Resubmissions
02-06-2024 03:46 | 240602-ebmn8ahg9y | score 10
02-06-2024 03:44 | 240602-earlsahg7s | score 10
02-06-2024 03:41 | 240602-d8s2tshf81 | score 10

Analysis
max time kernel: 25s
max time network: 30s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 03:46
Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe
Resource: win7-20240508-en
7 signatures, 150 seconds

Errors
Reason: Machine shutdown
General
Target: 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe
Size: 226KB
MD5: 305b9cc3e0fcc6cf8b3cbb37d405fe50
SHA1: 22ce243c09482c01f220b837ca2cb06cf321427c
SHA256: cec874dce92a056c7d8e63e725bd508190d49ae1745e07f0817398ccd495b04d
SHA512: ba84e8074a80982080a7453b7cf337e385c0aa8eece753be3c2738c3dd9c10f1b3d40689a5da8e51df8b00c998817e2c36b52e0aba32a52428f161c68389946c
SSDEEP: 6144:CgulzKYnBjs0UUkUUUUUUUUUUUUUUOUUUUUUUWUUUUUXAjXfxqySSKpRmSKeTk7p:OlWySG5IKrEAlnLAg
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Geolea32.exe, Hellne32.exe, Aaobdjof.exe, Caknol32.exe, Eojnkg32.exe, Ckoilb32.exe, Ikddbj32.exe, Lijjoe32.exe, Lhbcfa32.exe, Apimacnn.exe, Aemkjiem.exe, Ejmebq32.exe, Cgpgce32.exe, Epieghdk.exe, Hhmepp32.exe, Llkbap32.exe, Qcpofbjl.exe, Bocolb32.exe, Dcenlceh.exe, Dhbfdjdp.exe, Pccfge32.exe, Hkpnhgge.exe, Hlcgeo32.exe, Aidnohbk.exe, Albjlcao.exe, Bldcpf32.exe, Alenki32.exe, Ghhofmql.exe, Lpbefoai.exe, Pflomnkb.exe, Pedleg32.exe, Aplpai32.exe, Apcfahio.exe, Ffnphf32.exe, Lecgje32.exe, Oonafa32.exe, Ooeggp32.exe, Ebedndfa.exe, Hmlnoc32.exe, Iokfhi32.exe, Joifam32.exe, Kjnfniii.exe, Hpmgqnfl.exe, Ohfeog32.exe, Qbelgood.exe, Aamfnkai.exe, Endhhp32.exe, Eibbcm32.exe, Limfed32.exe, Nncahjgl.exe, Pmanoifd.exe, Anafhopc.exe, Bdbhke32.exe, Boqbfb32.exe, Oobjaqaj.exe, Bpafkknm.exe, Ckffgg32.exe, Jcbellac.exe, Fmhheqje.exe, Kcbakpdo.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Geolea32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hellne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aaobdjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Caknol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eojnkg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckoilb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ikddbj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lijjoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lhbcfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Apimacnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aemkjiem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejmebq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgpgce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epieghdk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhmepp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llkbap32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcpofbjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bocolb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcenlceh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhbfdjdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pccfge32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkpnhgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hlcgeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aidnohbk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Albjlcao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bldcpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alenki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgpgce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghhofmql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpbefoai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pflomnkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pedleg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aplpai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apcfahio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffnphf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lecgje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oonafa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ooeggp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebedndfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmlnoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iokfhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Joifam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kjnfniii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hpmgqnfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ohfeog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qbelgood.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aamfnkai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Endhhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eibbcm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Limfed32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nncahjgl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmanoifd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Anafhopc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdbhke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Boqbfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Apcfahio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oobjaqaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eojnkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bpafkknm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckffgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jcbellac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmhheqje.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcbakpdo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpbefoai.exe
Executes dropped EXE (64 IoCs)
Processes: Ogmfbd32.exe, Pccfge32.exe, Paggai32.exe, Pfdpip32.exe, Pchpbded.exe, Pmqdkj32.exe, Pelipl32.exe, Pbpjiphi.exe, Qlhnbf32.exe, Qnfjna32.exe, Qdccfh32.exe, Qecoqk32.exe, Aplpai32.exe, Ampqjm32.exe, Afiecb32.exe, Alenki32.exe, Aiinen32.exe, Apcfahio.exe, Aepojo32.exe, Ahokfj32.exe, Bebkpn32.exe, Bhahlj32.exe, Bkodhe32.exe, Bommnc32.exe, Bkdmcdoe.exe, Bpafkknm.exe, Bkfjhd32.exe, Bnefdp32.exe, Cjlgiqbk.exe, Cpeofk32.exe, Cgpgce32.exe, Cphlljge.exe, Cjpqdp32.exe, Cciemedf.exe, Cjbmjplb.exe, Cfinoq32.exe, Ckffgg32.exe, Dkhcmgnl.exe, Dhmcfkme.exe, Dkkpbgli.exe, Dnilobkm.exe, Djpmccqq.exe, Dmoipopd.exe, Ddeaalpg.exe, Djbiicon.exe, Dmafennb.exe, Doobajme.exe, Eihfjo32.exe, Epaogi32.exe, Eflgccbp.exe, Emeopn32.exe, Epdkli32.exe, Efncicpm.exe, Ekklaj32.exe, Ebedndfa.exe, Eiomkn32.exe, Epieghdk.exe, Ebgacddo.exe, Eiaiqn32.exe, Ennaieib.exe, Ealnephf.exe, Fckjalhj.exe, Fjdbnf32.exe, Faokjpfd.exe
