Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 23:50
Behavioral task
behavioral1
Sample
6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
-
Target
6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe
-
Size
548KB
-
MD5
6daeda287d1944f713fafdc0a1ba0c20
-
SHA1
f21dc6149d00d887d9123903e5d130d375b441a3
-
SHA256
8c043dd159d32543b79016c55aa840b87d7255c1e2ba3f2716b7e74608e0af64
-
SHA512
5cb9ef3ee41d0ff6016825d4c0c2009b0fee5744b986e5c598c8070e777db043dfc4cbbf5154bdbd902e249da7b5408197be2a83fff34109fad459bc4cf5ac4b
-
SSDEEP
12288:jXzVvq6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:j4q5htaSHFaZRBEYyqmaf2qwiHPKgRCW
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gacpdbej.exeOddpfc32.exeCdbdjhmp.exeGohjaf32.exeHmbpmapf.exeNgpolo32.exeEplkpgnh.exeLmebnb32.exeMagqncba.exeLlnofpcg.exeOclilp32.exeQcpofbjl.exeBioqclil.exeBppoqeja.exeBbokmqie.exeIdnaoohk.exeBfadgq32.exeNigome32.exeEajaoq32.exeHgilchkf.exeJkbcln32.exeDlnbeh32.exeIkhjki32.exeKkgmgmfd.exeEfaibbij.exeFlehkhai.exeFenmdm32.exeHakphqja.exeEfppoc32.exeJgnamk32.exeNacgdhlp.exeAfcenm32.exeKebgia32.exeKgemplap.exeGicbeald.exeGgpimica.exeOnmdoioa.exeAjejgp32.exeFmpkjkma.exeKaldcb32.exeIcmegf32.exeLbfdaigg.exeMholen32.exeInljnfkg.exeNlphkb32.exeOobjaqaj.exeCgcmlcja.exeKconkibf.exeLgjfkk32.exeLkncmmle.exeNhiffc32.exeCpkbdiqb.exeIchllgfb.exeLoeebl32.exeBehnnm32.exeJnkpbcjg.exeKeednado.exeLjibgg32.exeHhmepp32.exeJfcnngnd.exeAmkpegnj.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbdjhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpolo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Magqncba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcpofbjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbcln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikhjki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flehkhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fenmdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicbeald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaldcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mholen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inljnfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oobjaqaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmlcja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjfkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loeebl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule \Windows\SysWOW64\Djefobmk.exe family_berbew \Windows\SysWOW64\Ecpgmhai.exe family_berbew C:\Windows\SysWOW64\Efppoc32.exe family_berbew \Windows\SysWOW64\Eajaoq32.exe family_berbew \Windows\SysWOW64\Fhffaj32.exe family_berbew \Windows\SysWOW64\Fhhcgj32.exe family_berbew C:\Windows\SysWOW64\Fjilieka.exe family_berbew \Windows\SysWOW64\Fmjejphb.exe family_berbew C:\Windows\SysWOW64\Ffbicfoc.exe family_berbew \Windows\SysWOW64\Gicbeald.exe family_berbew C:\Windows\SysWOW64\Gejcjbah.exe family_berbew C:\Windows\SysWOW64\Gobgcg32.exe family_berbew C:\Windows\SysWOW64\Gelppaof.exe family_berbew \Windows\SysWOW64\Glfhll32.exe family_berbew C:\Windows\SysWOW64\Ggpimica.exe family_berbew C:\Windows\SysWOW64\Hiqbndpb.exe family_berbew C:\Windows\SysWOW64\Hicodd32.exe family_berbew C:\Windows\SysWOW64\Hpmgqnfl.exe family_berbew C:\Windows\SysWOW64\Hobcak32.exe family_berbew C:\Windows\SysWOW64\Hgilchkf.exe family_berbew C:\Windows\SysWOW64\Hpapln32.exe family_berbew C:\Windows\SysWOW64\Hkkalk32.exe family_berbew C:\Windows\SysWOW64\Iaeiieeb.exe family_berbew C:\Windows\SysWOW64\Ilknfn32.exe family_berbew C:\Windows\SysWOW64\Ihankokm.exe family_berbew C:\Windows\SysWOW64\Iggkllpe.exe family_berbew C:\Windows\SysWOW64\Inqcif32.exe family_berbew C:\Windows\SysWOW64\Ikddbj32.exe family_berbew C:\Windows\SysWOW64\Idmhkpml.exe family_berbew C:\Windows\SysWOW64\Jjjacf32.exe family_berbew C:\Windows\SysWOW64\Jmhmpb32.exe family_berbew C:\Windows\SysWOW64\Jofiln32.exe family_berbew C:\Windows\SysWOW64\Jjlnif32.exe family_berbew C:\Windows\SysWOW64\Joifam32.exe family_berbew C:\Windows\SysWOW64\Jfcnngnd.exe family_berbew C:\Windows\SysWOW64\Jmjjea32.exe