Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 23:30
Behavioral task
behavioral1
Sample
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe
-
Size
1.4MB
-
MD5
6d0479215381cc80c40722f6ba4ddc40
-
SHA1
e9e1276505a26d48e50c0a434160fd5b69b3289a
-
SHA256
0ef5f311f012290bbeab8187e8d6b51f65cc5aefb4ddcbcd4b2b58cd5129eae9
-
SHA512
0a3ec5ad7057fd91916f715401d429049bca39c4db1cdea70b4b7797e1f8c6bb4e639d0c1981911e1a744bdae7b480023e9b55cca245a4ec57207f5a02edee7c
-
SSDEEP
12288:+0zfqJBCzXjOYpV6yYPI3cpV6yYPeHCXwpnsKvNA+XTvZHWuEo3oWL5g:+0QBCzXjOYWHWIpsKv2EvZHp3oWNg
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ejkima32.exeHhjhkq32.exeLefdpe32.exeMgnfhlin.exeQcbllb32.exeAipddi32.exeBkommo32.exeCghggc32.exeLlkbap32.exeNlbeqb32.exeOqideepg.exePbfpik32.exeCojema32.exeChhjkl32.exeMpbaebdd.exeOnjgiiad.exeApimacnn.exeChpmpg32.exeDkcofe32.exeChcqpmep.exeFioija32.exeGpmjak32.exeIdfbkq32.exeJnclnihj.exeAffhncfc.exeMimbdhhb.exeOqmmpd32.exeFnbkddem.exeGelppaof.exeLbcnhjnj.exeEplkpgnh.exeLimfed32.exeLkppbl32.exeLmolnh32.exeEnhacojl.exeFmhheqje.exeGieojq32.exeJbjochdi.exeNacgdhlp.exeOjfaijcc.exeCdbdjhmp.exeEqgnokip.exeGicbeald.exeDlgldibq.exeEeempocb.exeFfpmnf32.exeJmocpado.exeKbqecg32.exeKcfkfo32.exeOclilp32.exeBdgafdfp.exeLpdbloof.exeDojald32.exeIkbgmj32.exeJifdebic.exeKnjbnh32.exeObafnlpn.exeDpeekh32.exeEgjpkffe.exeFpfdalii.exeGonnhhln.exeBdeeqehb.exeMmfbogcn.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlbeqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfpik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpbaebdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chcqpmep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fioija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idfbkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcnhjnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmolnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhacojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhheqje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbjochdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdbdjhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpdbloof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jifdebic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjbnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpeekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfbogcn.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule \Windows\SysWOW64\Affhncfc.exe family_berbew \Windows\SysWOW64\Aiinen32.exe family_berbew \Windows\SysWOW64\Bagpopmj.exe family_berbew \Windows\SysWOW64\Bhfagipa.exe family_berbew C:\Windows\SysWOW64\Ckignd32.exe family_berbew \Windows\SysWOW64\Chcqpmep.exe family_berbew C:\Windows\SysWOW64\Chhjkl32.exe family_berbew behavioral1/memory/2504-97-0x00000000002F0000-0x0000000000332000-memory.dmp family_berbew C:\Windows\SysWOW64\Dbbkja32.exe family_berbew C:\Windows\SysWOW64\Dodonf32.exe family_berbew \Windows\SysWOW64\Eecqjpee.exe family_berbew C:\Windows\SysWOW64\Fkckeh32.exe family_berbew C:\Windows\SysWOW64\Fjaonpnn.exe family_berbew C:\Windows\SysWOW64\Ebjglbml.exe family_berbew C:\Windows\SysWOW64\Eplkpgnh.exe family_berbew C:\Windows\SysWOW64\Eibbcm32.exe family_berbew C:\Windows\SysWOW64\Egafleqm.exe family_berbew C:\Windows\SysWOW64\Eqgnokip.exe family_berbew C:\Windows\SysWOW64\Enhacojl.exe family_berbew C:\Windows\SysWOW64\Egoife32.exe family_berbew C:\Windows\SysWOW64\Eqdajkkb.exe family_berbew C:\Windows\SysWOW64\Ejkima32.exe family_berbew C:\Windows\SysWOW64\Ecqqpgli.exe family_berbew C:\Windows\SysWOW64\Eqbddk32.exe family_berbew C:\Windows\SysWOW64\Endhhp32.exe family_berbew C:\Windows\SysWOW64\Egjpkffe.exe family_berbew C:\Windows\SysWOW64\Edkcojga.exe family_berbew C:\Windows\SysWOW64\Ebmgcohn.exe family_berbew C:\Windows\SysWOW64\Enakbp32.exe family_berbew C:\Windows\SysWOW64\Dkcofe32.exe family_berbew C:\Windows\SysWOW64\Dhdcji32.exe family_berbew C:\Windows\SysWOW64\Dfffnn32.exe family_berbew C:\Windows\SysWOW64\Dnoomqbg.exe family_berbew C:\Windows\SysWOW64\Dkqbaecc.exe