pid | process
1212 | Ogmfbd32.exe
1292 | Pccfge32.exe
2904 | Paggai32.exe
2804 | Pfdpip32.exe
2676 | Pchpbded.exe
2744 | Pmqdkj32.exe
2684 | Pelipl32.exe
2792 | Pbpjiphi.exe
2868 | Qlhnbf32.exe
2428 | Qnfjna32.exe
1880 | Qdccfh32.exe
1584 | Qecoqk32.exe
1688 | Aplpai32.exe
2284 | Ampqjm32.exe
2316 | Afiecb32.exe
2220 | Alenki32.exe
692 | Aiinen32.exe
1916 | Apcfahio.exe
1364 | Aepojo32.exe
2376 | Ahokfj32.exe
1728 | Bebkpn32.exe
376 | Bhahlj32.exe
556 | Bkodhe32.exe
2272 | Bommnc32.exe
1308 | Bkdmcdoe.exe
2104 | Bpafkknm.exe
2812 | Bkfjhd32.exe
2652 | Bnefdp32.exe
2668 | Cjlgiqbk.exe
2760 | Cpeofk32.exe
2512 | Cgpgce32.exe
2564 | Cphlljge.exe
1028 | Cjpqdp32.exe
2828 | Cciemedf.exe
2004 | Cjbmjplb.exe
2948 | Cfinoq32.exe
1816 | Ckffgg32.exe
1744 | Dkhcmgnl.exe
2192 | Dhmcfkme.exe
1680 | Dkkpbgli.exe
2608 | Dnilobkm.exe
2112 | Djpmccqq.exe
536 | Dmoipopd.exe
932 | Ddeaalpg.exe
1084 | Djbiicon.exe
2348 | Dmafennb.exe
1560 | Doobajme.exe
2924 | Eihfjo32.exe
2448 | Epaogi32.exe
1508 | Eflgccbp.exe
1580 | Emeopn32.exe
3068 | Epdkli32.exe
2732 | Efncicpm.exe
2644 | Ekklaj32.exe
2568 | Ebedndfa.exe
3012 | Eiomkn32.exe
2580 | Epieghdk.exe
2688 | Ebgacddo.exe
1984 | Eiaiqn32.exe
2156 | Ennaieib.exe
1720 | Ealnephf.exe
1740 | Fckjalhj.exe
2264 | Fjdbnf32.exe
2492 | Faokjpfd.exe
Loads dropped DLL (64 IoCs)
Processes: 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe, Ogmfbd32.exe, Pccfge32.exe, Paggai32.exe, Pfdpip32.exe, Pchpbded.exe, Pmqdkj32.exe, Pelipl32.exe, Pbpjiphi.exe, Qlhnbf32.exe, Qnfjna32.exe, Qdccfh32.exe, Qecoqk32.exe, Aplpai32.exe, Ampqjm32.exe, Afiecb32.exe, Alenki32.exe, Aiinen32.exe, Apcfahio.exe, Aepojo32.exe, Ahokfj32.exe, Bebkpn32.exe, Bhahlj32.exe, Bkodhe32.exe, Bommnc32.exe, Bkdmcdoe.exe, Bpafkknm.exe, Bkfjhd32.exe, Bnefdp32.exe, Cjlgiqbk.exe, Cpeofk32.exe, Cgpgce32.exe
pid | process
1276 | 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe
1276 | 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe
1212 | Ogmfbd32.exe
1212 | Ogmfbd32.exe
1292 | Pccfge32.exe
1292 | Pccfge32.exe
2904 | Paggai32.exe
2904 | Paggai32.exe
2804 | Pfdpip32.exe
2804 | Pfdpip32.exe
2676 | Pchpbded.exe
2676 | Pchpbded.exe
2744 | Pmqdkj32.exe
2744 | Pmqdkj32.exe
2684 | Pelipl32.exe
2684 | Pelipl32.exe
2792 | Pbpjiphi.exe
2792 | Pbpjiphi.exe
2868 | Qlhnbf32.exe
2868 | Qlhnbf32.exe
2428 | Qnfjna32.exe
2428 | Qnfjna32.exe
1880 | Qdccfh32.exe
1880 | Qdccfh32.exe
1584 | Qecoqk32.exe
1584 | Qecoqk32.exe
1688 | Aplpai32.exe
1688 | Aplpai32.exe
2284 | Ampqjm32.exe
2284 | Ampqjm32.exe
2316 | Afiecb32.exe
2316 | Afiecb32.exe
2220 | Alenki32.exe
2220 | Alenki32.exe
692 | Aiinen32.exe
692 | Aiinen32.exe
1916 | Apcfahio.exe
1916 | Apcfahio.exe
1364 | Aepojo32.exe
1364 | Aepojo32.exe
2376 | Ahokfj32.exe
2376 | Ahokfj32.exe
1728 | Bebkpn32.exe
1728 | Bebkpn32.exe
376 | Bhahlj32.exe
376 | Bhahlj32.exe
556 | Bkodhe32.exe
556 | Bkodhe32.exe
2272 | Bommnc32.exe
2272 | Bommnc32.exe
1308 | Bkdmcdoe.exe
1308 | Bkdmcdoe.exe
2104 | Bpafkknm.exe
2104 | Bpafkknm.exe
2812 | Bkfjhd32.exe
2812 | Bkfjhd32.exe
2652 | Bnefdp32.exe
2652 | Bnefdp32.exe
2668 | Cjlgiqbk.exe
2668 | Cjlgiqbk.exe
2760 | Cpeofk32.exe
2760 | Cpeofk32.exe
2512 | Cgpgce32.exe
2512 | Cgpgce32.exe
Drops file in System32 directory (64 IoCs)
Processes: Pklhlael.exe, Epieghdk.exe, Ifcbodli.exe, Kifpdelo.exe, Aamfnkai.exe, Effcma32.exe, Fckjalhj.exe, Ioijbj32.exe, Najdnj32.exe, Naajoinb.exe, Cafecmlj.exe, Djpmccqq.exe, Ccahbp32.exe, Ebgacddo.exe, Kgpjanje.exe, Nncahjgl.exe, Jbgbni32.exe, Ghhofmql.exe, Mmahdggc.exe, Pnjdhmdo.exe, Bldcpf32.exe, Blgpef32.exe, Egoife32.exe, Dnilobkm.exe, Cjlgiqbk.exe, Fpfdalii.exe, Mimbdhhb.exe, Oonafa32.exe, Qedhdjnh.exe, Anafhopc.exe, Cnmehnan.exe, Pfdpip32.exe, Dkqbaecc.exe, Aiinen32.exe, Qbelgood.exe, Bfadgq32.exe, Enakbp32.exe, Qnfjna32.exe, Bdgafdfp.exe, Cphlljge.exe, Jkbcln32.exe, Llnofpcg.exe, Cddaphkn.exe, Eqijej32.exe, Pelipl32.exe, Npfgpe32.exe, Aplifb32.exe, Dfoqmo32.exe, Aepojo32.exe, Cghggc32.exe, Fjdbnf32.exe, Faokjpfd.exe, Eflgccbp.exe, Blpjegfm.exe, Bkfjhd32.exe, Bfenbpec.exe, Dbfabp32.exe, Kjljhjkl.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Pnjdhmdo.exe | Pklhlael.exe
File created | C:\Windows\SysWOW64\Clnlnhop.dll | Epieghdk.exe
File created | C:\Windows\SysWOW64\Igdogl32.exe | Ifcbodli.exe
File created | C:\Windows\SysWOW64\Lpphap32.exe | Kifpdelo.exe
File opened for modification | C:\Windows\SysWOW64\Aidnohbk.exe | Aamfnkai.exe
File created | C:\Windows\SysWOW64\Fidoim32.exe | Effcma32.exe
File created | C:\Windows\SysWOW64\Fjdbnf32.exe | Fckjalhj.exe
File created | C:\Windows\SysWOW64\Ifcbodli.exe | Ioijbj32.exe
File created | C:\Windows\SysWOW64\Onmddnil.dll | Najdnj32.exe
File opened for modification | C:\Windows\SysWOW64\Nhkbkc32.exe | Naajoinb.exe
File created | C:\Windows\SysWOW64\Nanbpedg.dll | Cafecmlj.exe
File opened for modification | C:\Windows\SysWOW64\Dmoipopd.exe | Djpmccqq.exe
File opened for modification | C:\Windows\SysWOW64\Ceodnl32.exe | Ccahbp32.exe
File opened for modification | C:\Windows\SysWOW64\Eiaiqn32.exe | Ebgacddo.exe
File created | C:\Windows\SysWOW64\Kbjlonii.dll | Kgpjanje.exe
File created | C:\Windows\SysWOW64\Nkkgfioo.dll | Nncahjgl.exe
File opened for modification | C:\Windows\SysWOW64\Jjojofgn.exe | Jbgbni32.exe
File created | C:\Windows\SysWOW64\Chhpdp32.dll | Ghhofmql.exe
File created | C:\Windows\SysWOW64\Mppepcfg.exe | Mmahdggc.exe
File created | C:\Windows\SysWOW64\Kaplbi32.dll | Pnjdhmdo.exe
File created | C:\Windows\SysWOW64\Fdlhfbqi.dll | Bldcpf32.exe
File created | C:\Windows\SysWOW64\Bneqdoee.dll | Blgpef32.exe
File created | C:\Windows\SysWOW64\Ejmebq32.exe | Egoife32.exe
File created | C:\Windows\SysWOW64\Djpmccqq.exe | Dnilobkm.exe
File created | C:\Windows\SysWOW64\Lpicol32.dll | Cjlgiqbk.exe
File created | C:\Windows\SysWOW64\Clphjpmh.dll | Fpfdalii.exe
File created | C:\Windows\SysWOW64\Hlnbfd32.dll | Mimbdhhb.exe
File opened for modification | C:\Windows\SysWOW64\Ohfeog32.exe | Oonafa32.exe
File opened for modification | C:\Windows\SysWOW64\Amkpegnj.exe | Qedhdjnh.exe
File created | C:\Windows\SysWOW64\Ippdhfji.dll | Anafhopc.exe
File created | C:\Windows\SysWOW64\Cpkbdiqb.exe | Cnmehnan.exe
File created | C:\Windows\SysWOW64\Pchpbded.exe | Pfdpip32.exe
File created | C:\Windows\SysWOW64\Mmnclh32.dll | Dkqbaecc.exe