family_berbew C:\Windows\SysWOW64\Jgnamk32.exe family_berbew C:\Windows\SysWOW64\Igkdgk32.exe family_berbew C:\Windows\SysWOW64\Imfqjbli.exe family_berbew C:\Windows\SysWOW64\Icmlam32.exe family_berbew C:\Windows\SysWOW64\Iajcde32.exe family_berbew C:\Windows\SysWOW64\Ikpjgkjq.exe family_berbew C:\Windows\SysWOW64\Ifcbodli.exe family_berbew C:\Windows\SysWOW64\Inljnfkg.exe family_berbew C:\Windows\SysWOW64\Hhmepp32.exe family_berbew C:\Windows\SysWOW64\Henidd32.exe family_berbew C:\Windows\SysWOW64\Hodpgjha.exe family_berbew C:\Windows\SysWOW64\Hjhhocjj.exe family_berbew C:\Windows\SysWOW64\Hlcgeo32.exe family_berbew C:\Windows\SysWOW64\Hiekid32.exe family_berbew C:\Windows\SysWOW64\Hggomh32.exe family_berbew C:\Windows\SysWOW64\Hdfflm32.exe family_berbew C:\Windows\SysWOW64\Ghoegl32.exe family_berbew C:\Windows\SysWOW64\Gmjaic32.exe family_berbew C:\Windows\SysWOW64\Gacpdbej.exe family_berbew behavioral1/memory/2364-543-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew C:\Windows\SysWOW64\Jkbcln32.exe family_berbew C:\Windows\SysWOW64\Jnclnihj.exe family_berbew C:\Windows\SysWOW64\Kkgmgmfd.exe family_berbew C:\Windows\SysWOW64\Jbllihbf.exe family_berbew behavioral1/memory/2680-553-0x0000000000260000-0x0000000000293000-memory.dmp family_berbew C:\Windows\SysWOW64\Kjcpii32.exe family_berbew C:\Windows\SysWOW64\Lpphap32.exe family_berbew C:\Windows\SysWOW64\Lfjqnjkh.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Djefobmk.exeEcpgmhai.exeEfppoc32.exeEajaoq32.exeFhffaj32.exeFhhcgj32.exeFjilieka.exeFmjejphb.exeFfbicfoc.exeGicbeald.exeGejcjbah.exeGobgcg32.exeGelppaof.exeGlfhll32.exeGacpdbej.exeGgpimica.exeGmjaic32.exeGhoegl32.exeHiqbndpb.exeHdfflm32.exeHicodd32.exeHpmgqnfl.exeHggomh32.exeHiekid32.exeHlcgeo32.exeHobcak32.exeHgilchkf.exeHjhhocjj.exeHpapln32.exeHodpgjha.exeHenidd32.exeHhmepp32.exeHkkalk32.exeIaeiieeb.exeIlknfn32.exeInljnfkg.exeIfcbodli.exeIhankokm.exeIkpjgkjq.exeIajcde32.exeIggkllpe.exeInqcif32.exeIcmlam32.exeIkddbj32.exeImfqjbli.exeIdmhkpml.exeIgkdgk32.exeJjjacf32.exeJmhmpb32.exeJofiln32.exeJgnamk32.exeJjlnif32.exeJmjjea32.exeJoifam32.exeJfcnngnd.exeJkbcln32.exeJbllihbf.exeJnclnihj.exeKkgmgmfd.exeKjcpii32.exeLpphap32.exeLfjqnjkh.exeLlfifq32.exeLoeebl32.exepid process 3036 Djefobmk.exe 2628 Ecpgmhai.exe 2652 Efppoc32.exe 2768 Eajaoq32.exe 2612 Fhffaj32.exe 2620 Fhhcgj32.exe 2420 Fjilieka.exe 1472 Fmjejphb.exe 760 Ffbicfoc.exe 2408 Gicbeald.exe 2012 Gejcjbah.exe 996 Gobgcg32.exe 1244 Gelppaof.exe 2676 Glfhll32.exe 1268 Gacpdbej.exe 2968 Ggpimica.exe 2712 Gmjaic32.exe 2364 Ghoegl32.exe 1096 Hiqbndpb.exe 2680 Hdfflm32.exe 1316 Hicodd32.exe 1800 Hpmgqnfl.exe 1920 Hggomh32.exe 1120 Hiekid32.exe 1696 Hlcgeo32.exe 2584 Hobcak32.exe 2904 Hgilchkf.exe 2908 Hjhhocjj.exe 2176 Hpapln32.exe 1492 Hodpgjha.exe 2320 Henidd32.exe 3044 Hhmepp32.exe 2704 Hkkalk32.exe 2632 Iaeiieeb.exe 2660 Ilknfn32.exe 2524 Inljnfkg.exe 1624 Ifcbodli.exe 2520 Ihankokm.exe 2244 Ikpjgkjq.exe 2396 Iajcde32.exe 2180 Iggkllpe.exe 2488 Inqcif32.exe 2436 Icmlam32.exe 1864 Ikddbj32.exe 1032 Imfqjbli.exe 2744 Idmhkpml.exe 2824 Igkdgk32.exe 2060 Jjjacf32.exe 1668 Jmhmpb32.exe 684 Jofiln32.exe 404 Jgnamk32.exe 2332 Jjlnif32.exe 1892 Jmjjea32.exe 1204 Joifam32.exe 2724 Jfcnngnd.exe 2992 Jkbcln32.exe 2112 Jbllihbf.exe 2624 Jnclnihj.exe 2188 Kkgmgmfd.exe 2860 Kjcpii32.exe 2560 Lpphap32.exe 2700 Lfjqnjkh.exe 2636 Llfifq32.exe 1900 Loeebl32.exe -
Loads dropped DLL 64 IoCs
Processes:
6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exeDjefobmk.exeEcpgmhai.exeEfppoc32.exeEajaoq32.exeFhffaj32.exeFhhcgj32.exeFjilieka.exeFmjejphb.exeFfbicfoc.exeGicbeald.exeGejcjbah.exeGobgcg32.exeGelppaof.exeGlfhll32.exeGacpdbej.exeGgpimica.exeGmjaic32.exeGhoegl32.exeHiqbndpb.exeHdfflm32.exeHicodd32.exeHpmgqnfl.exeHggomh32.exeHiekid32.exeHlcgeo32.exeHobcak32.exeHgilchkf.exeHjhhocjj.exeHpapln32.exeHodpgjha.exeHenidd32.exepid process 1972 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe 1972 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe 3036 Djefobmk.exe 3036 Djefobmk.exe 2628 Ecpgmhai.exe 2628 Ecpgmhai.exe 2652 Efppoc32.exe 2652 Efppoc32.exe 