Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 17:41
Static task
static1
Behavioral task
behavioral1
Sample
03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe
-
Size
163KB
-
MD5
03031f397f738a3d2cc5913a779d3180
-
SHA1
c33922af94b306758eac55a88d3466a674acf5a6
-
SHA256
2dcbdb88747abde3b15b219ae809103e11c86fef9df3b5ea7dc6455630cabbd8
-
SHA512
eb0fb8b5b4374503277904e0d6d34fadbd9bef37f6019ac1f1ad5bbc752844449d44dc8987cdc4b05f561038f453cc246f83e6aae34d2709513db51d58e42d79
-
SSDEEP
1536:PH1X7qbU83+MO0JpVQIBj0oDa0IVK6JEkoTlProNVU4qNVUrk/9QbfBr+7GwKrPb:teVX3j0oDaNVK2B6ltOrWKDBr+yJb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fbdqmghm.exeMlmlecec.exeObcccl32.exePnomcl32.exeAmfcikek.exeOopnlacm.exeAaobdjof.exeGbijhg32.exeKbqecg32.exeNaajoinb.exeNceclqan.exeOfelmloo.exeBfcampgf.exeHjhhocjj.exeNgnbgplj.exeAdpkee32.exeJiakjb32.exeKmopod32.exeBpiipf32.exeCafecmlj.exeMeccii32.exePikkiijf.exeGphmeo32.exeOcnfbo32.exeBioqclil.exeBaakhm32.exeMihiih32.exeMoiklogi.exePflomnkb.exeAoepcn32.exeDglpbbbg.exeLflmci32.exeMdpjlajk.exeQbelgood.exeAnafhopc.exeCoelaaoi.exeEchfaf32.exeKgbggnhc.exeBpnbkeld.exeIdfbkq32.exeKpmlkp32.exeAhikqd32.exeBghjhp32.exeCgcmlcja.exeCdlgpgef.exeOjfaijcc.exeQabcjgkh.exeDccagcgk.exeDdigjkid.exeDkcofe32.exeGaqcoc32.exeNialog32.exeCghggc32.exeDjhphncm.exeDbfabp32.exeFacdeo32.exeCjfccn32.exeHlcgeo32.exeAibajhdn.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obcccl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnomcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oopnlacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nceclqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofelmloo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiakjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meccii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikkiijf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnfbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglpbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflmci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anafhopc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Echfaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbggnhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anafhopc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfbkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghjhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmlcja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlgpgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddigjkid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcofe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facdeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aibajhdn.exe -
Executes dropped EXE 64 IoCs
Processes:
Fmekoalh.exeFacdeo32.exeFbdqmghm.exeFddmgjpo.exeFiaeoang.exeGonnhhln.exeGbijhg32.exeGbkgnfbd.exeGhhofmql.exeGaqcoc32.exeGlfhll32.exeGacpdbej.exeGkkemh32.exeGphmeo32.exeHiqbndpb.exeHcifgjgc.exeHnojdcfi.exeHpmgqnfl.exeHiekid32.exeHlcgeo32.exeHjhhocjj.exeHlfdkoin.exeHjjddchg.exeHogmmjfo.exeIdceea32.exeIknnbklc.exeInljnfkg.exeIdfbkq32.exeIajcde32.exeIkbgmj32.exeIblpjdpk.exeIjgdngmf.exeImfqjbli.exeIdmhkpml.exeJnemdecl.exeJqdipqbp.exeJfqahgpg.exeJiakjb32.exeJkpgfn32.exeJehkodcm.exeJicgpb32.exeJnqphi32.exeJoplbl32.exeJnclnihj.exeKgkafo32.exeKjjmbj32.exeKbqecg32.exeKeoapb32.exeKcbakpdo.exeKjljhjkl.exeKmjfdejp.exeKeanebkb.exeKgpjanje.exeKjnfniii.exeKmmcjehm.exeKahojc32.exeKgbggnhc.exeKfegbj32.exeKmopod32.exeKpmlkp32.exeKfgdhjmk.exeKjcpii32.exeLldlqakb.exeLbnemk32.exepid process 2216 Fmekoalh.exe 2344 Facdeo32.exe 2808 Fbdqmghm.exe 2820 Fddmgjpo.exe 2544 Fiaeoang.exe 2524 Gonnhhln.exe 2992 Gbijhg32.exe 352 Gbkgnfbd.exe 2756 Ghhofmql.exe 1940 Gaqcoc32.exe 1976 Glfhll32.exe 1968 Gacpdbej.exe 320 Gkkemh32.exe 1260 Gphmeo32.exe 1544 Hiqbndpb.exe 2360 Hcifgjgc.exe 2148 Hnojdcfi.exe 964 Hpmgqnfl.exe 540 Hiekid32.exe 2132 Hlcgeo32.exe 3024 Hjhhocjj.exe 1732 Hlfdkoin.exe 376 Hjjddchg.exe 2124 Hogmmjfo.exe 2024 Idceea32.exe 1328 Iknnbklc.exe 2864 Inljnfkg.exe 2804 Idfbkq32.exe 2840 Iajcde32.exe 2724 Ikbgmj32.exe 2444 Iblpjdpk.exe 2976 Ijgdngmf.exe 2984 Imfqjbli.exe 1636 Idmhkpml.exe 2720 Jnemdecl.exe 2456 Jqdipqbp.exe 776 Jfqahgpg.exe 2000 Jiakjb32.exe 688 Jkpgfn32.exe 2440 Jehkodcm.exe 1616 Jicgpb32.exe 2340 Jnqphi32.exe 2052 Joplbl32.exe 1728 Jnclnihj.exe 1256 Kgkafo32.exe 1548 Kjjmbj32.exe 1028 Kbqecg32.exe 1932 Keoapb32.exe 1188 Kcbakpdo.exe 1720 Kjljhjkl.exe 1572 Kmjfdejp.exe 3068 Keanebkb.exe 2628 Kgpjanje.exe 2908 Kjnfniii.exe 2636 Kmmcjehm.exe 2988 Kahojc32.exe 2532 Kgbggnhc.exe 2540 Kfegbj32.exe 856 Kmopod32.exe 2016 Kpmlkp32.exe 824 Kfgdhjmk.exe 1140 Kjcpii32.exe 2760 Lldlqakb.exe 788 Lbnemk32.exe -
