Analysis
-
max time kernel
39s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 21:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
11 signatures
600 seconds
Behavioral task
behavioral2
Sample
02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
13 signatures
600 seconds
General
-
Target
02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
-
Size
104KB
-
MD5
2c95b2b9ba80bd2eeb26422c6c21c500
-
SHA1
87f3cdcbdf3cf0b72a879447cea0a644b51b6b03
-
SHA256
02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990
-
SHA512
7d24812f5fb9e55f9698744537cff7ca2b4ed5c93c8cc2bf335ce1a0a946e306985b8b7b2be8267d527974d2b9971a4d7ddb9e425db04ff624f2dcbcf8bd3413
-
SSDEEP
3072:oGCo6a+dYpdmtAtL3A1fJe5Jx7cEGrhkngpDvchkqbAIQS:pCpaQYPm8L3A1fc5Jx4brq2Ahn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjjea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcmcoblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbcpbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjipenda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghhfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Najpll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akhfoldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhkiid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlccdboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nljddpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jckgicnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcbellac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioliqbjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ooqpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbojdmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kobkpdfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcdopc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdaheq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdaheq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peoalc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iamimc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkpijma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlccdboi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caidaeak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcegmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhjcic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbalifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jajala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbdjbaea.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Pphjgfqq.exe 2348 Pipopl32.exe 2160 Paggai32.exe 2772 Pjpkjond.exe 2764 Plahag32.exe 2724 Pfflopdh.exe 2584 Piehkkcl.exe 2468 Pnbacbac.exe 2508 Pelipl32.exe 812 Ppamme32.exe 328 Pbpjiphi.exe 2748 Pijbfj32.exe 1372 Qnfjna32.exe 2560 Qdccfh32.exe 860 Qljkhe32.exe 320 Qnigda32.exe 1512 Qecoqk32.exe 1528 Ahakmf32.exe 2452 Ankdiqih.exe 1132 Amndem32.exe 1276 Adhlaggp.exe 952 Ahchbf32.exe 1876 Ajbdna32.exe 972 Aalmklfi.exe 1748 Adjigg32.exe 1764 Abmibdlh.exe 2244 Ajdadamj.exe 2080 Apajlhka.exe 2612 Amejeljk.exe 2808 Afmonbqk.exe 2548 Aepojo32.exe 2800 Ahokfj32.exe 2964 Bbdocc32.exe 2416 Bagpopmj.exe 2608 Bhahlj32.exe 1652 Blmdlhmp.exe 324 Bhcdaibd.exe 2756 Bloqah32.exe 2864 Bnpmipql.exe 2088 Bdjefj32.exe 1672 Bhfagipa.exe 1240 Bkdmcdoe.exe 1032 Bpafkknm.exe 1612 Bhhnli32.exe 1136 Bkfjhd32.exe 1684 Baqbenep.exe 2900 Bcaomf32.exe 920 Cjlgiqbk.exe 2216 Cngcjo32.exe 2224 Cpeofk32.exe 3016 Ccdlbf32.exe 2340 Cfbhnaho.exe 2668 Cllpkl32.exe 2404 Cphlljge.exe 2656 Cgbdhd32.exe 2552 Clomqk32.exe 2332 Cciemedf.exe 1244 Cfgaiaci.exe 1708 Claifkkf.exe 840 Copfbfjj.exe 1608 Cbnbobin.exe 2116 Cdlnkmha.exe 2616 Chhjkl32.exe 2004 Cobbhfhg.exe -
Loads dropped DLL 64 IoCs
pid Process 2440 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 2440 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 2236 Pphjgfqq.exe 2236 Pphjgfqq.exe 2348 Pipopl32.exe 2348 Pipopl32.exe 2160 Paggai32.exe 2160 Paggai32.exe 2772 Pjpkjond.exe 2772 Pjpkjond.exe 2764 Plahag32.exe 2764 Plahag32.exe 2724 Pfflopdh.exe 2724 Pfflopdh.exe 2584 Piehkkcl.exe 2584 Piehkkcl.exe 2468 Pnbacbac.exe 2468 Pnbacbac.exe 2508 Pelipl32.exe 2508 Pelipl32.exe 812 Ppamme32.exe 812 Ppamme32.exe 328 Pbpjiphi.exe 328 Pbpjiphi.exe 2748 Pijbfj32.exe 2748 Pijbfj32.exe 1372 Qnfjna32.exe 1372 Qnfjna32.exe 2560 Qdccfh32.exe 2560 Qdccfh32.exe 860 Qljkhe32.exe 860 Qljkhe32.exe 320 Qnigda32.exe 320 Qnigda32.exe 1512 Qecoqk32.exe 1512 Qecoqk32.exe 1528 Ahakmf32.exe 1528 Ahakmf32.exe 2452 Ankdiqih.exe 2452 Ankdiqih.exe 1132 Amndem32.exe 1132 Amndem32.exe 1276 Adhlaggp.exe 1276 Adhlaggp.exe 952 Ahchbf32.exe 952 Ahchbf32.exe 1876 Ajbdna32.exe 1876 Ajbdna32.exe 972 Aalmklfi.exe 972 Aalmklfi.exe 1748 Adjigg32.exe 1748 Adjigg32.exe 1764 Abmibdlh.exe 1764 Abmibdlh.exe 2244 Ajdadamj.exe 2244 Ajdadamj.exe 2080 Apajlhka.exe 2080 Apajlhka.exe 2612 Amejeljk.exe 2612 Amejeljk.exe 2808 Afmonbqk.exe 2808 Afmonbqk.exe 2548 Aepojo32.exe 2548 Aepojo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ecmkghcl.