Analysis
-
max time kernel
138s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 23:41
Static task
static1
Behavioral task
behavioral1
Sample
5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe
-
Size
163KB
-
MD5
5a67157d139200f535c231f22a2de25d
-
SHA1
c31316b7cabb8957d3e13d4e42a19a4f530f9879
-
SHA256
fb4e989254ee00e41fff646cb5b5505c4595cebe01a5888df76776b14014cf72
-
SHA512
a3fb36291d4d97344f720179356766e6916b85ab270d8c1be91ae153f13da694d374a7910cf7c384f8e10a4b8934d2a7c880f3b7609a1360cd8124631bd77307
-
SSDEEP
1536:PRFsB24PRFhUOcZLR9AnXM4n/lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:ZQUOcZdSnXb/ltOrWKDBr+yJb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ffklhqao.exeGepehphc.exeHeihnoph.exeKqqboncb.exeEhgppi32.exePjhknm32.exeGfjhgdck.exeHhckpk32.exeIkhjki32.exeJmplcp32.exePmlmic32.exeMonhhk32.exeLimfed32.exeOmfkke32.exePjadmnic.exeBbokmqie.exeFadminnn.exeHmbpmapf.exeKjqccigf.exeNkgbbo32.exeMgqcmlgl.exePqkmjh32.exeHgmalg32.exeJqfffqpm.exeHknach32.exeGmpgio32.exeIompkh32.exeJabbhcfe.exeFnkjhb32.exeIgchlf32.exeJkjfah32.exeKfmjgeaj.exeMeppiblm.exeAaheie32.exeHhehek32.exeIqmcpahh.exeEkhhadmk.exeNpagjpcd.exeOllajp32.exeGobgcg32.exeNgnbgplj.exeOgeigofa.exeLjmlbfhi.exeAaolidlk.exeHlakpp32.exeNhiffc32.exeBdgafdfp.exeIipgcaob.exeLlnofpcg.exeOonafa32.exeAlbjlcao.exeCjdfmo32.exeJfnnha32.exeMieeibkn.exeAbeemhkh.exeFbgmbg32.exeMppepcfg.exeKnmhgf32.exeAkmjfn32.exeFhffaj32.exePkpagq32.exeBdkgocpm.exeNefpnhlc.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heihnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqqboncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjhgdck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhckpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikhjki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlmic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fadminnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqkmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmalg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabbhcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkjfah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ollajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaolidlk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonafa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfnnha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mieeibkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeemhkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkpagq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaolidlk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdkgocpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefpnhlc.exe -
Executes dropped EXE 64 IoCs
Processes:
Fhffaj32.exeFaokjpfd.exeFmekoalh.exeFfnphf32.exeFacdeo32.exeFjlhneio.exeFlmefm32.exeFbgmbg32.exeGpknlk32.exeGbijhg32.exeGegfdb32.exeGieojq32.exeGobgcg32.exeGelppaof.exeGmgdddmq.exeGkkemh32.exeHgbebiao.exeHknach32.exeHahjpbad.exeHicodd32.exeHlakpp32.exeHejoiedd.exeHobcak32.exeHellne32.exeHpapln32.exeHenidd32.exeHhmepp32.exeIknnbklc.exeIoijbj32.exeIdfbkq32.exeIajcde32.exeIqmcpahh.exeIggkllpe.exeIqopea32.exeIqalka32.exeIdmhkpml.exeJnemdecl.exeJqdipqbp.exeJcbellac.exeJqfffqpm.exeJmmfkafa.exeJokcgmee.exeJmocpado.exeJonplmcb.exeJifdebic.exeJkdpanhg.exeKemejc32.exeKkgmgmfd.exeKjjmbj32.exeKbqecg32.exeKeoapb32.exeKgnnln32.exeKkijmm32.exeKngfih32.exeKafbec32.exeKgpjanje.exeKnjbnh32.exeKmmcjehm.exeKcfkfo32.exeKjqccigf.exeKiccofna.exeKpmlkp32.exeKcihlong.exeKjcpii32.exepid process 2084 Fhffaj32.exe 2776 Faokjpfd.exe 2684 Fmekoalh.exe 2848 Ffnphf32.exe 2716 Facdeo32.exe 2468 Fjlhneio.exe 2668 Flmefm32.exe 2208 Fbgmbg32.exe 1428 Gpknlk32.exe 2024 Gbijhg32.exe 1296 Gegfdb32.exe 2476 Gieojq32.exe 2244 Gobgcg32.exe 1352 Gelppaof.exe 2344 Gmgdddmq.exe 2268 Gkkemh32.exe 672 Hgbebiao.exe 652 Hknach32.exe 1896 Hahjpbad.exe 912 Hicodd32.exe 1704 Hlakpp32.exe 1532 Hejoiedd.exe 1688 Hobcak32.exe 820 Hellne32.exe 1736 Hpapln32.exe 1696 Henidd32.exe 2240 Hhmepp32.exe 3052 Iknnbklc.exe 2732 Ioijbj32.exe 2764 Idfbkq32.exe 2524 Iajcde32.exe 2760 Iqmcpahh.exe 2620 Iggkllpe.exe 2220 Iqopea32.exe 1580 Iqalka32.exe 2740 Idmhkpml.exe 1656 Jnemdecl.exe 1844 Jqdipqbp.exe 2036 Jcbellac.exe 2824 Jqfffqpm.exe 1764 Jmmfkafa.exe 2804 Jokcgmee.exe 2864 Jmocpado.exe 572 Jonplmcb.exe 1796 Jifdebic.exe 1500 Jkdpanhg.exe 1140 Kemejc32.exe 1528 Kkgmgmfd.exe 568 Kjjmbj32.exe 884 Kbqecg32.exe 2912 Keoapb32.exe 1592 Kgnnln32.exe 2996 Kkijmm32.exe 2604 Kngfih32.exe 2852 Kafbec32.exe 2588 Kgpjanje.exe 2512 Knjbnh32.exe 2932 Kmmcjehm.exe 1068 Kcfkfo32.exe 2600 Kjqccigf.exe 1608 Kiccofna.exe 1640 Kpmlkp32.exe 1632 Kcihlong.exe 836 Kjcpii32.exe -