File opened for modification | C:\Windows\SysWOW64\Apcfahio.exe | Aiinen32.exe
File created | C:\Windows\SysWOW64\Kkgklabn.dll | Qbelgood.exe
File created | C:\Windows\SysWOW64\Hokokc32.dll | Bfadgq32.exe
File created | C:\Windows\SysWOW64\Gogcek32.dll | Enakbp32.exe
File created | C:\Windows\SysWOW64\Elgpfqll.dll | Qnfjna32.exe
File opened for modification | C:\Windows\SysWOW64\Bfenbpec.exe | Bdgafdfp.exe
File created | C:\Windows\SysWOW64\Cjpqdp32.exe | Cphlljge.exe
File opened for modification | C:\Windows\SysWOW64\Jnqphi32.exe | Jkbcln32.exe
File opened for modification | C:\Windows\SysWOW64\Lajhofao.exe | Llnofpcg.exe
File created | C:\Windows\SysWOW64\Ckoilb32.exe | Cddaphkn.exe
File opened for modification | C:\Windows\SysWOW64\Dnoomqbg.exe | Dkqbaecc.exe
File created | C:\Windows\SysWOW64\Effcma32.exe | Eqijej32.exe
File opened for modification | C:\Windows\SysWOW64\Pbpjiphi.exe | Pelipl32.exe
File created | C:\Windows\SysWOW64\Ngpolo32.exe | Npfgpe32.exe
File created | C:\Windows\SysWOW64\Aamfnkai.exe | Aplifb32.exe
File created | C:\Windows\SysWOW64\Epjomppp.dll | Dfoqmo32.exe
File created | C:\Windows\SysWOW64\Ahokfj32.exe | Aepojo32.exe
File created | C:\Windows\SysWOW64\Cjfccn32.exe | Cghggc32.exe
File opened for modification | C:\Windows\SysWOW64\Faokjpfd.exe | Fjdbnf32.exe
File created | C:\Windows\SysWOW64\Egadpgfp.dll | Faokjpfd.exe
File opened for modification | C:\Windows\SysWOW64\Ebgacddo.exe | Epieghdk.exe
File opened for modification | C:\Windows\SysWOW64\Emeopn32.exe | Eflgccbp.exe
File opened for modification | C:\Windows\SysWOW64\Pnjdhmdo.exe | Pklhlael.exe
File created | C:\Windows\SysWOW64\Ncfnmo32.dll | Blpjegfm.exe
File opened for modification | C:\Windows\SysWOW64\Bnefdp32.exe | Bkfjhd32.exe
File created | C:\Windows\SysWOW64\Nhdlkdkg.exe | Najdnj32.exe
File created | C:\Windows\SysWOW64\Bidjnkdg.exe | Bfenbpec.exe
File created | C:\Windows\SysWOW64\Odifab32.dll | Dbfabp32.exe
File opened for modification | C:\Windows\SysWOW64\Keanebkb.exe | Kjljhjkl.exe
File opened for modification | C:\Windows\SysWOW64\Bidjnkdg.exe | Bfenbpec.exe
File created | C:\Windows\SysWOW64\Kjnfniii.exe | Kgpjanje.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
4648 | 4624 | WerFault.exe | Fkckeh32.exe
Modifies registry class (64 IoCs)
Processes: Hmlnoc32.exe, Clilkfnb.exe, Dlkepi32.exe, Dhmcfkme.exe, Iggkllpe.exe, Ifnechbj.exe, Lecgje32.exe, Llnofpcg.exe, Mihiih32.exe, Nlphkb32.exe, Nondgn32.exe, Eihfjo32.exe, Caknol32.exe, Fjdbnf32.exe, Chbjffad.exe, Cjdfmo32.exe, Ekklaj32.exe, Jnqphi32.exe, Aamfnkai.exe, Dpbheh32.exe, Dnoomqbg.exe, Idklfpon.exe, Pefijfii.exe, Ffnphf32.exe, Jkbcln32.exe, Kfgdhjmk.exe, Maoajf32.exe, Ndmjedoi.exe, Afcenm32.exe, Pmqdkj32.exe, Pmanoifd.exe, Gejcjbah.exe, Pclfkc32.exe, Ajhgmpfg.exe, Ecqqpgli.exe, Joifam32.exe, Bidjnkdg.exe, Hcifgjgc.exe, Jcbellac.exe, Mijfnh32.exe, Djmicm32.exe, Fckjalhj.exe, Ampqjm32.exe, Ebedndfa.exe, Baakhm32.exe, Dnilobkm.exe, Omdneebf.exe, Oobjaqaj.exe, Pflomnkb.exe, Jmocpado.exe, Kjqccigf.exe, Ckoilb32.exe, Bpafkknm.exe, Bocolb32.exe, Qmicohqm.exe, Ebgacddo.exe, Faokjpfd.exe, Ghkllmoi.exe, Hellne32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hmlnoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Clilkfnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll" | Dlkepi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dhmcfkme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iggkllpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifnechbj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lecgje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqdgkecq.dll" | Llnofpcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mihiih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nlphkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nondgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eihfjo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Caknol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fjdbnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" | Chbjffad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cjdfmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ekklaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jnqphi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkdgmla.dll" | Aamfnkai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dpbheh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dnoomqbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idklfpon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pefijfii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ffnphf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jkbcln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfimidmd.dll" | Kfgdhjmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Maoajf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndmjedoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Afcenm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pmqdkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmanoifd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gejcjbah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacima32.dll" | Mihiih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pclfkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jneohcll.dll" | Ajhgmpfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajhgmpfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll" | Ecqqpgli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Joifam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bidjnkdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" | Hcifgjgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jcbellac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mijfnh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Djmicm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" | Fckjalhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ampqjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ebedndfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Baakhm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dnilobkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Omdneebf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oobjaqaj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pflomnkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll" | Djmicm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jmocpado.