Loads dropped DLL 64 IoCs
Processes:
03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exeFmekoalh.exeFacdeo32.exeFbdqmghm.exeFddmgjpo.exeFiaeoang.exeGonnhhln.exeGbijhg32.exeGbkgnfbd.exeGhhofmql.exeGaqcoc32.exeGlfhll32.exeGacpdbej.exeGkkemh32.exeGphmeo32.exeHiqbndpb.exeHcifgjgc.exeHnojdcfi.exeHpmgqnfl.exeHiekid32.exeHlcgeo32.exeHjhhocjj.exeHlfdkoin.exeHjjddchg.exeHogmmjfo.exeIdceea32.exeIknnbklc.exeInljnfkg.exeIdfbkq32.exeIajcde32.exeIkbgmj32.exeIblpjdpk.exepid process 2020 03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe 2020 03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe 2216 Fmekoalh.exe 2216 Fmekoalh.exe 2344 Facdeo32.exe 2344 Facdeo32.exe 2808 Fbdqmghm.exe 2808 Fbdqmghm.exe 2820 Fddmgjpo.exe 2820 Fddmgjpo.exe 2544 Fiaeoang.exe 2544 Fiaeoang.exe 2524 Gonnhhln.exe 2524 Gonnhhln.exe 2992 Gbijhg32.exe 2992 Gbijhg32.exe 352 Gbkgnfbd.exe 352 Gbkgnfbd.exe 2756 Ghhofmql.exe 2756 Ghhofmql.exe 1940 Gaqcoc32.exe 1940 Gaqcoc32.exe 1976 Glfhll32.exe 1976 Glfhll32.exe 1968 Gacpdbej.exe 1968 Gacpdbej.exe 320 Gkkemh32.exe 320 Gkkemh32.exe 1260 Gphmeo32.exe 1260 Gphmeo32.exe 1544 Hiqbndpb.exe 1544 Hiqbndpb.exe 2360 Hcifgjgc.exe 2360 Hcifgjgc.exe 2148 Hnojdcfi.exe 2148 Hnojdcfi.exe 964 Hpmgqnfl.exe 964 Hpmgqnfl.exe 540 Hiekid32.exe 540 Hiekid32.exe 2132 Hlcgeo32.exe 2132 Hlcgeo32.exe 3024 Hjhhocjj.exe 3024 Hjhhocjj.exe 1732 Hlfdkoin.exe 1732 Hlfdkoin.exe 376 Hjjddchg.exe 376 Hjjddchg.exe 2124 Hogmmjfo.exe 2124 Hogmmjfo.exe 2024 Idceea32.exe 2024 Idceea32.exe 1328 Iknnbklc.exe 1328 Iknnbklc.exe 2864 Inljnfkg.exe 2864 Inljnfkg.exe 2804 Idfbkq32.exe 2804 Idfbkq32.exe 2840 Iajcde32.exe 2840 Iajcde32.exe 2724 Ikbgmj32.exe 2724 Ikbgmj32.exe 2444 Iblpjdpk.exe 2444 Iblpjdpk.exe -
Drops file in System32 directory 64 IoCs
Processes:
Effcma32.exeGkkemh32.exeKmjfdejp.exeLkppbl32.exeMhgmapfi.exePbhmnkjf.exeCpnojioo.exeIblpjdpk.exeKgkafo32.exePflomnkb.exeBaakhm32.exePcnbablo.exeAjhgmpfg.exeKcbakpdo.exeLihmjejl.exeJicgpb32.exeMijfnh32.exeQabcjgkh.exeEjhlgaeh.exeIknnbklc.exeCnmehnan.exeDolnad32.exeJiakjb32.exeAdpkee32.exeBioqclil.exeLlkbap32.exeOhibdf32.exeImfqjbli.exeKbqecg32.exeAlbjlcao.exeNlphkb32.exeEmieil32.exeInljnfkg.exeIdmhkpml.exeDccagcgk.exeJqdipqbp.exeOcgpappk.exeAaobdjof.exeEojnkg32.exeAhikqd32.exeHcifgjgc.exeNaoniipe.exeQedhdjnh.exeBiicik32.exeChnqkg32.exeGhhofmql.exeJoplbl32.exeCnobnmpl.exeFbdqmghm.exeLbqabkql.exeMmhodf32.exeIdceea32.exeDbfabp32.exeBifgdk32.exeGlfhll32.exePeiepfgg.exeCohigamf.exedescription ioc process File created C:\Windows\SysWOW64\Fmpkjkma.exe Effcma32.exe File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe Gkkemh32.exe File created C:\Windows\SysWOW64\Keanebkb.exe Kmjfdejp.exe File created C:\Windows\SysWOW64\Lmolnh32.exe Lkppbl32.exe File opened for modification C:\Windows\SysWOW64\Mihiih32.exe Mhgmapfi.exe File created C:\Windows\SysWOW64\Pqkmjh32.exe Pbhmnkjf.exe File opened for modification C:\Windows\SysWOW64\Cdikkg32.exe Cpnojioo.exe File created C:\Windows\SysWOW64\Fpffnl32.dll Iblpjdpk.exe File created C:\Windows\SysWOW64\Kjjmbj32.exe Kgkafo32.exe File created C:\Windows\SysWOW64\Ijgdngmf.exe Iblpjdpk.exe File created C:\Windows\SysWOW64\Pikkiijf.exe Pflomnkb.exe File created C:\Windows\SysWOW64\Biicik32.exe Baakhm32.exe File created C:\Windows\SysWOW64\Pflomnkb.exe Pcnbablo.exe File opened for modification C:\Windows\SysWOW64\Amfcikek.exe Ajhgmpfg.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Kcbakpdo.exe File created C:\Windows\SysWOW64\Aagancdj.dll Lihmjejl.exe File created C:\Windows\SysWOW64\Ikbkhq32.dll Jicgpb32.exe File created C:\Windows\SysWOW64\Delpclld.dll Mijfnh32.exe File created C:\Windows\SysWOW64\Qcpofbjl.exe Qabcjgkh.exe File created C:\Windows\SysWOW64\Endhhp32.