Loads dropped DLL 64 IoCs
Processes:
5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exeFhffaj32.exeFaokjpfd.exeFmekoalh.exeFfnphf32.exeFacdeo32.exeFjlhneio.exeFlmefm32.exeFbgmbg32.exeGpknlk32.exeGbijhg32.exeGegfdb32.exeGieojq32.exeGobgcg32.exeGelppaof.exeGmgdddmq.exeGkkemh32.exeHgbebiao.exeHknach32.exeHahjpbad.exeHicodd32.exeHlakpp32.exeHejoiedd.exeHobcak32.exeHellne32.exeHpapln32.exeHenidd32.exeHhmepp32.exeIknnbklc.exeIoijbj32.exeIdfbkq32.exeIajcde32.exepid process 1980 5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe 1980 5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe 2084 Fhffaj32.exe 2084 Fhffaj32.exe 2776 Faokjpfd.exe 2776 Faokjpfd.exe 2684 Fmekoalh.exe 2684 Fmekoalh.exe 2848 Ffnphf32.exe 2848 Ffnphf32.exe 2716 Facdeo32.exe 2716 Facdeo32.exe 2468 Fjlhneio.exe 2468 Fjlhneio.exe 2668 Flmefm32.exe 2668 Flmefm32.exe 2208 Fbgmbg32.exe 2208 Fbgmbg32.exe 1428 Gpknlk32.exe 1428 Gpknlk32.exe 2024 Gbijhg32.exe 2024 Gbijhg32.exe 1296 Gegfdb32.exe 1296 Gegfdb32.exe 2476 Gieojq32.exe 2476 Gieojq32.exe 2244 Gobgcg32.exe 2244 Gobgcg32.exe 1352 Gelppaof.exe 1352 Gelppaof.exe 2344 Gmgdddmq.exe 2344 Gmgdddmq.exe 2268 Gkkemh32.exe 2268 Gkkemh32.exe 672 Hgbebiao.exe 672 Hgbebiao.exe 652 Hknach32.exe 652 Hknach32.exe 1896 Hahjpbad.exe 1896 Hahjpbad.exe 912 Hicodd32.exe 912 Hicodd32.exe 1704 Hlakpp32.exe 1704 Hlakpp32.exe 1532 Hejoiedd.exe 1532 Hejoiedd.exe 1688 Hobcak32.exe 1688 Hobcak32.exe 820 Hellne32.exe 820 Hellne32.exe 1736 Hpapln32.exe 1736 Hpapln32.exe 1696 Henidd32.exe 1696 Henidd32.exe 2240 Hhmepp32.exe 2240 Hhmepp32.exe 3052 Iknnbklc.exe 3052 Iknnbklc.exe 2732 Ioijbj32.exe 2732 Ioijbj32.exe 2764 Idfbkq32.exe 2764 Idfbkq32.exe 2524 Iajcde32.exe 2524 Iajcde32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Edkcojga.exeCaknol32.exeLfdmggnm.exeBmeimhdj.exeGdjpeifj.exeLfpclh32.exeAidnohbk.exeLmebnb32.exePiekcd32.exeHlakpp32.exeLemaif32.exeDcadac32.exeFnfamcoj.exeHiknhbcg.exePmjqcc32.exeLcagpl32.exeOnpjghhn.exeHpapln32.exeDjklnnaj.exeGdniqh32.exeHapicp32.exeLjmlbfhi.exeMpfkqb32.exeOobjaqaj.exeCahail32.exeEhgppi32.exeKmgbdo32.exeLollckbk.exePklhlael.exeBiamilfj.exeIgonafba.exeFhffaj32.exeIqalka32.exeApoooa32.exeIapebchh.exeMimbdhhb.exeNaajoinb.exeCgcmlcja.exeEnakbp32.exeKcfkfo32.exePkdgpo32.exeLjffag32.exeIipgcaob.exeKfpgmdog.exeAnnbhi32.exePbnoliap.exePndpajgd.exeBkglameg.exeIajcde32.exeOmfkke32.exeIlcmjl32.exeLlnofpcg.exeAmkpegnj.exeEcqqpgli.exeNdjfeo32.exeIggkllpe.exeKkijmm32.exeAhikqd32.exeBemgilhh.exedescription ioc process File created C:\Windows\SysWOW64\Ehgppi32.exe Edkcojga.exe File created C:\Windows\SysWOW64\Cdikkg32.exe Caknol32.exe File created C:\Windows\SysWOW64\Mmneda32.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Ndmjqgdd.dll Bmeimhdj.exe File created C:\Windows\SysWOW64\Gfhladfn.exe Gdjpeifj.exe File opened for modification C:\Windows\SysWOW64\Linphc32.exe Lfpclh32.exe File created C:\Windows\SysWOW64\Jjifqd32.dll Aidnohbk.exe File created C:\Windows\SysWOW64\Leljop32.exe Lmebnb32.exe File opened for modification C:\Windows\SysWOW64\Pkdgpo32.exe Piekcd32.exe File created C:\Windows\SysWOW64\Hepmggig.dll Hlakpp32.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lemaif32.exe File opened for modification C:\Windows\SysWOW64\Dfoqmo32.exe Dcadac32.exe File created C:\Windows\SysWOW64\Fadminnn.exe Fnfamcoj.exe File opened for modification C:\Windows\SysWOW64\Habfipdj.exe Hiknhbcg.exe File opened for modification C:\Windows\SysWOW64\Pdaheq32.exe Pmjqcc32.exe File opened for modification C:\Windows\SysWOW64\Lfpclh32.exe Lcagpl32.exe File created C:\Windows\SysWOW64\Oalfhf32.exe Onpjghhn.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hpapln32.exe File created C:\Windows\SysWOW64\Dpeekh32.exe Djklnnaj.exe File created C:\Windows\SysWOW64\Gepehphc.exe Gdniqh32.exe File created C:\Windows\SysWOW64\Idnmhkin.dll Hapicp32.exe File created C:\Windows\SysWOW64\Llohjo32.exe Ljmlbfhi.exe File opened for modification C:\Windows\SysWOW64\Mgqcmlgl.exe Mpfkqb32.exe File created C:\Windows\SysWOW64\Obafnlpn.exe Oobjaqaj.exe File opened for modification C:\Windows\SysWOW64\Cpkbdiqb.exe Cahail32.exe File created C:\Windows\SysWOW64\Ekelld32.exe Ehgppi32.exe File created C:\Windows\SysWOW64\Kofopj32.exe Kmgbdo32.exe File created C:\Windows\SysWOW64\Bqdgkecq.dll Lollckbk.exe File opened for modification C:\Windows\SysWOW64\Pnjdhmdo.exe Pklhlael.