2768 Eajaoq32.exe 2768 Eajaoq32.exe 2612 Fhffaj32.exe 2612 Fhffaj32.exe 2620 Fhhcgj32.exe 2620 Fhhcgj32.exe 2420 Fjilieka.exe 2420 Fjilieka.exe 1472 Fmjejphb.exe 1472 Fmjejphb.exe 760 Ffbicfoc.exe 760 Ffbicfoc.exe 2408 Gicbeald.exe 2408 Gicbeald.exe 2012 Gejcjbah.exe 2012 Gejcjbah.exe 996 Gobgcg32.exe 996 Gobgcg32.exe 1244 Gelppaof.exe 1244 Gelppaof.exe 2676 Glfhll32.exe 2676 Glfhll32.exe 1268 Gacpdbej.exe 1268 Gacpdbej.exe 2968 Ggpimica.exe 2968 Ggpimica.exe 2712 Gmjaic32.exe 2712 Gmjaic32.exe 2364 Ghoegl32.exe 2364 Ghoegl32.exe 1096 Hiqbndpb.exe 1096 Hiqbndpb.exe 2680 Hdfflm32.exe 2680 Hdfflm32.exe 1316 Hicodd32.exe 1316 Hicodd32.exe 1800 Hpmgqnfl.exe 1800 Hpmgqnfl.exe 1920 Hggomh32.exe 1920 Hggomh32.exe 1120 Hiekid32.exe 1120 Hiekid32.exe 1696 Hlcgeo32.exe 1696 Hlcgeo32.exe 2584 Hobcak32.exe 2584 Hobcak32.exe 2904 Hgilchkf.exe 2904 Hgilchkf.exe 2908 Hjhhocjj.exe 2908 Hjhhocjj.exe 2176 Hpapln32.exe 2176 Hpapln32.exe 1492 Hodpgjha.exe 1492 Hodpgjha.exe 2320 Henidd32.exe 2320 Henidd32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Imfqjbli.exeIedkbc32.exeHpapln32.exeJoaeeklp.exeFbmcbbki.exeIjdqna32.exeHgilchkf.exeClilkfnb.exeKconkibf.exeKaldcb32.exeAlbjlcao.exeIoolqh32.exe6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exePjadmnic.exeJfnnha32.exeMiooigfo.exeIcmegf32.exeKebgia32.exeFhffaj32.exeJofiln32.exeNhfipcid.exePqhpdhcc.exeBoqbfb32.exeHakphqja.exeLoeebl32.exeNejiih32.exeLgmcqkkh.exeIgkdgk32.exeNamqci32.exeOgeigofa.exeApimacnn.exeKiijnq32.exeKnpemf32.exeMgalqkbk.exeNlcnda32.exePjhknm32.exeAmkpegnj.exeCpkbdiqb.exeEqdajkkb.exeFhneehek.exeIlcmjl32.exeLmebnb32.exeGhoegl32.exeOobjaqaj.exePgplkb32.exeNoqamn32.exeAhlgfdeq.exeLlfifq32.exeNdpfkdmf.exeJkjfah32.exeJdgdempa.exeNigome32.exeGohjaf32.exeGhqnjk32.exeJjlnif32.exeJmjjea32.exeMoiklogi.exeFlehkhai.exeHhjapjmi.exeJhngjmlo.exeMencccop.exeIdcokkak.exedescription ioc process File created C:\Windows\SysWOW64\Idmhkpml.exe Imfqjbli.exe File created C:\Windows\SysWOW64\Cinekb32.dll Iedkbc32.exe File opened for modification C:\Windows\SysWOW64\Hodpgjha.exe Hpapln32.exe File created C:\Windows\SysWOW64\Hebpjd32.dll Joaeeklp.exe File opened for modification C:\Windows\SysWOW64\Figlolbf.exe Fbmcbbki.exe File opened for modification C:\Windows\SysWOW64\Ilcmjl32.exe Ijdqna32.exe File created C:\Windows\SysWOW64\Fenhecef.dll Hgilchkf.exe File created C:\Windows\SysWOW64\Cddaphkn.exe Clilkfnb.exe File created C:\Windows\SysWOW64\Kbbngf32.exe Kconkibf.exe File created C:\Windows\SysWOW64\Allepo32.dll Kaldcb32.exe File created C:\Windows\SysWOW64\Ajejgp32.exe Albjlcao.exe File created C:\Windows\SysWOW64\Kkmgjljo.dll Ioolqh32.exe File created C:\Windows\SysWOW64\Djefobmk.exe 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Pbhmnkjf.exe Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Jkjfah32.exe Jfnnha32.exe File created C:\Windows\SysWOW64\Mlmlecec.exe Miooigfo.exe File created C:\Windows\SysWOW64\Dkqahbgm.dll Icmegf32.exe File opened for modification C:\Windows\SysWOW64\Kklpekno.exe Kebgia32.exe File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe Fhffaj32.exe File opened for modification C:\Windows\SysWOW64\Jgnamk32.exe Jofiln32.exe File created C:\Windows\SysWOW64\Noqamn32.exe Nhfipcid.exe File created C:\Windows\SysWOW64\Lhnffb32.dll Pqhpdhcc.exe File created C:\Windows\SysWOW64\Fgpimg32.dll Boqbfb32.exe File created C:\Windows\SysWOW64\Obojmk32.dll Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Leonofpp.exe Loeebl32.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Nejiih32.exe File opened for modification C:\Windows\SysWOW64\Lmikibio.exe Lgmcqkkh.exe File created C:\Windows\SysWOW64\Jjjacf32.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Nhfipcid.exe Namqci32.exe File created C:\Windows\SysWOW64\Llgodg32.dll Ogeigofa.exe File created C:\Windows\SysWOW64\Afcenm32.exe Apimacnn.exe File created C:\Windows\SysWOW64\Kconkibf.exe Kiijnq32.exe File created C:\Windows\SysWOW64\Leimip32.exe Knpemf32.exe File created C:\Windows\SysWOW64\Elonamqm.dll Mgalqkbk.exe File created C:\Windows\SysWOW64\Ndjfeo32.exe Nlcnda32.exe File opened for modification C:\Windows\SysWOW64\Qcpofbjl.exe Pjhknm32.exe File opened for modification C:\Windows\SysWOW64\Apimacnn.exe Amkpegnj.