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmkdbj.dll" | Kjqccigf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ckoilb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bpafkknm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" | Bocolb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll" | Dnoomqbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" | Qmicohqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" | Ebgacddo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Maoajf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" | Faokjpfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" | Ghkllmoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hellne32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe, Ogmfbd32.exe, Pccfge32.exe, Paggai32.exe, Pfdpip32.exe, Pchpbded.exe, Pmqdkj32.exe, Pelipl32.exe, Pbpjiphi.exe, Qlhnbf32.exe, Qnfjna32.exe, Qdccfh32.exe, Qecoqk32.exe, Aplpai32.exe, Ampqjm32.exe, Afiecb32.exe
description | pid | process | target process
PID 1276 wrote to memory of 1212 | 1276 | 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe | Ogmfbd32.exe
PID 1276 wrote to memory of 1212 | 1276 | 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe | Ogmfbd32.exe
PID 1276 wrote to memory of 1212 | 1276 | 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe | Ogmfbd32.exe
PID 1276 wrote to memory of 1212 | 1276 | 305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe | Ogmfbd32.exe
PID 1212 wrote to memory of 1292 | 1212 | Ogmfbd32.exe | Pccfge32.exe
PID 1212 wrote to memory of 1292 | 1212 | Ogmfbd32.exe | Pccfge32.exe
PID 1212 wrote to memory of 1292 | 1212 | Ogmfbd32.exe | Pccfge32.exe
PID 1212 wrote to memory of 1292 | 1212 | Ogmfbd32.exe | Pccfge32.exe
PID 1292 wrote to memory of 2904 | 1292 | Pccfge32.exe | Paggai32.exe
PID 1292 wrote to memory of 2904 | 1292 | Pccfge32.exe | Paggai32.exe
PID 1292 wrote to memory of 2904 | 1292 | Pccfge32.exe | Paggai32.exe
PID 1292 wrote to memory of 2904 | 1292 | Pccfge32.exe | Paggai32.exe
PID 2904 wrote to memory of 2804 | 2904 | Paggai32.exe | Pfdpip32.exe
PID 2904 wrote to memory of 2804 | 2904 | Paggai32.exe | Pfdpip32.exe
PID 2904 wrote to memory of 2804 | 2904 | Paggai32.exe | Pfdpip32.exe
PID 2904 wrote to memory of 2804 | 2904 | Paggai32.exe | Pfdpip32.exe
PID 2804 wrote to memory of 2676 | 2804 | Pfdpip32.exe | Pchpbded.exe
PID 2804 wrote to memory of 2676 | 2804 | Pfdpip32.exe | Pchpbded.exe
PID 2804 wrote to memory of 2676 | 2804 | Pfdpip32.exe | Pchpbded.exe
PID 2804 wrote to memory of 2676 | 2804 | Pfdpip32.exe | Pchpbded.exe
PID 2676 wrote to memory of 2744 | 2676 | Pchpbded.exe | Pmqdkj32.exe
PID 2676 wrote to memory of 2744 | 2676 | Pchpbded.exe | Pmqdkj32.exe
PID 2676 wrote to memory of 2744 | 2676 | Pchpbded.exe | Pmqdkj32.exe
PID 2676 wrote to memory of 2744 | 2676 | Pchpbded.exe | Pmqdkj32.exe
PID 2744 wrote to memory of 2684 | 2744 | Pmqdkj32.exe | Pelipl32.exe
PID 2744 wrote to memory of 2684 | 2744 | Pmqdkj32.exe | Pelipl32.exe
PID 2744 wrote to memory of 2684 | 2744 | Pmqdkj32.exe | Pelipl32.exe
PID 2744 wrote to memory of 2684 | 2744 | Pmqdkj32.exe | Pelipl32.exe
PID 2684 wrote to memory of 2792 | 2684 | Pelipl32.exe | Pbpjiphi.exe
PID 2684 wrote to memory of 2792 | 2684 | Pelipl32.exe | Pbpjiphi.exe
PID 2684 wrote to memory of 2792 | 2684 | Pelipl32.exe | Pbpjiphi.exe
PID 2684 wrote to memory of 2792 | 2684 | Pelipl32.exe | Pbpjiphi.exe
PID 2792 wrote to memory of 2868 | 2792 | Pbpjiphi.exe | Qlhnbf32.exe
PID 2792 wrote to memory of 2868 | 2792 | Pbpjiphi.exe | Qlhnbf32.exe
PID 2792 wrote to memory of 2868 | 2792 | Pbpjiphi.exe | Qlhnbf32.exe
PID 2792 wrote to memory of 2868 | 2792 | Pbpjiphi.exe | Qlhnbf32.exe
PID 2868 wrote to memory of 2428 | 2868 | Qlhnbf32.exe | Qnfjna32.exe
PID 2868 wrote to memory of 2428 | 2868 | Qlhnbf32.exe | Qnfjna32.exe
PID 2868 wrote to memory of 2428 | 2868 | Qlhnbf32.exe | Qnfjna32.exe
PID 2868 wrote to memory of 2428 | 2868 | Qlhnbf32.exe | Qnfjna32.exe
PID 2428 wrote to memory of 1880 | 2428 | Qnfjna32.exe | Qdccfh32.exe
PID 2428 wrote to memory of 1880 | 2428 | Qnfjna32.exe | Qdccfh32.exe
PID 2428 wrote to memory of 1880 | 2428 | Qnfjna32.exe | Qdccfh32.exe
PID 2428 wrote to memory of 1880 | 2428 | Qnfjna32.exe | Qdccfh32.exe
PID 1880 wrote to memory of 1584 | 1880 | Qdccfh32.exe | Qecoqk32.exe
PID 1880 wrote to memory of 1584 | 1880 | Qdccfh32.exe | Qecoqk32.exe
PID 1880 wrote to memory of 1584 | 1880 | Qdccfh32.exe | Qecoqk32.exe
PID 1880 wrote to memory of 1584 | 1880 | Qdccfh32.exe | Qecoqk32.exe
PID 1584 wrote to memory of 1688 | 1584 | Qecoqk32.exe | Aplpai32.exe
PID 1584 wrote to memory of 1688 | 1584 | Qecoqk32.exe | Aplpai32.exe
PID 1584 wrote to memory of 1688 | 1584 | Qecoqk32.exe | Aplpai32.exe
PID 1584 wrote to memory of 1688 | 1584 | Qecoqk32.exe | Aplpai32.exe
PID 1688 wrote to memory of 2284 | 1688 | Aplpai32.exe | Ampqjm32.exe
PID 1688 wrote to memory of 2284 | 1688 | Aplpai32.exe | Ampqjm32.exe
PID 1688 wrote to memory of 2284 | 1688 | Aplpai32.exe | Ampqjm32.exe
PID 1688 wrote to memory of 2284 | 1688 | Aplpai32.exe | Ampqjm32.exe
PID 2284 wrote to memory of 2316 | 2284 | Ampqjm32.exe | Afiecb32.exe
PID 2284 wrote to memory of 2316 | 2284 | Ampqjm32.exe | Afiecb32.exe
PID 2284 wrote to memory of 2316 | 2284 | Ampqjm32.exe | Afiecb32.exe
PID 2284 wrote to memory of 2316 | 2284 | Ampqjm32.exe | Afiecb32.exe
PID 2316 wrote to memory of 2220 | 2316 | Afiecb32.exe | Alenki32.exe
PID 2316 wrote to memory of 2220 | 2316 | Afiecb32.exe | Alenki32.exe
PID 2316 wrote to memory of 2220 | 2316 | Afiecb32.exe | Alenki32.exe
PID 2316 wrote to memory of 2220 | 2316 | Afiecb32.exe | Alenki32.exe
Processes

Each entry gives the report's process-tree number, the image path, the command line (cmd), the PID, and the signatures matched for that process.

