | Odebolpe.exe
2876 | Ocjophem.exe
1492 | Onocmadb.exe
1652 | Oghhfg32.exe
1692 | Ooclji32.exe
2600 | Oihqgbhd.exe
616 | Padeldeo.exe
2716 | Pnjfae32.exe
1200 | Pkofjijm.exe
1604 | Pqkobqhd.exe
3016 | Pakllc32.exe
2260 | Qfmafg32.exe
548 | Qoeeolig.exe
400 | Ajmfad32.exe
1908 | Acekjjmk.exe
340 | Amnocpdk.exe
1428 | Affdle32.exe
2868 | Aekqmbod.exe
972 | Agjmim32.exe
2100 | Aababceh.exe
2784 | Bnfblgca.exe
2076 | Bjmbqhif.exe
1608 | Bffpki32.exe
2744 | Blchcpko.exe
2544 | Bpqain32.exe
2528 | Chlfnp32.exe
2652 | Cbajkiof.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Cbpjfb32.dll | Gpcoib32.exe
File created | C:\Windows\SysWOW64\Bgblmk32.exe | Bbeded32.exe
File created | C:\Windows\SysWOW64\Dmdgpc32.dll | Bgblmk32.exe
File opened for modification | C:\Windows\SysWOW64\Hqiqjlga.exe | Hklhae32.exe
File created | C:\Windows\SysWOW64\Iijbfecp.dll | Jkpbdq32.exe
File created | C:\Windows\SysWOW64\Egmpofck.dll | Daaenlng.exe
File created | C:\Windows\SysWOW64\Nmogcf32.dll | Gaagcpdl.exe
File created | C:\Windows\SysWOW64\Ipdbellh.dll | Ieponofk.exe
File opened for modification | C:\Windows\SysWOW64\Ogqaehak.exe | Ngneph32.exe
File opened for modification | C:\Windows\SysWOW64\Cblfdg32.exe | Cicalakk.exe
File created | C:\Windows\SysWOW64\Eiapeffl.dll | Njjcip32.exe
File created | C:\Windows\SysWOW64\Jagkpl32.dll | Foolgh32.exe
File created | C:\Windows\SysWOW64\Ohdfqbio.exe | Obgnhkkh.exe
File created | C:\Windows\SysWOW64\Hloiib32.exe | Hbfepmmn.exe
File created | C:\Windows\SysWOW64\Pniqhlqh.dll | Pcghof32.exe
File opened for modification | C:\Windows\SysWOW64\Agolnbok.exe | Qnghel32.exe
File opened for modification | C:\Windows\SysWOW64\Aaimopli.exe | Ahpifj32.exe
File created | C:\Windows\SysWOW64\Bcjcme32.exe | Bieopm32.exe
File opened for modification | C:\Windows\SysWOW64\Clojhf32.exe | Caifjn32.exe
File opened for modification | C:\Windows\SysWOW64\Ipjahd32.exe | Ibfaopoi.exe
File created | C:\Windows\SysWOW64\Cgfkmgnj.exe | Cmpgpond.exe
File created | C:\Windows\SysWOW64\Dfkhndca.exe | Dcllbhdn.exe
File opened for modification | C:\Windows\SysWOW64\Jcciqi32.exe | Jcqlkjae.exe
File created | C:\Windows\SysWOW64\Ccnifd32.exe | Bnapnm32.exe
File created | C:\Windows\SysWOW64\Epbpbnan.exe | Eelkeeah.exe
File created | C:\Windows\SysWOW64\Fhbnbpjc.exe | Enlidg32.exe
File opened for modification | C:\Windows\SysWOW64\Napbjjom.exe | Nlcibc32.exe
File opened for modification | C:\Windows\SysWOW64\Abmgjo32.exe | Alqnah32.exe
File created | C:\Windows\SysWOW64\Cbdiia32.exe | Cpfmmf32.exe
File created | C:\Windows\SysWOW64\Hkolakkb.exe | Hfbcidmk.exe
File opened for modification | C:\Windows\SysWOW64\Lpcoeb32.exe | Lgkkmm32.exe
File opened for modification | C:\Windows\SysWOW64\Gonale32.exe | Ghdiokbq.exe
File created | C:\Windows\SysWOW64\Lpnopm32.exe | Leikbd32.exe
File created | C:\Windows\SysWOW64\Ggdcbi32.exe | Gagkjbaf.exe
File opened for modification | C:\Windows\SysWOW64\Iigpli32.exe | Ioakoq32.exe
File opened for modification | C:\Windows\SysWOW64\Miehak32.exe | Mpmcielb.exe
File created | C:\Windows\SysWOW64\Ieomef32.exe | Hpbdmo32.exe
File created | C:\Windows\SysWOW64\Jliaac32.exe | Jbqmhnbo.exe
File opened for modification | C:\Windows\SysWOW64\Ofcqcp32.exe | Omklkkpl.exe
File opened for modification | C:\Windows\SysWOW64\Opqoge32.exe | Oekjjl32.exe
File opened for modification | C:\Windows\SysWOW64\Bgoime32.exe | Bnfddp32.exe
File created | C:\Windows\SysWOW64\Qbnphngk.exe | Qhilkege.exe
File created | C:\Windows\SysWOW64\Cncmcm32.exe | Ccnifd32.exe
File created | C:\Windows\SysWOW64\Fkefbcmf.exe | Famaimfe.exe
File created | C:\Windows\SysWOW64\Fakdcnhh.exe | Flnlkgjq.exe
File created | C:\Windows\SysWOW64\Jmkmjoec.exe | Jcciqi32.exe
File created | C:\Windows\SysWOW64\Dhfcho32.dll | Cbiiog32.exe
File opened for modification | C:\Windows\SysWOW64\Fjhcegll.exe | Fcnkhmdp.exe
File created | C:\Windows\SysWOW64\Nhcmgmam.dll | Napbjjom.exe
File created | C:\Windows\SysWOW64\Gejgei32.dll | Djiqdb32.exe
File opened for modification | C:\Windows\SysWOW64\Ppmgfb32.exe | Plpopddd.exe
File created | C:\Windows\SysWOW64\Opilhdhd.dll | Plpopddd.exe
File created | C:\Windows\SysWOW64\Cmojeo32.dll | Ijcngenj.exe
File opened for modification | C:\Windows\SysWOW64\Bffbdadk.exe | Bmnnkl32.exe
File opened for modification | C:\Windows\SysWOW64\Mphiqbon.exe | Lgpdglhn.exe
File created | C:\Windows\SysWOW64\Bodgdaah.dll | Dinklffl.exe
File created | C:\Windows\SysWOW64\Llgjaeoj.exe | Lkgngb32.exe
File opened for modification | C:\Windows\SysWOW64\Ohncbdbd.exe | Njjcip32.exe
File created | C:\Windows\SysWOW64\Bffbdadk.exe | Bmnnkl32.exe
File opened for modification | C:\Windows\SysWOW64\Kcdlhj32.exe | Kilgoe32.exe
File created | C:\Windows\SysWOW64\Oppkgk32.dll | Qkielpdf.exe
File created | C:\Windows\SysWOW64\Egpfmb32.dll | Kpdjaecc.exe
File created | C:\Windows\SysWOW64\Dkppib32.dll | Ahpifj32.exe
File created | C:\Windows\SysWOW64\Dpjbgh32.exe | Deenjpcd.exe
Program crash (1 IoC)
pid | pid_target | process | target process
2504 | 2376 | WerFault.exe | Lepaccmo.exe
Modifies registry class (64 IoCs)
Key path abbreviated below: <InProcServer32> = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32. The report writes the key's default value as a trailing backslash (InProcServer32\ = ...); it is shown as (default) here. This is the CLSID named by the ShellServiceObjectDelayLoad value above, so the (default) DLL path is the file Explorer.exe loads at startup.
description | ioc | process
Key created | <InProcServer32> | Ajhddk32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Cafgle32.exe
Key created | <InProcServer32> | Aaimopli.exe
Key created | <InProcServer32> | Fpohakbp.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Jhndmp32.dll" | Iichjc32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Lpcfmngo.dll" | Nnnbni32.exe
Key created | <InProcServer32> | Mcjhmcok.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Cacldi32.dll" | Mobfgdcl.exe
Key created | <InProcServer32> | Hgkfal32.exe
Key created | <InProcServer32> | Ibkmchbh.exe
Key created | <InProcServer32> | Fakdcnhh.exe
Key created | <InProcServer32> | Lgpdglhn.exe
Key created | <InProcServer32> | Pblcbn32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Najpll32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Jaknfc32.dll" | Oiljam32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Aqbdkk32.exe
Key created | <InProcServer32> | Cgfkmgnj.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Llbncmgg.dll" | Kpafapbk.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Fijbco32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Efdmgc32.dll" | Gefmcp32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Ahcjenki.dll" | Ifdjeoep.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Pheocfji.dll" | Ohfqmi32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Cnfqccna.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Oapldp32.dll" | Dcllbhdn.exe
Key created | <InProcServer32> | Jfieigio.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Hloiib32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Fejhndnn.dll" | Bimoloog.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Clojhf32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Igbfkb32.dll" | Dfkhndca.exe
Key created | <InProcServer32> | Lpnopm32.exe
Key created | <InProcServer32> | Pkofjijm.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Aqgkdo32.dll" | Jlelhe32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Lbnaaeim.dll" | Jdcpkp32.exe
Key created | <InProcServer32> | Ncpdbohb.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Oonldcih.exe
Key created | <InProcServer32> | Hnheohcl.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Nappechk.dll" | Mjfnomde.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Pobakc32.dll" | Hkahgk32.exe
Key created | <InProcServer32> | Jndjmifj.exe
Key created | <InProcServer32> | Ebckmaec.exe
Key created | <InProcServer32> | 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Fnipkkdl.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Findhdcb.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Amaelomh.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Kmhflfhh.dll" | Kgnbnpkp.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Gamnel32.dll" | Mloiec32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Gkaobghp.dll" | Iediin32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Mjpkqonj.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Elkmmodo.exe
Key created | <InProcServer32> | Lohccp32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Dkolai32.dll" | Feggob32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Lpcoeb32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Ioakoq32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Egjfigdn.dll" | Fgldnkkf.exe
Key created | <InProcServer32> | Ggdcbi32.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Odifibfn.dll" | Fkefbcmf.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Bajqfq32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Hpphhp32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Mpebmc32.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Liipnb32.exe
Key created | <InProcServer32> | Eipgjaoi.exe
Key created | <InProcServer32> | Fkefbcmf.exe
Set value (str) | <InProcServer32>\(default) = "C:\\Windows\\SysWow64\\Hnbbcale.dll" | Giolnomh.exe
Set value (str) | <InProcServer32>\ThreadingModel = "Apartment" | Odebolpe.exe
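The "Adds autorun key" table and the "Modifies registry class" table are two halves of one persistence mechanism: the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value names a DLL under C:\Windows\SysWow64 that Explorer.exe loads in-process at startup. The eight-letter process and DLL names change from run to run, so the durable indicators are the SSODL value name, the CLSID and the resolved DLL paths, not the process names. The Python below is an added example, not code from the report, the sandbox or the sample: it parses IoC rows in the report's own row format (the embedded rows are copied from the two tables above), resolves SSODL value -> CLSID -> DLL, and flags any CLSID absent from an assumed clean baseline. The single WebCheck entry in KNOWN_GOOD_SSODL is that assumption; derive the real allowlist from a reference image, and on 64-bit hosts check the native HKLM\SOFTWARE\...\ShellServiceObjectDelayLoad view as well as the Wow6432Node view logged here.

```python
import re
from collections import defaultdict

# Constructed sample: IoC rows copied from the report's "Adds autorun key" and
# "Modifies registry class" tables (a subset of the 64 rows in each).
SAMPLE_IOCS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehomq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pakllc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcoib32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhddk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cafgle32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhndmp32.dll" Iichjc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcfmngo.dll" Nnnbni32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacldi32.dll" Mobfgdcl.exe
"""

# Row grammar as the report prints it: "Set value (<type>) <key> = "<value>" <process>"
SET_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<key>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\S+) (?P<proc>\S+)$')
# A trailing backslash after InProcServer32 means the key's default value.
CLSID_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\(?P<name>.*)$')
SSODL_MARK = "\\shellserviceobjectdelayload\\"

# Assumed baseline of SSODL CLSIDs expected on a clean Windows 7 image
# (WebCheck). Build the real allowlist from your own reference host.
KNOWN_GOOD_SSODL = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}


def parse_ioc_lines(text):
    """Yield (kind, key, value, proc); kind is 'key' for 'Key created' rows."""
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            # The report prints REG_SZ paths with escaped backslashes.
            yield m["kind"], m["key"], m["value"].replace("\\\\", "\\"), m["proc"]
            continue
        m = KEY_RE.match(line)
        if m:
            yield "key", m["key"], None, m["proc"]


def correlate(text):
    """Return (ssodl_entries, clsid_dlls, clsid_threading) built from the rows."""
    ssodl = {}                      # value name -> {"clsid": str, "procs": set}
    clsid_dlls = defaultdict(set)   # CLSID -> DLL paths written to InProcServer32
    clsid_threading = {}
    for kind, key, value, proc in parse_ioc_lines(text):
        if kind == "key":
            continue
        if SSODL_MARK in key.lower():
            name = key.rsplit("\\", 1)[1]
            entry = ssodl.setdefault(name, {"clsid": None, "procs": set()})
            entry["clsid"] = value.upper()
            entry["procs"].add(proc)
            continue
        m = CLSID_RE.search(key)
        if m:
            clsid = m["clsid"].upper()
            if m["name"] == "":                       # default value = server DLL
                clsid_dlls[clsid].add(value)
            elif m["name"].lower() == "threadingmodel":
                clsid_threading[clsid] = value
    return ssodl, clsid_dlls, clsid_threading


def persistence_chain(text):
    """Resolve every SSODL value to the DLL(s) Explorer would load for its CLSID."""
    ssodl, clsid_dlls, _ = correlate(text)
    chain = []
    for name, entry in ssodl.items():
        dlls = clsid_dlls.get(entry["clsid"]) or {"<InProcServer32 default not set>"}
        for dll in sorted(dlls):
            chain.append((name, entry["clsid"], dll))
    return chain


def suspicious_entries(text):
    """SSODL entries whose CLSID is not in the assumed clean baseline."""
    return [c for c in persistence_chain(text) if c[1] not in KNOWN_GOOD_SSODL]


if __name__ == "__main__":
    for name, clsid, dll in suspicious_entries(SAMPLE_IOCS):
        print(f"SSODL '{name}' -> {clsid} -> {dll}")
```

On the sample rows this resolves the one SSODL value to three DLL paths, because successive generations of the chain overwrite the InProcServer32 default with their own freshly dropped DLL; on a live host only the last write survives, so the file to collect is whichever path the key currently holds.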
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair below was logged four times (16 pairs, 4 events each).
pid process -> target pid target process
1500 2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe -> 2680 Nehomq32.exe (4 events)
2680 Nehomq32.exe -> 2540 Nemhhpmp.exe (4 events)
2540 Nemhhpmp.exe -> 2500 Ngneph32.exe (4 events)
2500 Ngneph32.exe -> 2128 Ogqaehak.exe (4 events)
2128 Ogqaehak.exe -> 2192 Odebolpe.exe (4 events)
2192 Odebolpe.exe -> 2876 Ocjophem.exe (4 events)
2876 Ocjophem.exe -> 1492 Onocmadb.exe (4 events)
1492 Onocmadb.exe -> 1652 Oghhfg32.exe (4 events)
1652 Oghhfg32.exe -> 1692 Ooclji32.exe (4 events)
1692 Ooclji32.exe -> 2600 Oihqgbhd.exe (4 events)
2600 Oihqgbhd.exe -> 616 Padeldeo.exe (4 events)
616 Padeldeo.exe -> 2716 Pnjfae32.exe (4 events)
2716 Pnjfae32.exe -> 1200 Pkofjijm.exe (4 events)
1200 Pkofjijm.exe -> 1604 Pqkobqhd.exe (4 events)
1604 Pqkobqhd.exe -> 3016 Pakllc32.exe (4 events)
3016 Pakllc32.exe -> 2260 Qfmafg32.exe (4 events)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe (PID 1500), command line: "C:\Users\Admin\AppData\Local\Temp\2c1546414eefe1087cf5fb7970197dd0_NeikiAnalytics.exe"
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Nehomq32.exe (PID 2680), command line: C:\Windows\system32\Nehomq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Nemhhpmp.exe (PID 2540), command line: C:\Windows\system32\Nemhhpmp.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ngneph32.exe (PID 2500), command line: C:\Windows\system32\Ngneph32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ogqaehak.exe (PID 2128), command line: C:\Windows\system32\Ogqaehak.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Odebolpe.exe (PID 2192), command line: C:\Windows\system32\Odebolpe.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ocjophem.exe (PID 2876), command line: C:\Windows\system32\Ocjophem.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Onocmadb.exe (PID 1492), command line: C:\Windows\system32\Onocmadb.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Oghhfg32.exe (PID 1652), command line: C:\Windows\system32\Oghhfg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ooclji32.exe (PID 1692), command line: C:\Windows\system32\Ooclji32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Oihqgbhd.exe (PID 2600), command line: C:\Windows\system32\Oihqgbhd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Padeldeo.exe (PID 616), command line: C:\Windows\system32\Padeldeo.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pnjfae32.exe (PID 2716), command line: C:\Windows\system32\Pnjfae32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Pkofjijm.exe (PID 1200), command line: C:\Windows\system32\Pkofjijm.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pqkobqhd.exe (PID 1604), command line: C:\Windows\system32\Pqkobqhd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pakllc32.exe (PID 3016), command line: C:\Windows\system32\Pakllc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Qfmafg32.exe (PID 2260), command line: C:\Windows\system32\Qfmafg32.exe
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Qoeeolig.exe (PID 548), command line: C:\Windows\system32\Qoeeolig.exe
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Ajmfad32.exe (PID 400), command line: C:\Windows\system32\Ajmfad32.exe
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Acekjjmk.exe (PID 1908), command line: C:\Windows\system32\Acekjjmk.exe
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Amnocpdk.exe (PID 340), command line: C:\Windows\system32\Amnocpdk.exe
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Affdle32.exe (PID 1428), command line: C:\Windows\system32\Affdle32.exe
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Aekqmbod.exe (PID 2868), command line: C:\Windows\system32\Aekqmbod.exe
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Agjmim32.exe (PID 972), command line: C:\Windows\system32\Agjmim32.exe
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Aababceh.exe (PID 2100), command line: C:\Windows\system32\Aababceh.exe
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Bnfblgca.exe (PID 2784), command line: C:\Windows\system32\Bnfblgca.exe
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Bjmbqhif.exe (PID 2076), command line: C:\Windows\system32\Bjmbqhif.exe
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Bfccei32.exe (PID 2160), command line: C:\Windows\system32\Bfccei32.exe
- Executes dropped EXE
29. C:\Windows\SysWOW64\Bffpki32.exe (PID 1608), command line: C:\Windows\system32\Bffpki32.exe
- Loads dropped DLL
30. C:\Windows\SysWOW64\Blchcpko.exe (PID 2744), command line: C:\Windows\system32\Blchcpko.exe
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Bpqain32.exe (PID 2544), command line: C:\Windows\system32\Bpqain32.exe
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Chlfnp32.exe (PID 2528), command line: C:\Windows\system32\Chlfnp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Cbajkiof.exe (PID 2652), command line: C:\Windows\system32\Cbajkiof.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
34. C:\Windows\SysWOW64\Cafgle32.exe (PID 2904), command line: C:\Windows\system32\Cafgle32.exe
- Executes dropped EXE
- Modifies registry class
35. C:\Windows\SysWOW64\Cllkin32.exe (PID 2376), command line: C:\Windows\system32\Cllkin32.exe
- Executes dropped EXE
36. C:\Windows\SysWOW64\Chcloo32.exe (PID 1272), command line: C:\Windows\system32\Chcloo32.exe
- Executes dropped EXE
37. C:\Windows\SysWOW64\Cdjmcpnl.exe (PID 2692), command line: C:\Windows\system32\Cdjmcpnl.exe
- Executes dropped EXE
38. C:\Windows\SysWOW64\Ddliip32.exe (PID 1072), command line: C:\Windows\system32\Ddliip32.exe
- Executes dropped EXE
39. C:\Windows\SysWOW64\Diibag32.exe (PID 2732), command line: C:\Windows\system32\Diibag32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
40. C:\Windows\SysWOW64\Dgmbkk32.exe (PID 2472), command line: C:\Windows\system32\Dgmbkk32.exe
- Executes dropped EXE
41. C:\Windows\SysWOW64\Dljkcb32.exe (PID 848), command line: C:\Windows\system32\Dljkcb32.exe
- Executes dropped EXE
42. C:\Windows\SysWOW64\Dinklffl.exe (PID 1936), command line: C:\Windows\system32\Dinklffl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
43. C:\Windows\SysWOW64\Daipqhdg.exe (PID 1724), command line: C:\Windows\system32\Daipqhdg.exe
- Executes dropped EXE
44. C:\Windows\SysWOW64\Domqjm32.exe (PID 2456), command line: C:\Windows\system32\Domqjm32.exe
- Executes dropped EXE
45. C:\Windows\SysWOW64\Degiggjm.exe (PID 2736), command line: C:\Windows\system32\Degiggjm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
46. C:\Windows\SysWOW64\Ekcaonhe.exe (PID 1060), command line: C:\Windows\system32\Ekcaonhe.exe
- Executes dropped EXE
47. C:\Windows\SysWOW64\Eeielfhk.exe (PID 1088), command line: C:\Windows\system32\Eeielfhk.exe
- Executes dropped EXE
48. C:\Windows\SysWOW64\Elnqmd32.exe (PID 2284), command line: C:\Windows\system32\Elnqmd32.exe
- Executes dropped EXE
49. C:\Windows\SysWOW64\Fjbafi32.exe (PID 2016), command line: C:\Windows\system32\Fjbafi32.exe
- Executes dropped EXE
50. C:\Windows\SysWOW64\Flqmbd32.exe (PID 1684), command line: C:\Windows\system32\Flqmbd32.exe
- Executes dropped EXE
51. C:\Windows\SysWOW64\Fcjeon32.exe (PID 2344), command line: C:\Windows\system32\Fcjeon32.exe
- Executes dropped EXE
52. C:\Windows\SysWOW64\Fkejcq32.exe (PID 1820), command line: C:\Windows\system32\Fkejcq32.exe
- Executes dropped EXE
53. C:\Windows\SysWOW64\Fcmben32.exe (PID 1564), command line: C:\Windows\system32\Fcmben32.exe
- Executes dropped EXE
54. C:\Windows\SysWOW64\Fhikme32.exe (PID 2328), command line: C:\Windows\system32\Fhikme32.exe
- Executes dropped EXE
55. C:\Windows\SysWOW64\Foccjood.exe (PID 876), command line: C:\Windows\system32\Foccjood.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
56. C:\Windows\SysWOW64\Fdpkbf32.exe (PID 2812), command line: C:\Windows\system32\Fdpkbf32.exe
- Executes dropped EXE
57. C:\Windows\SysWOW64\Fnipkkdl.exe (PID 608), command line: C:\Windows\system32\Fnipkkdl.exe
- Executes dropped EXE
- Modifies registry class
58. C:\Windows\SysWOW64\Findhdcb.exe (PID 2748), command line: C:\Windows\system32\Findhdcb.exe
- Executes dropped EXE
- Modifies registry class
59. C:\Windows\SysWOW64\Gjpqpl32.exe (PID 2592), command line: C:\Windows\system32\Gjpqpl32.exe
- Executes dropped EXE
60. C:\Windows\SysWOW64\Geeemeif.exe (PID 2832), command line: C:\Windows\system32\Geeemeif.exe
- Executes dropped EXE
61. C:\Windows\SysWOW64\Gjbmelgm.exe (PID 2556), command line: C:\Windows\system32\Gjbmelgm.exe
- Executes dropped EXE
62. C:\Windows\SysWOW64\Ggfnopfg.exe (PID 2384), command line: C:\Windows\system32\Ggfnopfg.exe
- Executes dropped EXE
63. C:\Windows\SysWOW64\Gnpflj32.exe (PID 2372), command line: C:\Windows\system32\Gnpflj32.exe
- Executes dropped EXE
64. C:\Windows\SysWOW64\Gcmoda32.exe (PID 1504), command line: C:\Windows\system32\Gcmoda32.exe
- Executes dropped EXE
65. C:\Windows\SysWOW64\Gjfgqk32.exe (PID 1100), command line: C:\Windows\system32\Gjfgqk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
66. C:\Windows\SysWOW64\Gpcoib32.exe (PID 1636), command line: C:\Windows\system32\Gpcoib32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
67. C:\Windows\SysWOW64\Gfmgelil.exe (PID 1696), command line: C:\Windows\system32\Gfmgelil.exe
- Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Gljpncgc.exe (PID 824), command line: C:\Windows\system32\Gljpncgc.exe
69. C:\Windows\SysWOW64\Gbdhjm32.exe (PID 292), command line: C:\Windows\system32\Gbdhjm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Hmjlhfof.exe (PID 1068), command line: C:\Windows\system32\Hmjlhfof.exe
71. C:\Windows\SysWOW64\Hbfepmmn.exe (PID 792), command line: C:\Windows\system32\Hbfepmmn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
72. C:\Windows\SysWOW64\Hloiib32.exe (PID 2060), command line: C:\Windows\system32\Hloiib32.exe
- Modifies registry class
73. C:\Windows\SysWOW64\Hegnahjo.exe (PID 1620), command line: C:\Windows\system32\Hegnahjo.exe
74. C:\Windows\SysWOW64\Hnpbjnpo.exe (PID 980), command line: C:\Windows\system32\Hnpbjnpo.exe
75. C:\Windows\SysWOW64\Heikgh32.exe (PID 320), command line: C:\Windows\system32\Heikgh32.exe
76. C:\Windows\SysWOW64\Hjfcpo32.exe (PID 2252), command line: C:\Windows\system32\Hjfcpo32.exe
77. C:\Windows\SysWOW64\Hdoghdmd.exe (PID 2492), command line: C:\Windows\system32\Hdoghdmd.exe
78. C:\Windows\SysWOW64\Hndlem32.exe (PID 3048), command line: C:\Windows\system32\Hndlem32.exe
79. C:\Windows\SysWOW64\Ipehmebh.exe (PID 2888), command line: C:\Windows\system32\Ipehmebh.exe
80. C:\Windows\SysWOW64\Imiigiab.exe (PID 1484), command line: C:\Windows\system32\Imiigiab.exe
81. C:\Windows\SysWOW64\Ibfaopoi.exe (PID 2872), command line: C:\Windows\system32\Ibfaopoi.exe
- Drops file in System32 directory
82. C:\Windows\SysWOW64\Ipjahd32.exe (PID 2432), command line: C:\Windows\system32\Ipjahd32.exe
83. C:\Windows\SysWOW64\Ifdjeoep.exe (PID 576), command line: C:\Windows\system32\Ifdjeoep.exe
- Modifies registry class
84. C:\Windows\SysWOW64\Ibkkjp32.exe (PID 572), command line: C:\Windows\system32\Ibkkjp32.exe
85. C:\Windows\SysWOW64\Ioakoq32.exe (PID 1476), command line: C:\Windows\system32\Ioakoq32.exe
- Drops file in System32 directory
- Modifies registry class
86. C:\Windows\SysWOW64\Iigpli32.exe (PID 2632), command line: C:\Windows\system32\Iigpli32.exe
87. C:\Windows\SysWOW64\Jlelhe32.exe (PID 1588), command line: C:\Windows\system32\Jlelhe32.exe
- Modifies registry class
88. C:\Windows\SysWOW64\Jdaqmg32.exe (PID 528), command line: C:\Windows\system32\Jdaqmg32.exe
89. C:\Windows\SysWOW64\Jniefm32.exe (PID 800), command line: C:\Windows\system32\Jniefm32.exe
90. C:\Windows\SysWOW64\Jhoice32.exe (PID 1784), command line: C:\Windows\system32\Jhoice32.exe
91. C:\Windows\SysWOW64\Jpjngh32.exe (PID 2268), command line: C:\Windows\system32\Jpjngh32.exe
92. C:\Windows\SysWOW64\Jkpbdq32.exe (PID 1624), command line: C:\Windows\system32\Jkpbdq32.exe
- Drops file in System32 directory
93. C:\Windows\SysWOW64\Jplkmgol.exe (PID 2080), command line: C:\Windows\system32\Jplkmgol.exe
94. C:\Windows\SysWOW64\Jnpkflne.exe (PID 1760), command line: C:\Windows\system32\Jnpkflne.exe
95. C:\Windows\SysWOW64\Kghpoa32.exe (PID 1412), command line: C:\Windows\system32\Kghpoa32.exe
96. C:\Windows\SysWOW64\Kcopdb32.exe (PID 1396), command line: C:\Windows\system32\Kcopdb32.exe
97. C:\Windows\SysWOW64\Kjihalag.exe (PID 2676), command line: C:\Windows\system32\Kjihalag.exe
98. C:\Windows\SysWOW64\Kofaicon.exe (PID 2944), command line: C:\Windows\system32\Kofaicon.exe
99. C:\Windows\SysWOW64\Kjleflod.exe (PID 2648), command line: C:\Windows\system32\Kjleflod.exe
100. C:\Windows\SysWOW64\Kbgjkn32.exe (PID 1592), command line: C:\Windows\system32\Kbgjkn32.exe
101. C:\Windows\SysWOW64\Kllnhg32.exe (PID 2292), command line: C:\Windows\system32\Kllnhg32.exe
102. C:\Windows\SysWOW64\Kdhcli32.exe (PID 2392), command line: C:\Windows\system32\Kdhcli32.exe
103. C:\Windows\SysWOW64\Lblcfnhj.exe (PID 3052), command line: C:\Windows\system32\Lblcfnhj.exe
104. C:\Windows\SysWOW64\Lghlndfa.exe (PID 772), command line: C:\Windows\system32\Lghlndfa.exe
105. C:\Windows\SysWOW64\Ldllgiek.exe (PID 2280), command line: C:\Windows\system32\Ldllgiek.exe
106. C:\Windows\SysWOW64\Ljieppcb.exe (PID 912), command line: C:\Windows\system32\Ljieppcb.exe
107. C:\Windows\SysWOW64\Lcaiiejc.exe (PID 2924), command line: C:\Windows\system32\Lcaiiejc.exe
108. C:\Windows\SysWOW64\Lngnfnji.exe (PID 2928), command line: C:\Windows\system32\Lngnfnji.exe
- Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Lfbbjpgd.exe (PID 1052), command line: C:\Windows\system32\Lfbbjpgd.exe
110. C:\Windows\SysWOW64\Lmljgj32.exe (PID 2808), command line: C:\Windows\system32\Lmljgj32.exe
111. C:\Windows\SysWOW64\Mjpkqonj.exe (PID 2104), command line: C:\Windows\system32\Mjpkqonj.exe
- Modifies registry class
112. C:\Windows\SysWOW64\Mpmcielb.exe (PID 1224), command line: C:\Windows\system32\Mpmcielb.exe
- Drops file in System32 directory
113. C:\Windows\SysWOW64\Miehak32.exe (PID 2264), command line: C:\Windows\system32\Miehak32.exe
114. C:\Windows\SysWOW64\Mpopnejo.exe (PID 2672), command line: C:\Windows\system32\Mpopnejo.exe
115. C:\Windows\SysWOW64\Mihdgkpp.exe (PID 2644), command line: C:\Windows\system32\Mihdgkpp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Mpamde32.exe (PID 556), command line: C:\Windows\system32\Mpamde32.exe
117. C:\Windows\SysWOW64\Mgmahg32.exe (PID 844), command line: C:\Windows\system32\Mgmahg32.exe
118. C:\Windows\SysWOW64\Mbbfep32.exe (PID 1116), command line: C:\Windows\system32\Mbbfep32.exe
119. C:\Windows\SysWOW64\Mlkjne32.exe (PID 2484), command line: C:\Windows\system32\Mlkjne32.exe
120. C:\Windows\SysWOW64\Nagbgl32.exe (PID 2572), command line: C:\Windows\system32\Nagbgl32.exe
121. C:\Windows\SysWOW64\Najpll32.exe (PID 2704), command line: C:\Windows\system32\Najpll32.exe
- Modifies registry class
122. C:\Windows\SysWOW64\Nenakoho.exe (PID 2720), command line: C:\Windows\system32\Nenakoho.exe
123. C:\Windows\SysWOW64\Oiljam32.exe (PID 1964), command line: C:\Windows\system32\Oiljam32.exe
- Modifies registry class
124. C:\Windows\SysWOW64\Okpcoe32.exe (PID 1180), command line: C:\Windows\system32\Okpcoe32.exe
125. C:\Windows\SysWOW64\Oonldcih.exe (PID 1900), command line: C:\Windows\system32\Oonldcih.exe
- Modifies registry class
126. C:\Windows\SysWOW64\Ohfqmi32.exe (PID 2972), command line: C:\Windows\system32\Ohfqmi32.exe
- Modifies registry class
127. C:\Windows\SysWOW64\Opaebkmc.exe (PID 2164), command line: C:\Windows\system32\Opaebkmc.exe
128. C:\Windows\SysWOW64\Ohhmcinf.exe (PID 1344), command line: C:\Windows\system32\Ohhmcinf.exe
129. C:\Windows\SysWOW64\Pdonhj32.exe (PID 944), command line: C:\Windows\system32\Pdonhj32.exe
130. C:\Windows\SysWOW64\Pkifdd32.exe (PID 2828), command line: C:\Windows\system32\Pkifdd32.exe
131. C:\Windows\SysWOW64\Pcdkif32.exe (PID 880), command line: C:\Windows\system32\Pcdkif32.exe
132. C:\Windows\SysWOW64\Plmpblnb.exe (PID 2596), command line: C:\Windows\system32\Plmpblnb.exe
133. C:\Windows\SysWOW64\Pcghof32.exe (PID 2400), command line: C:\Windows\system32\Pcghof32.exe
- Drops file in System32 directory
134. C:\Windows\SysWOW64\Phcpgm32.exe (PID 1172), command line: C:\Windows\system32\Phcpgm32.exe
135. C:\Windows\SysWOW64\Palepb32.exe (PID 2320), command line: C:\Windows\system32\Palepb32.exe
136. C:\Windows\SysWOW64\Popeif32.exe (PID 2236), command line: C:\Windows\system32\Popeif32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
137. C:\Windows\SysWOW64\Qkffng32.exe (PID 596), command line: C:\Windows\system32\Qkffng32.exe
138. C:\Windows\SysWOW64\Qdojgmfe.exe (PID 2996), command line: C:\Windows\system32\Qdojgmfe.exe
139. C:\Windows\SysWOW64\Qngopb32.exe (PID 1376), command line: C:\Windows\system32\Qngopb32.exe
140. C:\Windows\SysWOW64\Qqfkln32.exe (PID 1824), command line: C:\Windows\system32\Qqfkln32.exe
141. C:\Windows\SysWOW64\Anjlebjc.exe (PID 2884), command line: C:\Windows\system32\Anjlebjc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
142. C:\Windows\SysWOW64\Agbpnh32.exe (PID 1160), command line: C:\Windows\system32\Agbpnh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
143. C:\Windows\SysWOW64\Aqjdgmgd.exe (PID 2248), command line: C:\Windows\system32\Aqjdgmgd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
144. C:\Windows\SysWOW64\Agdmdg32.exe (PID 2488), command line: C:\Windows\system32\Agdmdg32.exe
145. C:\Windows\SysWOW64\Amaelomh.exe (PID 2516), command line: C:\Windows\system32\Amaelomh.exe
- Modifies registry class
146. C:\Windows\SysWOW64\Aggiigmn.exe (PID 904), command line: C:\Windows\system32\Aggiigmn.exe
147. C:\Windows\SysWOW64\Aqonbm32.exe (PID 2428), command line: C:\Windows\system32\Aqonbm32.exe
148. C:\Windows\SysWOW64\Acnjnh32.exe (PID 2448), command line: C:\Windows\system32\Acnjnh32.exe
149. C:\Windows\SysWOW64\Amfognic.exe (PID 2148), command line: C:\Windows\system32\Amfognic.exe
150. C:\Windows\SysWOW64\Bbbgod32.exe (PID 1016), command line: C:\Windows\system32\Bbbgod32.exe
151. C:\Windows\SysWOW64\Bimoloog.exe (PID 2964), command line: C:\Windows\system32\Bimoloog.exe
- Modifies registry class
152. C:\Windows\SysWOW64\Bbeded32.exe (PID 1096), command line: C:\Windows\system32\Bbeded32.exe
- Drops file in System32 directory
153. C:\Windows\SysWOW64\Bgblmk32.exe (PID 700), command line: C:\Windows\system32\Bgblmk32.exe
- Drops file in System32 directory
154. C:\Windows\SysWOW64\Bajqfq32.exe (PID 780), command line: C:\Windows\system32\Bajqfq32.exe
- Modifies registry class
155. C:\Windows\SysWOW64\Bgdibkam.exe (PID 1020), command line: C:\Windows\system32\Bgdibkam.exe
156. C:\Windows\SysWOW64\Bammlq32.exe (PID 3040), command line: C:\Windows\system32\Bammlq32.exe
157. C:\Windows\SysWOW64\Baojapfj.exe (PID 3012), command line: C:\Windows\system32\Baojapfj.exe
158. C:\Windows\SysWOW64\Caaggpdh.exe (PID 2444), command line: C:\Windows\system32\Caaggpdh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
159. C:\Windows\SysWOW64\Cmhglq32.exe (PID 1524), command line: C:\Windows\system32\Cmhglq32.exe
160. C:\Windows\SysWOW64\Cpfdhl32.exe (PID 2188), command line: C:\Windows\system32\Cpfdhl32.exe
161. C:\Windows\SysWOW64\Cfcijf32.exe (PID 1540), command line: C:\Windows\system32\Cfcijf32.exe
162. C:\Windows\SysWOW64\Cmmagpef.exe (PID 1768), command line: C:\Windows\system32\Cmmagpef.exe
163. C:\Windows\SysWOW64\Cbiiog32.exe (PID 976), command line: C:\Windows\system32\Cbiiog32.exe
- Drops file in System32 directory
164. C:\Windows\SysWOW64\Cicalakk.exe (PID 2036), command line: C:\Windows\system32\Cicalakk.exe
- Drops file in System32 directory
165. C:\Windows\SysWOW64\Cblfdg32.exe (PID 1916), command line: C:\Windows\system32\Cblfdg32.exe
166. C:\Windows\SysWOW64\Demofaol.exe (PID 1548), command line: C:\Windows\system32\Demofaol.exe
167. C:\Windows\SysWOW64\Dacpkc32.exe (PID 2780), command line: C:\Windows\system32\Dacpkc32.exe
168. C:\Windows\SysWOW64\Dfphcj32.exe (PID 756), command line: C:\Windows\system32\Dfphcj32.exe
169. C:\Windows\SysWOW64\Dphmloih.exe (PID 568), command line: C:\Windows\system32\Dphmloih.exe
170. C:\Windows\SysWOW64\Dgbeiiqe.exe (PID 2820), command line: C:\Windows\system32\Dgbeiiqe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
171. C:\Windows\SysWOW64\Dmmmfc32.exe (PID 2304), command line: C:\Windows\system32\Dmmmfc32.exe
172. C:\Windows\SysWOW64\Dbifnj32.exe (PID 1080), command line: C:\Windows\system32\Dbifnj32.exe
173. C:\Windows\SysWOW64\Epmfgo32.exe (PID 2636), command line: C:\Windows\system32\Epmfgo32.exe
174. C:\Windows\SysWOW64\Eiekpd32.exe (PID 636), command line: C:\Windows\system32\Eiekpd32.exe
175. C:\Windows\SysWOW64\Eelkeeah.exe (PID 2156), command line: C:\Windows\system32\Eelkeeah.exe
- Drops file in System32 directory
176. C:\Windows\SysWOW64\Epbpbnan.exe (PID 760), command line: C:\Windows\system32\Epbpbnan.exe
177. C:\Windows\SysWOW64\Elipgofb.exe (PID 2856), command line: C:\Windows\system32\Elipgofb.exe
178. C:\Windows\SysWOW64\Eeaepd32.exe (PID 2120), command line: C:\Windows\system32\Eeaepd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
179. C:\Windows\SysWOW64\Elkmmodo.exe (PID 2760), command line: C:\Windows\system32\Elkmmodo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
180. C:\Windows\SysWOW64\Enlidg32.exe (PID 1656), command line: C:\Windows\system32\Enlidg32.exe
- Drops file in System32 directory
181. C:\Windows\SysWOW64\Fhbnbpjc.exe (PID 1320), command line: C:\Windows\system32\Fhbnbpjc.exe
182. C:\Windows\SysWOW64\Fajbke32.exe (PID 1212), command line: C:\Windows\system32\Fajbke32.exe
183. C:\Windows\SysWOW64\Fkbgckgd.exe (PID 2408), command line: C:\Windows\system32\Fkbgckgd.exe
184. C:\Windows\SysWOW64\Fnacpffh.exe (PID 1688), command line: C:\Windows\system32\Fnacpffh.exe
185. C:\Windows\SysWOW64\Fcnkhmdp.exe (PID 2816), command line: C:\Windows\system32\Fcnkhmdp.exe
- Drops file in System32 directory
186. C:\Windows\SysWOW64\Fjhcegll.exe (PID 1792), command line: C:\Windows\system32\Fjhcegll.exe
187. C:\Windows\SysWOW64\Fgldnkkf.exe (PID 2804), command line: C:\Windows\system32\Fgldnkkf.exe
- Modifies registry class
188. C:\Windows\SysWOW64\Flhmfbim.exe (PID 1352), command line: C:\Windows\system32\Flhmfbim.exe
189. C:\Windows\SysWOW64\Fgnadkic.exe (PID 2852), command line: C:\Windows\system32\Fgnadkic.exe
190. C:\Windows\SysWOW64\Fqfemqod.exe (PID 2628), command line: C:\Windows\system32\Fqfemqod.exe
191. C:\Windows\SysWOW64\Ghajacmo.exe (PID 2512), command line: C:\Windows\system32\Ghajacmo.exe
192. C:\Windows\SysWOW64\Gbadjg32.exe (PID 1380), command line: C:\Windows\system32\Gbadjg32.exe
193. C:\Windows\SysWOW64\Ggnmbn32.exe (PID 2656), command line: C:\Windows\system32\Ggnmbn32.exe
194. C:\Windows\SysWOW64\Hnheohcl.exe (PID 2224), command line: C:\Windows\system32\Hnheohcl.exe
- Modifies registry class
195. C:\Windows\SysWOW64\Hcdnhoac.exe (PID 392), command line: C:\Windows\system32\Hcdnhoac.exe
196. C:\Windows\SysWOW64\Hfcjdkpg.exe (PID 2588), command line: C:\Windows\system32\Hfcjdkpg.exe
197. C:\Windows\SysWOW64\Hcgjmo32.exe (PID 2200), command line: C:\Windows\system32\Hcgjmo32.exe
198. C:\Windows\SysWOW64\Hjacjifm.exe (PID 1092), command line: C:\Windows\system32\Hjacjifm.exe
199. C:\Windows\SysWOW64\Hfhcoj32.exe (PID 2476), command line: C:\Windows\system32\Hfhcoj32.exe
200. C:\Windows\SysWOW64\Hpphhp32.exe (PID 2256), command line: C:\Windows\system32\Hpphhp32.exe
- Modifies registry class
201. C:\Windows\SysWOW64\Hpbdmo32.exe (PID 3068), command line: C:\Windows\system32\Hpbdmo32.exe
- Drops file in System32 directory
202. C:\Windows\SysWOW64\Ieomef32.exe (PID 3080), command line: C:\Windows\system32\Ieomef32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
203. C:\Windows\SysWOW64\Inhanl32.exe (PID 3120), command line: C:\Windows\system32\Inhanl32.exe
204. C:\Windows\SysWOW64\Ieajkfmd.exe (PID 3160), command line: C:\Windows\system32\Ieajkfmd.exe
205. C:\Windows\SysWOW64\Ibejdjln.exe (PID 3200), command line: C:\Windows\system32\Ibejdjln.exe
206. C:\Windows\SysWOW64\Ihbcmaje.exe (PID 3240), command line: C:\Windows\system32\Ihbcmaje.exe
207. C:\Windows\SysWOW64\Ifgpnmom.exe (PID 3280), command line: C:\Windows\system32\Ifgpnmom.exe
- Adds autorun key to be loaded by Explorer.exe on startup
208. C:\Windows\SysWOW64\Iamdkfnc.exe (PID 3320), command line: C:\Windows\system32\Iamdkfnc.exe
209. C:\Windows\SysWOW64\Jmdepg32.exe (PID 3360), command line: C:\Windows\system32\Jmdepg32.exe
210. C:\Windows\SysWOW64\Jbqmhnbo.exe (PID 3400), command line: C:\Windows\system32\Jbqmhnbo.exe
- Drops file in System32 directory
211. C:\Windows\SysWOW64\Jliaac32.exe (PID 3440), command line: C:\Windows\system32\Jliaac32.exe
212. C:\Windows\SysWOW64\Jeafjiop.exe (PID 3480), command line: C:\Windows\system32\Jeafjiop.exe
213. C:\Windows\SysWOW64\Jpgjgboe.exe (PID 3520), command line: C:\Windows\system32\Jpgjgboe.exe
214. C:\Windows\SysWOW64\Jedcpi32.exe (PID 3560), command line: C:\Windows\system32\Jedcpi32.exe
215. C:\Windows\SysWOW64\Jolghndm.exe (PID 3600), command line: C:\Windows\system32\Jolghndm.exe
216. C:\Windows\SysWOW64\Jajcdjca.exe (PID 3640), command line: C:\Windows\system32\Jajcdjca.exe
217. C:\Windows\SysWOW64\Jbjpom32.exe (PID 3684), command line: C:\Windows\system32\Jbjpom32.exe
218. C:\Windows\SysWOW64\Klbdgb32.exe (PID 3724), command line: C:\Windows\system32\Klbdgb32.exe
219. C:\Windows\SysWOW64\Kekiphge.exe (PID 3764), command line: C:\Windows\system32\Kekiphge.exe
220. C:\Windows\SysWOW64\Khielcfh.exe (PID 3804), command line: C:\Windows\system32\Khielcfh.exe
221. C:\Windows\SysWOW64\Kpdjaecc.exe (PID 3844), command line: C:\Windows\system32\Kpdjaecc.exe
- Drops file in System32 directory
222. C:\Windows\SysWOW64\Kgnbnpkp.exe (PID 3884), command line: C:\Windows\system32\Kgnbnpkp.exe
- Modifies registry class
223. C:\Windows\SysWOW64\Kadfkhkf.exe (PID 3924), command line: C:\Windows\system32\Kadfkhkf.exe
224. C:\Windows\SysWOW64\Kjokokha.exe (PID 3964), command line: C:\Windows\system32\Kjokokha.exe
225. C:\Windows\SysWOW64\Kffldlne.exe (PID 4004), command line: C:\Windows\system32\Kffldlne.exe
226. C:\Windows\SysWOW64\Kpkpadnl.exe (PID 4044), command line: C:\Windows\system32\Kpkpadnl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
227. C:\Windows\SysWOW64\Lhfefgkg.exe (PID 4088), command line: C:\Windows\system32\Lhfefgkg.exe
228. C:\Windows\SysWOW64\Lclicpkm.exe (PID 3112), command line: C:\Windows\system32\Lclicpkm.exe
229. C:\Windows\SysWOW64\Lkgngb32.exe (PID 3152), command line: C:\Windows\system32\Lkgngb32.exe
- Drops file in System32 directory
230. C:\Windows\SysWOW64\Llgjaeoj.exe (PID 3208), command line: C:\Windows\system32\Llgjaeoj.exe
231. C:\Windows\SysWOW64\Ldbofgme.exe (PID 3260), command line: C:\Windows\system32\Ldbofgme.exe
232. C:\Windows\SysWOW64\Lohccp32.exe (PID 3312), command line: C:\Windows\system32\Lohccp32.exe
- Modifies registry class
233. C:\Windows\SysWOW64\Lddlkg32.exe (PID 3352), command line: C:\Windows\system32\Lddlkg32.exe
234. C:\Windows\SysWOW64\Mkndhabp.exe (PID 3420), command line: C:\Windows\system32\Mkndhabp.exe
235. C:\Windows\SysWOW64\Mcjhmcok.exe (PID 3476), command line: C:\Windows\system32\Mcjhmcok.exe
- Modifies registry class
236. C:\Windows\SysWOW64\Mjcaimgg.exe (PID 3508), command line: C:\Windows\system32\Mjcaimgg.exe
237. C:\Windows\SysWOW64\Mclebc32.exe (PID 3552), command line: C:\Windows\system32\Mclebc32.exe
238. C:\Windows\SysWOW64\Mjfnomde.exe (PID 3608), command line: C:\Windows\system32\Mjfnomde.exe
- Modifies registry class
239. C:\Windows\SysWOW64\Mobfgdcl.exe (PID 3660), command line: C:\Windows\system32\Mobfgdcl.exe
- Modifies registry class
240. C:\Windows\SysWOW64\Mikjpiim.exe (PID 3720), command line: C:\Windows\system32\Mikjpiim.exe
241. C:\Windows\SysWOW64\Mpebmc32.exe (PID 3756), command line: C:\Windows\system32\Mpebmc32.exe
- Modifies registry class
242. C:\Windows\SysWOW64\Mcckcbgp.exe (PID 3812), command line: C:\Windows\system32\Mcckcbgp.exe