Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 23:26

Static task: static1
Behavioral task behavioral1: sample 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe, resource win7-20240508-en
Behavioral task behavioral2: sample 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe, resource win10v2004-20240508-en

General
Target: 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe
Size: 125KB
MD5: 8ffd95ba1a23c480cc987293ab4245b0
SHA1: eed1142346e45bd348fbca65e2df07752cca87b4
SHA256: 78d7c51c37fbb72030ff2c699cf4df21ef7833c1ebb7848fd1e0880e8bf225c8
SHA512: 77d356012889faaa6ecf8a62b2d23be7c081ca4c4ed8748b165fbc741ede356676595993a8e06c321d43db3587258659c39672437184fc6fa628c181c4f88849
SSDEEP: 3072:I/H3aPFCgAoLP2uoc31WdTCn93OGey/ZhJakrPF:cHKPSSCcITCndOGeKTaG
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 IoCs touch the same key, HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, and register the same CLSID under the value name "Web Event Logger". The Wow6432Node path shows the writes came from a 32-bit process and were redirected by WOW64 on this x64 image.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (38 processes):
Pelipl32.exe, Nbfjdn32.exe, Globlmmj.exe, Ipllekdl.exe, Lpjdjmfp.exe, Ooeggp32.exe, Nenobfak.exe, Gmgdddmq.exe, Icpigm32.exe, Afiecb32.exe, Hpocfncj.exe, Jqfffqpm.exe, Mlkopcge.exe, Ichllgfb.exe, Ncmdhb32.exe, Nefpnhlc.exe, Eqbddk32.exe, Fenmdm32.exe, Mhhfdo32.exe, Jjfgjk32.exe, Fdoclk32.exe, Gaqcoc32.exe, Ldfgebbe.exe, Ndbcpd32.exe, Cgcmlcja.exe, Ijeghgoh.exe, Lafndg32.exe, Emhlfmgj.exe, Llkbap32.exe, Ipgbjl32.exe, Jjbpgd32.exe, Dhnmij32.exe, Odgcfijj.exe, Joplbl32.exe, Ofjfhk32.exe, Kfbcbd32.exe, Flmefm32.exe, Hoamgd32.exe

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (26 processes):
Hahjpbad.exe, Ldfgebbe.exe, Ijbdha32.exe, Gacpdbej.exe, Miooigfo.exe, Nncahjgl.exe, Nocemcbj.exe, Fhhcgj32.exe, Mkobnqan.exe, Gdgcpi32.exe, Hpgfki32.exe, Dlgldibq.exe, Mcmhiojk.exe, Mofecpnl.exe, Mgimmm32.exe, Oenifh32.exe, Icbimi32.exe, Kmmcjehm.exe, Logbhl32.exe, Mamddf32.exe, Jmbiipml.exe, Kbfhbeek.exe, Hgilchkf.exe, Pnjdhmdo.exe, Lmgmjjdn.exe, Oqqapjnk.exe
Executes dropped EXE (64 IoCs)
pid process:
2960 Jgcabqic.exe, 2592 Jmpjkggj.exe, 2584 Jjdkdl32.exe, 2472 Jpqclb32.exe, 2072 Jjfgjk32.exe, 2556 Kpcpbb32.exe, 2068 Kjhdokbo.exe, 1364 Kljqgc32.exe,
992 Kfoedl32.exe, 788 Kmimafop.exe, 2236 Knjiin32.exe, 1336 Kfaajlfp.exe, 2016 Khcnad32.exe, 492 Komfnnck.exe, 2192 Kbhbom32.exe, 2176 Khekgc32.exe,
580 Kbkodl32.exe, 568 Kanopipl.exe, 1048 Kdlkld32.exe, 2408 Lkfciogm.exe, 1932 Lmdpejfq.exe, 1896 Lfmdnp32.exe, 1432 Lmgmjjdn.exe, 1552 Lhlqhb32.exe,
2364 Lgoacojo.exe, 1524 Limmokib.exe, 2760 Lpgele32.exe, 3040 Lbfahp32.exe, 2716 Lganiohl.exe, 2788 Lipjejgp.exe, 2448 Lgdjnofi.exe, 2456 Lmnbkinf.exe,
3052 Llqcfe32.exe, 1216 Meigpkka.exe, 2712 Mhgclfje.exe, 2104 Mcmhiojk.exe, 1744 Maphdl32.exe, 2388 Mlelaeqk.exe, 2000 Mochnppo.exe, 2200 Menakj32.exe,
2216 Mhlmgf32.exe, 628 Mofecpnl.exe, 2380 Mhnjle32.exe, 1716 Mgajhbkg.exe, 1704 Magnek32.exe, 1688 Mpjoqhah.exe, 556 Mhqfbebj.exe, 2848 Mkobnqan.exe,
1640 Nnnojlpa.exe, 1520 Naikkk32.exe, 1424 Nplkfgoe.exe, 2668 Ndgggf32.exe, 2548 Ngfcca32.exe, 2972 Nkaocp32.exe, 2512 Nnplpl32.exe, 2916 Nlblkhei.exe,
2460 Ndjdlffl.exe, 1444 Ncmdhb32.exe, 2248 Nghphaeo.exe, 1692 Njgldmdc.exe, 2536 Nocemcbj.exe, 620 Ngkmnacm.exe, 1768 Njiijlbp.exe, 2324 Nlgefh32.exe
Loads dropped DLL (64 IoCs)
pid process (each of these 32 processes appears twice in the report):
2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe, 2960 Jgcabqic.exe, 2592 Jmpjkggj.exe, 2584 Jjdkdl32.exe, 2472 Jpqclb32.exe, 2072 Jjfgjk32.exe, 2556 Kpcpbb32.exe, 2068 Kjhdokbo.exe,
1364 Kljqgc32.exe, 992 Kfoedl32.exe, 788 Kmimafop.exe, 2236 Knjiin32.exe, 1336 Kfaajlfp.exe, 2016 Khcnad32.exe, 492 Komfnnck.exe, 2192 Kbhbom32.exe,
2176 Khekgc32.exe, 580 Kbkodl32.exe, 568 Kanopipl.exe, 1048 Kdlkld32.exe, 2408 Lkfciogm.exe, 1932 Lmdpejfq.exe, 1896 Lfmdnp32.exe, 1432 Lmgmjjdn.exe,
1552 Lhlqhb32.exe, 2364 Lgoacojo.exe, 1524 Limmokib.exe, 2760 Lpgele32.exe, 3040 Lbfahp32.exe, 2716 Lganiohl.exe, 2788 Lipjejgp.exe, 2448 Lgdjnofi.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64, the 32-bit system directory on this x64 image. Several of the dropped DLLs reappear below as the InProcServer32 target of the registered CLSID (for example Ogjgkqaa.dll, created by Niebhf32.exe).
description | file | process
File created | C:\Windows\SysWOW64\Ngogde32.dll | Nhdlkdkg.exe
File opened for modification | C:\Windows\SysWOW64\Eojnkg32.exe | Eqgnokip.exe
File created | C:\Windows\SysWOW64\Pmanoifd.exe | Pjcabmga.exe
File created | C:\Windows\SysWOW64\Fffdil32.dll | Igakgfpn.exe
File opened for modification | C:\Windows\SysWOW64\Kpcpbb32.exe | Jjfgjk32.exe
File created | C:\Windows\SysWOW64\Jobnme32.dll | Inngcfid.exe
File opened for modification | C:\Windows\SysWOW64\Emieil32.exe | Ekhhadmk.exe
File created | C:\Windows\SysWOW64\Illgimph.exe | Iimjmbae.exe
File opened for modification | C:\Windows\SysWOW64\Jcjdpj32.exe | Jdgdempa.exe
File opened for modification | C:\Windows\SysWOW64\Dcadac32.exe | Doehqead.exe
File created | C:\Windows\SysWOW64\Benfcheg.dll | Llqcfe32.exe
File opened for modification | C:\Windows\SysWOW64\Gldkfl32.exe | Gieojq32.exe
File opened for modification | C:\Windows\SysWOW64\Gdopkn32.exe | Gaqcoc32.exe
File opened for modification | C:\Windows\SysWOW64\Pnlqnl32.exe | Pkndaa32.exe
File created | C:\Windows\SysWOW64\Dkhcmgnl.exe | Dhjgal32.exe
File opened for modification | C:\Windows\SysWOW64\Dcknbh32.exe | Dqlafm32.exe
File created | C:\Windows\SysWOW64\Eqpofkjo.dll | Ihoafpmp.exe
File created | C:\Windows\SysWOW64\Ifiacd32.dll | Fncdgcqm.exe
File created | C:\Windows\SysWOW64\Jpfppg32.dll | Lnbbbffj.exe
File created | C:\Windows\SysWOW64\Ipjcbn32.dll | Liplnc32.exe
File opened for modification | C:\Windows\SysWOW64\Clomqk32.exe | Cjpqdp32.exe
File opened for modification | C:\Windows\SysWOW64\Kpkofpgq.exe | Kmmcjehm.exe
File created | C:\Windows\SysWOW64\Gfhladfn.exe | Gdjpeifj.exe
File created | C:\Windows\SysWOW64\Ogjgkqaa.dll | Niebhf32.exe
File created | C:\Windows\SysWOW64\Emcbkn32.exe | Dfijnd32.exe
File created | C:\Windows\SysWOW64\Polebcgg.dll | Hodpgjha.exe
File created | C:\Windows\SysWOW64\Cmeabq32.dll | Okikfagn.exe
File created | C:\Windows\SysWOW64\Dkqbaecc.exe | Dhbfdjdp.exe
File created | C:\Windows\SysWOW64\Mhloponc.exe | Mencccop.exe
File created | C:\Windows\SysWOW64\Lmnbkinf.exe | Lgdjnofi.exe
File created | C:\Windows\SysWOW64\Ejbfhfaj.exe | Egdilkbf.exe
File created | C:\Windows\SysWOW64\Hiekid32.exe | Hejoiedd.exe
File created | C:\Windows\SysWOW64\Gpdgnh32.dll | Lmolnh32.exe
File created | C:\Windows\SysWOW64\Blbfjg32.exe | Bidjnkdg.exe
File created | C:\Windows\SysWOW64\Obknqjig.dll | Gffoldhp.exe
File created | C:\Windows\SysWOW64\Kbelde32.dll | Legmbd32.exe
File created | C:\Windows\SysWOW64\Ilbgbe32.dll | Pmanoifd.exe
File opened for modification | C:\Windows\SysWOW64\Bdbhke32.exe | Aadloj32.exe
File created | C:\Windows\SysWOW64\Lednakhd.dll | Dookgcij.exe
File opened for modification | C:\Windows\SysWOW64\Pbpjiphi.exe | Pndniaop.exe
File created | C:\Windows\SysWOW64\Hbfbgd32.exe | Hpgfki32.exe
File opened for modification | C:\Windows\SysWOW64\Jpqclb32.exe | Jjdkdl32.exe
File opened for modification | C:\Windows\SysWOW64\Jkpgfn32.exe | Jmmfkafa.exe
File opened for modification | C:\Windows\SysWOW64\Miooigfo.exe | Meccii32.exe
File created | C:\Windows\SysWOW64\Qcjfoqkg.dll | Aplifb32.exe
File created | C:\Windows\SysWOW64\Djklnnaj.exe | Dfoqmo32.exe
File created | C:\Windows\SysWOW64\Lkmkpl32.dll | Eqgnokip.exe
File opened for modification | C:\Windows\SysWOW64\Jfknbe32.exe | Jcmafj32.exe
File created | C:\Windows\SysWOW64\Lmikibio.exe | Linphc32.exe
File created | C:\Windows\SysWOW64\Oihfic32.dll | Kmimafop.exe
File opened for modification | C:\Windows\SysWOW64\Pnbacbac.exe | Plcdgfbo.exe
File opened for modification | C:\Windows\SysWOW64\Ogmfbd32.exe | Oenifh32.exe
File created | C:\Windows\SysWOW64\Penfelgm.exe | Pbpjiphi.exe
File opened for modification | C:\Windows\SysWOW64\Qeqbkkej.exe | Qbbfopeg.exe
File created | C:\Windows\SysWOW64\Gpknlk32.exe | Globlmmj.exe
File opened for modification | C:\Windows\SysWOW64\Gdamqndn.exe | Gacpdbej.exe
File created | C:\Windows\SysWOW64\Mhdplq32.exe | Lefdpe32.exe
File created | C:\Windows\SysWOW64\Ganpomec.exe | Gifhnpea.exe
File created | C:\Windows\SysWOW64\Cbnbobin.exe | Chemfl32.exe
File created | C:\Windows\SysWOW64\Kodppf32.dll | Penfelgm.exe
File created | C:\Windows\SysWOW64\Ckffgg32.exe | Cfinoq32.exe
File created | C:\Windows\SysWOW64\Bmoado32.dll | Imfqjbli.exe
File opened for modification | C:\Windows\SysWOW64\Kjnfniii.exe | Kgpjanje.exe
File opened for modification | C:\Windows\SysWOW64\Kaklpcoc.exe | Kiccofna.exe
Program crash (1 IoC)
process | pid | target process | pid_target
WerFault.exe | 8064 | Nlhgoqhh.exe | 8040
Modifies registry class (64 IoCs)
All 64 IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, the COM class that the ShellServiceObjectDelayLoad value above points at. Each process that sets the default value names a different DLL in C:\Windows\SysWow64, so the CLSID is repeatedly re-pointed at whichever DLL that process dropped.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 (22 processes):
Bpfcgg32.exe, Kcihlong.exe, Aidnohbk.exe, Okikfagn.exe, Cdlgpgef.exe, Jhljdm32.exe, Mhdplq32.exe, Alnqqd32.exe, Mhloponc.exe, Kicmdo32.exe, Kmimafop.exe, Gaemjbcg.exe, Fpcqaf32.exe, Paejki32.exe, Ndgggf32.exe, Lhmjkaoc.exe, Lfmdnp32.exe, Fphafl32.exe, Adnopfoj.exe, Bhkdeggl.exe, Hlngpjlj.exe, Ngfcca32.exe

Set value (str) ...\InProcServer32\ThreadingModel = "Apartment" (17 processes):
Gkihhhnm.exe, Dgjclbdi.exe, Pqhpdhcc.exe, Glfhll32.exe, Cafecmlj.exe, Gffoldhp.exe, Bnbjopoi.exe, Nkeelohh.exe, Ofelmloo.exe, Lmlhnagm.exe, Knmhgf32.exe, Mpigfa32.exe, Aidnohbk.exe, Eplkpgnh.exe, Pciifc32.exe, Fjongcbl.exe, Hhehek32.exe

Set value (str) ...\InProcServer32\ (default) = DLL path (25 processes), process | value:
Okoomd32.exe | "C:\\Windows\\SysWow64\\Abmjii32.dll"
Llfifq32.exe | "C:\\Windows\\SysWow64\\Aagancdj.dll"
Mmhodf32.exe | "C:\\Windows\\SysWow64\\Hlnbfd32.dll"
Nncahjgl.exe | "C:\\Windows\\SysWow64\\Eeopgmbf.dll"
Bioqclil.exe | "C:\\Windows\\SysWow64\\Geiiogja.dll"
Kbbngf32.exe | "C:\\Windows\\SysWow64\\Giegfm32.dll"
Niebhf32.exe | "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"
Doehqead.exe | "C:\\Windows\\SysWow64\\Eofjhkoj.dll"
Naikkk32.exe | "C:\\Windows\\SysWow64\\Pmihgeia.dll"
Faigdn32.exe | "C:\\Windows\\SysWow64\\Hhmkol32.dll"
Ganpomec.exe | "C:\\Windows\\SysWow64\\Qmaqpohl.dll"
Limfed32.exe | "C:\\Windows\\SysWow64\\Hbfcml32.dll"
Qfahhm32.exe | "C:\\Windows\\SysWow64\\Moljch32.dll"
Ncmdhb32.exe | "C:\\Windows\\SysWow64\\Ildamhjd.dll"
Ecpgmhai.exe | "C:\\Windows\\SysWow64\\Jamfqeie.dll"
Glfhll32.exe | "C:\\Windows\\SysWow64\\Ahcocb32.dll"
Lafndg32.exe | "C:\\Windows\\SysWow64\\Goedqe32.dll"
Gepehphc.exe | "C:\\Windows\\SysWow64\\Ehdqecfo.dll"
Lganiohl.exe | "C:\\Windows\\SysWow64\\Cfecjakk.dll"
Lflmci32.exe | "C:\\Windows\\SysWow64\\Daoiajfm.dll"
Bdbhke32.exe | "C:\\Windows\\SysWow64\\Fbgkoe32.dll"
Emeopn32.exe | "C:\\Windows\\SysWow64\\Dekpaqgc.dll"
Jjjacf32.exe | "C:\\Windows\\SysWow64\\Ljdjcj32.dll"
Jkoplhip.exe | "C:\\Windows\\SysWow64\\Qkhgoi32.dll"
Giieco32.exe | "C:\\Windows\\SysWow64\\Oagcgibo.dll"
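The "Adds autorun key" and "Modifies registry class" signatures above are two halves of one persistence mechanism: Explorer reads the ShellServiceObjectDelayLoad key at startup, instantiates each CLSID listed there, and loads the DLL named by that class's InprocServer32 default value. The PowerShell below is an added example for checking a live host; it is not part of the sandbox report and not code from the sample. It enumerates both registry views (the 32-bit sample's writes were redirected to Wow6432Node, as both signatures show, while 64-bit Explorer reads the native view), resolves every SSODL CLSID to its DLL, and flags a missing InprocServer32, a missing or unsigned DLL, a third-party signer, and the CLSID recorded in this report. Run it from an elevated 64-bit PowerShell; the registry paths are the standard SSODL and COM class locations, and the only report-specific value is the CLSID.

```powershell
# Added example (not from the report or the sample): audit ShellServiceObjectDelayLoad
# entries and resolve each CLSID to the in-process COM server DLL Explorer would load.
$ReportClsid = '{79FAA099-1BAE-816E-D711-115290CEE717}'   # CLSID recorded in this report

# Both registry views: WOW64 redirects 32-bit writers to Wow6432Node; 64-bit Explorer reads the native view.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
# Properties Get-ItemProperty adds that are not registry values.
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SsodlEntry {
    # One object per value under each SSODL key: value name (e.g. "Web Event Logger") and its CLSID.
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($PsNoise -contains $prop.Name) { continue }
            [pscustomobject]@{ SsodlKey = $key; Name = $prop.Name; Clsid = [string]$prop.Value }
        }
    }
}

function Resolve-InprocServer32 {
    # InprocServer32 registration(s) for a CLSID, from both class views.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path -Path $root -ChildPath "$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        $raw  = ([string]$item.'(default)').Trim('"')          # default value holds the DLL path
        [pscustomobject]@{
            ClsidKey       = $key
            Dll            = [Environment]::ExpandEnvironmentVariables($raw)
            ThreadingModel = $item.ThreadingModel
        }
    }
}

function Test-SsodlEntry {
    # One row per (SSODL entry, InprocServer32 registration) with the triage flags that apply.
    foreach ($entry in Get-SsodlEntry) {
        $servers = @(Resolve-InprocServer32 -Clsid $entry.Clsid)
        if ($servers.Count -eq 0) {
            [pscustomobject]@{ Name = $entry.Name; Clsid = $entry.Clsid; Dll = $null; Flags = 'no InprocServer32 registered' }
            continue
        }
        foreach ($srv in $servers) {
            $flags = @()
            if ($entry.Clsid -ieq $ReportClsid) { $flags += 'CLSID matches this report' }
            if ([string]::IsNullOrWhiteSpace($srv.Dll)) {
                $flags += 'InprocServer32 has no DLL path'
            } elseif (-not (Test-Path -LiteralPath $srv.Dll)) {
                $flags += 'DLL missing on disk'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $srv.Dll
                if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
                elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') { $flags += 'signed by third party' }
            }
            [pscustomobject]@{ Name = $entry.Name; Clsid = $entry.Clsid; Dll = $srv.Dll; Flags = ($flags -join '; ') }
        }
    }
}

Test-SsodlEntry | Format-Table -AutoSize -Wrap
```

A clean host typically shows only Microsoft-signed shell service objects; any row whose Flags column is non-empty is worth a look, and a row flagged "CLSID matches this report" together with a random eight-letter DLL name in SysWOW64 matches exactly what this run recorded.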
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe, Jgcabqic.exe, Jmpjkggj.exe, Jjdkdl32.exe, Jpqclb32.exe, Jjfgjk32.exe, Kpcpbb32.exe, Kjhdokbo.exe, Kljqgc32.exe, Kfoedl32.exe, Kmimafop.exe, Knjiin32.exe, Kfaajlfp.exe, Khcnad32.exe, Komfnnck.exe, Kbhbom32.exe
description pid process target process
PID 2284 wrote to memory of 2960 2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Jgcabqic.exe
PID 2284 wrote to memory of 2960 2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Jgcabqic.exe
PID 2284 wrote to memory of 2960 2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Jgcabqic.exe
PID 2284 wrote to memory of 2960 2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Jgcabqic.exe
PID 2960 wrote to memory of 2592 2960 Jgcabqic.exe Jmpjkggj.exe
PID 2960 wrote to memory of 2592 2960 Jgcabqic.exe Jmpjkggj.exe
PID 2960 wrote to memory of 2592 2960 Jgcabqic.exe Jmpjkggj.exe
PID 2960 wrote to memory of 2592 2960 Jgcabqic.exe Jmpjkggj.exe
PID 2592 wrote to memory of 2584 2592 Jmpjkggj.exe Jjdkdl32.exe
PID 2592 wrote to memory of 2584 2592 Jmpjkggj.exe Jjdkdl32.exe
PID 2592 wrote to memory of 2584 2592 Jmpjkggj.exe Jjdkdl32.exe
PID 2592 wrote to memory of 2584 2592 Jmpjkggj.exe Jjdkdl32.exe
PID 2584 wrote to memory of 2472 2584 Jjdkdl32.exe Jpqclb32.exe
PID 2584 wrote to memory of 2472 2584 Jjdkdl32.exe Jpqclb32.exe
PID 2584 wrote to memory of 2472 2584 Jjdkdl32.exe Jpqclb32.exe
PID 2584 wrote to memory of 2472 2584 Jjdkdl32.exe Jpqclb32.exe
PID 2472 wrote to memory of 2072 2472 Jpqclb32.exe Jjfgjk32.exe
PID 2472 wrote to memory of 2072 2472 Jpqclb32.exe Jjfgjk32.exe
PID 2472 wrote to memory of 2072 2472 Jpqclb32.exe Jjfgjk32.exe
PID 2472 wrote to memory of 2072 2472 Jpqclb32.exe Jjfgjk32.exe
PID 2072 wrote to memory of 2556 2072 Jjfgjk32.exe Kpcpbb32.exe
PID 2072 wrote to memory of 2556 2072 Jjfgjk32.exe Kpcpbb32.exe
PID 2072 wrote to memory of 2556 2072 Jjfgjk32.exe Kpcpbb32.exe
PID 2072 wrote to memory of 2556 2072 Jjfgjk32.exe Kpcpbb32.exe
PID 2556 wrote to memory of 2068 2556 Kpcpbb32.exe Kjhdokbo.exe
PID 2556 wrote to memory of 2068 2556 Kpcpbb32.exe Kjhdokbo.exe
PID 2556 wrote to memory of 2068 2556 Kpcpbb32.exe Kjhdokbo.exe
PID 2556 wrote to memory of 2068 2556 Kpcpbb32.exe Kjhdokbo.exe
PID 2068 wrote to memory of 1364 2068 Kjhdokbo.exe Kljqgc32.exe
PID 2068 wrote to memory of 1364 2068 Kjhdokbo.exe Kljqgc32.exe
PID 2068 wrote to memory of 1364 2068 Kjhdokbo.exe Kljqgc32.exe
PID 2068 wrote to memory of 1364 2068 Kjhdokbo.exe Kljqgc32.exe
PID 1364 wrote to memory of 992 1364 Kljqgc32.exe Kfoedl32.exe
PID 1364 wrote to memory of 992 1364 Kljqgc32.exe Kfoedl32.exe
PID 1364 wrote to memory of 992 1364 Kljqgc32.exe Kfoedl32.exe
PID 1364 wrote to memory of 992 1364 Kljqgc32.exe Kfoedl32.exe
PID 992 wrote to memory of 788 992 Kfoedl32.exe Kmimafop.exe
PID 992 wrote to memory of 788 992 Kfoedl32.exe Kmimafop.exe
PID 992 wrote to memory of 788 992 Kfoedl32.exe Kmimafop.exe
PID 992 wrote to memory of 788 992 Kfoedl32.exe Kmimafop.exe
PID 788 wrote to memory of 2236 788 Kmimafop.exe Knjiin32.exe
PID 788 wrote to memory of 2236 788 Kmimafop.exe Knjiin32.exe
PID 788 wrote to memory of 2236 788 Kmimafop.exe Knjiin32.exe
PID 788 wrote to memory of 2236 788 Kmimafop.exe Knjiin32.exe
PID 2236 wrote to memory of 1336 2236 Knjiin32.exe Kfaajlfp.exe
PID 2236 wrote to memory of 1336 2236 Knjiin32.exe Kfaajlfp.exe
PID 2236 wrote to memory of 1336 2236 Knjiin32.exe Kfaajlfp.exe
PID 2236 wrote to memory of 1336 2236 Knjiin32.exe Kfaajlfp.exe
PID 1336 wrote to memory of 2016 1336 Kfaajlfp.exe Khcnad32.exe
PID 1336 wrote to memory of 2016 1336 Kfaajlfp.exe Khcnad32.exe
PID 1336 wrote to memory of 2016 1336 Kfaajlfp.exe Khcnad32.exe
PID 1336 wrote to memory of 2016 1336 Kfaajlfp.exe Khcnad32.exe
PID 2016 wrote to memory of 492 2016 Khcnad32.exe Komfnnck.exe
PID 2016 wrote to memory of 492 2016 Khcnad32.exe Komfnnck.exe
PID 2016 wrote to memory of 492 2016 Khcnad32.exe Komfnnck.exe
PID 2016 wrote to memory of 492 2016 Khcnad32.exe Komfnnck.exe
PID 492 wrote to memory of 2192 492 Komfnnck.exe Kbhbom32.exe
PID 492 wrote to memory of 2192 492 Komfnnck.exe Kbhbom32.exe
PID 492 wrote to memory of 2192 492 Komfnnck.exe Kbhbom32.exe
PID 492 wrote to memory of 2192 492 Komfnnck.exe Kbhbom32.exe
PID 2192 wrote to memory of 2176 2192 Kbhbom32.exe Khekgc32.exe
PID 2192 wrote to memory of 2176 2192 Kbhbom32.exe Khekgc32.exe
PID 2192 wrote to memory of 2176 2192 Kbhbom32.exe Khekgc32.exe
PID 2192 wrote to memory of 2176 2192 Kbhbom32.exe Khekgc32.exe
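The WriteProcessMemory events above are a strictly linear hand-off: every process writes into exactly one child, which is the next dropped executable, and each hand-off is logged four times. The following Python script is an added example, not part of the report or of the sandbox that produced it: it parses lines in the flattened "PID A wrote to memory of B A source target" layout used here (an assumption about the layout; the first three hand-offs from this report are embedded as constructed sample input), collapses the repeats, and follows the writer -> target edges into a spawn chain so that chain depth and the sequence of images can be read off directly.

```python
"""Rebuild the process spawn chain from the report's WriteProcessMemory events
(added example; assumes the flattened 'PID A wrote to memory of B A src dst' layout)."""
import re
from collections import Counter

# Constructed sample: the first three hand-offs from this report, each repeated
# four times exactly as the report lists them.
SAMPLE_WPM = """
PID 2284 wrote to memory of 2960 2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Jgcabqic.exe
PID 2284 wrote to memory of 2960 2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Jgcabqic.exe
PID 2284 wrote to memory of 2960 2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Jgcabqic.exe
PID 2284 wrote to memory of 2960 2284 8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe Jgcabqic.exe
PID 2960 wrote to memory of 2592 2960 Jgcabqic.exe Jmpjkggj.exe
PID 2960 wrote to memory of 2592 2960 Jgcabqic.exe Jmpjkggj.exe
PID 2960 wrote to memory of 2592 2960 Jgcabqic.exe Jmpjkggj.exe
PID 2960 wrote to memory of 2592 2960 Jgcabqic.exe Jmpjkggj.exe
PID 2592 wrote to memory of 2584 2592 Jmpjkggj.exe Jjdkdl32.exe
PID 2592 wrote to memory of 2584 2592 Jmpjkggj.exe Jjdkdl32.exe
PID 2592 wrote to memory of 2584 2592 Jmpjkggj.exe Jjdkdl32.exe
PID 2592 wrote to memory of 2584 2592 Jmpjkggj.exe Jjdkdl32.exe
"""

# The writer PID appears twice on each line (inside the description and as the pid column),
# which the back-reference (?P=src) enforces.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_wpm(text):
    """Count identical events: (src_pid, src_image, dst_pid, dst_image) -> occurrences."""
    edges = Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


def spawn_chains(edges):
    """Follow writer -> target edges from each root process for as long as the chain
    stays linear (one child per node); a fan-out or a cycle ends the chain."""
    children, targets = {}, set()
    for src, src_img, dst, dst_img in edges:
        children.setdefault((src, src_img), []).append((dst, dst_img))
        targets.add((dst, dst_img))
    chains = []
    for root in (p for p in children if p not in targets):
        chain, node = [root], root
        while len(children.get(node, ())) == 1 and children[node][0] not in chain:
            node = children[node][0]
            chain.append(node)
        chains.append(chain)
    return chains


def describe(text):
    """The figures a triager wants: raw versus unique events, chain depth, image sequence."""
    edges = parse_wpm(text)
    chains = spawn_chains(edges)
    longest = max(chains, key=len) if chains else []
    return {
        "raw_events": sum(edges.values()),
        "unique_handoffs": len(edges),
        "depth": len(longest),
        "pids": [pid for pid, _ in longest],
        "images": [img for _, img in longest],
    }


if __name__ == "__main__":
    summary = describe(SAMPLE_WPM)
    print(f"{summary['raw_events']} raw events, {summary['unique_handoffs']} unique hand-offs, "
          f"chain depth {summary['depth']}")
    print(" -> ".join(f"{img} ({pid})" for pid, img in zip(summary["pids"], summary["images"])))
```

Run against the full 64-event list on this page the chain has depth 17 (sample plus sixteen dropped executables). A long linear chain of freshly written SysWOW64 executables, each one living only long enough to start the next, is the behavioural signal worth encoding in a detection; the individual file names are random per run and are weak indicators on their own.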
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1432 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe33⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe35⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe36⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe38⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe39⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe40⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe41⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe42⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe44⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe45⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe46⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe47⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe48⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe50⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe52⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe55⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe56⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe57⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe58⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe60⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe61⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe63⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe64⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe65⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe66⤵PID:1812
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe67⤵PID:2032
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe68⤵PID:832
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe69⤵PID:2320
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe71⤵PID:3000
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe72⤵PID:1280
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe73⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe74⤵PID:1728
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe75⤵PID:2600
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe77⤵PID:1220
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe78⤵PID:2120
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe79⤵PID:1192
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe80⤵PID:2764
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe81⤵PID:476
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe82⤵PID:804
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe84⤵PID:1568
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe85⤵PID:2416
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe86⤵PID:1492
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe88⤵PID:1464
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe89⤵PID:2812
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe90⤵
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe91⤵PID:1008
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe92⤵PID:2244
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe93⤵PID:2892
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe94⤵PID:2696
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe95⤵PID:2908
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe96⤵PID:264
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe97⤵PID:800
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe98⤵PID:2400
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe99⤵PID:1660
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe100⤵PID:1604
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe101⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe102⤵PID:772
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe103⤵PID:2732
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe105⤵PID:2672
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe106⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe107⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe108⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe109⤵PID:1028
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe110⤵PID:2100
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe111⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe112⤵PID:2824
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe113⤵PID:1528
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe114⤵PID:1616
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe115⤵PID:2936
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe116⤵PID:2440
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe117⤵PID:2704
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe118⤵PID:2796
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe119⤵PID:1452
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe120⤵PID:2532
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe121⤵PID:1944
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe122⤵PID:1428
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe124⤵PID:2748
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe125⤵PID:2552
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe126⤵PID:2444
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe127⤵PID:2496
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe128⤵PID:2112
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe129⤵PID:1736
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe130⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe131⤵PID:1408
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe132⤵PID:532
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe133⤵PID:2360
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe134⤵PID:2924
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe135⤵PID:1920
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe136⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe137⤵PID:2664
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe138⤵PID:1624
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe139⤵PID:2680
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe140⤵PID:2780
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe141⤵PID:2124
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe142⤵PID:2088
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe143⤵PID:1948
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe144⤵PID:2136
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe145⤵PID:604
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe146⤵PID:2868
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe147⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe148⤵PID:2508
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe149⤵PID:2480
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe150⤵PID:2268
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe151⤵
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe152⤵PID:1912
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe153⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe154⤵PID:2804
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe155⤵PID:2968
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe156⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe157⤵PID:2524
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe158⤵PID:2008
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe159⤵PID:2348
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe160⤵PID:2188
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe161⤵PID:684
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe162⤵PID:3060
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe163⤵PID:3068
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe164⤵PID:2396
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe165⤵PID:1764
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe166⤵PID:2832
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe167⤵PID:2184
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe168⤵PID:2608
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe169⤵PID:2964
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe170⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe171⤵PID:2092
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe172⤵PID:2816
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe173⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe174⤵PID:1996
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe175⤵PID:736
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe176⤵PID:2996
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe177⤵PID:1352
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe178⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe179⤵
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe180⤵PID:2316
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe181⤵PID:2096
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe183⤵PID:2352
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe184⤵PID:2368
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe185⤵PID:1780
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe186⤵PID:2956
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe187⤵PID:2340
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe188⤵PID:3100
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe189⤵
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe190⤵PID:3180
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe191⤵PID:3220
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe192⤵PID:3260
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe193⤵PID:3300
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe194⤵PID:3340
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe195⤵PID:3380
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe196⤵PID:3420
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3460 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe198⤵PID:3500
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe199⤵PID:3540
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe200⤵PID:3580
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3620 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe202⤵PID:3660
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe203⤵PID:3700
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe204⤵PID:3740
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe205⤵PID:3780
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe206⤵PID:3820
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe207⤵PID:3860
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3900 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe209⤵
- Modifies registry class
PID:3940 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe210⤵PID:3980
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe211⤵PID:4020
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe213⤵PID:2272
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe214⤵PID:3112
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe215⤵PID:3164
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe216⤵PID:3212
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe217⤵PID:3232
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe218⤵PID:3316
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe219⤵PID:3364
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe220⤵
- Drops file in System32 directory
PID:3404 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe221⤵PID:3452
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe222⤵PID:3520
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3564 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe224⤵PID:3616
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe225⤵PID:3668
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe226⤵
- Modifies registry class
PID:3720 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe227⤵
- Modifies registry class
PID:3776 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3816 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3876 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe230⤵PID:3916
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe231⤵PID:3968
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe232⤵PID:4008
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe233⤵
- Modifies registry class
PID:4032 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe234⤵PID:4076
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3120 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe236⤵PID:3204
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe237⤵PID:3272
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe238⤵PID:3276
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe239⤵PID:3400
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe240⤵PID:3456
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe241⤵PID:3528
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe242⤵
- Drops file in System32 directory
PID:3588
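In the process tree each node is flattened into one line holding the image path, the command line and the depth marker (for example "C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe2⤵"), followed by signature bullets and a "PID:" line, or with the PID inline when the node carries no signatures. Two things are worth pulling out mechanically: the command lines all say system32 while the images ran from SysWOW64, which is WoW64 file system redirection at work for a 32-bit process (so a hunt for these files must look under SysWOW64, not System32), and the set of executable names launched from that directory is the host-side file IoC list for this run. The Python script below is an added example, not part of the report: it parses that line layout (an assumption taken from this page; five nodes copied from the tree are embedded as constructed sample input) and produces those triage facts.

```python
"""Parse the flattened process tree ('<image><command line><depth>⤵', then signature
bullets and a PID line) into nodes and extract triage facts (added example; the
line layout is an assumption taken from this report)."""
import re
from collections import Counter

# Constructed sample: five nodes copied from the tree above, the last two with the PID inline.
SAMPLE_TREE = r"""
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8ffd95ba1a23c480cc987293ab4245b0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe66⤵PID:1812
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe67⤵PID:2032
-
"""

# Image and command line are both drive-rooted paths ending in .exe and are fused without
# a separator; the lazy quantifiers split them at the first '.exe'. Quotes are optional.
NODE_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)"?(?P<cmd>[A-Za-z]:\\[^"]*?\.exe)"?'
    r'(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*-?$'
)
PID_RE = re.compile(r"^PID:(\d+)")


def parse_tree(text):
    """Return the nodes in document order: depth, image path, command line, pid, tags."""
    nodes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            nodes.append({"depth": int(m["depth"]), "image": m["image"], "cmd": m["cmd"],
                          "pid": int(m["pid"]) if m["pid"] else None, "tags": []})
            continue
        if not nodes:
            continue                      # header lines before the first node
        pm = PID_RE.match(line)
        if pm:
            nodes[-1]["pid"] = int(pm.group(1))
        elif line.startswith("- "):       # a signature bullet belongs to the last node
            nodes[-1]["tags"].append(line[2:])
    return nodes


def wow64_redirected(node):
    """True when the command line named system32 but the image actually ran from SysWOW64."""
    return "\\syswow64\\" in node["image"].lower() and "\\system32\\" in node["cmd"].lower()


def dropped_executables(nodes):
    """Basenames of everything executed from SysWOW64: file IoCs for this run."""
    return sorted({n["image"].rsplit("\\", 1)[-1]
                   for n in nodes if "\\syswow64\\" in n["image"].lower()})


def summarize(nodes):
    """The numbers a triager checks first."""
    return {
        "processes": len(nodes),
        "max_depth": max((n["depth"] for n in nodes), default=0),
        "redirected": sum(1 for n in nodes if wow64_redirected(n)),
        "tags": Counter(t for n in nodes for t in n["tags"]),
        "iocs": dropped_executables(nodes),
    }


if __name__ == "__main__":
    s = summarize(parse_tree(SAMPLE_TREE))
    print(f"{s['processes']} processes, deepest node {s['max_depth']}, "
          f"{s['redirected']} ran under WoW64 redirection")
    print("dropped executables:", ", ".join(s["iocs"]))
    for tag, count in s["tags"].most_common():
        print(f"  {count:3d}  {tag}")
```

The tag counter answers the question the tree makes hard to eyeball: how many generations wrote the autorun key or dropped into System32, as opposed to merely executing the next file.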