Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 13:21
Behavioral task behavioral1: sample fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe, resource win7-20240221-en
Behavioral task behavioral2: sample fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe, resource win10v2004-20240426-en
Only behavioral1 (the Windows 7 x64 run) is reproduced below; every memory resource in the signatures is named behavioral1/..., and no behavioral2 results appear on this page.
General
Target: fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe
Size: 94KB
MD5: fc05d7f67a375700e42284fdf43e2bb0
SHA1: 4f7e897276285e384782e72b56631dcf6cc82a45
SHA256: 4e63170aa477645fed390e0e02384aabf1d39d576058ea9147b0846e377898f0
SHA512: d08581f587afd4ab0cf8d98dbd94b46323b57073b46d6f1650d7a03e0eba1ce3e58fcd5ec15ef36331527036e1f0c2f510b14a9f0c2599da2b8df4f8aab47098
SSDEEP: 1536:zU3/337J13JahXZlWsDE96Js3X+PIEEUrW+B6Y3AJDGRQDsRfRa9HprmRfRZ:4P7J13+1LJs3uv5eDs5wkpv
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Entries under ShellServiceObjectDelayLoad name a COM CLSID that Explorer.exe instantiates when the shell starts; the DLL that actually gets loaded is whatever that CLSID's InProcServer32 registration points to (those writes are listed under "Modifies registry class" below). The sample is 32-bit, so WOW64 registry redirection lands all of these writes in the Wow6432Node view; when checking a host, read both the native and the Wow6432Node copy of both keys. The rows below are grouped by registry operation (description, ioc, then the processes that performed it).

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
by (33 IoCs): Aajpelhl.exe, Ogblbo32.exe, Emkaol32.exe, Ejobhppq.exe, Cghggc32.exe, Pgbhabjp.exe, Hnojdcfi.exe, Nolhan32.exe, Mlgigdoh.exe, Cfeddafl.exe, Ffkcbgek.exe, Cnkicn32.exe, Jmocpado.exe, Nkiogn32.exe, Egjpkffe.exe, Bebkpn32.exe, Fiaeoang.exe, Ejhlgaeh.exe, Emnndlod.exe, Ldenbcge.exe, Joplbl32.exe, Ifnechbj.exe, Bhahlj32.exe, Hpkjko32.exe, Qmicohqm.exe, Mlelaeqk.exe, Dlkepi32.exe, Dfoqmo32.exe, Chnqkg32.exe, Cclkfdnc.exe, Dkcofe32.exe, Pminkk32.exe, Cnmehnan.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
by (31 IoCs): Ekklaj32.exe, Onmdoioa.exe, Gldkfl32.exe, Gkihhhnm.exe, Ceodnl32.exe, Chpmpg32.exe, Mhbped32.exe, Apimacnn.exe, Gelppaof.exe, Hgbebiao.exe, Eflgccbp.exe, Ncgdbmmp.exe, Eplkpgnh.exe, Ejhlgaeh.exe, Oklkmnbp.exe, Dojald32.exe, Ckjpacfp.exe, Enakbp32.exe, Edkcojga.exe, Iqopea32.exe, Jfcnngnd.exe, Nfpjomgd.exe, Imfqjbli.exe, Kfbkmk32.exe, Gbijhg32.exe, Bhkdeggl.exe, Hobcak32.exe, Npdjje32.exe, Dflkdp32.exe, Mpfkqb32.exe, Onhgbmfb.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

YARA rule family_berbew matched the following resources. Memory dumps are named <pid>-<sequence>-<start>-<end>; the leading number is the pid of the dumped process (compare the pid list under "Executes dropped EXE"), and every matched image region spans 0x00400000-0x00441000, which is consistent with each dropped stage being a copy of the same binary.