1. C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\305b9cc3e0fcc6cf8b3cbb37d405fe50_NeikiAnalytics.exe"; PID 1276): Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ogmfbd32.exe (cmd: C:\Windows\system32\Ogmfbd32.exe; PID 1212): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Pccfge32.exe (cmd: C:\Windows\system32\Pccfge32.exe; PID 1292): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Paggai32.exe (cmd: C:\Windows\system32\Paggai32.exe; PID 2904): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Pfdpip32.exe (cmd: C:\Windows\system32\Pfdpip32.exe; PID 2804): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Pchpbded.exe (cmd: C:\Windows\system32\Pchpbded.exe; PID 2676): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Pmqdkj32.exe (cmd: C:\Windows\system32\Pmqdkj32.exe; PID 2744): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Pelipl32.exe (cmd: C:\Windows\system32\Pelipl32.exe; PID 2684): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pbpjiphi.exe (cmd: C:\Windows\system32\Pbpjiphi.exe; PID 2792): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Qlhnbf32.exe (cmd: C:\Windows\system32\Qlhnbf32.exe; PID 2868): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Qnfjna32.exe (cmd: C:\Windows\system32\Qnfjna32.exe; PID 2428): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Qdccfh32.exe (cmd: C:\Windows\system32\Qdccfh32.exe; PID 1880): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Qecoqk32.exe (cmd: C:\Windows\system32\Qecoqk32.exe; PID 1584): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Aplpai32.exe (cmd: C:\Windows\system32\Aplpai32.exe; PID 1688): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ampqjm32.exe (cmd: C:\Windows\system32\Ampqjm32.exe; PID 2284): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Afiecb32.exe (cmd: C:\Windows\system32\Afiecb32.exe; PID 2316): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Alenki32.exe (cmd: C:\Windows\system32\Alenki32.exe; PID 2220): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Aiinen32.exe (cmd: C:\Windows\system32\Aiinen32.exe; PID 692): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
19. C:\Windows\SysWOW64\Apcfahio.exe (cmd: C:\Windows\system32\Apcfahio.exe; PID 1916): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Aepojo32.exe (cmd: C:\Windows\system32\Aepojo32.exe; PID 1364): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
21. C:\Windows\SysWOW64\Ahokfj32.exe (cmd: C:\Windows\system32\Ahokfj32.exe; PID 2376): Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Bebkpn32.exe (cmd: C:\Windows\system32\Bebkpn32.exe; PID 1728): Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Bhahlj32.exe (cmd: C:\Windows\system32\Bhahlj32.exe; PID 376): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Bkodhe32.exe (cmd: C:\Windows\system32\Bkodhe32.exe; PID 556): Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Bommnc32.exe (cmd: C:\Windows\system32\Bommnc32.exe; PID 2272): Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Bkdmcdoe.exe (cmd: C:\Windows\system32\Bkdmcdoe.exe; PID 1308): Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Bpafkknm.exe (cmd: C:\Windows\system32\Bpafkknm.exe; PID 2104): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
28. C:\Windows\SysWOW64\Bkfjhd32.exe (cmd: C:\Windows\system32\Bkfjhd32.exe; PID 2812): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
29. C:\Windows\SysWOW64\Bnefdp32.exe (cmd: C:\Windows\system32\Bnefdp32.exe; PID 2652): Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Cjlgiqbk.exe (cmd: C:\Windows\system32\Cjlgiqbk.exe; PID 2668): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
31. C:\Windows\SysWOW64\Cpeofk32.exe (cmd: C:\Windows\system32\Cpeofk32.exe; PID 2760): Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Cgpgce32.exe (cmd: C:\Windows\system32\Cgpgce32.exe; PID 2512): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Cphlljge.exe (cmd: C:\Windows\system32\Cphlljge.exe; PID 2564): Executes dropped EXE; Drops file in System32 directory
34. C:\Windows\SysWOW64\Cjpqdp32.exe (cmd: C:\Windows\system32\Cjpqdp32.exe; PID 1028): Executes dropped EXE
35. C:\Windows\SysWOW64\Cciemedf.exe (cmd: C:\Windows\system32\Cciemedf.exe; PID 2828): Executes dropped EXE
36. C:\Windows\SysWOW64\Cjbmjplb.exe (cmd: C:\Windows\system32\Cjbmjplb.exe; PID 2004): Executes dropped EXE
37. C:\Windows\SysWOW64\Cfinoq32.exe (cmd: C:\Windows\system32\Cfinoq32.exe; PID 2948): Executes dropped EXE
38. C:\Windows\SysWOW64\Ckffgg32.exe (cmd: C:\Windows\system32\Ckffgg32.exe; PID 1816): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39. C:\Windows\SysWOW64\Dkhcmgnl.exe (cmd: C:\Windows\system32\Dkhcmgnl.exe; PID 1744): Executes dropped EXE
40. C:\Windows\SysWOW64\Dhmcfkme.exe (cmd: C:\Windows\system32\Dhmcfkme.exe; PID 2192): Executes dropped EXE; Modifies registry class
41. C:\Windows\SysWOW64\Dkkpbgli.exe (cmd: C:\Windows\system32\Dkkpbgli.exe; PID 1680): Executes dropped EXE
42. C:\Windows\SysWOW64\Dnilobkm.exe (cmd: C:\Windows\system32\Dnilobkm.exe; PID 2608): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
43. C:\Windows\SysWOW64\Djpmccqq.exe (cmd: C:\Windows\system32\Djpmccqq.exe; PID 2112): Executes dropped EXE; Drops file in System32 directory
44. C:\Windows\SysWOW64\Dmoipopd.exe (cmd: C:\Windows\system32\Dmoipopd.exe; PID 536): Executes dropped EXE
45. C:\Windows\SysWOW64\Ddeaalpg.exe (cmd: C:\Windows\system32\Ddeaalpg.exe; PID 932): Executes dropped EXE
46. C:\Windows\SysWOW64\Djbiicon.exe (cmd: C:\Windows\system32\Djbiicon.exe; PID 1084): Executes dropped EXE
47. C:\Windows\SysWOW64\Dmafennb.exe (cmd: C:\Windows\system32\Dmafennb.exe; PID 2348): Executes dropped EXE
48. C:\Windows\SysWOW64\Doobajme.exe (cmd: C:\Windows\system32\Doobajme.exe; PID 1560): Executes dropped EXE
49. C:\Windows\SysWOW64\Eihfjo32.exe (cmd: C:\Windows\system32\Eihfjo32.exe; PID 2924): Executes dropped EXE; Modifies registry class
50. C:\Windows\SysWOW64\Epaogi32.exe (cmd: C:\Windows\system32\Epaogi32.exe; PID 2448): Executes dropped EXE
51. C:\Windows\SysWOW64\Eflgccbp.exe (cmd: C:\Windows\system32\Eflgccbp.exe; PID 1508): Executes dropped EXE; Drops file in System32 directory
52. C:\Windows\SysWOW64\Emeopn32.exe (cmd: C:\Windows\system32\Emeopn32.exe; PID 1580): Executes dropped EXE
53. C:\Windows\SysWOW64\Epdkli32.exe (cmd: C:\Windows\system32\Epdkli32.exe; PID 3068): Executes dropped EXE
54. C:\Windows\SysWOW64\Efncicpm.exe (cmd: C:\Windows\system32\Efncicpm.exe; PID 2732): Executes dropped EXE
55. C:\Windows\SysWOW64\Ekklaj32.exe (cmd: C:\Windows\system32\Ekklaj32.exe; PID 2644): Executes dropped EXE; Modifies registry class
56. C:\Windows\SysWOW64\Ebedndfa.exe (cmd: C:\Windows\system32\Ebedndfa.exe; PID 2568): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
57. C:\Windows\SysWOW64\Eiomkn32.exe (cmd: C:\Windows\system32\Eiomkn32.exe; PID 3012): Executes dropped EXE