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Iamimc32.exe Ilqpdm32.exe File created C:\Windows\SysWOW64\Laegiq32.exe Linphc32.exe File opened for modification C:\Windows\SysWOW64\Pjpkjond.exe Paggai32.exe File opened for modification C:\Windows\SysWOW64\Eloemi32.exe Eiaiqn32.exe File opened for modification C:\Windows\SysWOW64\Globlmmj.exe Fiaeoang.exe File opened for modification C:\Windows\SysWOW64\Lgmcqkkh.exe Lpekon32.exe File opened for modification C:\Windows\SysWOW64\Cfnmfn32.exe Bonoflae.exe File created C:\Windows\SysWOW64\Aejonffm.dll Gblifo32.exe File created C:\Windows\SysWOW64\Qabkpdke.dll Ehjona32.exe File created C:\Windows\SysWOW64\Nondgn32.exe Nlphkb32.exe File created C:\Windows\SysWOW64\Dliijipn.exe Djklnnaj.exe File created C:\Windows\SysWOW64\Ccigfn32.exe Cddjebgb.exe File created C:\Windows\SysWOW64\Akainj32.dll Jcjnfdbp.exe File created C:\Windows\SysWOW64\Poeofkoh.dll Jofejpmc.exe File created C:\Windows\SysWOW64\Kneicieh.exe Kgkafo32.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Kgnnln32.exe File created C:\Windows\SysWOW64\Ajjmcaea.dll Afohaa32.exe File opened for modification C:\Windows\SysWOW64\Cadjgf32.exe Ciifbchf.exe File opened for modification C:\Windows\SysWOW64\Qdccfh32.exe Qnfjna32.exe File opened for modification C:\Windows\SysWOW64\Poocpnbm.exe Pmagdbci.exe File created C:\Windows\SysWOW64\Ggmalk32.dll Ebgclm32.exe File created C:\Windows\SysWOW64\Ciifbchf.exe Bfkifhib.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Amndem32.exe File created C:\Windows\SysWOW64\Bkfjhd32.exe Bhhnli32.exe File created C:\Windows\SysWOW64\Ogdafiei.dll Ppbfpd32.exe File created C:\Windows\SysWOW64\Mclcijfd.exe Mnojacgm.exe File created C:\Windows\SysWOW64\Fabnbook.dll Ajdadamj.exe File created C:\Windows\SysWOW64\Cfiini32.dll Mgqcmlgl.exe File created C:\Windows\SysWOW64\Ohfeog32.exe Ofhick32.exe File opened for modification C:\Windows\SysWOW64\Gnmgmbhb.exe Gffoldhp.exe File opened for modification C:\Windows\SysWOW64\Odeiibdq.exe Ocdmaj32.exe File created C:\Windows\SysWOW64\Jliohkak.exe Jjjclobg.exe File created C:\Windows\SysWOW64\Nfghdcfj.exe Ndhlhg32.exe File created C:\Windows\SysWOW64\Qnigda32.exe Qljkhe32.exe File created C:\Windows\SysWOW64\Hdhbam32.exe Hlakpp32.exe File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe Hodpgjha.exe File created C:\Windows\SysWOW64\Pmdoik32.dll Ecmkghcl.exe File created C:\Windows\SysWOW64\Flabbihl.exe Fckjalhj.exe File created C:\Windows\SysWOW64\Pogclp32.exe Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Lmgocb32.exe Lfmffhde.exe File opened for modification C:\Windows\SysWOW64\Fqomci32.exe Fnqqgm32.exe File created C:\Windows\SysWOW64\Lkihjf32.dll Mlpneh32.exe File created C:\Windows\SysWOW64\Bjdmohgl.dll Lcojjmea.exe File created C:\Windows\SysWOW64\Cohkpj32.exe Cikbhc32.exe File created C:\Windows\SysWOW64\Hqbbglbj.dll Kcmcoblm.exe File created C:\Windows\SysWOW64\Fqomci32.exe Fnqqgm32.exe File created C:\Windows\SysWOW64\Nlbodgap.dll Cbnbobin.exe File created C:\Windows\SysWOW64\Dflkdp32.exe Cndbcc32.exe File created C:\Windows\SysWOW64\Pnjdhmdo.exe Pogclp32.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pgioaa32.exe File created C:\Windows\SysWOW64\Jnffgd32.exe Ileiplhn.exe File opened for modification C:\Windows\SysWOW64\Jbgkcb32.exe Jqgoiokm.exe File opened for modification C:\Windows\SysWOW64\Mpmapm32.exe Mlaeonld.exe File created C:\Windows\SysWOW64\Hcabof32.dll Inafbooe.exe File opened for modification C:\Windows\SysWOW64\Caidaeak.exe Ckolek32.exe File created C:\Windows\SysWOW64\Kjihalag.exe Kcmcoblm.exe File created C:\Windows\SysWOW64\Peanbblf.exe Plijimee.exe File opened for modification C:\Windows\SysWOW64\Ajbdna32.exe Ahchbf32.exe File opened for modification C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File opened for modification C:\Windows\SysWOW64\Iqmcpahh.exe Iokfhi32.exe File opened for modification C:\Windows\SysWOW64\Qjjgclai.exe Qbcpbo32.exe File created C:\Windows\SysWOW64\Mjapln32.dll Hmbpmapf.exe File created C:\Windows\SysWOW64\Eodnebpd.exe Eobapbbg.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnpmipql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amhpnkch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll" Qgmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmjnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdkcckg.dll" Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll" Ceaadk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohendqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgipm32.dll" Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpblho32.dll" Plijimee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qgmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mieeibkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Candgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbjlaplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elooehob.dll" Kbgjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjlgm32.dll" Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hajinjff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iecdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmikj32.dll" Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibddljof.dll" Lcfqkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihbqdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhlddkmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okanklik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhciimap.dll" Hjqqap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ookmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aojojl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpmcielb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibcni32.dll" Qdccfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeejnlhc.dll" Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgmalg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aigmnqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijdkh32.dll" Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nncdpa32.dll" Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amndem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fajplnhf.dll" Anolkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bagkmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kqqboncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Annbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll" Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbmcbbki.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 584 chrome.exe 584 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe Token: SeShutdownPrivilege 584 chrome.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe 584 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2236 2440 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 2236 2440 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 2236 2440 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 2236 2440 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 28 PID 2236 wrote to memory of 2348 2236 Pphjgfqq.exe 29 PID 2236 wrote to memory of 2348 2236 Pphjgfqq.exe 29 PID 2236 wrote to memory of 2348 2236 Pphjgfqq.exe 29 PID 2236 wrote to memory of 2348 2236 Pphjgfqq.exe 29 PID 2348 wrote to memory of 2160 2348 Pipopl32.exe 30 PID 2348 wrote to memory of 2160 2348 Pipopl32.exe 30 PID 2348 wrote to memory of 2160 2348 Pipopl32.exe 30 PID 2348 wrote to memory of 2160 2348 Pipopl32.exe 30 PID 2160 wrote to memory of 2772 2160 Paggai32.exe 31 PID 2160 wrote to memory of 2772 2160 Paggai32.exe 31 PID 2160 wrote to memory of 2772 2160 Paggai32.exe 31 PID 2160 wrote to memory of 2772 2160 Paggai32.exe 31 PID 2772 wrote to memory of 2764 2772 Pjpkjond.exe 32 PID 2772 wrote to memory of 2764 2772 Pjpkjond.exe 32 PID 2772 wrote to memory of 2764 2772 Pjpkjond.exe 32 PID 2772 wrote to memory of 2764 2772 Pjpkjond.exe 32 PID 2764 wrote to memory of 2724 2764 Plahag32.exe 33 PID 2764 wrote to memory of 2724 2764 Plahag32.exe 33 PID 2764 wrote to memory of 2724 2764 Plahag32.exe 33 PID 2764 wrote to memory of 2724 2764 Plahag32.exe 33 PID 2724 wrote to memory of 2584 2724 Pfflopdh.exe 34 PID 2724 wrote to memory of 2584 2724 Pfflopdh.exe 34 PID 2724 wrote to memory of 2584 2724 Pfflopdh.exe 34 PID 2724 wrote to memory of 2584 2724 Pfflopdh.exe 34 PID 2584 wrote to memory of 2468 2584 Piehkkcl.exe 35 PID 2584 wrote to memory of 2468 2584 Piehkkcl.exe 35 PID 2584 wrote to memory of 2468 2584 Piehkkcl.exe 35 PID 2584 wrote to memory of 2468 2584 Piehkkcl.exe 35 PID 2468 wrote to memory of 2508 2468 Pnbacbac.exe 36 PID 2468 wrote to memory of 2508 2468 Pnbacbac.exe 36 PID 2468 wrote to memory of 2508 2468 Pnbacbac.exe 36 PID 2468 wrote to memory of 2508 2468 Pnbacbac.exe 36 PID 2508 wrote to memory of 812 2508 Pelipl32.exe 37 PID 2508 wrote to memory of 812 2508 Pelipl32.exe 37 PID 2508 wrote to memory of 812 2508 Pelipl32.exe 37 PID 2508 wrote to memory of 812 2508 Pelipl32.exe 37 PID 812 wrote to memory of 328 812 Ppamme32.exe 38 PID 812 wrote to memory of 328 812 Ppamme32.exe 38 PID 812 wrote to memory of 328 812 Ppamme32.exe 38 PID 812 wrote to memory of 328 812 Ppamme32.exe 38 PID 328 wrote to memory of 2748 328 Pbpjiphi.exe 39 PID 328 wrote to memory of 2748 328 Pbpjiphi.exe 39 PID 328 wrote to memory of 2748 328 Pbpjiphi.exe 39 PID 328 wrote to memory of 2748 328 Pbpjiphi.exe 39 PID 2748 wrote to memory of 1372 2748 Pijbfj32.exe 40 PID 2748 wrote to memory of 1372 2748 Pijbfj32.exe 40 PID 2748 wrote to memory of 1372 2748 Pijbfj32.exe 40 PID 2748 wrote to memory of 1372 2748 Pijbfj32.exe 40 PID 1372 wrote to memory of 2560 1372 Qnfjna32.exe 41 PID 1372 wrote to memory of 2560 1372 Qnfjna32.exe 41 PID 1372 wrote to memory of 2560 1372 Qnfjna32.exe 41 PID 1372 wrote to memory of 2560 1372 Qnfjna32.exe 41 PID 2560 wrote to memory of 860 2560 Qdccfh32.exe 42 PID 2560 wrote to memory of 860 2560 Qdccfh32.exe 42 PID 2560 wrote to memory of 860 2560 Qdccfh32.exe 42 PID 2560 wrote to memory of 860 2560 Qdccfh32.exe 42 PID 860 wrote to memory of 320 860 Qljkhe32.exe 43 PID 860 wrote to memory of 320 860 Qljkhe32.exe 43 PID 860 wrote to memory of 320 860 Qljkhe32.exe 43 PID 860 wrote to memory