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cpkbdiqb.exe File opened for modification C:\Windows\SysWOW64\Efaibbij.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Fagjnn32.exe Fhneehek.exe File created C:\Windows\SysWOW64\Jnbfqn32.dll Ilcmjl32.exe File opened for modification C:\Windows\SysWOW64\Leljop32.exe Lmebnb32.exe File created C:\Windows\SysWOW64\Magqncba.exe Mgalqkbk.exe File created C:\Windows\SysWOW64\Omabcb32.dll Ghoegl32.exe File created C:\Windows\SysWOW64\Nchnel32.dll Oobjaqaj.exe File created C:\Windows\SysWOW64\Ehkdaf32.dll Pgplkb32.exe File created C:\Windows\SysWOW64\Nejiih32.exe Noqamn32.exe File opened for modification C:\Windows\SysWOW64\Aoepcn32.exe Ahlgfdeq.exe File created C:\Windows\SysWOW64\Loeebl32.exe Llfifq32.exe File opened for modification C:\Windows\SysWOW64\Nkiogn32.exe Ndpfkdmf.exe File created C:\Windows\SysWOW64\Lekjcmbe.dll Jkjfah32.exe File opened for modification C:\Windows\SysWOW64\Jnpinc32.exe Jdgdempa.exe File created C:\Windows\SysWOW64\Nmbknddp.exe Nigome32.exe File created C:\Windows\SysWOW64\Nhhbld32.dll Gohjaf32.exe File created C:\Windows\SysWOW64\Mdghad32.dll Ghqnjk32.exe File opened for modification C:\Windows\SysWOW64\Jmjjea32.exe Jjlnif32.exe File opened for modification C:\Windows\SysWOW64\Joifam32.exe Jmjjea32.exe File created C:\Windows\SysWOW64\Miooigfo.exe Moiklogi.exe File created C:\Windows\SysWOW64\Nhiffc32.exe Nejiih32.exe File created C:\Windows\SysWOW64\Fkcpip32.dll Flehkhai.exe File created C:\Windows\SysWOW64\Ibeogebm.dll Hhjapjmi.exe File opened for modification C:\Windows\SysWOW64\Jnkpbcjg.exe Jhngjmlo.exe File opened for modification C:\Windows\SysWOW64\Mlhkpm32.exe Mencccop.exe File created C:\Windows\SysWOW64\Fffdil32.dll Idcokkak.exe -
Modifies registry class 64 IoCs
Processes:
Jjbpgd32.exeKgcpjmcb.exeEjobhppq.exeKfpgmdog.exeLpekon32.exeQbelgood.exeAmfcikek.exeGnmgmbhb.exeLafndg32.exeIgonafba.exeJqgoiokm.exeHkaglf32.exeKkjcplpa.exeMgimmm32.exeDjklnnaj.exeGedbdlbb.exeFiglolbf.exeNmnace32.exeNenobfak.exeGgpimica.exeHlcgeo32.exeMiooigfo.exeGelppaof.exeHhmepp32.exeLclnemgd.exeLeonofpp.exeQmicohqm.exeJkjfah32.exeGfjhgdck.exeGhoegl32.exeBpleef32.exeLgmcqkkh.exeLlnofpcg.exeNejiih32.exeLgjfkk32.exeBbokmqie.exeGdjpeifj.exeKaldcb32.exeMpjqiq32.exeNdjfeo32.exeOddpfc32.exeOdobjg32.exeAemkjiem.exeOoeggp32.exeFmpkjkma.exeHhjapjmi.exeIlknfn32.exeJkbcln32.exeLbeknj32.exeLaegiq32.exeJbllihbf.exeMoiklogi.exeFagjnn32.exeHoamgd32.exeKklpekno.exeMhjbjopf.exeIkhjki32.exeAbjebn32.exeDfamcogo.exeMggpgmof.exeCpkbdiqb.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpoifde.dll" Jjbpgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejobhppq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpekon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goedqe32.dll" Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcjffka.dll" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" Djklnnaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gedbdlbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Figlolbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hlcgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miooigfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfppg32.dll" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkdneid.dll" Leonofpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll" Jkjfah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfjhgdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djklnnaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Llnofpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdjpeifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll" Mpjqiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjfeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeabq32.dll" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahqdihi.dll" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooeggp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeogebm.dll" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minceo32.dll" Lbeknj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhbhf32.dll" Hoamgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll" Kklpekno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll" Mhjbjopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikhjki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjeknjd.dll" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfamcogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mggpgmof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpkbdiqb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exeDjefobmk.exeEcpgmhai.exeEfppoc32.exeEajaoq32.exeFhffaj32.exeFhhcgj32.exeFjilieka.exeFmjejphb.exeFfbicfoc.exeGicbeald.exeGejcjbah.exeGobgcg32.exeGelppaof.exeGlfhll32.exeGacpdbej.exedescription pid process target process PID 1972 wrote to memory of 3036 1972 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe Djefobmk.exe PID 1972 wrote to memory of 3036 1972 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe Djefobmk.exe PID 1972 wrote to memory of 3036 1972 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe Djefobmk.exe PID 1972 wrote to memory of 3036 1972 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe Djefobmk.exe PID 3036 wrote to memory of 2628 3036 Djefobmk.exe Ecpgmhai.exe PID 3036 wrote to memory of 2628 3036 Djefobmk.exe Ecpgmhai.exe PID 3036 wrote to memory of 2628 3036 Djefobmk.exe Ecpgmhai.exe PID 3036 wrote to memory of 2628 3036 Djefobmk.exe Ecpgmhai.exe PID 2628 wrote to memory of 2652 2628 Ecpgmhai.exe Efppoc32.exe PID 2628 wrote to memory of 2652 2628 Ecpgmhai.exe Efppoc32.exe PID 2628 wrote to memory of 2652 2628 Ecpgmhai.exe Efppoc32.exe PID 2628 wrote to memory of 2652 2628 Ecpgmhai.exe Efppoc32.exe PID 2652 wrote to memory of 2768 2652 Efppoc32.exe Eajaoq32.exe PID 2652 wrote to memory of 2768 2652 Efppoc32.exe Eajaoq32.exe PID 2652 wrote to memory of 2768 2652 Efppoc32.exe Eajaoq32.exe PID 2652 wrote to memory of 2768 2652 Efppoc32.exe Eajaoq32.exe PID 2768 wrote to memory of 2612 2768 Eajaoq32.exe Fhffaj32.exe PID 2768 wrote to memory of 2612 2768 Eajaoq32.exe Fhffaj32.exe PID 2768 wrote to memory of 2612 2768 Eajaoq32.exe Fhffaj32.exe PID 2768 wrote to memory of 2612 2768 Eajaoq32.exe Fhffaj32.exe PID 2612 wrote to memory of 2620 2612 Fhffaj32.exe Fhhcgj32.exe PID 2612 wrote to memory of 2620 2612 Fhffaj32.exe Fhhcgj32.exe PID 2612 wrote to memory of 2620 2612 Fhffaj32.exe Fhhcgj32.exe PID 2612 wrote to memory of 2620 2612 Fhffaj32.exe Fhhcgj32.exe PID 2620 wrote to memory of 2420 2620 Fhhcgj32.exe Fjilieka.exe PID 2620 wrote to memory of 2420 2620 Fhhcgj32.exe Fjilieka.exe PID 2620 wrote to memory of 2420 2620 Fhhcgj32.exe Fjilieka.exe PID 2620 wrote to memory of 2420 2620 Fhhcgj32.exe Fjilieka.exe PID 2420 wrote to memory of 1472 2420 Fjilieka.exe Fmjejphb.exe PID 2420 wrote to memory of 1472 2420 Fjilieka.exe Fmjejphb.exe PID 2420 wrote to memory of 1472 2420 Fjilieka.exe Fmjejphb.exe PID 2420 wrote to memory of 1472 2420 Fjilieka.exe Fmjejphb.exe PID 1472 wrote to memory of 760 1472 Fmjejphb.exe Ffbicfoc.exe PID 1472 wrote to memory of 760 1472 Fmjejphb.exe Ffbicfoc.exe PID 1472 wrote to memory of 760 1472 Fmjejphb.exe Ffbicfoc.exe PID 1472 wrote to memory of 760 1472 Fmjejphb.exe Ffbicfoc.exe PID 760 wrote to memory of 2408 760 Ffbicfoc.exe Gicbeald.exe PID 760 wrote to memory of 2408 760 Ffbicfoc.exe Gicbeald.exe PID 760 wrote to memory of 2408 760 Ffbicfoc.exe Gicbeald.exe PID 760 wrote to memory of 2408 760 Ffbicfoc.exe Gicbeald.exe PID 2408 wrote to memory of 2012 2408 Gicbeald.exe Gejcjbah.exe PID 2408 wrote to memory of 2012 2408 Gicbeald.exe Gejcjbah.exe PID 2408 wrote to memory of 2012 2408 Gicbeald.exe Gejcjbah.exe PID 2408 wrote to memory of 2012 2408 Gicbeald.exe Gejcjbah.exe PID 2012 wrote to memory of 996 2012 Gejcjbah.exe Gobgcg32.exe PID 2012 wrote to memory of 996 2012 Gejcjbah.exe Gobgcg32.exe PID 2012 wrote to memory of 996 2012 Gejcjbah.exe Gobgcg32.exe PID 2012 wrote to memory of 996 2012 Gejcjbah.exe Gobgcg32.exe PID 