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Gphmeo32.exe Gkkemh32.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Iknnbklc.exe File created C:\Windows\SysWOW64\Cdgneh32.exe Cnmehnan.exe File opened for modification C:\Windows\SysWOW64\Dbkknojp.exe Dolnad32.exe File opened for modification C:\Windows\SysWOW64\Jkpgfn32.exe Jiakjb32.exe File opened for modification C:\Windows\SysWOW64\Ahlgfdeq.exe Adpkee32.exe File opened for modification C:\Windows\SysWOW64\Bafidiio.exe Bioqclil.exe File created C:\Windows\SysWOW64\Lojomkdn.exe Llkbap32.exe File opened for modification C:\Windows\SysWOW64\Omdneebf.exe Ohibdf32.exe File created C:\Windows\SysWOW64\Idmhkpml.exe Imfqjbli.exe File opened for modification C:\Windows\SysWOW64\Keoapb32.exe Kbqecg32.exe File created C:\Windows\SysWOW64\Ecfhengk.dll Pcnbablo.exe File created C:\Windows\SysWOW64\Gjchig32.dll Albjlcao.exe File created C:\Windows\SysWOW64\Mdkjlm32.dll Nlphkb32.exe File created C:\Windows\SysWOW64\Eccmffjf.exe Emieil32.exe File opened for modification C:\Windows\SysWOW64\Idfbkq32.exe Inljnfkg.exe File created C:\Windows\SysWOW64\Dhcebp32.dll Idmhkpml.exe File created C:\Windows\SysWOW64\Ecdjal32.dll Dccagcgk.exe File created C:\Windows\SysWOW64\Jfqahgpg.exe Jqdipqbp.exe File created C:\Windows\SysWOW64\Ofelmloo.exe Ocgpappk.exe File created C:\Windows\SysWOW64\Fikjha32.dll Aaobdjof.exe File opened for modification C:\Windows\SysWOW64\Ecejkf32.exe Eojnkg32.exe File created C:\Windows\SysWOW64\Ajhgmpfg.exe Ahikqd32.exe File created C:\Windows\SysWOW64\Ecejkf32.exe Eojnkg32.exe File created C:\Windows\SysWOW64\Odpegjpg.dll Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Ndmjedoi.exe Naoniipe.exe File created C:\Windows\SysWOW64\Amkpegnj.exe Qedhdjnh.exe File opened for modification C:\Windows\SysWOW64\Aekodi32.exe Aaobdjof.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Biicik32.exe File opened for modification C:\Windows\SysWOW64\Cohigamf.exe Chnqkg32.exe File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Jnclnihj.exe Joplbl32.exe File created C:\Windows\SysWOW64\Bpooed32.dll Biicik32.exe File created C:\Windows\SysWOW64\Elgkkpon.dll Cnobnmpl.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Fbdqmghm.exe File created C:\Windows\SysWOW64\Lflmci32.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Ofbjgh32.dll Mmhodf32.exe File created C:\Windows\SysWOW64\Fndldonj.dll Ghhofmql.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Idceea32.exe File opened for modification C:\Windows\SysWOW64\Dhpiojfb.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Bldcpf32.exe Bifgdk32.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe Glfhll32.exe File created C:\Windows\SysWOW64\Pggbla32.exe Peiepfgg.exe File created C:\Windows\SysWOW64\Cfgnhbba.dll Cohigamf.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3624 3612 WerFault.exe Fkckeh32.exe -
Modifies registry class 64 IoCs
Processes:
Cafecmlj.exeDoehqead.exeDpeekh32.exeDccagcgk.exeEgllae32.exeNgpolo32.exePcnbablo.exeAadloj32.exeDojald32.exePedleg32.exeAnojbobe.exeAoepcn32.exeKgpjanje.exeMlibjc32.exeMoiklogi.exeBldcpf32.exeCnobnmpl.exeDglpbbbg.exeMmahdggc.exePbhmnkjf.exePqkmjh32.exeEccmffjf.exeGlfhll32.exeKeoapb32.exeCnmehnan.exeDdigjkid.exeIajcde32.exePikkiijf.exeQbelgood.exe03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exeNlbeqb32.exeDhpiojfb.exeFddmgjpo.exeAlbjlcao.exeOddpfc32.exePgbhabjp.exeKjjmbj32.exeMlmlecec.exeCghggc32.exeFiaeoang.exeIdfbkq32.exeLefdpe32.exeNkgbbo32.exeQedhdjnh.exeImfqjbli.exeKcbakpdo.exeLbeknj32.exeAidnohbk.exeHnojdcfi.exeLecgje32.exePflomnkb.exeFbdqmghm.exeHpmgqnfl.exeAnafhopc.exeBlgpef32.exeMihiih32.exeBifgdk32.exeCddaphkn.exeEjmebq32.exeFacdeo32.exeInljnfkg.exeEndhhp32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cafecmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll" Dpeekh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dccagcgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneloe32.dll" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnbablo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpkof32.dll" Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdbcl32.dll" Aoepcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhmj32.dll" Moiklogi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eccmffjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keoapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll" Cnmehnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amaipodm.dll" Pikkiijf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkhilpb.dll" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll" Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndcpj32.dll" Pgbhabjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjjmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehllae32.dll" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijmee32.dll" Nkgbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imfqjbli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minceo32.dll" Lbeknj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleofcd.dll" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekkdc32.dll" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" Ejmebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inljnfkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Endhhp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exeFmekoalh.exeFacdeo32.exeFbdqmghm.exeFddmgjpo.exeFiaeoang.exeGonnhhln.exeGbijhg32.exeGbkgnfbd.exeGhhofmql.exeGaqcoc32.exeGlfhll32.exeGacpdbej.exeGkkemh32.exeGphmeo32.exeHiqbndpb.exedescription pid process target process PID 2020 wrote to memory of 2216 2020 03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe Fmekoalh.exe PID 2020 wrote to memory of 2216 2020 03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe Fmekoalh.exe PID 2020 wrote to memory of 2216 2020 03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe Fmekoalh.exe PID 2020 wrote to memory of 2216 2020 03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe Fmekoalh.exe PID 2216 wrote to memory of 2344 2216 Fmekoalh.exe Facdeo32.exe PID 2216 wrote to memory of 2344 2216 Fmekoalh.exe Facdeo32.exe PID 2216 wrote to memory of 2344 2216 Fmekoalh.exe Facdeo32.exe PID 2216 wrote to memory of 2344 2216 Fmekoalh.exe Facdeo32.exe PID 2344 wrote to memory of 2808 2344 Facdeo32.exe Fbdqmghm.exe PID 2344 wrote to memory of 2808 2344 Facdeo32.exe Fbdqmghm.exe PID 2344 wrote to memory of 2808 2344 Facdeo32.exe Fbdqmghm.exe PID 2344 wrote to memory of 2808 2344 Facdeo32.exe Fbdqmghm.exe PID 2808 wrote to memory of 2820 2808 Fbdqmghm.exe Fddmgjpo.exe PID 2808 wrote to memory of 2820 2808 Fbdqmghm.exe Fddmgjpo.exe PID 2808 wrote to memory of 2820 2808 Fbdqmghm.exe Fddmgjpo.exe PID 2808 wrote to memory of 2820 2808 Fbdqmghm.exe Fddmgjpo.exe PID 2820 wrote to memory of 2544 2820 Fddmgjpo.exe Fiaeoang.exe PID 2820 wrote to memory of 2544 2820 Fddmgjpo.exe Fiaeoang.exe PID 2820 wrote to memory of 2544 2820 Fddmgjpo.exe Fiaeoang.exe PID 2820 wrote to memory of 2544 2820 Fddmgjpo.exe Fiaeoang.exe PID 2544 wrote to memory of 2524 2544 Fiaeoang.exe Gonnhhln.exe PID 2544 wrote to memory of 2524 2544 Fiaeoang.exe Gonnhhln.exe PID 2544 wrote to memory of 2524 2544 Fiaeoang.exe Gonnhhln.exe PID 2544 wrote to memory of 2524 2544 Fiaeoang.exe Gonnhhln.exe PID 2524 wrote to memory of 2992 2524 Gonnhhln.exe Gbijhg32.exe PID 2524 wrote to memory of 2992 2524 Gonnhhln.exe Gbijhg32.exe PID 2524 wrote to memory of 2992 2524 Gonnhhln.exe Gbijhg32.exe PID 2524 wrote to memory of 2992 2524 Gonnhhln.exe Gbijhg32.exe PID 2992 wrote to memory of 352 2992 Gbijhg32.exe Gbkgnfbd.exe PID 2992 wrote to memory of 352 2992 Gbijhg32.exe Gbkgnfbd.exe PID 2992 wrote to memory of 352 2992 Gbijhg32.exe Gbkgnfbd.exe PID 2992 wrote to memory of 352 2992 Gbijhg32.exe Gbkgnfbd.exe PID 352 wrote to memory of 2756 352 Gbkgnfbd.exe Ghhofmql.exe PID 352 wrote to memory of 2756 352 Gbkgnfbd.exe Ghhofmql.exe PID 352 wrote to memory of 2756 352 Gbkgnfbd.exe Ghhofmql.exe PID 352 wrote to memory of 2756 352 Gbkgnfbd.exe Ghhofmql.exe PID 2756 wrote to memory of 1940 2756 Ghhofmql.exe Gaqcoc32.exe PID 2756 wrote to memory of 1940 2756 Ghhofmql.exe Gaqcoc32.exe PID 2756 wrote to memory of 1940 2756 Ghhofmql.exe Gaqcoc32.exe PID 2756 wrote to memory of 1940 2756 Ghhofmql.exe Gaqcoc32.exe PID 1940 wrote to memory of 1976 1940 Gaqcoc32.exe Glfhll32.exe PID 1940 wrote to memory