Analysis

max time kernel: 143s
max time network: 126s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 12:22

Static task: static1
Behavioral task: behavioral1
  Sample: 7bb97b42495d107e57fe43d02ac62ed0_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 7bb97b42495d107e57fe43d02ac62ed0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en

The behaviour recorded below comes from behavioral1 (platform windows7_x64, resource win7-20240611-en); the Windows 10 task is not shown on this page.

General

Target: 7bb97b42495d107e57fe43d02ac62ed0_NeikiAnalytics.exe
Size: 416KB
MD5: 7bb97b42495d107e57fe43d02ac62ed0
SHA1: 2f3f0942aeffaa5eb43bf73bc45fa043bb50b5f1
SHA256: 2768f89a5e9f172b9fe0ead341721c21ab20723fb516b4e2c586e2a800bb593d
SHA512: 4dcb4813ccf3c233945527c35dfa5464c1833d450c7c58449b9e5e6cd4a22f4a67310c59fb97f329263bc6555d78398194099e9f23e73c157e18d793d2cc688c
SSDEEP: 3072:rH0xqX7dhdPVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWP:HPRs+HLlD0rN2ZwVht740PP
Malware Config
Signatures

Every signature table below stops at exactly 64 entries, and processes named in the registry tables (Hnmeen32.exe, Nndemg32.exe and others) have no PID under Executes dropped EXE, so the lists are truncated views and the real chain of dropped processes is longer than what is shown.
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

ShellServiceObjectDelayLoad (SSODL) holds value-name = CLSID pairs that Explorer.exe instantiates when the shell starts, so whatever DLL is registered as that CLSID's InProcServer32 is loaded into Explorer at every logon with no Run key involved. Every stage writes the same value name, Web Event Logger, pointing at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}; the CLSID's InProcServer32 is set under Modifies registry class below. The Wow6432Node path (and the SysWOW64 drop directory) shows the sample runs as a 32-bit process on the 64-bit VM.

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elkmmodo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnjalhpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddpobo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fadndbci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llomfpag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eicpcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Befnbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfhmqhkd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmejllia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggnmbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kljdkpfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdhdkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oiokholk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdjjag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jajmjcoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcijeg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnjfae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qngopb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bgibnj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jolghndm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onqkclni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apefjqob.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cicpch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjpdmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glbaei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enkpahon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fodebh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajjgei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gacbmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clciod32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbonei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmebcgbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acekjjmk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iiqldc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enneln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idmlniea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaeipfei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmgmpnhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmipdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmimcbja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djmiejji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcamjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppfomk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckkcep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jaeafklf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhcfjnhm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcgdom32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jaoqqflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jefpeh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnleiipc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppinkcnp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdejhfig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kckhdg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkadjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppfomk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cileqlmg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qobdgo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oldpnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aldfcpjn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmnlbcfg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bknjfb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjcoqdoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neknki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fccglehn.exe
Executes dropped EXE (64 IoCs)

Process names advance alphabetically in execution order (Cddjebgb, Cicpch32, Ddomif32, ... Omkjbb32); each stage is started by the previous one (see Suspicious use of WriteProcessMemory below).

pid | process
2588 | Cddjebgb.exe
2708 | Cicpch32.exe
2628 | Ddomif32.exe
2520 | Dkiefp32.exe
2492 | Dkkbkp32.exe
2996 | Djclbl32.exe
264 | Ejehgkdp.exe
1632 | Ehjehh32.exe
2988 | Ejjbbkpj.exe
1888 | Emkkdf32.exe
936 | Femeig32.exe
2684 | Fjlkgn32.exe
1700 | Gjngmmnp.exe
1884 | Gfehan32.exe
1720 | Gpnmjd32.exe
1992 | Gaafhloq.exe
1040 | Gacbmk32.exe
1428 | Gmjcblbb.exe
704 | Hnjplo32.exe
1260 | Hdfhdfgl.exe
1800 | Hifmbmda.exe
900 | Hdkape32.exe
3020 | Hflkaq32.exe
1576 | Ipdojfgh.exe
2164 | Ibehla32.exe
2012 | Ilnmdgkj.exe
2792 | Ioliqbjn.exe
832 | Iggned32.exe
2772 | Incbgnmc.exe
2632 | Idmkdh32.exe
2896 | Jkgcab32.exe
3000 | Jdpgjhbm.exe
2476 | Jlklnjoh.exe
544 | Jjomgo32.exe
1092 | Jlmicj32.exe
2860 | Kkileele.exe
948 | Kbcdbp32.exe
2156 | Kjaelaok.exe
1616 | Kcijeg32.exe
1676 | Lmbonmll.exe
1928 | Lihobnap.exe
2052 | Lflplbpi.exe
840 | Leammn32.exe
1032 | Lklejh32.exe
3056 | Ledibnco.exe
1496 | Ljabkeaf.exe
2020 | Meffhnal.exe
1952 | Mjcoqdoc.exe
2352 | Mmakmp32.exe
1592 | Mjekfd32.exe
2848 | Mcnpojca.exe
2964 | Mikhgqbi.exe
2504 | Mabphn32.exe
688 | Mjjdacik.exe
2604 | Mbeiefff.exe
2376 | Nmkncofl.exe
1100 | Nefbga32.exe
2284 | Nbjcqe32.exe
2056 | Noacef32.exe
2196 | Nledoj32.exe
2080 | Ndpicm32.exe
2400 | Noemqe32.exe
2220 | Ogqaehak.exe
2644 | Omkjbb32.exe
Loads dropped DLL (64 IoCs)

The report records each of the following 32 PIDs twice (64 rows); listed once here.

pid | process
2576 | 7bb97b42495d107e57fe43d02ac62ed0_NeikiAnalytics.exe
2588 | Cddjebgb.exe
2708 | Cicpch32.exe
2628 | Ddomif32.exe
2520 | Dkiefp32.exe
2492 | Dkkbkp32.exe
2996 | Djclbl32.exe
264 | Ejehgkdp.exe
1632 | Ehjehh32.exe
2988 | Ejjbbkpj.exe
1888 | Emkkdf32.exe
936 | Femeig32.exe
2684 | Fjlkgn32.exe
1700 | Gjngmmnp.exe
1884 | Gfehan32.exe
1720 | Gpnmjd32.exe
1992 | Gaafhloq.exe
1040 | Gacbmk32.exe
1428 | Gmjcblbb.exe
704 | Hnjplo32.exe
1260 | Hdfhdfgl.exe
1800 | Hifmbmda.exe
900 | Hdkape32.exe
3020 | Hflkaq32.exe
1576 | Ipdojfgh.exe
2164 | Ibehla32.exe
2012 | Ilnmdgkj.exe
2792 | Ioliqbjn.exe
832 | Iggned32.exe
2772 | Incbgnmc.exe
2632 | Idmkdh32.exe
2896 | Jkgcab32.exe
Drops file in System32 directory (64 IoCs)

Each stage writes the next stage's executable and a DLL into C:\Windows\SysWOW64, both with the same randomly generated 8-letter naming. The drop rows line up with the execution table: Ogqaehak.exe creates Omkjbb32.exe, which runs as PID 2644 under Executes dropped EXE, and Lmbonmll.exe creates Lihobnap.exe, PID 1928. Files in SysWOW64 carrying names of this shape, and the DLLs in particular (they are the InProcServer32 targets under Modifies registry class), are the artefacts to look for on a host.

description | ioc | process
File created | C:\Windows\SysWOW64\Mjbappoe.dll | Ehgbhbgn.exe
File created | C:\Windows\SysWOW64\Epgphcqd.exe | Ekjgpm32.exe
File created | C:\Windows\SysWOW64\Nkajkp32.dll | Eakooqih.exe
File created | C:\Windows\SysWOW64\Gfbaonni.dll | Hjmlhbbg.exe
File opened for modification | C:\Windows\SysWOW64\Iejkhlip.exe | Iomcpe32.exe
File created | C:\Windows\SysWOW64\Emgdmc32.exe | Eepmlf32.exe
File opened for modification | C:\Windows\SysWOW64\Ioliqbjn.exe | Ilnmdgkj.exe
File created | C:\Windows\SysWOW64\Ckpckece.exe | Ciagojda.exe
File created | C:\Windows\SysWOW64\Lopfhk32.exe | Ldjbkb32.exe
File opened for modification | C:\Windows\SysWOW64\Jlckbh32.exe | Jkbojpna.exe
File opened for modification | C:\Windows\SysWOW64\Jhjbqo32.exe | Jelfdc32.exe
File opened for modification | C:\Windows\SysWOW64\Piliii32.exe | Phklaacg.exe
File created | C:\Windows\SysWOW64\Qaacem32.dll | Piliii32.exe
File opened for modification | C:\Windows\SysWOW64\Oknhdjko.exe | Oiokholk.exe
File created | C:\Windows\SysWOW64\Omkjbb32.exe | Ogqaehak.exe
File created | C:\Windows\SysWOW64\Iomhdbkn.dll | Cfnoogbo.exe
File opened for modification | C:\Windows\SysWOW64\Kpdjaecc.exe | Kocmim32.exe
File created | C:\Windows\SysWOW64\Eommkfoh.dll | Mopbgn32.exe
File created | C:\Windows\SysWOW64\Gdfiofhn.exe | Goiafp32.exe
File created | C:\Windows\SysWOW64\Dmcjgd32.dll | Icbipe32.exe
File created | C:\Windows\SysWOW64\Hmeolj32.exe | Hhhgcc32.exe
File created | C:\Windows\SysWOW64\Nbkkmi32.dll | Cmhglq32.exe
File created | C:\Windows\SysWOW64\Dfhdnn32.exe | Dpnladjl.exe
File created | C:\Windows\SysWOW64\Ikldqile.exe | Inhdgdmk.exe
File opened for modification | C:\Windows\SysWOW64\Qiiahgjh.exe | Qmbqcf32.exe
File opened for modification | C:\Windows\SysWOW64\Aphcppmo.exe | Ainkcf32.exe
File created | C:\Windows\SysWOW64\Pgiolk32.dll | Ijqjgo32.exe
File created | C:\Windows\SysWOW64\Fnejdq32.dll | Iomcpe32.exe
File opened for modification | C:\Windows\SysWOW64\Gcokiaji.exe | Gaqomeke.exe
File created | C:\Windows\SysWOW64\Lbpihjem.dll | Oodjjign.exe
File created | C:\Windows\SysWOW64\Kdbepm32.exe | Kmimcbja.exe
File created | C:\Windows\SysWOW64\Pgjkggck.dll | Lafahdcc.exe
File opened for modification | C:\Windows\SysWOW64\Dbgdgm32.exe | Dkmljcdh.exe
File created | C:\Windows\SysWOW64\Kfnnlboi.exe | Kngekdnf.exe
File opened for modification | C:\Windows\SysWOW64\Lkifkdjm.exe | Lpdankjg.exe
File opened for modification | C:\Windows\SysWOW64\Obhpad32.exe | Oknhdjko.exe
File created | C:\Windows\SysWOW64\Ebappk32.exe | Ejfllhao.exe
File created | C:\Windows\SysWOW64\Epkpbiah.dll | Pcbncfjd.exe
File created | C:\Windows\SysWOW64\Mjhjdm32.exe | Mmdjkhdh.exe
File created | C:\Windows\SysWOW64\Dlofgj32.exe | Dfbnoc32.exe
File created | C:\Windows\SysWOW64\Mgbaml32.exe | Mphiqbon.exe
File created | C:\Windows\SysWOW64\Mmkehj32.dll | Lklejh32.exe
File created | C:\Windows\SysWOW64\Fklkbele.dll | Clbnhmjo.exe
File created | C:\Windows\SysWOW64\Pdeqfhjd.exe | Pohhna32.exe
File created | C:\Windows\SysWOW64\Lljpjchg.exe | Lkicbk32.exe
File created | C:\Windows\SysWOW64\Iqdekgib.dll | Deondj32.exe
File opened for modification | C:\Windows\SysWOW64\Eoebgcol.exe | Eemnnn32.exe
File created | C:\Windows\SysWOW64\Pjcpccaf.dll | Qjgjpi32.exe
File opened for modification | C:\Windows\SysWOW64\Dnjalhpp.exe | Dklepmal.exe
File opened for modification | C:\Windows\SysWOW64\Nallalep.exe | Nfghdcfj.exe
File opened for modification | C:\Windows\SysWOW64\Kdkelolf.exe | Kmqmod32.exe
File created | C:\Windows\SysWOW64\Baefnmml.exe | Bogjaamh.exe
File opened for modification | C:\Windows\SysWOW64\Bchhqo32.exe | Bnlphh32.exe
File opened for modification | C:\Windows\SysWOW64\Kffldlne.exe | Kpicle32.exe
File created | C:\Windows\SysWOW64\Bgmdailj.dll | Bccmmf32.exe
File created | C:\Windows\SysWOW64\Dfpaic32.exe | Dmgmpnhl.exe
File created | C:\Windows\SysWOW64\Pbonaedo.dll | Hffibceh.exe
File created | C:\Windows\SysWOW64\Canhhi32.dll | Kipmhc32.exe
File opened for modification | C:\Windows\SysWOW64\Iokfjf32.exe | Iianmlfn.exe
File created | C:\Windows\SysWOW64\Befaceaa.dll | Jkdcdf32.exe
File created | C:\Windows\SysWOW64\Mpikik32.exe | Miocmq32.exe
File created | C:\Windows\SysWOW64\Lihobnap.exe | Lmbonmll.exe
File opened for modification | C:\Windows\SysWOW64\Ofaolcmh.exe | Ooggpiek.exe
File created | C:\Windows\SysWOW64\Mpbelhkp.dll | Njalacon.exe
Program crash (1 IoC)

pid | pid_target | process | target process
5996 | 4808 | WerFault.exe | Pdgmlhha.exe
Modifies registry class (64 IoCs)

This is the other half of the SSODL persistence above: {79FEACFF-FFCE-815E-A900-316290B5B738} is the CLSID that the Web Event Logger value points at. Each stage creates the CLSID's InProcServer32 key, sets its default value to a freshly dropped DLL in C:\Windows\SysWow64 (a different name every time) and sets ThreadingModel to Apartment, so that when Explorer instantiates the SSODL CLSID it loads whichever DLL the latest stage registered. Note the COM registration is written under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID, the 32-bit view; a hunt that only reads the 64-bit CLSID hive will miss it.

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnmeen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckfklnl.dll" | Difqji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgacc32.dll" | Gdfiofhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbinm32.dll" | Padccpal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddmchcnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnibe32.dll" | Agpcihcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Loqmba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldpbpgoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqhkjacc.dll" | Bhbkpgbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Feddombd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmnghfhi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eqngcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjcoqdoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgckjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqdbiopj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhngh32.dll" | Pnchhllf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbolo32.dll" | Paocnkph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aknngo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cncmcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Flhhed32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nddcimag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnajpcii.dll" | Lhnkffeo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pepcelel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Khadpa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmmdin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmegncpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Doecog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmqbcm32.dll" | Gncldi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkjnnn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hofngkga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fbegbacp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" | Kablnadm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgaajh32.dll" | Bimphc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpdhna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Edlhqlfi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfaeme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qjklenpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhkbcb32.dll" | Nnleiipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idmkdh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mabphn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Degiggjm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcjeon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckhdggom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" | Cchbgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fefqdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" | Fdkmeiei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komlabbb.dll" | Eloipb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhjppcf.dll" | Jnbpqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgegfe.dll" | Kiecgo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndhlhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eggndi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qcogbdkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jajmjcoe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkfpjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njalacon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nfjildbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmgpbf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifffkncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lomgjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Elajgpmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpicle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldbofgme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mqehjecl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deankpkm.dll" | Nndemg32.exe
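The two registry signatures above (Adds autorun key and Modifies registry class) only make sense together: the SSODL value names a CLSID, and the CLSID's InProcServer32 names the DLL Explorer will load. The script below is an added example, not code from the report, the sandbox or the sample, that resolves every SSODL entry to its server DLL in both the 32-bit and 64-bit registry views and scores it. The live collector uses Python's winreg module and runs only on Windows; the scoring is a pure function exercised here on entries constructed from the report's own values. The WebCheck entry and DEMO_BASELINE are placeholders in the format a clean-host export would have, not values verified against a real Windows 7 image; the dropped-name regex is derived from the file names in this report and is a heuristic, not a signature.

```python
r"""Resolve ShellServiceObjectDelayLoad (SSODL) entries to the DLL Explorer will load.

Added example, not code from the report, the sandbox or the sample. The two registry
writes recorded above form one persistence mechanism:
  SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  CLSID\{79FEACFF-...}\InProcServer32 (Default) = C:\Windows\SysWow64\<dropped>.dll
Explorer.exe instantiates every CLSID named under SSODL when the shell starts, so the
DLL is loaded into Explorer at each logon without any Run key. assess() is pure;
collect_live() needs the winreg module and therefore runs only on Windows.
"""
import os
import re
from dataclasses import dataclass
from typing import Optional

SSODL_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Naming of every dropped file in this report: capitalised 8-letter name, often ending "32".
# Heuristic derived from the report, not a signature.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{5}32\.dll$|^[A-Z][a-z]{7}\.dll$")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


@dataclass(frozen=True)
class SsodlEntry:
    view: str                    # "32" (Wow6432Node) or "64"
    name: str                    # value name under SSODL
    clsid: str                   # value data
    inproc: Optional[str]        # InProcServer32 (Default); None if the CLSID is unregistered
    threading: Optional[str] = None
    from_hkcu: bool = False      # server found under HKCU\Software\Classes, which shadows HKLM


def assess(e: SsodlEntry, baseline: frozenset = frozenset()) -> list[str]:
    """Reasons to examine an entry; an empty list means it is in the clean baseline.
    baseline holds (view, name, CLSID upper-cased, server path lower-cased) tuples
    exported from a known-clean host of the same Windows build."""
    if not GUID_RE.match(e.clsid):
        return ["value data is not a CLSID"]
    if e.inproc is None:
        return ["CLSID has no InProcServer32 in this view (dangling, hijackable)"]
    path = os.path.expandvars(e.inproc.strip('"'))
    low = path.lower()
    if (e.view, e.name, e.clsid.upper(), low) in baseline:
        return []
    reasons = ["entry not in clean baseline"]
    if e.from_hkcu:
        reasons.append("InProcServer32 registered per-user (HKCU\\Software\\Classes shadows HKLM)")
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("server DLL in a user-writable directory")
    base = path.rsplit("\\", 1)[-1]
    if DROPPED_NAME_RE.match(base):
        reasons.append(f"dropped-style DLL name: {base}")
    return reasons


def collect_live() -> list[SsodlEntry]:
    """Enumerate SSODL in both registry views and resolve each CLSID (Windows only)."""
    import winreg  # imported here so the pure functions work on any platform
    found = []
    for view, flag in (("32", winreg.KEY_WOW64_32KEY), ("64", winreg.KEY_WOW64_64KEY)):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_SUBKEY, 0, winreg.KEY_READ | flag)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                i += 1
                found.append(_resolve(winreg, view, flag, name, str(data)))
    return found


def _resolve(winreg, view, flag, name, clsid) -> SsodlEntry:
    sub = "Software\\Classes\\CLSID\\" + clsid + "\\InProcServer32"
    # HKCU first: for a per-user process such as Explorer it wins the HKCR merge.
    for hive, per_user in ((winreg.HKEY_CURRENT_USER, True), (winreg.HKEY_LOCAL_MACHINE, False)):
        try:
            with winreg.OpenKey(hive, sub, 0, winreg.KEY_READ | flag) as k:
                inproc = winreg.QueryValueEx(k, "")[0]
                try:
                    threading = winreg.QueryValueEx(k, "ThreadingModel")[0]
                except OSError:
                    threading = None
                return SsodlEntry(view, name, clsid, str(inproc), threading, per_user)
        except OSError:
            continue
    return SsodlEntry(view, name, clsid, None)


def demo_entries() -> list[SsodlEntry]:
    """Constructed from the report's rows, plus a placeholder entry that matches the demo baseline."""
    clsid = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
    return [
        SsodlEntry("32", "Web Event Logger", clsid, r"C:\Windows\SysWow64\Eckfklnl.dll", "Apartment"),
        SsodlEntry("32", "Web Event Logger", clsid, None),
        SsodlEntry("32", "WebCheck", "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",
                   r"C:\Windows\SysWOW64\webcheck.dll"),
    ]


# Illustrative baseline (assumed values for the demo); export the real one from a clean host.
DEMO_BASELINE = frozenset({("32", "WebCheck", "{E6FB5E20-DE35-11CF-9C87-00A A005127ED}".replace(" ", ""),
                            r"c:\windows\syswow64\webcheck.dll")})

if __name__ == "__main__":
    try:
        entries = collect_live()
    except ImportError:
        entries = demo_entries()
    for e in entries:
        print(f"[{e.view}] {e.name} {e.clsid} -> {e.inproc}: {assess(e, DEMO_BASELINE) or 'ok'}")
```

Run it on a Windows host to list what Explorer will load at next logon; on any other platform it falls back to the constructed entries. The second demo entry (a CLSID with no InProcServer32) is the state an incident responder creates by deleting the DLL registration but leaving the SSODL value: it is still a hijackable slot, which is why assess() reports it rather than treating it as clean. Removing the persistence means deleting the SSODL value as well as the CLSID subtree in the view where it was written.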
Suspicious use of WriteProcessMemory (64 IoCs)

Every parent stage writes into the memory of the child it launches; the report records four WriteProcessMemory rows per parent/child pair (64 rows = 16 pairs), listed here once each with the row count.

description | pid | process | target pid | target process | rows
wrote to memory of | 2576 | 7bb97b42495d107e57fe43d02ac62ed0_NeikiAnalytics.exe | 2588 | Cddjebgb.exe | 4
wrote to memory of | 2588 | Cddjebgb.exe | 2708 | Cicpch32.exe | 4
wrote to memory of | 2708 | Cicpch32.exe | 2628 | Ddomif32.exe | 4
wrote to memory of | 2628 | Ddomif32.exe | 2520 | Ccnifd32.exe | 4
wrote to memory of | 2520 | Dkiefp32.exe | 2492 | Dkkbkp32.exe | 4
wrote to memory of | 2492 | Dkkbkp32.exe | 2996 | Djclbl32.exe | 4
wrote to memory of | 2996 | Djclbl32.exe | 264 | Ejehgkdp.exe | 4
wrote to memory of | 264 | Ejehgkdp.exe | 1632 | Ehjehh32.exe | 4
wrote to memory of | 1632 | Ehjehh32.exe | 2988 | Ifdlng32.exe | 4
wrote to memory of | 2988 | Ejjbbkpj.exe | 1888 | Khadpa32.exe | 4
wrote to memory of | 1888 | Emkkdf32.exe | 936 | Femeig32.exe | 4
wrote to memory of | 936 | Femeig32.exe | 2684 | Fjlkgn32.exe | 4
wrote to memory of | 2684 | Fjlkgn32.exe | 1700 | Gjngmmnp.exe | 4
wrote to memory of | 1700 | Gjngmmnp.exe | 1884 | Gfehan32.exe | 4
wrote to memory of | 1884 | Gfehan32.exe | 1720 | Gpnmjd32.exe | 4
wrote to memory of | 1720 | Gpnmjd32.exe | 1992 | Gaafhloq.exe | 4

Caveat: the target process name is not resolved consistently. PID 2520 is named Ccnifd32.exe as a target but Dkiefp32.exe as the next source and under Executes dropped EXE; likewise PID 2988 (Ifdlng32.exe as target, Ejjbbkpj.exe elsewhere) and PID 1888 (Khadpa32.exe as target, Emkkdf32.exe elsewhere). Khadpa32.exe does appear as a later stage under Modifies registry class, so these are not typos but names from other points in the run. When correlating rows, treat the PID together with the Executes dropped EXE table as authoritative and do not key on the target name alone.
Processes

depth⤵ image path | cmd: command line | PID | behaviour tags
1⤵ C:\Users\Admin\AppData\Local\Temp\7bb97b42495d107e57fe43d02ac62ed0_NeikiAnalytics.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\7bb97b42495d107e57fe43d02ac62ed0_NeikiAnalytics.exe" | PID:2576 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\Cddjebgb.exe | cmd: C:\Windows\system32\Cddjebgb.exe | PID:2588 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\Cicpch32.exe | cmd: C:\Windows\system32\Cicpch32.exe | PID:2708 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\Ddomif32.exe | cmd: C:\Windows\system32\Ddomif32.exe | PID:2628 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\Dkiefp32.exe | cmd: C:\Windows\system32\Dkiefp32.exe | PID:2520 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\Dkkbkp32.exe | cmd: C:\Windows\system32\Dkkbkp32.exe | PID:2492 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\Djclbl32.exe | cmd: C:\Windows\system32\Djclbl32.exe | PID:2996 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8⤵ C:\Windows\SysWOW64\Ejehgkdp.exe | cmd: C:\Windows\system32\Ejehgkdp.exe | PID:264 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\Ehjehh32.exe | cmd: C:\Windows\system32\Ehjehh32.exe | PID:1632 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10⤵ C:\Windows\SysWOW64\Ejjbbkpj.exe | cmd: C:\Windows\system32\Ejjbbkpj.exe | PID:2988 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\Emkkdf32.exe | cmd: C:\Windows\system32\Emkkdf32.exe | PID:1888 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12⤵ C:\Windows\SysWOW64\Femeig32.exe | cmd: C:\Windows\system32\Femeig32.exe | PID:936 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\Fjlkgn32.exe | cmd: C:\Windows\system32\Fjlkgn32.exe | PID:2684 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14⤵ C:\Windows\SysWOW64\Gjngmmnp.exe | cmd: C:\Windows\system32\Gjngmmnp.exe | PID:1700 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\Gfehan32.exe | cmd: C:\Windows\system32\Gfehan32.exe | PID:1884 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16⤵ C:\Windows\SysWOW64\Gpnmjd32.exe | cmd: C:\Windows\system32\Gpnmjd32.exe | PID:1720 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\Gaafhloq.exe | cmd: C:\Windows\system32\Gaafhloq.exe | PID:1992 | Executes dropped EXE; Loads dropped DLL
18⤵ C:\Windows\SysWOW64\Gacbmk32.exe | cmd: C:\Windows\system32\Gacbmk32.exe | PID:1040 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
19⤵ C:\Windows\SysWOW64\Gmjcblbb.exe | cmd: C:\Windows\system32\Gmjcblbb.exe | PID:1428 | Executes dropped EXE; Loads dropped DLL
20⤵ C:\Windows\SysWOW64\Hnjplo32.exe | cmd: C:\Windows\system32\Hnjplo32.exe | PID:704 | Executes dropped EXE; Loads dropped DLL
21⤵ C:\Windows\SysWOW64\Hdfhdfgl.exe | cmd: C:\Windows\system32\Hdfhdfgl.exe | PID:1260 | Executes dropped EXE; Loads dropped DLL
22⤵ C:\Windows\SysWOW64\Hifmbmda.exe | cmd: C:\Windows\system32\Hifmbmda.exe | PID:1800 | Executes dropped EXE; Loads dropped DLL
23⤵ C:\Windows\SysWOW64\Hdkape32.exe | cmd: C:\Windows\system32\Hdkape32.exe | PID:900 | Executes dropped EXE; Loads dropped DLL
24⤵ C:\Windows\SysWOW64\Hflkaq32.exe | cmd: C:\Windows\system32\Hflkaq32.exe | PID:3020 | Executes dropped EXE; Loads dropped DLL
25⤵ C:\Windows\SysWOW64\Ipdojfgh.exe | cmd: C:\Windows\system32\Ipdojfgh.exe | PID:1576 | Executes dropped EXE; Loads dropped DLL
26⤵ C:\Windows\SysWOW64\Ibehla32.exe | cmd: C:\Windows\system32\Ibehla32.exe | PID:2164 | Executes dropped EXE; Loads dropped DLL
27⤵ C:\Windows\SysWOW64\Ilnmdgkj.exe | cmd: C:\Windows\system32\Ilnmdgkj.exe | PID:2012 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
28⤵ C:\Windows\SysWOW64\Ioliqbjn.exe | cmd: C:\Windows\system32\Ioliqbjn.exe | PID:2792 | Executes dropped EXE; Loads dropped DLL
29⤵ C:\Windows\SysWOW64\Iggned32.exe | cmd: C:\Windows\system32\Iggned32.exe | PID:832 | Executes dropped EXE; Loads dropped DLL
30⤵ C:\Windows\SysWOW64\Incbgnmc.exe | cmd: C:\Windows\system32\Incbgnmc.exe | PID:2772 | Executes dropped EXE; Loads dropped DLL
31⤵ C:\Windows\SysWOW64\Idmkdh32.exe | cmd: C:\Windows\system32\Idmkdh32.exe | PID:2632 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
32⤵ C:\Windows\SysWOW64\Jkgcab32.exe | cmd: C:\Windows\system32\Jkgcab32.exe | PID:2896 | Executes dropped EXE; Loads dropped DLL
33⤵ C:\Windows\SysWOW64\Jdpgjhbm.exe | cmd: C:\Windows\system32\Jdpgjhbm.exe | PID:3000 | Executes dropped EXE
34⤵ C:\Windows\SysWOW64\Jlklnjoh.exe | cmd: C:\Windows\system32\Jlklnjoh.exe | PID:2476 | Executes dropped EXE
35⤵ C:\Windows\SysWOW64\Jjomgo32.exe | cmd: C:\Windows\system32\Jjomgo32.exe | PID:544 | Executes dropped EXE
36⤵ C:\Windows\SysWOW64\Jlmicj32.exe | cmd: C:\Windows\system32\Jlmicj32.exe | PID:1092 | Executes dropped EXE
37⤵ C:\Windows\SysWOW64\Kkileele.exe | cmd: C:\Windows\system32\Kkileele.exe | PID:2860 | Executes dropped EXE
38⤵ C:\Windows\SysWOW64\Kbcdbp32.exe | cmd: C:\Windows\system32\Kbcdbp32.exe | PID:948 | Executes dropped EXE
39⤵ C:\Windows\SysWOW64\Kjaelaok.exe | cmd: C:\Windows\system32\Kjaelaok.exe | PID:2156 | Executes dropped EXE
40⤵ C:\Windows\SysWOW64\Kcijeg32.exe | cmd: C:\Windows\system32\Kcijeg32.exe | PID:1616 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
41⤵ C:\Windows\SysWOW64\Lmbonmll.exe | cmd: C:\Windows\system32\Lmbonmll.exe | PID:1676 | Executes dropped EXE; Drops file in System32 directory
42⤵ C:\Windows\SysWOW64\Lihobnap.exe | cmd: C:\Windows\system32\Lihobnap.exe | PID:1928 | Executes dropped EXE
43⤵ C:\Windows\SysWOW64\Lflplbpi.exe | cmd: C:\Windows\system32\Lflplbpi.exe | PID:2052 | Executes dropped EXE
44⤵ C:\Windows\SysWOW64\Leammn32.exe | cmd: C:\Windows\system32\Leammn32.exe | PID:840 | Executes dropped EXE
45⤵ C:\Windows\SysWOW64\Lklejh32.exe | cmd: C:\Windows\system32\Lklejh32.exe | PID:1032 | Executes dropped EXE; Drops file in System32 directory
46⤵ C:\Windows\SysWOW64\Ledibnco.exe | cmd: C:\Windows\system32\Ledibnco.exe | PID:3056 | Executes dropped EXE
47⤵ C:\Windows\SysWOW64\Ljabkeaf.exe | cmd: C:\Windows\system32\Ljabkeaf.exe | PID:1496 | Executes dropped EXE
48⤵ C:\Windows\SysWOW64\Meffhnal.exe | cmd: C:\Windows\system32\Meffhnal.exe | PID:2020 | Executes dropped EXE
49⤵ C:\Windows\SysWOW64\Mjcoqdoc.exe | cmd: C:\Windows\system32\Mjcoqdoc.exe | PID:1952 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
50⤵ C:\Windows\SysWOW64\Mmakmp32.exe | cmd: C:\Windows\system32\Mmakmp32.exe | PID:2352 | Executes dropped EXE
51⤵ C:\Windows\SysWOW64\Mjekfd32.exe | cmd: C:\Windows\system32\Mjekfd32.exe | PID:1592 | Executes dropped EXE
52⤵ C:\Windows\SysWOW64\Mcnpojca.exe | cmd: C:\Windows\system32\Mcnpojca.exe | PID:2848 | Executes dropped EXE
53⤵ C:\Windows\SysWOW64\Mikhgqbi.exe | cmd: C:\Windows\system32\Mikhgqbi.exe | PID:2964 | Executes dropped EXE
54⤵ C:\Windows\SysWOW64\Mabphn32.exe | cmd: C:\Windows\system32\Mabphn32.exe | PID:2504 | Executes dropped EXE; Modifies registry class
55⤵ C:\Windows\SysWOW64\Mjjdacik.exe | cmd: C:\Windows\system32\Mjjdacik.exe | PID:688 | Executes dropped EXE
56⤵ C:\Windows\SysWOW64\Mbeiefff.exe | cmd: C:\Windows\system32\Mbeiefff.exe | PID:2604 | Executes dropped EXE
57⤵ C:\Windows\SysWOW64\Nmkncofl.exe | cmd: C:\Windows\system32\Nmkncofl.exe | PID:2376 | Executes dropped EXE
58⤵ C:\Windows\SysWOW64\Nefbga32.exe | cmd: C:\Windows\system32\Nefbga32.exe | PID:1100 | Executes dropped EXE
59⤵ C:\Windows\SysWOW64\Nbjcqe32.exe | cmd: C:\Windows\system32\Nbjcqe32.exe | PID:2284 | Executes dropped EXE
60⤵ C:\Windows\SysWOW64\Noacef32.exe | cmd: C:\Windows\system32\Noacef32.exe | PID:2056 | Executes dropped EXE
61⤵ C:\Windows\SysWOW64\Nledoj32.exe | cmd: C:\Windows\system32\Nledoj32.exe | PID:2196 | Executes dropped EXE
62⤵ C:\Windows\SysWOW64\Ndpicm32.exe | cmd: C:\Windows\system32\Ndpicm32.exe | PID:2080 | Executes dropped EXE
63⤵ C:\Windows\SysWOW64\Noemqe32.exe | cmd: C:\Windows\system32\Noemqe32.exe | PID:2400 | Executes dropped EXE
64⤵ C:\Windows\SysWOW64\Ogqaehak.exe | cmd: C:\Windows\system32\Ogqaehak.exe | PID:2220 | Executes dropped EXE; Drops file in System32 directory
65⤵ C:\Windows\SysWOW64\Omkjbb32.exe | cmd: C:\Windows\system32\Omkjbb32.exe | PID:2644 | Executes dropped EXE
66⤵ C:\Windows\SysWOW64\Ogcnkgoh.exe | cmd: C:\Windows\system32\Ogcnkgoh.exe | PID:2432
67⤵ C:\Windows\SysWOW64\Opkccm32.exe | cmd: C:\Windows\system32\Opkccm32.exe | PID:2360
68⤵ C:\Windows\SysWOW64\Ocjophem.exe | cmd: C:\Windows\system32\Ocjophem.exe | PID:2368
69⤵ C:\Windows\SysWOW64\Ocllehcj.exe | cmd: C:\Windows\system32\Ocllehcj.exe | PID:1996
70⤵ C:\Windows\SysWOW64\Oekhacbn.exe | cmd: C:\Windows\system32\Oekhacbn.exe | PID:2288
71⤵ C:\Windows\SysWOW64\Oldpnn32.exe | cmd: C:\Windows\system32\Oldpnn32.exe | PID:2776 | Adds autorun key to be loaded by Explorer.exe on startup
72⤵ C:\Windows\SysWOW64\Ooclji32.exe | cmd: C:\Windows\system32\Ooclji32.exe | PID:1192
73⤵ C:\Windows\SysWOW64\Pkjmoj32.exe | cmd: C:\Windows\system32\Pkjmoj32.exe | PID:672
74⤵ C:\Windows\SysWOW64\Padeldeo.exe | cmd: C:\Windows\system32\Padeldeo.exe | PID:2568
75⤵ C:\Windows\SysWOW64\Plijimee.exe | cmd: C:\Windows\system32\Plijimee.exe | PID:2500
76⤵ C:\Windows\SysWOW64\Pnjfae32.exe | cmd: C:\Windows\system32\Pnjfae32.exe | PID:1920 | Adds autorun key to be loaded by Explorer.exe on startup
77⤵ C:\Windows\SysWOW64\Peanbblf.exe | cmd: C:\Windows\system32\Peanbblf.exe | PID:2620
78⤵ C:\Windows\SysWOW64\Pgckjk32.exe | cmd: C:\Windows\system32\Pgckjk32.exe | PID:952 | Modifies registry class
79⤵ C:\Windows\SysWOW64\Pnmcfeia.exe | cmd: C:\Windows\system32\Pnmcfeia.exe | PID:2068
80⤵ C:\Windows\SysWOW64\Pjcckf32.exe | cmd: C:\Windows\system32\Pjcckf32.exe | PID:1708
81⤵ C:\Windows\SysWOW64\Pclhdl32.exe | cmd: C:\Windows\system32\Pclhdl32.exe | PID:2756
82⤵ C:\Windows\SysWOW64\Pdldnomh.exe | cmd: C:\Windows\system32\Pdldnomh.exe | PID:2820
83⤵ C:\Windows\SysWOW64\Qqbecp32.exe | cmd: C:\Windows\system32\Qqbecp32.exe | PID:1948
84⤵ C:\Windows\SysWOW64\Qcqaok32.exe | cmd: C:\Windows\system32\Qcqaok32.exe | PID:3044
85⤵ C:\Windows\SysWOW64\Qjkjle32.exe | cmd: C:\Windows\system32\Qjkjle32.exe | PID:2084
86⤵ C:\Windows\SysWOW64\Qqdbiopj.exe | cmd: C:\Windows\system32\Qqdbiopj.exe | PID:2584 | Modifies registry class
87⤵ C:\Windows\SysWOW64\Afajafoa.exe | cmd: C:\Windows\system32\Afajafoa.exe | PID:2108
88⤵ C:\Windows\SysWOW64\Akncimmh.exe | cmd: C:\Windows\system32\Akncimmh.exe | PID:2224
89⤵ C:\Windows\SysWOW64\Acekjjmk.exe | cmd: C:\Windows\system32\Acekjjmk.exe | PID:3040 | Adds autorun key to be loaded by Explorer.exe on startup
90⤵ C:\Windows\SysWOW64\Aibcba32.exe | cmd: C:\Windows\system32\Aibcba32.exe | PID:2232
91⤵ C:\Windows\SysWOW64\Aollokco.exe | cmd: C:\Windows\system32\Aollokco.exe | PID:1500
92⤵ C:\Windows\SysWOW64\Aeidgbaf.exe | cmd: C:\Windows\system32\Aeidgbaf.exe | PID:2044
93⤵ C:\Windows\SysWOW64\Akcldl32.exe | cmd: C:\Windows\system32\Akcldl32.exe | PID:1664
94⤵ C:\Windows\SysWOW64\Aapemc32.exe | cmd: C:\Windows\system32\Aapemc32.exe | PID:1356
95⤵ C:\Windows\SysWOW64\Agjmim32.exe | cmd: C:\Windows\system32\Agjmim32.exe | PID:1748
96⤵ C:\Windows\SysWOW64\Aboaff32.exe | cmd: C:\Windows\system32\Aboaff32.exe | PID:2036
97⤵ C:\Windows\SysWOW64\Bnfblgca.exe | cmd: C:\Windows\system32\Bnfblgca.exe | PID:1880
98⤵ C:\Windows\SysWOW64\Badnhbce.exe | cmd: C:\Windows\system32\Badnhbce.exe | PID:2404
99⤵ C:\Windows\SysWOW64\Bgnfdm32.exe | cmd: C:\Windows\system32\Bgnfdm32.exe | PID:1876
100⤵ C:\Windows\SysWOW64\Bnhoag32.exe | cmd: C:\Windows\system32\Bnhoag32.exe | PID:1956
101⤵ C:\Windows\SysWOW64\Bcegin32.exe | cmd: C:\Windows\system32\Bcegin32.exe | PID:1300
102⤵ C:\Windows\SysWOW64\Bmnlbcfg.exe | cmd: C:\Windows\system32\Bmnlbcfg.exe | PID:3004 | Adds autorun key to be loaded by Explorer.exe on startup
103⤵ C:\Windows\SysWOW64\Bcgdom32.exe | cmd: C:\Windows\system32\Bcgdom32.exe | PID:336 | Adds autorun key to be loaded by Explorer.exe on startup
104⤵ C:\Windows\SysWOW64\Bjallg32.exe | cmd: C:\Windows\system32\Bjallg32.exe | PID:2600
105⤵ C:\Windows\SysWOW64\Blchcpko.exe | cmd: C:\Windows\system32\Blchcpko.exe | PID:2660
106⤵ C:\Windows\SysWOW64\Bpnddn32.exe | cmd: C:\Windows\system32\Bpnddn32.exe | PID:1248
107⤵ C:\Windows\SysWOW64\Bfhmqhkd.exe | cmd: C:\Windows\system32\Bfhmqhkd.exe | PID:2060 | Adds autorun key to be loaded by Explorer.exe on startup
108⤵ C:\Windows\SysWOW64\Bigimdjh.exe | cmd: C:\Windows\system32\Bigimdjh.exe | PID:1984
109⤵ C:\Windows\SysWOW64\Bbonei32.exe | cmd: C:\Windows\system32\Bbonei32.exe | PID:1176 | Adds autorun key to be loaded by Explorer.exe on startup
110⤵ C:\Windows\SysWOW64\Cemjae32.exe | cmd: C:\Windows\system32\Cemjae32.exe | PID:804
111⤵ C:\Windows\SysWOW64\Cpcnonob.exe | cmd: C:\Windows\system32\Cpcnonob.exe | PID:1940
112⤵ C:\Windows\SysWOW64\Cepfgdnj.exe | cmd: C:\Windows\system32\Cepfgdnj.exe | PID:1604
113⤵ C:\Windows\SysWOW64\Cljodo32.exe | cmd: C:\Windows\system32\Cljodo32.exe | PID:2100
114⤵ C:\Windows\SysWOW64\Cohkpj32.exe | cmd: C:\Windows\system32\Cohkpj32.exe | PID:2732
115⤵ C:\Windows\SysWOW64\Cdecha32.exe | cmd: C:\Windows\system32\Cdecha32.exe | PID:2552
116⤵ C:\Windows\SysWOW64\Cakqgeoi.exe | cmd: C:\Windows\system32\Cakqgeoi.exe | PID:2004
117⤵ C:\Windows\SysWOW64\Dinklffl.exe | cmd: C:\Windows\system32\Dinklffl.exe | PID:2572
118⤵ C:\Windows\SysWOW64\Dkadjn32.exe | cmd: C:\Windows\system32\Dkadjn32.exe | PID:1480 | Adds autorun key to be loaded by Explorer.exe on startup
119⤵ C:\Windows\SysWOW64\Degiggjm.exe | cmd: C:\Windows\system32\Degiggjm.exe | PID:2364 | Modifies registry class
120⤵ C:\Windows\SysWOW64\Ehgbhbgn.exe | cmd: C:\Windows\system32\Ehgbhbgn.exe | PID:972 | Drops file in System32 directory
121⤵ C:\Windows\SysWOW64\Ekfndmfb.exe | cmd: C:\Windows\system32\Ekfndmfb.exe | PID:2472
122⤵ C:\Windows\SysWOW64\Ednbncmb.exe | cmd: C:\Windows\system32\Ednbncmb.exe | PID:2728
123⤵ C:\Windows\SysWOW64\Enfgfh32.exe | cmd: C:\Windows\system32\Enfgfh32.exe | PID:2148
124⤵ C:\Windows\SysWOW64\Ekjgpm32.exe | cmd: C:\Windows\system32\Ekjgpm32.exe | PID:2092 | Drops file in System32 directory
125⤵ C:\Windows\SysWOW64\Epgphcqd.exe | cmd: C:\Windows\system32\Epgphcqd.exe | PID:2340
126⤵ C:\Windows\SysWOW64\Ecfldoph.exe | cmd: C:\Windows\system32\Ecfldoph.exe | PID:2152
127⤵ C:\Windows\SysWOW64\Enkpahon.exe | cmd: C:\Windows\system32\Enkpahon.exe | PID:2064 | Adds autorun key to be loaded by Explorer.exe on startup
128⤵ C:\Windows\SysWOW64\Eqjmncna.exe | cmd: C:\Windows\system32\Eqjmncna.exe | PID:2832
129⤵ C:\Windows\SysWOW64\Fchijone.exe | cmd: C:\Windows\system32\Fchijone.exe | PID:2192
130⤵ C:\Windows\SysWOW64\Fffefjmi.exe | cmd: C:\Windows\system32\Fffefjmi.exe | PID:2912
131⤵ C:\Windows\SysWOW64\Flqmbd32.exe | cmd: C:\Windows\system32\Flqmbd32.exe | PID:1580
132⤵ C:\Windows\SysWOW64\Fcjeon32.exe | cmd: C:\Windows\system32\Fcjeon32.exe | PID:608 | Modifies registry class
133⤵ C:\Windows\SysWOW64\Ffibkj32.exe | cmd: C:\Windows\system32\Ffibkj32.exe | PID:2464
134⤵ C:\Windows\SysWOW64\Foafdoag.exe | cmd: C:\Windows\system32\Foafdoag.exe | PID:1824
135⤵ C:\Windows\SysWOW64\Fdnolfon.exe | cmd: C:\Windows\system32\Fdnolfon.exe | PID:2816
136⤵ C:\Windows\SysWOW64\Fmegncpp.exe | cmd: C:\Windows\system32\Fmegncpp.exe | PID:1000 | Modifies registry class
137⤵ C:\Windows\SysWOW64\Fnfcel32.exe | cmd: C:\Windows\system32\Fnfcel32.exe | PID:2556
138⤵ C:\Windows\SysWOW64\Filgbdfd.exe | cmd: C:\Windows\system32\Filgbdfd.exe | PID:1528
139⤵ C:\Windows\SysWOW64\Fkmqdpce.exe | cmd: C:\Windows\system32\Fkmqdpce.exe | PID:2736
140⤵ C:\Windows\SysWOW64\Gqiimfam.exe | cmd: C:\Windows\system32\Gqiimfam.exe | PID:1812
141⤵ C:\Windows\SysWOW64\Ggcaiqhj.exe | cmd: C:\Windows\system32\Ggcaiqhj.exe | PID:2608
142⤵ C:\Windows\SysWOW64\Gnmifk32.exe | cmd: C:\Windows\system32\Gnmifk32.exe | PID:2804
143⤵ C:\Windows\SysWOW64\Gegabegc.exe | cmd: C:\Windows\system32\Gegabegc.exe | PID:1792
144⤵ C:\Windows\SysWOW64\Ggfnopfg.exe | cmd: C:\Windows\system32\Ggfnopfg.exe | PID:2764
145⤵ C:\Windows\SysWOW64\Gnpflj32.exe | cmd: C:\Windows\system32\Gnpflj32.exe | PID:3024
146⤵ C:\Windows\SysWOW64\Gpabcbdb.exe | cmd: C:\Windows\system32\Gpabcbdb.exe | PID:1560
147⤵ C:\Windows\SysWOW64\Gaqomeke.exe | cmd: C:\Windows\system32\Gaqomeke.exe | PID:2680 | Drops file in System32 directory
148⤵ C:\Windows\SysWOW64\Gcokiaji.exe | cmd: C:\Windows\system32\Gcokiaji.exe | PID:2924
149⤵ C:\Windows\SysWOW64\Gmgpbf32.exe | cmd: C:\Windows\system32\Gmgpbf32.exe | PID:2740 | Modifies registry class
150⤵ C:\Windows\SysWOW64\Gcahoqhf.exe | cmd: C:\Windows\system32\Gcahoqhf.exe | PID:1756
151⤵ C:\Windows\SysWOW64\Hebdfind.exe | cmd: C:\Windows\system32\Hebdfind.exe | PID:2636
152⤵ C:\Windows\SysWOW64\Hmjlhfof.exe | cmd: C:\Windows\system32\Hmjlhfof.exe | PID:652
153⤵ C:\Windows\SysWOW64\Hbfepmmn.exe | cmd: C:\Windows\system32\Hbfepmmn.exe | PID:2424
154⤵ C:\Windows\SysWOW64\Hhcmhdke.exe | cmd: C:\Windows\system32\Hhcmhdke.exe | PID:1440
155⤵ C:\Windows\SysWOW64\Hnmeen32.exe | cmd: C:\Windows\system32\Hnmeen32.exe | PID:880 | Modifies registry class
156⤵ C:\Windows\SysWOW64\Hegnahjo.exe | cmd: C:\Windows\system32\Hegnahjo.exe | PID:3012
157⤵ C:\Windows\SysWOW64\Hhejnc32.exe | cmd: C:\Windows\system32\Hhejnc32.exe | PID:1600
158⤵ C:\Windows\SysWOW64\Hjdfjo32.exe | cmd: C:\Windows\system32\Hjdfjo32.exe | PID:1376
159⤵ C:\Windows\SysWOW64\Heikgh32.exe | cmd: C:\Windows\system32\Heikgh32.exe | PID:2540
160⤵ C:\Windows\SysWOW64\Hhhgcc32.exe | cmd: C:\Windows\system32\Hhhgcc32.exe | PID:1020 | Drops file in System32 directory
161⤵ C:\Windows\SysWOW64\Hmeolj32.exe | cmd: C:\Windows\system32\Hmeolj32.exe | PID:2560
162⤵ C:\Windows\SysWOW64\Hhjcic32.exe | cmd: C:\Windows\system32\Hhjcic32.exe | PID:2784
163⤵ C:\Windows\SysWOW64\Idadnd32.exe | cmd: C:\Windows\system32\Idadnd32.exe | PID:2880
164⤵ C:\Windows\SysWOW64\Iinmfk32.exe | cmd: C:\Windows\system32\Iinmfk32.exe | PID:1976
165⤵ C:\Windows\SysWOW64\Iphecepe.exe | cmd: C:\Windows\system32\Iphecepe.exe | PID:520
166⤵ C:\Windows\SysWOW64\Ifampo32.exe | cmd: C:\Windows\system32\Ifampo32.exe | PID:1944
167⤵ C:\Windows\SysWOW64\Ipjahd32.exe | cmd: C:\Windows\system32\Ipjahd32.exe | PID:3064
168⤵ C:\Windows\SysWOW64\Ifdjeoep.exe | cmd: C:\Windows\system32\Ifdjeoep.exe | PID:2456
169⤵ C:\Windows\SysWOW64\Ifffkncm.exe | cmd: C:\Windows\system32\Ifffkncm.exe | PID:1704 | Modifies registry class
170⤵ C:\Windows\SysWOW64\Iiecgjba.exe | cmd: C:\Windows\system32\Iiecgjba.exe | PID:2656
171⤵ C:\Windows\SysWOW64\Ipokcdjn.exe | cmd: C:\Windows\system32\Ipokcdjn.exe | PID:928
172⤵ C:\Windows\SysWOW64\Ielclkhe.exe | cmd: C:\Windows\system32\Ielclkhe.exe | PID:1788
173⤵ C:\Windows\SysWOW64\Jlelhe32.exe | cmd: C:\Windows\system32\Jlelhe32.exe | PID:2916
174⤵ C:\Windows\SysWOW64\Jabdql32.exe | cmd: C:\Windows\system32\Jabdql32.exe | PID:2444
175⤵ C:\Windows\SysWOW64\Jkkija32.exe | cmd: C:\Windows\system32\Jkkija32.exe | PID:800
176⤵ C:\Windows\SysWOW64\Jaeafklf.exe | cmd: C:\Windows\system32\Jaeafklf.exe | PID:1060 | Adds autorun key to be loaded by Explorer.exe on startup
177⤵ C:\Windows\SysWOW64\Joiappkp.exe | cmd: C:\Windows\system32\Joiappkp.exe | PID:2032
178⤵ C:\Windows\SysWOW64\Jdejhfig.exe | cmd: C:\Windows\system32\Jdejhfig.exe | PID:2980 | Adds autorun key to be loaded by Explorer.exe on startup
179⤵ C:\Windows\SysWOW64\Jnnnalph.exe | cmd: C:\Windows\system32\Jnnnalph.exe | PID:776
180⤵ C:\Windows\SysWOW64\Jkbojpna.exe | cmd: C:\Windows\system32\Jkbojpna.exe | PID:1900 | Drops file in System32 directory
181⤵ C:\Windows\SysWOW64\Jlckbh32.exe | cmd: C:\Windows\system32\Jlckbh32.exe | PID:2688
182⤵ C:\Windows\SysWOW64\Kfkpknkq.exe | cmd: C:\Windows\system32\Kfkpknkq.exe | PID:2672
183⤵ C:\Windows\SysWOW64\Koddccaa.exe | cmd: C:\Windows\system32\Koddccaa.exe | PID:536
184⤵ C:\Windows\SysWOW64\Kcopdb32.exe | cmd: C:\Windows\system32\Kcopdb32.exe | PID:1484
185⤵ C:\Windows\SysWOW64\Klhemhpk.exe | cmd: C:\Windows\system32\Klhemhpk.exe | PID:3100
186⤵ C:\Windows\SysWOW64\Kcamjb32.exe | cmd: C:\Windows\system32\Kcamjb32.exe | PID:3140 | Adds autorun key to be loaded by Explorer.exe on startup
187⤵ C:\Windows\SysWOW64\Kkmand32.exe | cmd: C:\Windows\system32\Kkmand32.exe | PID:3180
188⤵ C:\Windows\SysWOW64\Kbgjkn32.exe | cmd: C:\Windows\system32\Kbgjkn32.exe | PID:3220
189⤵ C:\Windows\SysWOW64\Kkoncdcp.exe | cmd: C:\Windows\system32\Kkoncdcp.exe | PID:3260
190⤵ C:\Windows\SysWOW64\Kbigpn32.exe | cmd: C:\Windows\system32\Kbigpn32.exe | PID:3300
191⤵ C:\Windows\SysWOW64\Kgfoie32.exe | cmd: C:\Windows\system32\Kgfoie32.exe | PID:3340
192⤵ C:\Windows\SysWOW64\Lomgjb32.exe | cmd: C:\Windows\system32\Lomgjb32.exe | PID:3380 | Modifies registry class
193⤵ C:\Windows\SysWOW64\Lqncaj32.exe | cmd: C:\Windows\system32\Lqncaj32.exe | PID:3420
194⤵ C:\Windows\SysWOW64\Ljghjpfe.exe | cmd: C:\Windows\system32\Ljghjpfe.exe | PID:3460
195⤵ C:\Windows\SysWOW64\Lbnpkmfg.exe | cmd: C:\Windows\system32\Lbnpkmfg.exe | PID:3500
196⤵ C:\Windows\SysWOW64\Ljieppcb.exe | cmd: C:\Windows\system32\Ljieppcb.exe | PID:3544
197⤵ C:\Windows\SysWOW64\Lqcmmjko.exe | cmd: C:\Windows\system32\Lqcmmjko.exe | PID:3584
198⤵ C:\Windows\SysWOW64\Lfpeeqig.exe | cmd: C:\Windows\system32\Lfpeeqig.exe | PID:3624
199⤵ C:\Windows\SysWOW64\Lqejbiim.exe | cmd: C:\Windows\system32\Lqejbiim.exe | PID:3664
200⤵ C:\Windows\SysWOW64\Lgoboc32.exe | cmd: C:\Windows\system32\Lgoboc32.exe | PID:3704
201⤵ C:\Windows\SysWOW64\Ljnnko32.exe | cmd: C:\Windows\system32\Ljnnko32.exe | PID:3744
202⤵ C:\Windows\SysWOW64\Lokgcf32.exe | cmd: C:\Windows\system32\Lokgcf32.exe | PID:3784
203⤵ C:\Windows\SysWOW64\Mjpkqonj.exe | cmd: C:\Windows\system32\Mjpkqonj.exe | PID:3824
204⤵ C:\Windows\SysWOW64\Mpmcielb.exe | cmd: C:\Windows\system32\Mpmcielb.exe | PID:3864
205⤵ C:\Windows\SysWOW64\Mmadbjkk.exe | cmd: C:\Windows\system32\Mmadbjkk.exe | PID:3920
206⤵ C:\Windows\SysWOW64\Nhakcfab.exe | cmd: C:\Windows\system32\Nhakcfab.exe | PID:3960
207⤵ C:\Windows\SysWOW64\Nmnclmoj.exe | cmd: C:\Windows\system32\Nmnclmoj.exe | PID:4000
208⤵ C:\Windows\SysWOW64\Ndhlhg32.exe | cmd: C:\Windows\system32\Ndhlhg32.exe | PID:4040 | Modifies registry class
209⤵ C:\Windows\SysWOW64\Nfghdcfj.exe | cmd: C:\Windows\system32\Nfghdcfj.exe | PID:4080 | Drops file in System32 directory
210⤵ C:\Windows\SysWOW64\Nallalep.exe | cmd: C:\Windows\system32\Nallalep.exe | PID:3108
211⤵ C:\Windows\SysWOW64\Nmcmgm32.exe | cmd: C:\Windows\system32\Nmcmgm32.exe | PID:1908
212⤵ C:\Windows\SysWOW64\Npaich32.exe | cmd: C:\Windows\system32\Npaich32.exe | PID:3204
213⤵ C:\Windows\SysWOW64\Nfkapb32.exe | cmd: C:\Windows\system32\Nfkapb32.exe | PID:3248
214⤵ C:\Windows\SysWOW64\Nmejllia.exe | cmd: C:\Windows\system32\Nmejllia.exe | PID:3308 | Adds autorun key to be loaded by Explorer.exe on startup
215⤵ C:\Windows\SysWOW64\Nfnneb32.exe | cmd: C:\Windows\system32\Nfnneb32.exe | PID:3360
216⤵ C:\Windows\SysWOW64\Olkfmi32.exe | cmd: C:\Windows\system32\Olkfmi32.exe | PID:3404
217⤵ C:\Windows\SysWOW64\Oagoep32.exe | cmd: C:\Windows\system32\Oagoep32.exe | PID:3456
218⤵ C:\Windows\SysWOW64\Okpcoe32.exe | cmd: C:\Windows\system32\Okpcoe32.exe | PID:1712
219⤵ C:\Windows\SysWOW64\Olophhjd.exe | cmd: C:\Windows\system32\Olophhjd.exe | PID:3560
220⤵ C:\Windows\SysWOW64\Oalhqohl.exe | cmd: C:\Windows\system32\Oalhqohl.exe | PID:3608
221⤵ C:\Windows\SysWOW64\Odjdmjgo.exe | cmd: C:\Windows\system32\Odjdmjgo.exe | PID:3656
222⤵ C:\Windows\SysWOW64\Oopijc32.exe | cmd: C:\Windows\system32\Oopijc32.exe | PID:3700
223⤵ C:\Windows\SysWOW64\Oanefo32.exe | cmd: C:\Windows\system32\Oanefo32.exe | PID:3756
224⤵ C:\Windows\SysWOW64\Oijjka32.exe | cmd: C:\Windows\system32\Oijjka32.exe | PID:3800
225⤵ C:\Windows\SysWOW64\Ppcbgkka.exe | cmd: C:\Windows\system32\Ppcbgkka.exe | PID:3852
226⤵ C:\Windows\SysWOW64\Pcbncfjd.exe | cmd: C:\Windows\system32\Pcbncfjd.exe | PID:3896 | Drops file in System32 directory
227⤵ C:\Windows\SysWOW64\Pilfpqaa.exe | cmd: C:\Windows\system32\Pilfpqaa.exe | PID:3884
228⤵ C:\Windows\SysWOW64\Ppfomk32.exe | cmd: C:\Windows\system32\Ppfomk32.exe | PID:2664 | Adds autorun key to be loaded by Explorer.exe on startup
229⤵ C:\Windows\SysWOW64\Pcdkif32.exe | cmd: C:\Windows\system32\Pcdkif32.exe | PID:3988
230⤵ C:\Windows\SysWOW64\Piqpkpml.exe | cmd: C:\Windows\system32\Piqpkpml.exe | PID:4052
231⤵ C:\Windows\SysWOW64\Ppkhhjei.exe | cmd: C:\Windows\system32\Ppkhhjei.exe | PID:3804
232⤵ C:\Windows\SysWOW64\Pciddedl.exe | cmd: C:\Windows\system32\Pciddedl.exe | PID:3148
233⤵ C:\Windows\SysWOW64\Plaimk32.exe | cmd: C:\Windows\system32\Plaimk32.exe | PID:2932
234⤵ C:\Windows\SysWOW64\Panaeb32.exe | cmd: C:\Windows\system32\Panaeb32.exe | PID:3244
235⤵ C:\Windows\SysWOW64\Phhjblpa.exe | cmd: C:\Windows\system32\Phhjblpa.exe | PID:3312
236⤵ C:\Windows\SysWOW64\Qobbofgn.exe | cmd: C:\Windows\system32\Qobbofgn.exe | PID:3392
237⤵ C:\Windows\SysWOW64\Qhjfgl32.exe | cmd: C:\Windows\system32\Qhjfgl32.exe | PID:3444
238⤵ C:\Windows\SysWOW64\Qngopb32.exe | cmd: C:\Windows\system32\Qngopb32.exe | PID:3512 | Adds autorun key to be loaded by Explorer.exe on startup
239⤵ C:\Windows\SysWOW64\Qqfkln32.exe | cmd: C:\Windows\system32\Qqfkln32.exe | PID:3572
240⤵ C:\Windows\SysWOW64\Agpcihcf.exe | cmd: C:\Windows\system32\Agpcihcf.exe | PID:3640 | Modifies registry class
241⤵ C:\Windows\SysWOW64\Anjlebjc.exe | cmd: C:\Windows\system32\Anjlebjc.exe | PID:1924
242⤵ C:\Windows\SysWOW64\Adcdbl32.exe | cmd: C:\Windows\system32\Adcdbl32.exe | PID:452