behavioral1/memory/2452-2-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Lganiohl.exe
behavioral1/memory/2452-6-0x0000000000390000-0x00000000003D1000-memory.dmp
\Windows\SysWOW64\Ldenbcge.exe
behavioral1/memory/2844-18-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral1/memory/2632-27-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Llqcfe32.exe
behavioral1/memory/2632-40-0x0000000000250000-0x0000000000291000-memory.dmp
behavioral1/memory/2608-41-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Mcjkcplm.exe
behavioral1/memory/2456-54-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Mhgclfje.exe
behavioral1/memory/2456-62-0x0000000000270000-0x00000000002B1000-memory.dmp
behavioral1/memory/2480-73-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Mcmhiojk.exe
behavioral1/memory/2268-81-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Mlelaeqk.exe
behavioral1/memory/2268-93-0x0000000000450000-0x0000000000491000-memory.dmp
behavioral1/memory/1596-95-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Mabejlob.exe
behavioral1/memory/1596-108-0x0000000000260000-0x00000000002A1000-memory.dmp
behavioral1/memory/548-109-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Mlgigdoh.exe
behavioral1/memory/548-121-0x0000000000250000-0x0000000000291000-memory.dmp
behavioral1/memory/2576-123-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Mepnpj32.exe
behavioral1/memory/2020-136-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Mkmfhacp.exe
behavioral1/memory/1592-149-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Mpjoqhah.exe
behavioral1/memory/2036-164-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral1/memory/1592-162-0x00000000003B0000-0x00000000003F1000-memory.dmp
\Windows\SysWOW64\Mgcgmb32.exe
behavioral1/memory/1620-176-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Nnnojlpa.exe
behavioral1/memory/2796-189-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Ngfcca32.exe
behavioral1/memory/2796-202-0x0000000000260000-0x00000000002A1000-memory.dmp
behavioral1/memory/1360-203-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Nnplpl32.exe
behavioral1/memory/684-216-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Nghphaeo.exe
behavioral1/memory/664-230-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Nnbhek32.exe
behavioral1/memory/648-235-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral1/memory/620-245-0x0000000000400000-0x0000000000441000-memory.dmp
behavioral1/memory/648-244-0x0000000001FB0000-0x0000000001FF1000-memory.dmp
C:\Windows\SysWOW64\Ngkmnacm.exe
C:\Windows\SysWOW64\Ncoamb32.exe
behavioral1/memory/704-256-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Nhlifi32.exe
behavioral1/memory/3008-267-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Nfpjomgd.exe
behavioral1/memory/1896-282-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Nhnfkigh.exe
behavioral1/memory/1872-289-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Nkmbgdfl.exe
behavioral1/memory/1452-300-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ohqbqhde.exe
behavioral1/memory/1680-315-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Omloag32.exe
behavioral1/memory/2724-326-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Onmkio32.exe
behavioral1/memory/2232-337-0x0000000000400000-0x0000000000441000-memory.dmp
Executes dropped EXE (64 IoCs)
pid and process, in the order the report lists them:
2844 Lganiohl.exe
2632 Ldenbcge.exe
2608 Llqcfe32.exe
2456 Mcjkcplm.exe
2480 Mhgclfje.exe
2268 Mcmhiojk.exe
1596 Mlelaeqk.exe
548 Mabejlob.exe
2576 Mlgigdoh.exe
2020 Mepnpj32.exe
1592 Mkmfhacp.exe
2036 Mpjoqhah.exe
1620 Mgcgmb32.exe
2796 Nnnojlpa.exe
1360 Ngfcca32.exe
684 Nnplpl32.exe
664 Nghphaeo.exe
648 Nnbhek32.exe
620 Ncoamb32.exe
704 Ngkmnacm.exe
3008 Nhlifi32.exe
1896 Nfpjomgd.exe
1872 Nhnfkigh.exe
1452 Nkmbgdfl.exe
1680 Ohqbqhde.exe
2724 Omloag32.exe
2232 Onmkio32.exe
1548 Ogfpbeim.exe
2740 Oqndkj32.exe
2528 Okchhc32.exe
2296 Okfencna.exe
2824 Ondajnme.exe
2828 Pminkk32.exe
1232 Pphjgfqq.exe
772 Pgobhcac.exe
1664 Pmlkpjpj.exe
1720 Pcfcmd32.exe
1908 Plahag32.exe
1692 Plcdgfbo.exe
2808 Pnbacbac.exe
2708 Pelipl32.exe
864 Pndniaop.exe
324 Pabjem32.exe
2344 Qjknnbed.exe
2328 Qbbfopeg.exe
2772 Qaefjm32.exe
880 Qdccfh32.exe
1288 Qmlgonbe.exe
1064 Qecoqk32.exe
1264 Ahakmf32.exe
1480 Ajphib32.exe
2284 Aajpelhl.exe
1544 Adhlaggp.exe
2660 Aiedjneg.exe
2028 Aalmklfi.exe
2368 Adjigg32.exe
2816 Ajdadamj.exe
1052 Aigaon32.exe
2340 Apajlhka.exe
1748 Admemg32.exe
2016 Aenbdoii.exe
1888 Alhjai32.exe
2044 Apcfahio.exe
2812 Abbbnchb.exe
Loads dropped DLL (64 IoCs)
pid and process; each of the 32 processes below appears twice in the report's list (two loads per process):
2452 fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe
2844 Lganiohl.exe
2632 Ldenbcge.exe
2608 Llqcfe32.exe
2456 Mcjkcplm.exe
2480 Mhgclfje.exe
2268 Mcmhiojk.exe
1596 Mlelaeqk.exe
548 Mabejlob.exe
2576 Mlgigdoh.exe
2020 Mepnpj32.exe
1592 Mkmfhacp.exe
2036 Mpjoqhah.exe
1620 Mgcgmb32.exe
2796 Nnnojlpa.exe
1360 Ngfcca32.exe
684 Nnplpl32.exe
664 Nghphaeo.exe
648 Nnbhek32.exe
620 Ncoamb32.exe
704 Ngkmnacm.exe
3008 Nhlifi32.exe
1896 Nfpjomgd.exe
1872 Nhnfkigh.exe
1452 Nkmbgdfl.exe
1680 Ohqbqhde.exe
2724 Omloag32.exe
2232 Onmkio32.exe
1548 Ogfpbeim.exe
2740 Oqndkj32.exe
2528 Okchhc32.exe
2296 Okfencna.exe
Drops file in System32 directory (64 IoCs)
Operation, dropped path, and the process that performed it. The .exe drops are the next stage of the chain (the original sample writes Lganiohl.exe, which is the first entry under "Executes dropped EXE"); the .dll drops follow the same random naming as the in-process servers registered under "Modifies registry class" below.
File created C:\Windows\SysWOW64\Pgbhabjp.exe  by Pedleg32.exe
File opened for modification C:\Windows\SysWOW64\Ijgdngmf.exe  by Ikddbj32.exe
File opened for modification C:\Windows\SysWOW64\Nkbhgojk.exe  by Nhdlkdkg.exe
File created C:\Windows\SysWOW64\Mmhodf32.exe  by Meagci32.exe
File opened for modification C:\Windows\SysWOW64\Icpigm32.exe  by Imfqjbli.exe
File opened for modification C:\Windows\SysWOW64\Maoajf32.exe  by Mihiih32.exe
File created C:\Windows\SysWOW64\Dgodbh32.exe  by Dqelenlc.exe
File created C:\Windows\SysWOW64\Qedhdjnh.exe  by Qfahhm32.exe
File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe  by Hpkjko32.exe
File created C:\Windows\SysWOW64\Mhbped32.exe  by Mgqcmlgl.exe
File opened for modification C:\Windows\SysWOW64\Cdlgpgef.exe  by Cppkph32.exe
File opened for modification C:\Windows\SysWOW64\Ekholjqg.exe  by Emeopn32.exe
File opened for modification C:\Windows\SysWOW64\Gelppaof.exe  by Gbnccfpb.exe
File created C:\Windows\SysWOW64\Mncnkh32.dll  by Gopkmhjk.exe
File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe  by Gogangdc.exe
File created C:\Windows\SysWOW64\Ndkmpe32.exe  by Namqci32.exe