of 1976 1940 Gaqcoc32.exe Glfhll32.exe PID 1940 wrote to memory of 1976 1940 Gaqcoc32.exe Glfhll32.exe PID 1940 wrote to memory of 1976 1940 Gaqcoc32.exe Glfhll32.exe PID 1976 wrote to memory of 1968 1976 Glfhll32.exe Gacpdbej.exe PID 1976 wrote to memory of 1968 1976 Glfhll32.exe Gacpdbej.exe PID 1976 wrote to memory of 1968 1976 Glfhll32.exe Gacpdbej.exe PID 1976 wrote to memory of 1968 1976 Glfhll32.exe Gacpdbej.exe PID 1968 wrote to memory of 320 1968 Gacpdbej.exe Gkkemh32.exe PID 1968 wrote to memory of 320 1968 Gacpdbej.exe Gkkemh32.exe PID 1968 wrote to memory of 320 1968 Gacpdbej.exe Gkkemh32.exe PID 1968 wrote to memory of 320 1968 Gacpdbej.exe Gkkemh32.exe PID 320 wrote to memory of 1260 320 Gkkemh32.exe Gphmeo32.exe PID 320 wrote to memory of 1260 320 Gkkemh32.exe Gphmeo32.exe PID 320 wrote to memory of 1260 320 Gkkemh32.exe Gphmeo32.exe PID 320 wrote to memory of 1260 320 Gkkemh32.exe Gphmeo32.exe PID 1260 wrote to memory of 1544 1260 Gphmeo32.exe Hiqbndpb.exe PID 1260 wrote to memory of 1544 1260 Gphmeo32.exe Hiqbndpb.exe PID 1260 wrote to memory of 1544 1260 Gphmeo32.exe Hiqbndpb.exe PID 1260 wrote to memory of 1544 1260 Gphmeo32.exe Hiqbndpb.exe PID 1544 wrote to memory of 2360 1544 Hiqbndpb.exe Hcifgjgc.exe PID 1544 wrote to memory of 2360 1544 Hiqbndpb.exe Hcifgjgc.exe PID 1544 wrote to memory of 2360 1544 Hiqbndpb.exe Hcifgjgc.exe PID 1544 wrote to memory of 2360 1544 Hiqbndpb.exe Hcifgjgc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\03031f397f738a3d2cc5913a779d3180_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe33⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe36⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe38⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe40⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe41⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe43⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe45⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe51⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe53⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe55⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe57⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe59⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe62⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe63⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe64⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe65⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe66⤵PID:2432
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe67⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe68⤵PID:3060
-
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe69⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:656 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe71⤵PID:1776
-
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe72⤵PID:2080
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe73⤵PID:2180
-
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe74⤵PID:3020
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe75⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe76⤵PID:2876
-
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe77⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe78⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe79⤵PID:2196
-
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe80⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe81⤵PID:1676
-
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe82⤵
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe83⤵PID:2708
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe84⤵PID:2028
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe85⤵
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe86⤵PID:2388
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe87⤵
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe89⤵PID:3044
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe90⤵PID:2660
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe91⤵PID:1804
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe92⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe93⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe95⤵PID:2856
-