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Blpjegfm.exe Biamilfj.exe File created C:\Windows\SysWOW64\Iimjmbae.exe Igonafba.exe File created C:\Windows\SysWOW64\Cqmnhocj.dll Fhffaj32.exe File created C:\Windows\SysWOW64\Idmhkpml.exe Iqalka32.exe File created C:\Windows\SysWOW64\Plgifc32.dll Apoooa32.exe File opened for modification C:\Windows\SysWOW64\Aedeic32.dll Iapebchh.exe File created C:\Windows\SysWOW64\Mlkopcge.exe Mimbdhhb.exe File created C:\Windows\SysWOW64\Fbbecd32.dll Naajoinb.exe File created C:\Windows\SysWOW64\Cojema32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Gogcek32.dll Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Kjqccigf.exe Kcfkfo32.exe File opened for modification C:\Windows\SysWOW64\Pbnoliap.exe Pkdgpo32.exe File opened for modification C:\Windows\SysWOW64\Lmebnb32.exe Ljffag32.exe File opened for modification C:\Windows\SysWOW64\Idmhkpml.exe Iqalka32.exe File opened for modification C:\Windows\SysWOW64\Ilncom32.exe Iipgcaob.exe File opened for modification C:\Windows\SysWOW64\Kincipnk.exe Kfpgmdog.exe File opened for modification C:\Windows\SysWOW64\Apoooa32.exe Annbhi32.exe File opened for modification C:\Windows\SysWOW64\Pdlkiepd.exe Pbnoliap.exe File opened for modification C:\Windows\SysWOW64\Qflhbhgg.exe Pndpajgd.exe File created C:\Windows\SysWOW64\Bmeimhdj.exe Bkglameg.exe File created C:\Windows\SysWOW64\Iqmcpahh.exe Iajcde32.exe File created C:\Windows\SysWOW64\Apmmjh32.dll Biamilfj.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Omfkke32.exe File created C:\Windows\SysWOW64\Bqjfjb32.dll Onpjghhn.exe File created C:\Windows\SysWOW64\Khdlmj32.dll Ilcmjl32.exe File opened for modification C:\Windows\SysWOW64\Lollckbk.exe Llnofpcg.exe File created C:\Windows\SysWOW64\Abjlmo32.dll Amkpegnj.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Ncmfqkdj.exe Ndjfeo32.exe File created C:\Windows\SysWOW64\Oimbjlde.dll Bkglameg.exe File opened for modification C:\Windows\SysWOW64\Iqopea32.exe Iggkllpe.exe File opened for modification C:\Windows\SysWOW64\Kngfih32.exe Kkijmm32.exe File created C:\Windows\SysWOW64\Oqhiplaj.dll Ahikqd32.exe File created C:\Windows\SysWOW64\Ffdiejho.dll Bemgilhh.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6104 6012 WerFault.exe Cacacg32.exe -
Modifies registry class 64 IoCs
Processes:
Pnlqnl32.exeDndlim32.exeKkaiqk32.exeKngfih32.exeLollckbk.exeOclilp32.exePpbfpd32.exeBlbfjg32.exeQbbhgi32.exeAjgpbj32.exeNacgdhlp.exePjadmnic.exePmdjdh32.exeDbhnhp32.exeJokcgmee.exeKnjbnh32.exeKkolkk32.exePmojocel.exeNaajoinb.exeGepehphc.exeGobgcg32.exePjcabmga.exeMlcbenjb.exeMaedhd32.exeOjcecjee.exeAdpkee32.exeLinphc32.exeLjmlbfhi.exeApoooa32.exePklhlael.exeFlehkhai.exeGmpgio32.exeKeednado.exeLjffag32.exeKafbec32.exeMlmlecec.exeNkiogn32.exeAhdaee32.exeQgmdjp32.exeMaoajf32.exeDpeekh32.exeGfjhgdck.exeOnpjghhn.exePnimnfpc.exeJcbellac.exePfjbgnme.exeIompkh32.exeLmgocb32.exeIqmcpahh.exeOobjaqaj.exeOkoafmkm.exeOkikfagn.exeJfnnha32.exeMagqncba.exeOonafa32.exeDogefd32.exeEfaibbij.exeIoaifhid.exePedleg32.exeFadminnn.exePimkpfeh.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndlim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnoej32.dll" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lollckbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdafiei.dll" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll" Qbbhgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbhnhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll" Pmojocel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gepehphc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maedhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahqdihi.dll" Adpkee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apoooa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flehkhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Kafbec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll" Qgmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkophk32.dll" Maoajf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onpjghhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnimnfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilgb32.dll" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afcklihm.dll" Iompkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnijp32.dll" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafminbq.dll" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdqqjhl.dll" Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okikfagn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfnnha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Magqncba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpkof32.dll" Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fadminnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkpfeh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exeFhffaj32.exeFaokjpfd.exeFmekoalh.exeFfnphf32.exeFacdeo32.exeFjlhneio.exeFlmefm32.exeFbgmbg32.exeGpknlk32.exeGbijhg32.exeGegfdb32.exeGieojq32.exeGobgcg32.exeGelppaof.exeGmgdddmq.exedescription pid process target process PID 1980 wrote to memory of 2084 1980 5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe Fhffaj32.exe PID 1980 wrote to memory of 2084 1980 5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe Fhffaj32.exe PID 1980 wrote to memory of 2084 1980 5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe Fhffaj32.exe PID 1980 wrote to memory of 2084 1980 5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe Fhffaj32.exe PID 2084 wrote to memory of 2776 2084 Fhffaj32.exe Faokjpfd.exe PID 2084 wrote to memory of 2776 2084 Fhffaj32.exe Faokjpfd.exe PID 2084 wrote to memory of 2776 2084 Fhffaj32.exe Faokjpfd.exe PID 2084 wrote to memory of 2776 2084 Fhffaj32.exe Faokjpfd.exe PID 2776 wrote to memory of 2684 2776 Faokjpfd.exe Fmekoalh.exe PID 2776 wrote to memory of 2684 2776 Faokjpfd.exe Fmekoalh.exe PID 2776 wrote to memory of 2684 2776 Faokjpfd.exe Fmekoalh.exe PID 2776 wrote to memory of 2684 2776 Faokjpfd.exe Fmekoalh.exe PID 2684 wrote to memory of 2848 2684 Fmekoalh.exe Ffnphf32.exe PID 2684 wrote to memory of 2848 2684 Fmekoalh.exe Ffnphf32.exe PID 2684 wrote to memory of 2848 2684 Fmekoalh.exe Ffnphf32.exe PID 2684 wrote to memory of 2848 2684 Fmekoalh.exe Ffnphf32.exe PID 2848 wrote to memory of 2716 2848 Ffnphf32.exe Facdeo32.exe PID 2848 wrote to memory of 2716 2848 Ffnphf32.exe Facdeo32.exe PID 2848 wrote to memory of 2716 2848 Ffnphf32.exe Facdeo32.exe PID 2848 wrote to memory of 2716 2848 Ffnphf32.exe Facdeo32.exe PID 2716 wrote to memory of 2468 2716 Facdeo32.exe Fjlhneio.exe PID 2716 wrote to memory of 2468 2716 Facdeo32.exe Fjlhneio.exe PID 2716 wrote to memory of 2468 2716 Facdeo32.exe Fjlhneio.exe PID 2716 wrote to memory of 2468 2716 Facdeo32.exe Fjlhneio.exe PID 2468 wrote to memory of 2668 2468 Fjlhneio.exe Flmefm32.exe PID 2468 wrote to memory of 2668 2468 Fjlhneio.exe Flmefm32.exe PID 2468 wrote to memory of 2668 2468 Fjlhneio.exe Flmefm32.exe PID 2468 wrote to memory of 2668 2468 Fjlhneio.exe Flmefm32.exe PID 2668 wrote to memory of 2208 2668 Flmefm32.exe Fbgmbg32.exe PID 2668 wrote to memory of 2208 2668 Flmefm32.exe Fbgmbg32.exe PID 2668 wrote to memory of 2208 2668 Flmefm32.exe Fbgmbg32.exe PID 2668 wrote to memory of 2208 2668 Flmefm32.exe Fbgmbg32.exe PID 2208 wrote to memory of 1428 2208 Fbgmbg32.exe Gpknlk32.exe PID 2208 wrote to memory of 1428 2208 Fbgmbg32.exe Gpknlk32.exe PID 2208 wrote to memory of 1428 2208 Fbgmbg32.exe Gpknlk32.exe PID 2208 wrote to memory of 1428 2208 Fbgmbg32.exe Gpknlk32.exe PID 1428 wrote to memory of 2024 1428 Gpknlk32.exe Gbijhg32.exe PID 1428 wrote to memory of 2024 1428 Gpknlk32.exe Gbijhg32.exe PID 1428 wrote to memory of 2024 1428 Gpknlk32.exe Gbijhg32.exe PID 1428 wrote to memory of 2024 1428 Gpknlk32.exe Gbijhg32.exe PID 2024 wrote to memory of 1296 2024 Gbijhg32.exe Gegfdb32.exe PID 2024 wrote to memory of 1296 2024 Gbijhg32.exe Gegfdb32.exe PID 2024 wrote to memory of 1296 2024 Gbijhg32.exe Gegfdb32.exe PID 2024 wrote to memory of 1296 2024 Gbijhg32.exe Gegfdb32.exe PID 1296 wrote to memory of 2476 1296 Gegfdb32.exe Gieojq32.exe PID 1296 wrote to memory of 2476 1296 Gegfdb32.exe Gieojq32.exe PID 1296 wrote to memory of 2476 1296 Gegfdb32.exe Gieojq32.exe PID 1296 wrote to memory of 2476 1296 Gegfdb32.exe Gieojq32.exe PID 2476 wrote to memory of 2244 2476 Gieojq32.exe Gobgcg32.exe PID 2476 wrote to memory of 2244 2476 Gieojq32.exe Gobgcg32.exe PID 2476 wrote to memory of 2244 2476 Gieojq32.exe Gobgcg32.exe PID 2476 wrote to memory of 2244 2476 Gieojq32.exe