File created C:\Windows\SysWOW64\Ofhick32.exe  by Ocimgp32.exe
File created C:\Windows\SysWOW64\Pbhmnkjf.exe  by Pnlqnl32.exe
File created C:\Windows\SysWOW64\Qfjnod32.dll  by Chpmpg32.exe
File opened for modification C:\Windows\SysWOW64\Mkmfhacp.exe  by Mepnpj32.exe
File created C:\Windows\SysWOW64\Hnbjle32.dll  by Nhnfkigh.exe
File created C:\Windows\SysWOW64\Dhdcji32.exe  by Dfffnn32.exe
File created C:\Windows\SysWOW64\Egafleqm.exe  by Eojnkg32.exe
File created C:\Windows\SysWOW64\Dejpca32.dll  by Icmlam32.exe
File created C:\Windows\SysWOW64\Gapiomln.dll  by Jgnamk32.exe
File created C:\Windows\SysWOW64\Pcefke32.dll  by Lefdpe32.exe
File opened for modification C:\Windows\SysWOW64\Ndkmpe32.exe  by Namqci32.exe
File created C:\Windows\SysWOW64\Enbfpg32.dll  by Pfoocjfd.exe
File created C:\Windows\SysWOW64\Pmbdhi32.dll  by Bpleef32.exe
File created C:\Windows\SysWOW64\Cfeddafl.exe  by Coklgg32.exe
File created C:\Windows\SysWOW64\Dqjepm32.exe  by Dgaqgh32.exe
File created C:\Windows\SysWOW64\Dojald32.exe  by Dlkepi32.exe
File created C:\Windows\SysWOW64\Dpiddoma.dll  by Cklmgb32.exe
File opened for modification C:\Windows\SysWOW64\Cgcmlcja.exe  by Chpmpg32.exe
File created C:\Windows\SysWOW64\Eqonkmdh.exe  by Emcbkn32.exe
File created C:\Windows\SysWOW64\Fdoclk32.exe  by Fpdhklkl.exe
File opened for modification C:\Windows\SysWOW64\Omfkke32.exe  by Odobjg32.exe
File opened for modification C:\Windows\SysWOW64\Pamiog32.exe  by Pnomcl32.exe
File opened for modification C:\Windows\SysWOW64\Mpjoqhah.exe  by Mkmfhacp.exe
File opened for modification C:\Windows\SysWOW64\Ogfpbeim.exe  by Onmkio32.exe
File opened for modification C:\Windows\SysWOW64\Keoapb32.exe  by Kbqecg32.exe
File created C:\Windows\SysWOW64\Leajdfnm.exe  by Lafndg32.exe
File opened for modification C:\Windows\SysWOW64\Lojomkdn.exe  by Lkncmmle.exe
File opened for modification C:\Windows\SysWOW64\Mgljbm32.exe  by Mpbaebdd.exe
File opened for modification C:\Windows\SysWOW64\Namqci32.exe  by Nondgn32.exe
File created C:\Windows\SysWOW64\Lganiohl.exe  by fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe
File created C:\Windows\SysWOW64\Eqpofkjo.dll  by Ilknfn32.exe
File opened for modification C:\Windows\SysWOW64\Jfekcg32.exe  by Jokcgmee.exe
File opened for modification C:\Windows\SysWOW64\Ldfgebbe.exe  by Lecgje32.exe
File created C:\Windows\SysWOW64\Mggpgmof.exe  by Mhdplq32.exe
File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe  by Dpeekh32.exe
File created C:\Windows\SysWOW64\Poaljn32.dll  by Onmkio32.exe
File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe  by Gkihhhnm.exe
File created C:\Windows\SysWOW64\Inljnfkg.exe  by Iknnbklc.exe
File opened for modification C:\Windows\SysWOW64\Lkppbl32.exe  by Lhbcfa32.exe
File created C:\Windows\SysWOW64\Npfgpe32.exe  by Nacgdhlp.exe
File opened for modification C:\Windows\SysWOW64\Pggbla32.exe  by Pamiog32.exe
File created C:\Windows\SysWOW64\Dlgohm32.dll  by Ebinic32.exe
File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe  by Ffbicfoc.exe
File created C:\Windows\SysWOW64\Ogjbla32.dll  by Egamfkdh.exe
File created C:\Windows\SysWOW64\Eeoliecf.dll  by Jfekcg32.exe
File created C:\Windows\SysWOW64\Mcfidhng.dll  by Doehqead.exe
File created C:\Windows\SysWOW64\Mpjoqhah.exe  by Mkmfhacp.exe
File created C:\Windows\SysWOW64\Bommnc32.exe  by Bhcdaibd.exe
Program crash (1 IoC)
WerFault.exe (pid 5240) handled a crash of Fkckeh32.exe (pid 5216).