of 320 860 Qljkhe32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe33⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe34⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe35⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe37⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe38⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe39⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe41⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe42⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe43⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe44⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe46⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe47⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe48⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe49⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe50⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe52⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe53⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe55⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe56⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe57⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe58⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe59⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe60⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe61⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe64⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe65⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe66⤵
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe67⤵PID:592
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe68⤵PID:2084
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe69⤵PID:828
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe70⤵PID:2476
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe71⤵PID:2408
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe72⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe73⤵PID:1092
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe74⤵PID:1540
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe75⤵PID:2676
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe76⤵PID:2796
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1212 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe78⤵PID:2592
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe79⤵PID:1196
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe80⤵PID:2020
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe81⤵PID:768
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe82⤵PID:2156
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe83⤵PID:1716
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe84⤵PID:1500
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe85⤵
- Drops file in System32 directory
PID:476 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe86⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe87⤵PID:1304
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe88⤵PID:1308
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe89⤵PID:1784
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe90⤵PID:2064
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe91⤵PID:2644
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe92⤵PID:3056
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe93⤵PID:2024
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe94⤵PID:2960
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe95⤵PID:2192
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe96⤵PID:1696
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe97⤵PID:2108
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe99⤵PID:680
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe100⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe101⤵PID:1340
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe102⤵PID:636
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe103⤵PID:1860
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe104⤵PID:2776
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe105⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe106⤵PID:2520
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe107⤵PID:2588
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe108⤵PID:2868
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe110⤵PID:568
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe111⤵PID:1384
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe112⤵PID:1108
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe113⤵PID:1064
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe114⤵PID:1632
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe115⤵PID:1296
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe116⤵PID:2788
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe117⤵PID:2540
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe118⤵PID:2556
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe120⤵PID:1532
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe121⤵PID:1144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-