family_berbew C:\Windows\SysWOW64\Dhbfdjdp.exe family_berbew C:\Windows\SysWOW64\Dfdjhndl.exe family_berbew C:\Windows\SysWOW64\Dojald32.exe family_berbew C:\Windows\SysWOW64\Dlkepi32.exe family_berbew C:\Windows\SysWOW64\Djmicm32.exe family_berbew C:\Windows\SysWOW64\Dbfabp32.exe family_berbew C:\Windows\SysWOW64\Dpeekh32.exe family_berbew C:\Windows\SysWOW64\Dhnmij32.exe family_berbew C:\Windows\SysWOW64\Dfoqmo32.exe family_berbew C:\Windows\SysWOW64\Doehqead.exe family_berbew C:\Windows\SysWOW64\Dlgldibq.exe family_berbew C:\Windows\SysWOW64\Djhphncm.exe family_berbew C:\Windows\SysWOW64\Dgjclbdi.exe family_berbew C:\Windows\SysWOW64\Cppkph32.exe family_berbew C:\Windows\SysWOW64\Cnaocmmi.exe family_berbew C:\Windows\SysWOW64\Cghggc32.exe family_berbew C:\Windows\SysWOW64\Cpnojioo.exe family_berbew C:\Windows\SysWOW64\Cnobnmpl.exe family_berbew C:\Windows\SysWOW64\Ckafbbph.exe family_berbew C:\Windows\SysWOW64\Chbjffad.exe family_berbew C:\Windows\SysWOW64\Cpkbdiqb.exe family_berbew C:\Windows\SysWOW64\Cahail32.exe family_berbew C:\Windows\SysWOW64\Cojema32.exe family_berbew C:\Windows\SysWOW64\Cgcmlcja.exe family_berbew C:\Windows\SysWOW64\Chpmpg32.exe family_berbew C:\Windows\SysWOW64\Ceaadk32.exe family_berbew C:\Windows\SysWOW64\Cnkicn32.exe family_berbew C:\Windows\SysWOW64\Cklmgb32.exe family_berbew C:\Windows\SysWOW64\Chnqkg32.exe family_berbew C:\Windows\SysWOW64\Cdbdjhmp.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Affhncfc.exeAiinen32.exeBagpopmj.exeBhfagipa.exeCkignd32.exeChcqpmep.exeChhjkl32.exeDodonf32.exeDbbkja32.exeEecqjpee.exeEeempocb.exeEnnaieib.exeFehjeo32.exeFlabbihl.exeFmcoja32.exeFaokjpfd.exeFhhcgj32.exeFnbkddem.exeFpdhklkl.exeFjilieka.exeFmhheqje.exeFpfdalii.exeFfpmnf32.exeFioija32.exeFbgmbg32.exeGloblmmj.exeGfefiemq.exeGicbeald.exeGpmjak32.exeGbkgnfbd.exeGieojq32.exeGldkfl32.exeGbnccfpb.exeGelppaof.exeGhkllmoi.exeGmgdddmq.exeGeolea32.exeGgpimica.exeGmjaic32.exeHgbebiao.exeHahjpbad.exeHgdbhi32.exeHnojdcfi.exeHdhbam32.exeHlcgeo32.exeHobcak32.exeHgilchkf.exeHhjhkq32.exeHpapln32.exeHacmcfge.exeHjjddchg.exeHlhaqogk.exeHogmmjfo.exeIeqeidnl.exeIhoafpmp.exeIdfbkq32.exeIkpjgkjq.exeIdhopq32.exeIkbgmj32.exeIqopea32.exeIkddbj32.exeIdmhkpml.exeJnemdecl.exeJcbellac.exepid process 1220 Affhncfc.exe 2584 Aiinen32.exe 2716 Bagpopmj.exe 2692 Bhfagipa.exe 2204 Ckignd32.exe 2504 Chcqpmep.exe 2560 Chhjkl32.exe 2840 Dodonf32.exe 2376 Dbbkja32.exe 1584 Eecqjpee.exe 1620 Eeempocb.exe 3016 Ennaieib.exe 2244 Fehjeo32.exe 1916 Flabbihl.exe 2280 Fmcoja32.exe 1476 Faokjpfd.exe 1840 Fhhcgj32.exe 2464 Fnbkddem.exe 280 Fpdhklkl.exe 1548 Fjilieka.exe 1824 Fmhheqje.exe 744 Fpfdalii.exe 3060 Ffpmnf32.exe 2004 Fioija32.exe 3036 Fbgmbg32.exe 2052 Globlmmj.exe 2444 Gfefiemq.exe 2328 Gicbeald.exe 2708 Gpmjak32.exe 2096 Gbkgnfbd.exe 2784 Gieojq32.exe 2600 Gldkfl32.exe 2980 Gbnccfpb.exe 2512 Gelppaof.exe 2372 Ghkllmoi.exe 2216 Gmgdddmq.exe 348 Geolea32.exe 2380 Ggpimica.exe 2760 Gmjaic32.exe 1272 Hgbebiao.exe 2896 Hahjpbad.exe 1708 Hgdbhi32.exe 2460 Hnojdcfi.exe 1760 Hdhbam32.exe 304 Hlcgeo32.exe 2908 Hobcak32.exe 2036 Hgilchkf.exe 1580 Hhjhkq32.exe 1368 Hpapln32.exe 2776 Hacmcfge.exe 2540 Hjjddchg.exe 1252 Hlhaqogk.exe 2664 Hogmmjfo.exe 2944 Ieqeidnl.exe 2148 Ihoafpmp.exe 440 Idfbkq32.exe 780 Ikpjgkjq.exe 1692 Idhopq32.exe 1960 Ikbgmj32.exe 2116 Iqopea32.exe 1948 Ikddbj32.exe 1968 Idmhkpml.exe 2596 Jnemdecl.exe 2648 Jcbellac.exe -
Loads dropped DLL 64 IoCs
Processes:
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exeAffhncfc.exeAiinen32.exeBagpopmj.exeBhfagipa.exeCkignd32.exeChcqpmep.exeChhjkl32.exeDodonf32.exeDbbkja32.exeEecqjpee.exeEeempocb.exeEnnaieib.exeFehjeo32.exeFlabbihl.exeFmcoja32.exeFaokjpfd.exeFhhcgj32.exeFnbkddem.exeFpdhklkl.exeFjilieka.exeFmhheqje.exeFpfdalii.exeFfpmnf32.exeFioija32.exeFbgmbg32.exeGonnhhln.exeGfefiemq.exeGicbeald.exeGpmjak32.exeGbkgnfbd.exeGieojq32.exepid process 3044 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe 3044 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe 1220 Affhncfc.exe 1220 Affhncfc.exe 2584 Aiinen32.exe 2584 