Modifies registry class (64 IoCs)
All 64 writes target the InProcServer32 key of the CLSID that the ShellServiceObjectDelayLoad entry above names; the default value is set to a randomly named DLL under C:\Windows\SysWow64\, which is the file Explorer.exe will load for that shell service object. Note the path: SysWow64 is the 32-bit system directory on this x64 image, and a 64-bit explorer.exe can neither read the Wow6432Node view of these keys nor load a 32-bit DLL in-process, so on 64-bit hosts this registration takes effect only for 32-bit shell hosts; on 32-bit Windows the same writes land in the native keys and load at every logon. The rows are grouped by registry operation.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
by (21 IoCs): Ecqqpgli.exe, Mmhodf32.exe, Bpgljfbl.exe, Cdakgibq.exe, Apimacnn.exe, Ffkcbgek.exe, Aehboi32.exe, Bdeeqehb.exe, Bhkdeggl.exe, Mepnpj32.exe, Nghphaeo.exe, Kcdnao32.exe, Mggpgmof.exe, Bommnc32.exe, Oddpfc32.exe, Ceodnl32.exe, Faokjpfd.exe, Fidoim32.exe, Qmfgjh32.exe, Ckjpacfp.exe, Dpbheh32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
by (22 IoCs): Cfgaiaci.exe, Ebmgcohn.exe, Nacgdhlp.exe, Ecqqpgli.exe, Ngfcca32.exe, Abbbnchb.exe, Bhhnli32.exe, Pgobhcac.exe, Npfgpe32.exe, Alnqqd32.exe, Bemgilhh.exe, Dnilobkm.exe, Cfeddafl.exe, Eloemi32.exe, Onhgbmfb.exe, Eojnkg32.exe, Fjilieka.exe, Chnqkg32.exe, Dhpiojfb.exe, Loeebl32.exe, Mhdplq32.exe, Ocimgp32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (default value), one DLL per process (21 IoCs):
= "C:\\Windows\\SysWow64\\Egdnbg32.dll"  by Eflgccbp.exe
= "C:\\Windows\\SysWow64\\Ahcocb32.dll"  by Glfhll32.exe
= "C:\\Windows\\SysWow64\\Enlbgc32.dll"  by Hejoiedd.exe
= "C:\\Windows\\SysWow64\\Niaokh32.dll"  by Ijgdngmf.exe
= "C:\\Windows\\SysWow64\\Cqljpedj.dll"  by Kkgmgmfd.exe
= "C:\\Windows\\SysWow64\\Pkjapnke.dll"  by Dgmglh32.exe
= "C:\\Windows\\SysWow64\\Qbgpffch.dll"  by Cdlgpgef.exe
= "C:\\Windows\\SysWow64\\Jooclokl.dll"  by Kmmcjehm.exe
= "C:\\Windows\\SysWow64\\Hdjlnm32.dll"  by Cdgneh32.exe
= "C:\\Windows\\SysWow64\\Dmljjm32.dll"  by Coklgg32.exe
= "C:\\Windows\\SysWow64\\Amfidj32.dll"  by Ecqqpgli.exe
= "C:\\Windows\\SysWow64\\Omabcb32.dll"  by Hgbebiao.exe
= "C:\\Windows\\SysWow64\\Kndcpj32.dll"  by Pgbhabjp.exe
= "C:\\Windows\\SysWow64\\Bllbijej.dll"  by Qedhdjnh.exe
= "C:\\Windows\\SysWow64\\Jolfcj32.dll"  by Apajlhka.exe
= "C:\\Windows\\SysWow64\\Qiejdkkn.dll"  by Obafnlpn.exe
= "C:\\Windows\\SysWow64\\Bmamfo32.dll"  by Mhdplq32.exe
= "C:\\Windows\\SysWow64\\Ldhnfd32.dll"  by Qfokbnip.exe
= "C:\\Windows\\SysWow64\\Limilm32.dll"  by Kgbggnhc.exe
= "C:\\Windows\\SysWow64\\Oegjkb32.dll"  by Bhndldcn.exe
= "C:\\Windows\\SysWow64\\Bfjpdigc.dll"  by Omdneebf.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe" | PID: 2452
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lganiohl.exe | cmd: C:\Windows\system32\Lganiohl.exe | PID: 2844
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ldenbcge.exe | cmd: C:\Windows\system32\Ldenbcge.exe | PID: 2632
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Llqcfe32.exe | cmd: C:\Windows\system32\Llqcfe32.exe | PID: 2608
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mcjkcplm.exe | cmd: C:\Windows\system32\Mcjkcplm.exe | PID: 2456
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Mhgclfje.exe | cmd: C:\Windows\system32\Mhgclfje.exe | PID: 2480