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe96⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe97⤵PID:2188
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe100⤵PID:1716
-
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe102⤵PID:1708
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe103⤵PID:2528
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe105⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe106⤵PID:2588
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe107⤵PID:1580
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe108⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe109⤵PID:1884
-
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe110⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe111⤵PID:644
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe112⤵PID:2116
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe113⤵
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe114⤵PID:1148
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe116⤵PID:2008
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe118⤵PID:1596
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe120⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe121⤵PID:1684
-
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe122⤵PID:2748
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe123⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe124⤵
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe126⤵PID:2956
-
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe127⤵PID:2332
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe128⤵PID:1496
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe129⤵PID:1648
-
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe130⤵PID:1980
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe131⤵PID:1588
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe133⤵PID:2776
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe135⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe136⤵PID:2232
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe138⤵PID:2368
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe139⤵PID:2732
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe140⤵PID:2304
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe141⤵PID:2924
-
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe143⤵PID:2904
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe144⤵PID:2664
-
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe145⤵PID:2352
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe146⤵PID:892
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe147⤵PID:592
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe148⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe149⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe150⤵PID:1836
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe151⤵
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe152⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe153⤵PID:2520
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe154⤵PID:1812
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe156⤵PID:1100
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe157⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe158⤵PID:2752
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe159⤵PID:1772
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe160⤵PID:2832
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe161⤵PID:2580
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe162⤵
- Drops file in System32 directory
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe166⤵PID:2632
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe167⤵PID:780
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe168⤵PID:2248
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe169⤵PID:2996
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe170⤵PID:2800
-
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe172⤵
- Drops file in System32 directory
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe173⤵PID:2960
-
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe174⤵PID:2548
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe175⤵PID:1352
-