Aiinen32.exe 2716 Bagpopmj.exe 2716 Bagpopmj.exe 2692 Bhfagipa.exe 2692 Bhfagipa.exe 2204 Ckignd32.exe 2204 Ckignd32.exe 2504 Chcqpmep.exe 2504 Chcqpmep.exe 2560 Chhjkl32.exe 2560 Chhjkl32.exe 2840 Dodonf32.exe 2840 Dodonf32.exe 2376 Dbbkja32.exe 2376 Dbbkja32.exe 1584 Eecqjpee.exe 1584 Eecqjpee.exe 1620 Eeempocb.exe 1620 Eeempocb.exe 3016 Ennaieib.exe 3016 Ennaieib.exe 2244 Fehjeo32.exe 2244 Fehjeo32.exe 1916 Flabbihl.exe 1916 Flabbihl.exe 2280 Fmcoja32.exe 2280 Fmcoja32.exe 1476 Faokjpfd.exe 1476 Faokjpfd.exe 1840 Fhhcgj32.exe 1840 Fhhcgj32.exe 2464 Fnbkddem.exe 2464 Fnbkddem.exe 280 Fpdhklkl.exe 280 Fpdhklkl.exe 1548 Fjilieka.exe 1548 Fjilieka.exe 1824 Fmhheqje.exe 1824 Fmhheqje.exe 744 Fpfdalii.exe 744 Fpfdalii.exe 3060 Ffpmnf32.exe 3060 Ffpmnf32.exe 2004 Fioija32.exe 2004 Fioija32.exe 3036 Fbgmbg32.exe 3036 Fbgmbg32.exe 1572 Gonnhhln.exe 1572 Gonnhhln.exe 2444 Gfefiemq.exe 2444 Gfefiemq.exe 2328 Gicbeald.exe 2328 Gicbeald.exe 2708 Gpmjak32.exe 2708 Gpmjak32.exe 2096 Gbkgnfbd.exe 2096 Gbkgnfbd.exe 2784 Gieojq32.exe 2784 Gieojq32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Bhkdeggl.exeEnhacojl.exeQmfgjh32.exeGfefiemq.exeCklmgb32.exeIhoafpmp.exePedleg32.exeCgcmlcja.exeFbgmbg32.exeKemejc32.exeDoehqead.exeEbmgcohn.exeKbqecg32.exeAjjcbpdd.exeCojema32.exeFmhheqje.exeIdmhkpml.exeJnclnihj.exeKgkafo32.exeKgpjanje.exeHpapln32.exePamiog32.exeEjkima32.exeGbkgnfbd.exeMgnfhlin.exeMkgfckcj.exeOlpdjf32.exeDhdcji32.exeJnqphi32.exeEibbcm32.exeNgnbgplj.exePnlqnl32.exeAadloj32.exeGeolea32.exeBlbfjg32.exeFhhcgj32.exeFpdhklkl.exeHgbebiao.exeNlbeqb32.exeOklkmnbp.exeAaaoij32.exeEecqjpee.exeGpmjak32.exeHgdbhi32.exeHhjhkq32.exeMonhhk32.exeBdgafdfp.exeIeqeidnl.exeIdhopq32.exeJnemdecl.exeNdbcpd32.exeCnaocmmi.exeHahjpbad.exeLlkbap32.exeMcegmm32.exeOclilp32.exeBlpjegfm.exeEeempocb.exeKcfkfo32.exeLfjqnjkh.exedescription ioc process File created C:\Windows\SysWOW64\Eekkdc32.dll Bhkdeggl.exe File created C:\Windows\SysWOW64\Eqgnokip.exe Enhacojl.exe File created C:\Windows\SysWOW64\Hjkbhikj.dll Qmfgjh32.exe File opened for modification C:\Windows\SysWOW64\Gicbeald.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Cnkicn32.exe Cklmgb32.exe File opened for modification C:\Windows\SysWOW64\Idfbkq32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Pkndaa32.exe Pedleg32.exe File opened for modification C:\Windows\SysWOW64\Cojema32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Globlmmj.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Kgkafo32.exe Kemejc32.exe File created C:\Windows\SysWOW64\Dfoqmo32.exe Doehqead.exe File created C:\Windows\SysWOW64\Gogcek32.dll Ebmgcohn.exe File created C:\Windows\SysWOW64\Mdnfbe32.dll Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Aadloj32.exe Ajjcbpdd.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Cojema32.exe File created C:\Windows\SysWOW64\Fpfdalii.exe Fmhheqje.exe File opened for modification C:\Windows\SysWOW64\Jnemdecl.exe Idmhkpml.exe File opened for modification C:\Windows\SysWOW64\Kemejc32.exe Jnclnihj.exe File created C:\Windows\SysWOW64\Jjpbahga.dll Kgkafo32.exe File opened for modification C:\Windows\SysWOW64\Knjbnh32.exe Kgpjanje.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hpapln32.exe File created C:\Windows\SysWOW64\Pclfkc32.exe Pamiog32.exe File created C:\Windows\SysWOW64\Eqdajkkb.exe Ejkima32.exe File created C:\Windows\SysWOW64\Lkoabpeg.dll Gbkgnfbd.exe File created C:\Windows\SysWOW64\Oincig32.dll Mgnfhlin.exe File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe Fmhheqje.exe File opened for modification C:\Windows\SysWOW64\Mmfbogcn.exe Mkgfckcj.exe File created C:\Windows\SysWOW64\Inlepd32.dll Olpdjf32.exe File created C:\Windows\SysWOW64\Dkcofe32.exe Dhdcji32.exe File created C:\Windows\SysWOW64\Jfghif32.exe Jnqphi32.exe File created C:\Windows\SysWOW64\Ahoanjcc.dll Eibbcm32.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hpapln32.exe File created C:\Windows\SysWOW64\Njlockkm.exe Ngnbgplj.exe File opened for modification C:\Windows\SysWOW64\Pqkmjh32.exe Pnlqnl32.exe File created C:\Windows\SysWOW64\Fbgkoe32.dll Aadloj32.exe File created C:\Windows\SysWOW64\Ggpimica.exe Geolea32.exe File created C:\Windows\SysWOW64\Boqbfb32.exe Blbfjg32.exe File created C:\Windows\SysWOW64\Iaeldika.dll Fhhcgj32.