996 wrote to memory of 1244 996 Gobgcg32.exe Gelppaof.exe PID 996 wrote to memory of 1244 996 Gobgcg32.exe Gelppaof.exe PID 996 wrote to memory of 1244 996 Gobgcg32.exe Gelppaof.exe PID 996 wrote to memory of 1244 996 Gobgcg32.exe Gelppaof.exe PID 1244 wrote to memory of 2676 1244 Gelppaof.exe Glfhll32.exe PID 1244 wrote to memory of 2676 1244 Gelppaof.exe Glfhll32.exe PID 1244 wrote to memory of 2676 1244 Gelppaof.exe Glfhll32.exe PID 1244 wrote to memory of 2676 1244 Gelppaof.exe Glfhll32.exe PID 2676 wrote to memory of 1268 2676 Glfhll32.exe Gacpdbej.exe PID 2676 wrote to memory of 1268 2676 Glfhll32.exe Gacpdbej.exe PID 2676 wrote to memory of 1268 2676 Glfhll32.exe Gacpdbej.exe PID 2676 wrote to memory of 1268 2676 Glfhll32.exe Gacpdbej.exe PID 1268 wrote to memory of 2968 1268 Gacpdbej.exe Ggpimica.exe PID 1268 wrote to memory of 2968 1268 Gacpdbej.exe Ggpimica.exe PID 1268 wrote to memory of 2968 1268 Gacpdbej.exe Ggpimica.exe PID 1268 wrote to memory of 2968 1268 Gacpdbej.exe Ggpimica.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1120 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe34⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe35⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe38⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe39⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe40⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe41⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe42⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe43⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe44⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe45⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe47⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe49⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe50⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe55⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe59⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe61⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe62⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe63⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe66⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe67⤵PID:524
-
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe68⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe69⤵PID:1460
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1328 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe71⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe72⤵PID:2016
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe74⤵PID:1980
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe75⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe76⤵PID:3028
-
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe77⤵
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe78⤵PID:1724
-
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe79⤵PID:2360
-
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe80⤵PID:2272
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe81⤵PID:1976
-
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe82⤵PID:1436
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe85⤵PID:1912
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe86⤵PID:636
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe87⤵PID:3008
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:984 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe89⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe90⤵
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe91⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2276 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe94⤵PID:2656
-
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe95⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe96⤵PID:2668
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe99⤵PID:2024
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe101⤵PID:2400
-
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe103⤵PID:2844
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe104⤵PID:2504