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe176⤵PID:1792
-
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe178⤵PID:3064
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe179⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe180⤵PID:2256
-
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe181⤵PID:2688
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe182⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe183⤵
- Drops file in System32 directory
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe186⤵PID:2780
-
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3108 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe188⤵
- Drops file in System32 directory
PID:3148 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3188 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe190⤵PID:3228
-
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe192⤵PID:3308
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe193⤵PID:3348
-
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe195⤵
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3468 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe197⤵PID:3508
-
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3548 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3588 -
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe200⤵PID:3628
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe201⤵PID:3668
-
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe202⤵PID:3708
-
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe203⤵PID:3748
-
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe204⤵PID:3788
-
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe205⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3828 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe206⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3868 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe207⤵
- Drops file in System32 directory
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe208⤵
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe209⤵PID:3988
-
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe211⤵
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe212⤵
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3128 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe214⤵PID:3172
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe215⤵PID:3220
-
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe216⤵
- Drops file in System32 directory
PID:3276 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe217⤵
- Drops file in System32 directory
PID:3328 -
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3360 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe219⤵
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3476 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe221⤵PID:3528
-
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe222⤵
- Drops file in System32 directory
- Modifies registry class
PID:3572 -
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe223⤵PID:3620
-
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe224⤵PID:3676
-
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe225⤵PID:3720
-
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe226⤵
- Drops file in System32 directory
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe227⤵
- Drops file in System32 directory
PID:3824 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe228⤵PID:3884
-
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3976 -
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe231⤵PID:4016
-
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4060 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe233⤵PID:3080
-
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3168 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe235⤵PID:3212
-
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe236⤵
- Modifies registry class
PID:3284 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe238⤵PID:3408
-
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe239⤵PID:3464
-
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe240⤵
- Modifies registry class
PID:3532 -
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3652