58. C:\Windows\SysWOW64\Epieghdk.exe (cmd: C:\Windows\system32\Epieghdk.exe; PID 2580): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
59. C:\Windows\SysWOW64\Ebgacddo.exe (cmd: C:\Windows\system32\Ebgacddo.exe; PID 2688): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
60. C:\Windows\SysWOW64\Eiaiqn32.exe (cmd: C:\Windows\system32\Eiaiqn32.exe; PID 1984): Executes dropped EXE
61. C:\Windows\SysWOW64\Ennaieib.exe (cmd: C:\Windows\system32\Ennaieib.exe; PID 2156): Executes dropped EXE
62. C:\Windows\SysWOW64\Ealnephf.exe (cmd: C:\Windows\system32\Ealnephf.exe; PID 1720): Executes dropped EXE
63. C:\Windows\SysWOW64\Fckjalhj.exe (cmd: C:\Windows\system32\Fckjalhj.exe; PID 1740): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
64. C:\Windows\SysWOW64\Fjdbnf32.exe (cmd: C:\Windows\system32\Fjdbnf32.exe; PID 2264): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
65. C:\Windows\SysWOW64\Faokjpfd.exe (cmd: C:\Windows\system32\Faokjpfd.exe; PID 2492): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
66. C:\Windows\SysWOW64\Fhhcgj32.exe (cmd: C:\Windows\system32\Fhhcgj32.exe; PID 1040)
67. C:\Windows\SysWOW64\Fnbkddem.exe (cmd: C:\Windows\system32\Fnbkddem.exe; PID 1684)
68. C:\Windows\SysWOW64\Faagpp32.exe (cmd: C:\Windows\system32\Faagpp32.exe; PID 2152)
69. C:\Windows\SysWOW64\Ffnphf32.exe (cmd: C:\Windows\system32\Ffnphf32.exe; PID 1644): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
70. C:\Windows\SysWOW64\Fmhheqje.exe (cmd: C:\Windows\system32\Fmhheqje.exe; PID 1624): Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Fpfdalii.exe (cmd: C:\Windows\system32\Fpfdalii.exe; PID 1648): Drops file in System32 directory
72. C:\Windows\SysWOW64\Fbdqmghm.exe (cmd: C:\Windows\system32\Fbdqmghm.exe; PID 2252)
73. C:\Windows\SysWOW64\Fjlhneio.exe (cmd: C:\Windows\system32\Fjlhneio.exe; PID 3044)
74. C:\Windows\SysWOW64\Fmjejphb.exe (cmd: C:\Windows\system32\Fmjejphb.exe; PID 2432)
75. C:\Windows\SysWOW64\Fbgmbg32.exe (cmd: C:\Windows\system32\Fbgmbg32.exe; PID 2992)
76. C:\Windows\SysWOW64\Feeiob32.exe (cmd: C:\Windows\system32\Feeiob32.exe; PID 2780)
77. C:\Windows\SysWOW64\Gonnhhln.exe (cmd: C:\Windows\system32\Gonnhhln.exe; PID 1836)
78. C:\Windows\SysWOW64\Gegfdb32.exe (cmd: C:\Windows\system32\Gegfdb32.exe; PID 1288)
79. C:\Windows\SysWOW64\Gopkmhjk.exe (cmd: C:\Windows\system32\Gopkmhjk.exe; PID 1656)
80. C:\Windows\SysWOW64\Gejcjbah.exe (cmd: C:\Windows\system32\Gejcjbah.exe; PID 2248): Modifies registry class
81. C:\Windows\SysWOW64\Ghhofmql.exe (cmd: C:\Windows\system32\Ghhofmql.exe; PID 3036): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
82. C:\Windows\SysWOW64\Gobgcg32.exe (cmd: C:\Windows\system32\Gobgcg32.exe; PID 1484)
83. C:\Windows\SysWOW64\Gaqcoc32.exe (cmd: C:\Windows\system32\Gaqcoc32.exe; PID 2484)
84. C:\Windows\SysWOW64\Ghkllmoi.exe (cmd: C:\Windows\system32\Ghkllmoi.exe; PID 1340): Modifies registry class
85. C:\Windows\SysWOW64\Goddhg32.exe (cmd: C:\Windows\system32\Goddhg32.exe; PID 2328)
86. C:\Windows\SysWOW64\Geolea32.exe (cmd: C:\Windows\system32\Geolea32.exe; PID 2876): Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Gkkemh32.exe (cmd: C:\Windows\system32\Gkkemh32.exe; PID 1756)
88. C:\Windows\SysWOW64\Gmjaic32.exe (cmd: C:\Windows\system32\Gmjaic32.exe; PID 2612)
89. C:\Windows\SysWOW64\Gddifnbk.exe (cmd: C:\Windows\system32\Gddifnbk.exe; PID 2756)
90. C:\Windows\SysWOW64\Hgbebiao.exe (cmd: C:\Windows\system32\Hgbebiao.exe; PID 2588)
91. C:\Windows\SysWOW64\Hmlnoc32.exe (cmd: C:\Windows\system32\Hmlnoc32.exe; PID 2000): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
92. C:\Windows\SysWOW64\Hahjpbad.exe (cmd: C:\Windows\system32\Hahjpbad.exe; PID 792)
93. C:\Windows\SysWOW64\Hcifgjgc.exe (cmd: C:\Windows\system32\Hcifgjgc.exe; PID 748): Modifies registry class
94. C:\Windows\SysWOW64\Hkpnhgge.exe (cmd: C:\Windows\system32\Hkpnhgge.exe; PID 2216): Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Hpmgqnfl.exe (cmd: C:\Windows\system32\Hpmgqnfl.exe; PID 1672): Adds autorun key to be loaded by Explorer.exe on startup
96. C:\Windows\SysWOW64\Hggomh32.exe (cmd: C:\Windows\system32\Hggomh32.exe; PID 676)
97. C:\Windows\SysWOW64\Hiekid32.exe (cmd: C:\Windows\system32\Hiekid32.exe; PID 380)
98. C:\Windows\SysWOW64\Hlcgeo32.exe (cmd: C:\Windows\system32\Hlcgeo32.exe; PID 1824): Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Hgilchkf.exe (cmd: C:\Windows\system32\Hgilchkf.exe; PID 1404)
100. C:\Windows\SysWOW64\Hellne32.exe (cmd: C:\Windows\system32\Hellne32.exe; PID 2352): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
101. C:\Windows\SysWOW64\Hlfdkoin.exe (cmd: C:\Windows\system32\Hlfdkoin.exe; PID 2148)
102. C:\Windows\SysWOW64\Hacmcfge.exe (cmd: C:\Windows\system32\Hacmcfge.exe; PID 1604)
103. C:\Windows\SysWOW64\Hhmepp32.exe (cmd: C:\Windows\system32\Hhmepp32.exe; PID 2656): Adds autorun key to be loaded by Explorer.exe on startup
104. C:\Windows\SysWOW64\Hlhaqogk.exe (cmd: C:\Windows\system32\Hlhaqogk.exe; PID 2892)
105. C:\Windows\SysWOW64\Hogmmjfo.exe (cmd: C:\Windows\system32\Hogmmjfo.exe; PID 2800)
106. C:\Windows\SysWOW64\Ieqeidnl.exe (cmd: C:\Windows\system32\Ieqeidnl.exe; PID 2768)
107. C:\Windows\SysWOW64\Ioijbj32.exe (cmd: C:\Windows\system32\Ioijbj32.exe; PID 2200): Drops file in System32 directory
108. C:\Windows\SysWOW64\Ifcbodli.exe (cmd: C:\Windows\system32\Ifcbodli.exe; PID 2184): Drops file in System32 directory
109. C:\Windows\SysWOW64\Igdogl32.exe (cmd: C:\Windows\system32\Igdogl32.exe; PID 2288)
110. C:\Windows\SysWOW64\Iokfhi32.exe (cmd: C:\Windows\system32\Iokfhi32.exe; PID 2908): Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Idhopq32.exe (cmd: C:\Windows\system32\Idhopq32.exe; PID 1476)
112. C:\Windows\SysWOW64\Iggkllpe.exe (cmd: C:\Windows\system32\Iggkllpe.exe; PID 108): Modifies registry class
113. C:\Windows\SysWOW64\Ijeghgoh.exe (cmd: C:\Windows\system32\Ijeghgoh.exe; PID 1776)
114. C:\Windows\SysWOW64\Iblpjdpk.exe (cmd: C:\Windows\system32\Iblpjdpk.exe; PID 884)
115. C:\Windows\SysWOW64\Idklfpon.exe (cmd: C:\Windows\system32\Idklfpon.exe; PID 1380): Modifies registry class
116. C:\Windows\SysWOW64\Ikddbj32.exe (cmd: C:\Windows\system32\Ikddbj32.exe; PID 2628): Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Imfqjbli.exe (cmd: C:\Windows\system32\Imfqjbli.exe; PID 2788)
118. C:\Windows\SysWOW64\Idmhkpml.exe (cmd: C:\Windows\system32\Idmhkpml.exe; PID 764)
119. C:\Windows\SysWOW64\Ifnechbj.exe (cmd: C:\Windows\system32\Ifnechbj.exe; PID 1820): Modifies registry class