Gobgcg32.exe PID 2244 wrote to memory of 1352 2244 Gobgcg32.exe Gelppaof.exe PID 2244 wrote to memory of 1352 2244 Gobgcg32.exe Gelppaof.exe PID 2244 wrote to memory of 1352 2244 Gobgcg32.exe Gelppaof.exe PID 2244 wrote to memory of 1352 2244 Gobgcg32.exe Gelppaof.exe PID 1352 wrote to memory of 2344 1352 Gelppaof.exe Gmgdddmq.exe PID 1352 wrote to memory of 2344 1352 Gelppaof.exe Gmgdddmq.exe PID 1352 wrote to memory of 2344 1352 Gelppaof.exe Gmgdddmq.exe PID 1352 wrote to memory of 2344 1352 Gelppaof.exe Gmgdddmq.exe PID 2344 wrote to memory of 2268 2344 Gmgdddmq.exe Gkkemh32.exe PID 2344 wrote to memory of 2268 2344 Gmgdddmq.exe Gkkemh32.exe PID 2344 wrote to memory of 2268 2344 Gmgdddmq.exe Gkkemh32.exe PID 2344 wrote to memory of 2268 2344 Gmgdddmq.exe Gkkemh32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5a67157d139200f535c231f22a2de25d_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:672 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:652 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe35⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe37⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe38⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe39⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe42⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe44⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe45⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe46⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe47⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe48⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe49⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe50⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe51⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe52⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe53⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe57⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe59⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe62⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe63⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe64⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe65⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe66⤵PID:1248
-
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe67⤵PID:2276
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe68⤵
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe69⤵PID:2356
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe70⤵PID:3048
-
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe71⤵PID:2204
-
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe72⤵PID:756
-
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe73⤵PID:2096
-
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe74⤵PID:2028
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe75⤵PID:2100
-
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe77⤵PID:2288
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe78⤵PID:2576
-
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe79⤵PID:2928
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe80⤵PID:2560
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe81⤵PID:1692
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe83⤵PID:1404
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe85⤵PID:1964
-
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe86⤵PID:1108
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe87⤵PID:3024
-
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1372 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe89⤵PID:1708
-
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1188 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe91⤵PID:2592
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe92⤵PID:2844
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe93⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe94⤵PID:1504
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe95⤵PID:1600
-
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe96⤵PID:2424
-
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe97⤵PID:304
-
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe98⤵PID:2272
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe99⤵PID:2860
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe100⤵PID:1252
-
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe101⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe102⤵PID:108