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe105⤵
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe107⤵PID:680
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe109⤵PID:1632
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe110⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe111⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe112⤵PID:2688
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe113⤵PID:2152
-
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe114⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe115⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe116⤵
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe117⤵PID:2872
-
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe118⤵PID:2224
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe119⤵PID:2672
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe120⤵PID:1516
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe121⤵PID:1932
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe122⤵PID:2884
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe123⤵PID:2468
-
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe124⤵PID:2196
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe125⤵
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:328 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe127⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe128⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe129⤵PID:2292
-
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe131⤵
- Drops file in System32 directory
PID:300 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe133⤵PID:1968
-
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe134⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe135⤵PID:2840
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe136⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe138⤵PID:2728
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe139⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe140⤵
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe141⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe142⤵PID:2836
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe143⤵PID:1380
-
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe146⤵PID:2040
-
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe147⤵PID:480
-
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe148⤵PID:532
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe149⤵
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe150⤵PID:828
-
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe152⤵
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe153⤵PID:2716
-
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe156⤵PID:608
-
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe157⤵PID:908
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe159⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe160⤵PID:2548
-
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe163⤵PID:952
-
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe164⤵PID:2604
-
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe165⤵PID:2260
-
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe166⤵PID:2956
-
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe167⤵PID:1744
-
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe168⤵PID:800
-
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe169⤵PID:2832
-
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe170⤵PID:2136
-
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe171⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe172⤵PID:832
-
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe173⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe174⤵PID:940
-
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe175⤵PID:1988
-
C:\Windows\SysWOW64\Dlnbeh32.exeC:\Windows\system32\Dlnbeh32.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe177⤵PID:1712
-
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe178⤵PID:2516
-
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe179⤵PID:1788
-
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe180⤵PID:2100