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Fpdhklkl.exe File created C:\Windows\SysWOW64\Njmekj32.dll Hgbebiao.exe File opened for modification C:\Windows\SysWOW64\Noqamn32.exe Nlbeqb32.exe File created C:\Windows\SysWOW64\Onjgiiad.exe Oklkmnbp.exe File opened for modification C:\Windows\SysWOW64\Adpkee32.exe Aaaoij32.exe File opened for modification C:\Windows\SysWOW64\Eeempocb.exe Eecqjpee.exe File created C:\Windows\SysWOW64\Qahefm32.dll Gpmjak32.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Glqllcbf.dll Hhjhkq32.exe File created C:\Windows\SysWOW64\Lnmfog32.dll Monhhk32.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Pamiog32.exe File created C:\Windows\SysWOW64\Agjiphda.dll Bdgafdfp.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File opened for modification C:\Windows\SysWOW64\Ikbgmj32.exe Idhopq32.exe File created C:\Windows\SysWOW64\Emdipg32.dll Jnemdecl.exe File created C:\Windows\SysWOW64\Mppepcfg.exe Monhhk32.exe File created C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Cppkph32.exe Cnaocmmi.exe File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Lbeknj32.exe Llkbap32.exe File opened for modification C:\Windows\SysWOW64\Miooigfo.exe Mcegmm32.exe File created C:\Windows\SysWOW64\Heldepab.dll Oclilp32.exe File created C:\Windows\SysWOW64\Bdgafdfp.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Ennaieib.exe Eeempocb.exe File created C:\Windows\SysWOW64\Kokbpahm.dll Kcfkfo32.exe File opened for modification C:\Windows\SysWOW64\Lihmjejl.exe Lfjqnjkh.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process 4608 2012 WerFault.exe -
Modifies registry class 64 IoCs
Processes:
Aiinen32.exeIkbgmj32.exeJnqphi32.exeNkbhgojk.exeNaoniipe.exeDfoqmo32.exeOdobjg32.exeMiooigfo.exeEgjpkffe.exeGgpimica.exeQimhoi32.exeGloblmmj.exeMhgmapfi.exeOonafa32.exeLoeebl32.exeOqideepg.exePapfegmk.exeBiamilfj.exeEcqqpgli.exeFmhheqje.exeIqopea32.exeOjahnj32.exeCpkbdiqb.exeChbjffad.exeMmceigep.exeEqgnokip.exeFfpmnf32.exeIeqeidnl.exeBkommo32.exeIhoafpmp.exeAbhimnma.exeDfffnn32.exeKbqecg32.exeNcjqhmkm.exeNdmjedoi.exeEibbcm32.exeFaokjpfd.exeFpdhklkl.exeLpdbloof.exeCpnojioo.exeKnjbnh32.exeLfjqnjkh.exeMcegmm32.exeNaajoinb.exePkndaa32.exeLimfed32.exeNacgdhlp.exeAjhgmpfg.exeHpapln32.exeJiakjb32.exeKkijmm32.exeNjlockkm.exeEqdajkkb.exeCkignd32.exeGldkfl32.exeHobcak32.exeIdhopq32.exeNgnbgplj.exePkpagq32.exeOhfeog32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlcgibn.dll" Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnqphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfoqmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egjpkffe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qimhoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhognbb.dll" Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" Oqideepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpca32.dll" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojahnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiebec32.dll" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobjlngg.dll" Ihoafpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll" Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonahjjd.dll" Ndmjedoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll" Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmcgmjk.dll" Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfeoma.dll" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biapcobb.dll" Jnqphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfcml32.dll" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmbgl32.dll" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loclnq32.dll" Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmepigc.dll" Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gldkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oceaboqg.dll" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohfeog32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exeAffhncfc.exeAiinen32.exeBagpopmj.exeBhfagipa.exeCkignd32.exeChcqpmep.exeChhjkl32.exeDodonf32.exeDbbkja32.exeEecqjpee.exeEeempocb.exeEnnaieib.exeFehjeo32.exeFlabbihl.exeFmcoja32.exedescription