-
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe103⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe105⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe106⤵PID:2692
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe108⤵PID:2572
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe109⤵PID:2316
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe110⤵PID:1668
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe111⤵PID:1792
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe112⤵PID:1928
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe115⤵PID:548
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe117⤵PID:944
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe119⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe120⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe121⤵PID:2472
-
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe122⤵PID:3000
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe123⤵PID:2724
-
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe124⤵PID:2800
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe125⤵PID:2532
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe126⤵PID:804
-
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe127⤵PID:2180
-
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe128⤵PID:2432
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1156 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe131⤵
- Modifies registry class
PID:284 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe132⤵PID:1320
-
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe133⤵PID:976
-
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe134⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe135⤵PID:1584
-
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe136⤵PID:2120
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe137⤵
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe138⤵PID:2520
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe139⤵PID:2568
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe141⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe142⤵PID:588
-
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe143⤵PID:664
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe144⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe145⤵
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe146⤵PID:2704
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe147⤵PID:2384
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe148⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe149⤵PID:2488
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe151⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe152⤵PID:1700
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe155⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe156⤵PID:2508
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe157⤵PID:1512
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe158⤵PID:1284
-
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe159⤵
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe160⤵
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe161⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe162⤵PID:2188
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1128 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe164⤵PID:1568
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe165⤵PID:1968
-
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe166⤵PID:1384
-
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe167⤵PID:2088
-
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe168⤵PID:2496
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe169⤵PID:1916
-
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe170⤵PID:1036
-
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe171⤵PID:596
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe172⤵PID:2624
-
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe173⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe174⤵PID:2812
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe175⤵PID:1808
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe176⤵PID:2752
-
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe177⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe178⤵PID:2880
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe179⤵PID:2172
-
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe180⤵PID:808