-
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe181⤵PID:2160
-
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe182⤵PID:2812
-
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe183⤵PID:1664
-
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe184⤵
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe186⤵PID:1936
-
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe187⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe188⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe189⤵PID:2508
-
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe191⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe192⤵
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe194⤵PID:900
-
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe196⤵PID:3096
-
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe197⤵PID:3136
-
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe198⤵
- Drops file in System32 directory
PID:3176 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe199⤵
- Modifies registry class
PID:3216 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe200⤵PID:3256
-
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe201⤵PID:3296
-
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe202⤵
- Modifies registry class
PID:3336 -
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe203⤵PID:3380
-
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe204⤵
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe205⤵
- Modifies registry class
PID:3460 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe206⤵PID:3500
-
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe207⤵PID:3540
-
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe208⤵
- Modifies registry class
PID:3580 -
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe209⤵PID:3620
-
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe210⤵PID:3660
-
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3700 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe212⤵PID:3740
-
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe213⤵
- Drops file in System32 directory
PID:3780 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe214⤵PID:3908
-
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe215⤵
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe217⤵PID:4028
-
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4068 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe219⤵PID:3092
-
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe220⤵
- Modifies registry class
PID:3124 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe221⤵
- Drops file in System32 directory
- Modifies registry class
PID:3164 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe222⤵PID:3224
-
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe223⤵PID:3228
-
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe224⤵
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe225⤵PID:3368
-
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe226⤵
- Drops file in System32 directory
PID:3440 -
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe227⤵
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe228⤵PID:3536
-
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3564 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe230⤵PID:3632
-
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe231⤵PID:3672
-
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe232⤵
- Drops file in System32 directory
PID:3732 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe233⤵
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe234⤵
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3860 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3896 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe238⤵PID:4008
-
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe239⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe240⤵
- Drops file in System32 directory
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe241⤵
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe242⤵
- Drops file in System32 directory
PID:3160