pid process target process PID 3044 wrote to memory of 1220 3044 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe Affhncfc.exe PID 3044 wrote to memory of 1220 3044 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe Affhncfc.exe PID 3044 wrote to memory of 1220 3044 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe Affhncfc.exe PID 3044 wrote to memory of 1220 3044 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe Affhncfc.exe PID 1220 wrote to memory of 2584 1220 Affhncfc.exe Aiinen32.exe PID 1220 wrote to memory of 2584 1220 Affhncfc.exe Aiinen32.exe PID 1220 wrote to memory of 2584 1220 Affhncfc.exe Aiinen32.exe PID 1220 wrote to memory of 2584 1220 Affhncfc.exe Aiinen32.exe PID 2584 wrote to memory of 2716 2584 Aiinen32.exe Bagpopmj.exe PID 2584 wrote to memory of 2716 2584 Aiinen32.exe Bagpopmj.exe PID 2584 wrote to memory of 2716 2584 Aiinen32.exe Bagpopmj.exe PID 2584 wrote to memory of 2716 2584 Aiinen32.exe Bagpopmj.exe PID 2716 wrote to memory of 2692 2716 Bagpopmj.exe Bhfagipa.exe PID 2716 wrote to memory of 2692 2716 Bagpopmj.exe Bhfagipa.exe PID 2716 wrote to memory of 2692 2716 Bagpopmj.exe Bhfagipa.exe PID 2716 wrote to memory of 2692 2716 Bagpopmj.exe Bhfagipa.exe PID 2692 wrote to memory of 2204 2692 Bhfagipa.exe Ckignd32.exe PID 2692 wrote to memory of 2204 2692 Bhfagipa.exe Ckignd32.exe PID 2692 wrote to memory of 2204 2692 Bhfagipa.exe Ckignd32.exe PID 2692 wrote to memory of 2204 2692 Bhfagipa.exe Ckignd32.exe PID 2204 wrote to memory of 2504 2204 Ckignd32.exe Chcqpmep.exe PID 2204 wrote to memory of 2504 2204 Ckignd32.exe Chcqpmep.exe PID 2204 wrote to memory of 2504 2204 Ckignd32.exe Chcqpmep.exe PID 2204 wrote to memory of 2504 2204 Ckignd32.exe Chcqpmep.exe PID 2504 wrote to memory of 2560 2504 Chcqpmep.exe Chhjkl32.exe PID 2504 wrote to memory of 2560 2504 Chcqpmep.exe Chhjkl32.exe PID 2504 wrote to memory of 2560 2504 Chcqpmep.exe Chhjkl32.exe PID 2504 wrote to memory of 2560 2504 Chcqpmep.exe Chhjkl32.exe PID 2560 wrote to memory of 2840 2560 Chhjkl32.exe Dodonf32.exe PID 2560 wrote to memory of 2840 2560 Chhjkl32.exe Dodonf32.exe PID 2560 wrote to memory of 2840 2560 Chhjkl32.exe Dodonf32.exe PID 2560 wrote to memory of 2840 2560 Chhjkl32.exe Dodonf32.exe PID 2840 wrote to memory of 2376 2840 Dodonf32.exe Dbbkja32.exe PID 2840 wrote to memory of 2376 2840 Dodonf32.exe Dbbkja32.exe PID 2840 wrote to memory of 2376 2840 Dodonf32.exe Dbbkja32.exe PID 2840 wrote to memory of 2376 2840 Dodonf32.exe Dbbkja32.exe PID 2376 wrote to memory of 1584 2376 Dbbkja32.exe Eecqjpee.exe PID 2376 wrote to memory of 1584 2376 Dbbkja32.exe Eecqjpee.exe PID 2376 wrote to memory of 1584 2376 Dbbkja32.exe Eecqjpee.exe PID 2376 wrote to memory of 1584 2376 Dbbkja32.exe Eecqjpee.exe PID 1584 wrote to memory of 1620 1584 Eecqjpee.exe Eeempocb.exe PID 1584 wrote to memory of 1620 1584 Eecqjpee.exe Eeempocb.exe PID 1584 wrote to memory of 1620 1584 Eecqjpee.exe Eeempocb.exe PID 1584 wrote to memory of 1620 1584 Eecqjpee.exe Eeempocb.exe PID 1620 wrote to memory of 3016 1620 Eeempocb.exe Ennaieib.exe PID 1620 wrote to memory of 3016 1620 Eeempocb.exe Ennaieib.exe PID 1620 wrote to memory of 3016 1620 Eeempocb.exe Ennaieib.exe PID 1620 wrote to memory of 3016 1620 Eeempocb.exe Ennaieib.exe PID 3016 wrote to memory of 2244 3016 Ennaieib.exe Fehjeo32.exe PID 3016 wrote to memory of 2244 3016 Ennaieib.exe Fehjeo32.exe PID 3016 wrote to memory of 2244 3016 Ennaieib.exe Fehjeo32.exe PID 3016 wrote to memory of 2244 3016 Ennaieib.exe Fehjeo32.exe PID 2244 wrote to memory of 1916 2244 Fehjeo32.exe Flabbihl.exe PID 2244 wrote to memory of 1916 2244 Fehjeo32.exe Flabbihl.exe PID 2244 wrote to memory of 1916 2244 Fehjeo32.exe Flabbihl.exe PID 2244 wrote to memory of 1916 