120. C:\Windows\SysWOW64\Jnemdecl.exe (cmd: C:\Windows\system32\Jnemdecl.exe; PID 2096)
121. C:\Windows\SysWOW64\Jcbellac.exe (cmd: C:\Windows\system32\Jcbellac.exe; PID 2920): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
122. C:\Windows\SysWOW64\Jjlnif32.exe (cmd: C:\Windows\system32\Jjlnif32.exe; PID 2240)
123. C:\Windows\SysWOW64\Joifam32.exe (cmd: C:\Windows\system32\Joifam32.exe; PID 2036): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
124. C:\Windows\SysWOW64\Jbgbni32.exe (cmd: C:\Windows\system32\Jbgbni32.exe; PID 2380): Drops file in System32 directory
125. C:\Windows\SysWOW64\Jjojofgn.exe (cmd: C:\Windows\system32\Jjojofgn.exe; PID 1600)
126. C:\Windows\SysWOW64\Jmmfkafa.exe (cmd: C:\Windows\system32\Jmmfkafa.exe; PID 2696)
127. C:\Windows\SysWOW64\Jokcgmee.exe (cmd: C:\Windows\system32\Jokcgmee.exe; PID 2500)
128. C:\Windows\SysWOW64\Jfekcg32.exe (cmd: C:\Windows\system32\Jfekcg32.exe; PID 2164)
129. C:\Windows\SysWOW64\Jmocpado.exe (cmd: C:\Windows\system32\Jmocpado.exe; PID 2196): Modifies registry class
130. C:\Windows\SysWOW64\Jkbcln32.exe (cmd: C:\Windows\system32\Jkbcln32.exe; PID 1592): Drops file in System32 directory; Modifies registry class
131. C:\Windows\SysWOW64\Jnqphi32.exe (cmd: C:\Windows\system32\Jnqphi32.exe; PID 636): Modifies registry class
132. C:\Windows\SysWOW64\Jejhecaj.exe (cmd: C:\Windows\system32\Jejhecaj.exe; PID 1320)
133. C:\Windows\SysWOW64\Jgidao32.exe (cmd: C:\Windows\system32\Jgidao32.exe; PID 1360)
134. C:\Windows\SysWOW64\Joplbl32.exe (cmd: C:\Windows\system32\Joplbl32.exe; PID 1928)
135. C:\Windows\SysWOW64\Kaaijdgn.exe (cmd: C:\Windows\system32\Kaaijdgn.exe; PID 1620)
136. C:\Windows\SysWOW64\Kgkafo32.exe (cmd: C:\Windows\system32\Kgkafo32.exe; PID 2624)
137. C:\Windows\SysWOW64\Kkgmgmfd.exe (cmd: C:\Windows\system32\Kkgmgmfd.exe; PID 3052)
138. C:\Windows\SysWOW64\Kneicieh.exe (cmd: C:\Windows\system32\Kneicieh.exe; PID 2872)
139. C:\Windows\SysWOW64\Kbqecg32.exe (cmd: C:\Windows\system32\Kbqecg32.exe; PID 2012)
140. C:\Windows\SysWOW64\Kcbakpdo.exe (cmd: C:\Windows\system32\Kcbakpdo.exe; PID 2116): Adds autorun key to be loaded by Explorer.exe on startup
141. C:\Windows\SysWOW64\Kjljhjkl.exe (cmd: C:\Windows\system32\Kjljhjkl.exe; PID 916): Drops file in System32 directory
142. C:\Windows\SysWOW64\Keanebkb.exe (cmd: C:\Windows\system32\Keanebkb.exe; PID 484)
143. C:\Windows\SysWOW64\Kgpjanje.exe (cmd: C:\Windows\system32\Kgpjanje.exe; PID 1532): Drops file in System32 directory
144. C:\Windows\SysWOW64\Kjnfniii.exe (cmd: C:\Windows\system32\Kjnfniii.exe; PID 2136): Adds autorun key to be loaded by Explorer.exe on startup
145. C:\Windows\SysWOW64\Kmmcjehm.exe (cmd: C:\Windows\system32\Kmmcjehm.exe; PID 2884)
146. C:\Windows\SysWOW64\Kgbggnhc.exe (cmd: C:\Windows\system32\Kgbggnhc.exe; PID 316)
147. C:\Windows\SysWOW64\Kjqccigf.exe (cmd: C:\Windows\system32\Kjqccigf.exe; PID 2664): Modifies registry class
148. C:\Windows\SysWOW64\Kmopod32.exe (cmd: C:\Windows\system32\Kmopod32.exe; PID 2584)
149. C:\Windows\SysWOW64\Kpmlkp32.exe (cmd: C:\Windows\system32\Kpmlkp32.exe; PID 2820)
150. C:\Windows\SysWOW64\Kfgdhjmk.exe (cmd: C:\Windows\system32\Kfgdhjmk.exe; PID 2008): Modifies registry class
151. C:\Windows\SysWOW64\Kifpdelo.exe (cmd: C:\Windows\system32\Kifpdelo.exe; PID 2916): Drops file in System32 directory
152. C:\Windows\SysWOW64\Lpphap32.exe (cmd: C:\Windows\system32\Lpphap32.exe; PID 2988)
153. C:\Windows\SysWOW64\Lbnemk32.exe (cmd: C:\Windows\system32\Lbnemk32.exe; PID 408)
154. C:\Windows\SysWOW64\Lemaif32.exe (cmd: C:\Windows\system32\Lemaif32.exe; PID 2436)
155. C:\Windows\SysWOW64\Lmcijcbe.exe (cmd: C:\Windows\system32\Lmcijcbe.exe; PID 896)
156. C:\Windows\SysWOW64\Lpbefoai.exe (cmd: C:\Windows\system32\Lpbefoai.exe; PID 2808): Adds autorun key to be loaded by Explorer.exe on startup
157. C:\Windows\SysWOW64\Loeebl32.exe (cmd: C:\Windows\system32\Loeebl32.exe; PID 2980)
158. C:\Windows\SysWOW64\Lijjoe32.exe (cmd: C:\Windows\system32\Lijjoe32.exe; PID 2020): Adds autorun key to be loaded by Explorer.exe on startup
159. C:\Windows\SysWOW64\Lliflp32.exe (cmd: C:\Windows\system32\Lliflp32.exe; PID 2268)
160. C:\Windows\SysWOW64\Logbhl32.exe (cmd: C:\Windows\system32\Logbhl32.exe; PID 596)
161. C:\Windows\SysWOW64\Lafndg32.exe (cmd: C:\Windows\system32\Lafndg32.exe; PID 1780)
162. C:\Windows\SysWOW64\Limfed32.exe (cmd: C:\Windows\system32\Limfed32.exe; PID 736): Adds autorun key to be loaded by Explorer.exe on startup
163. C:\Windows\SysWOW64\Llkbap32.exe (cmd: C:\Windows\system32\Llkbap32.exe; PID 2708): Adds autorun key to be loaded by Explorer.exe on startup
164. C:\Windows\SysWOW64\Lbeknj32.exe (cmd: C:\Windows\system32\Lbeknj32.exe; PID 2648)
165. C:\Windows\SysWOW64\Lecgje32.exe (cmd: C:\Windows\system32\Lecgje32.exe; PID 2572): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
166. C:\Windows\SysWOW64\Lhbcfa32.exe (cmd: C:\Windows\system32\Lhbcfa32.exe; PID 1668): Adds autorun key to be loaded by Explorer.exe on startup
167. C:\Windows\SysWOW64\Llnofpcg.exe (cmd: C:\Windows\system32\Llnofpcg.exe; PID 2332): Drops file in System32 directory; Modifies registry class
168. C:\Windows\SysWOW64\Lajhofao.exe (cmd: C:\Windows\system32\Lajhofao.exe; PID 2472)
169. C:\Windows\SysWOW64\Ldidkbpb.exe (cmd: C:\Windows\system32\Ldidkbpb.exe; PID 2060)
170. C:\Windows\SysWOW64\Mkclhl32.exe (cmd: C:\Windows\system32\Mkclhl32.exe; PID 2968)
171. C:\Windows\SysWOW64\Mmahdggc.exe (cmd: C:\Windows\system32\Mmahdggc.exe; PID 2692): Drops file in System32 directory
172. C:\Windows\SysWOW64\Mppepcfg.exe (cmd: C:\Windows\system32\Mppepcfg.exe; PID 1920)
173. C:\Windows\SysWOW64\Mhgmapfi.exe (cmd: C:\Windows\system32\Mhgmapfi.exe; PID 1888)
174. C:\Windows\SysWOW64\Mihiih32.exe (cmd: C:\Windows\system32\Mihiih32.exe; PID 2524): Modifies registry class
175. C:\Windows\SysWOW64\Maoajf32.exe (cmd: C:\Windows\system32\Maoajf32.exe; PID 2356): Modifies registry class
176. C:\Windows\SysWOW64\Mbpnanch.exe (cmd: C:\Windows\system32\Mbpnanch.exe; PID 1132)
177. C:\Windows\SysWOW64\Mkgfckcj.exe (cmd: C:\Windows\system32\Mkgfckcj.exe; PID 2296)
178. C:\Windows\SysWOW64\Mijfnh32.exe (cmd: C:\Windows\system32\Mijfnh32.exe; PID 236): Modifies registry class
179. C:\Windows\SysWOW64\Mpdnkb32.exe (cmd: C:\Windows\system32\Mpdnkb32.exe; PID 1660)