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe181⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1336 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe183⤵PID:2436
-
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe184⤵PID:2548
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe185⤵PID:2396
-
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe186⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe187⤵PID:2688
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe188⤵PID:1652
-
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe189⤵
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe190⤵PID:3136
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe191⤵PID:3176
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe192⤵PID:3216
-
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe193⤵PID:3256
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe194⤵PID:3296
-
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe195⤵PID:3336
-
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe196⤵PID:3376
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe197⤵PID:3416
-
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe198⤵PID:3456
-
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe199⤵PID:3496
-
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe200⤵PID:3536
-
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe201⤵
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe202⤵PID:3616
-
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3656 -
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe204⤵PID:3696
-
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe205⤵PID:3736
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe206⤵
- Modifies registry class
PID:3776 -
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe207⤵PID:3816
-
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe208⤵PID:3856
-
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe209⤵PID:3896
-
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe210⤵PID:3936
-
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe211⤵PID:3976
-
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4016 -
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe213⤵
- Drops file in System32 directory
PID:4056 -
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe214⤵PID:2960
-
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe215⤵PID:3108
-
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe216⤵PID:3148
-
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe217⤵PID:3212
-
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe218⤵PID:3272
-
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe219⤵PID:3320
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe220⤵PID:3368
-
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe221⤵PID:3404
-
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe222⤵PID:3472
-
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe223⤵PID:3520
-
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe224⤵
- Drops file in System32 directory
PID:3572 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe225⤵PID:3624
-
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe226⤵
- Drops file in System32 directory
PID:3676 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe227⤵PID:3724
-
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe228⤵PID:3768
-
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe229⤵PID:3788
-
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3872 -
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe231⤵
- Drops file in System32 directory
PID:3908 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe232⤵PID:3956
-
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe233⤵PID:4012
-
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe234⤵PID:4072
-
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe235⤵PID:3080
-
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe236⤵PID:3156
-
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe237⤵PID:3188
-
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe238⤵PID:3280
-
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe239⤵
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe240⤵PID:3392
-
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe241⤵
- Drops file in System32 directory
PID:3476 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe242⤵PID:3544