2244 Fehjeo32.exe Flabbihl.exe PID 1916 wrote to memory of 2280 1916 Flabbihl.exe Fmcoja32.exe PID 1916 wrote to memory of 2280 1916 Flabbihl.exe Fmcoja32.exe PID 1916 wrote to memory of 2280 1916 Flabbihl.exe Fmcoja32.exe PID 1916 wrote to memory of 2280 1916 Flabbihl.exe Fmcoja32.exe PID 2280 wrote to memory of 1476 2280 Fmcoja32.exe Faokjpfd.exe PID 2280 wrote to memory of 1476 2280 Fmcoja32.exe Faokjpfd.exe PID 2280 wrote to memory of 1476 2280 Fmcoja32.exe Faokjpfd.exe PID 2280 wrote to memory of 1476 2280 Fmcoja32.exe Faokjpfd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:744 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe35⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe37⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe38⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe41⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe45⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe46⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe47⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe49⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe52⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe53⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe54⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe55⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe59⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe63⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe66⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe67⤵PID:352
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe68⤵PID:1424
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe69⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe70⤵PID:624
-
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:264 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe72⤵PID:2324
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe75⤵PID:2704
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe77⤵PID:3088
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe79⤵
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe80⤵
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3312 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe82⤵
- Modifies registry class
PID:3372 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe83⤵PID:3432
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe84⤵
- Drops file in System32 directory
PID:3492 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3552 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3616 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe87⤵PID:3668
-
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe88⤵PID:3728
-
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe89⤵PID:3788
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe90⤵PID:3848
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe92⤵PID:3964
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe93⤵PID:4016
-
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe94⤵
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe95⤵PID:2568
-
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe96⤵PID:2792
-
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe101⤵PID:2220
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe102⤵PID:1932
-
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe106⤵PID:3220
-
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe107⤵
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe108⤵PID:3308
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe109⤵
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe110⤵
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3500 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe112⤵PID:3596
-
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe113⤵
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3712 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe115⤵PID:3776
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3752 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3888 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe118⤵PID:4032