180. C:\Windows\SysWOW64\Mgnfhlin.exe (cmd: C:\Windows\system32\Mgnfhlin.exe; PID 832)
181. C:\Windows\SysWOW64\Mimbdhhb.exe (cmd: C:\Windows\system32\Mimbdhhb.exe; PID 1036): Drops file in System32 directory
182. C:\Windows\SysWOW64\Mlkopcge.exe (cmd: C:\Windows\system32\Mlkopcge.exe; PID 1080)
183. C:\Windows\SysWOW64\Moiklogi.exe (cmd: C:\Windows\system32\Moiklogi.exe; PID 812)
184. C:\Windows\SysWOW64\Meccii32.exe (cmd: C:\Windows\system32\Meccii32.exe; PID 1608)
185. C:\Windows\SysWOW64\Mhbped32.exe (cmd: C:\Windows\system32\Mhbped32.exe; PID 2016)
186. C:\Windows\SysWOW64\Nolhan32.exe (cmd: C:\Windows\system32\Nolhan32.exe; PID 2544)
187. C:\Windows\SysWOW64\Najdnj32.exe (cmd: C:\Windows\system32\Najdnj32.exe; PID 2532): Drops file in System32 directory
188. C:\Windows\SysWOW64\Nhdlkdkg.exe (cmd: C:\Windows\system32\Nhdlkdkg.exe; PID 540)
189. C:\Windows\SysWOW64\Nlphkb32.exe (cmd: C:\Windows\system32\Nlphkb32.exe; PID 304): Modifies registry class
190. C:\Windows\SysWOW64\Nondgn32.exe (cmd: C:\Windows\system32\Nondgn32.exe; PID 3100): Modifies registry class
191. C:\Windows\SysWOW64\Namqci32.exe (cmd: C:\Windows\system32\Namqci32.exe; PID 3140)
192. C:\Windows\SysWOW64\Ndkmpe32.exe (cmd: C:\Windows\system32\Ndkmpe32.exe; PID 3180)
193. C:\Windows\SysWOW64\Nlbeqb32.exe (cmd: C:\Windows\system32\Nlbeqb32.exe; PID 3220)
194. C:\Windows\SysWOW64\Nncahjgl.exe (cmd: C:\Windows\system32\Nncahjgl.exe; PID 3260): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
195. C:\Windows\SysWOW64\Naoniipe.exe (cmd: C:\Windows\system32\Naoniipe.exe; PID 3300)
196. C:\Windows\SysWOW64\Ndmjedoi.exe (cmd: C:\Windows\system32\Ndmjedoi.exe; PID 3340): Modifies registry class
197. C:\Windows\SysWOW64\Nglfapnl.exe (cmd: C:\Windows\system32\Nglfapnl.exe; PID 3380)
198. C:\Windows\SysWOW64\Nnennj32.exe (cmd: C:\Windows\system32\Nnennj32.exe; PID 3420)
199. C:\Windows\SysWOW64\Naajoinb.exe (cmd: C:\Windows\system32\Naajoinb.exe; PID 3460): Drops file in System32 directory
200. C:\Windows\SysWOW64\Nhkbkc32.exe (cmd: C:\Windows\system32\Nhkbkc32.exe; PID 3500)
201. C:\Windows\SysWOW64\Ngnbgplj.exe (cmd: C:\Windows\system32\Ngnbgplj.exe; PID 3540)
202. C:\Windows\SysWOW64\Nnhkcj32.exe (cmd: C:\Windows\system32\Nnhkcj32.exe; PID 3580)
203. C:\Windows\SysWOW64\Npfgpe32.exe (cmd: C:\Windows\system32\Npfgpe32.exe; PID 3620): Drops file in System32 directory
204. C:\Windows\SysWOW64\Ngpolo32.exe (cmd: C:\Windows\system32\Ngpolo32.exe; PID 3660)
205. C:\Windows\SysWOW64\Ojolhk32.exe (cmd: C:\Windows\system32\Ojolhk32.exe; PID 3700)
206. C:\Windows\SysWOW64\Olmhdf32.exe (cmd: C:\Windows\system32\Olmhdf32.exe; PID 3740)
207. C:\Windows\SysWOW64\Oddpfc32.exe (cmd: C:\Windows\system32\Oddpfc32.exe; PID 3780)
208. C:\Windows\SysWOW64\Ofelmloo.exe (cmd: C:\Windows\system32\Ofelmloo.exe; PID 3820)
209. C:\Windows\SysWOW64\Ojahnj32.exe (cmd: C:\Windows\system32\Ojahnj32.exe; PID 3860)
210. C:\Windows\SysWOW64\Oonafa32.exe (cmd: C:\Windows\system32\Oonafa32.exe; PID 3900): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
211. C:\Windows\SysWOW64\Ohfeog32.exe (cmd: C:\Windows\system32\Ohfeog32.exe; PID 3940): Adds autorun key to be loaded by Explorer.exe on startup
212. C:\Windows\SysWOW64\Oopnlacm.exe (cmd: C:\Windows\system32\Oopnlacm.exe; PID 3980)
213. C:\Windows\SysWOW64\Obojhlbq.exe (cmd: C:\Windows\system32\Obojhlbq.exe; PID 4020)
214. C:\Windows\SysWOW64\Omdneebf.exe (cmd: C:\Windows\system32\Omdneebf.exe; PID 4060): Modifies registry class
215. C:\Windows\SysWOW64\Oobjaqaj.exe (cmd: C:\Windows\system32\Oobjaqaj.exe; PID 340): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
216. C:\Windows\SysWOW64\Ofmbnkhg.exe (cmd: C:\Windows\system32\Ofmbnkhg.exe; PID 3108)
217. C:\Windows\SysWOW64\Odobjg32.exe (cmd: C:\Windows\system32\Odobjg32.exe; PID 3160)
218. C:\Windows\SysWOW64\Omfkke32.exe (cmd: C:\Windows\system32\Omfkke32.exe; PID 3204)
219. C:\Windows\SysWOW64\Ooeggp32.exe (cmd: C:\Windows\system32\Ooeggp32.exe; PID 3244): Adds autorun key to be loaded by Explorer.exe on startup
220. C:\Windows\SysWOW64\Pfoocjfd.exe (cmd: C:\Windows\system32\Pfoocjfd.exe; PID 3308)
221. C:\Windows\SysWOW64\Pdaoog32.exe (cmd: C:\Windows\system32\Pdaoog32.exe; PID 3356)
222. C:\Windows\SysWOW64\Pklhlael.exe (cmd: C:\Windows\system32\Pklhlael.exe; PID 3404): Drops file in System32 directory
223. C:\Windows\SysWOW64\Pnjdhmdo.exe (cmd: C:\Windows\system32\Pnjdhmdo.exe; PID 3448): Drops file in System32 directory
224. C:\Windows\SysWOW64\Pedleg32.exe (cmd: C:\Windows\system32\Pedleg32.exe; PID 3508): Adds autorun key to be loaded by Explorer.exe on startup
225. C:\Windows\SysWOW64\Piphee32.exe (cmd: C:\Windows\system32\Piphee32.exe; PID 3560)
226. C:\Windows\SysWOW64\Pjadmnic.exe (cmd: C:\Windows\system32\Pjadmnic.exe; PID 3608)
227. C:\Windows\SysWOW64\Pbhmnkjf.exe (cmd: C:\Windows\system32\Pbhmnkjf.exe; PID 3652)
228. C:\Windows\SysWOW64\Pefijfii.exe (cmd: C:\Windows\system32\Pefijfii.exe; PID 3708): Modifies registry class
229. C:\Windows\SysWOW64\Pciifc32.exe (cmd: C:\Windows\system32\Pciifc32.exe; PID 3756)
230. C:\Windows\SysWOW64\Pnomcl32.exe (cmd: C:\Windows\system32\Pnomcl32.exe; PID 3804)
231. C:\Windows\SysWOW64\Pmanoifd.exe (cmd: C:\Windows\system32\Pmanoifd.exe; PID 3840): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
232. C:\Windows\SysWOW64\Pclfkc32.exe (cmd: C:\Windows\system32\Pclfkc32.exe; PID 3908): Modifies registry class
233. C:\Windows\SysWOW64\Pfjbgnme.exe (cmd: C:\Windows\system32\Pfjbgnme.exe; PID 3960)
234. C:\Windows\SysWOW64\Pjenhm32.exe (cmd: C:\Windows\system32\Pjenhm32.exe; PID 4004)
235. C:\Windows\SysWOW64\Pmdjdh32.exe (cmd: C:\Windows\system32\Pmdjdh32.exe; PID 4052)
236. C:\Windows\SysWOW64\Pcnbablo.exe (cmd: C:\Windows\system32\Pcnbablo.exe; PID 1976)
237. C:\Windows\SysWOW64\Pflomnkb.exe (cmd: C:\Windows\system32\Pflomnkb.exe; PID 3136): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
238. C:\Windows\SysWOW64\Qmfgjh32.exe (cmd: C:\Windows\system32\Qmfgjh32.exe; PID 3188)
239. C:\Windows\SysWOW64\Qcpofbjl.exe (cmd: C:\Windows\system32\Qcpofbjl.exe; PID 3232): Adds autorun key to be loaded by Explorer.exe on startup
240. C:\Windows\SysWOW64\Qjjgclai.exe (cmd: C:\Windows\system32\Qjjgclai.exe; PID 3320)
241. C:\Windows\SysWOW64\Qmicohqm.exe (cmd: C:\Windows\system32\Qmicohqm.exe; PID 3368): Modifies registry class
242. C:\Windows\SysWOW64\Qcbllb32.exe (cmd: C:\Windows\system32\Qcbllb32.exe; PID 3452)