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe120⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe121⤵PID:2744
-
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe122⤵PID:3000
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe123⤵PID:2040
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe124⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe125⤵
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe126⤵PID:2320
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe127⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe128⤵PID:3080
-
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe129⤵
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe130⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe131⤵PID:480
-
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe132⤵PID:1092
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe133⤵
- Modifies registry class
PID:3400 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe134⤵PID:3572
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe135⤵
- Drops file in System32 directory
- Modifies registry class
PID:3548 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe136⤵
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe138⤵
- Drops file in System32 directory
PID:3736 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe139⤵PID:3832
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe140⤵
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3864 -
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe143⤵PID:4060
-
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe144⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe145⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe146⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe147⤵PID:856
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe148⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe152⤵PID:2092
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe153⤵PID:2260
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe155⤵
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe156⤵PID:3216
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe157⤵PID:3196
-
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe158⤵PID:3284
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe159⤵PID:3360
-
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe160⤵PID:3448
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3528 -
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe162⤵
- Drops file in System32 directory
PID:3408 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe163⤵
- Modifies registry class
PID:3696 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe164⤵
- Drops file in System32 directory
PID:3604 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe165⤵PID:3844
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe166⤵PID:3872
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe167⤵
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe168⤵PID:4056
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe169⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe170⤵PID:1372
-
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe171⤵PID:804
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe172⤵PID:2112
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe173⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe174⤵PID:1588
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe175⤵
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe176⤵PID:3084
-
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe177⤵PID:3156
-
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe178⤵
- Modifies registry class
PID:3236 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe179⤵PID:3304
-
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3332 -
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe181⤵PID:3472
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3644 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3608 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe184⤵
- Modifies registry class
PID:3840 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe185⤵PID:3972
-
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe186⤵PID:4044
-
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe187⤵PID:2960
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe188⤵PID:2768
-
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe189⤵PID:1184
-
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe190⤵PID:1648
-
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe191⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe192⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe193⤵PID:3176
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe194⤵
- Drops file in System32 directory
PID:3292 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe195⤵
- Drops file in System32 directory
PID:3424 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe196⤵PID:3544
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe197⤵PID:3704
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe198⤵PID:3960
-
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4128 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4168 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe201⤵
- Modifies registry class
PID:4208 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe202⤵
- Drops file in System32 directory
PID:4248 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe204⤵PID:4336
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe205⤵
- Drops file in System32 directory
PID:4376 -
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe206⤵PID:4416
-
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe207⤵PID:4456
-
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe208⤵PID:4496
-
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe209⤵PID:4536
-
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe210⤵PID:4576
-
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe211⤵PID:4616
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe212⤵
- Drops file in System32 directory
PID:4656 -
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe213⤵PID:4696
-
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe214⤵PID:4736
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4776 -
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe216⤵PID:4816
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe217⤵
- Drops file in System32 directory
PID:4856 -
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe218⤵PID:4896
-
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe219⤵PID:4936
-
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4976 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe221⤵
- Drops file in System32 directory
PID:5016 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe222⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5056 -
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe223⤵PID:5096
-
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe224⤵
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe225⤵
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe226⤵PID:1976
-
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe227⤵PID:3012
-
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe228⤵
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe230⤵
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe231⤵PID:3356
-
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe232⤵PID:3560
-
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe233⤵PID:3760
-
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe235⤵
- Drops file in System32 directory
PID:4152 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe236⤵
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe237⤵PID:4312
-
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4324 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe239⤵PID:4360
-
C:\Windows\SysWOW64\Djmicm32.exeC:\Windows\system32\Djmicm32.exe240⤵PID:4436
-
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe241⤵PID:4488
-
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4544