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mcmhiojk.exe | cmd: C:\Windows\system32\Mcmhiojk.exe | PID: 2268
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mlelaeqk.exe | cmd: C:\Windows\system32\Mlelaeqk.exe | PID: 1596
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mabejlob.exe | cmd: C:\Windows\system32\Mabejlob.exe | PID: 548
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mlgigdoh.exe | cmd: C:\Windows\system32\Mlgigdoh.exe | PID: 2576
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mepnpj32.exe | cmd: C:\Windows\system32\Mepnpj32.exe | PID: 2020
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Mkmfhacp.exe | cmd: C:\Windows\system32\Mkmfhacp.exe | PID: 1592
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mpjoqhah.exe | cmd: C:\Windows\system32\Mpjoqhah.exe | PID: 2036
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mgcgmb32.exe | cmd: C:\Windows\system32\Mgcgmb32.exe | PID: 1620
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Nnnojlpa.exe | cmd: C:\Windows\system32\Nnnojlpa.exe | PID: 2796
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ngfcca32.exe | cmd: C:\Windows\system32\Ngfcca32.exe | PID: 1360
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Nnplpl32.exe | cmd: C:\Windows\system32\Nnplpl32.exe | PID: 684
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Nghphaeo.exe | cmd: C:\Windows\system32\Nghphaeo.exe | PID: 664
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
19. C:\Windows\SysWOW64\Nnbhek32.exe | cmd: C:\Windows\system32\Nnbhek32.exe | PID: 648
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Ncoamb32.exe | cmd: C:\Windows\system32\Ncoamb32.exe | PID: 620
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Ngkmnacm.exe | cmd: C:\Windows\system32\Ngkmnacm.exe | PID: 704
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Nhlifi32.exe | cmd: C:\Windows\system32\Nhlifi32.exe | PID: 3008
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Nfpjomgd.exe | cmd: C:\Windows\system32\Nfpjomgd.exe | PID: 1896
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Nhnfkigh.exe | cmd: C:\Windows\system32\Nhnfkigh.exe | PID: 1872
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
25. C:\Windows\SysWOW64\Nkmbgdfl.exe | cmd: C:\Windows\system32\Nkmbgdfl.exe | PID: 1452
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Ohqbqhde.exe | cmd: C:\Windows\system32\Ohqbqhde.exe | PID: 1680
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Omloag32.exe | cmd: C:\Windows\system32\Omloag32.exe | PID: 2724
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Onmkio32.exe | cmd: C:\Windows\system32\Onmkio32.exe | PID: 2232
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
29. C:\Windows\SysWOW64\Ogfpbeim.exe | cmd: C:\Windows\system32\Ogfpbeim.exe | PID: 1548
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Oqndkj32.exe | cmd: C:\Windows\system32\Oqndkj32.exe | PID: 2740
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Okchhc32.exe | cmd: C:\Windows\system32\Okchhc32.exe | PID: 2528
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Okfencna.exe | cmd: C:\Windows\system32\Okfencna.exe | PID: 2296
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Ondajnme.exe | cmd: C:\Windows\system32\Ondajnme.exe | PID: 2824
- Executes dropped EXE
34. C:\Windows\SysWOW64\Pminkk32.exe | cmd: C:\Windows\system32\Pminkk32.exe | PID: 2828
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
35. C:\Windows\SysWOW64\Pphjgfqq.exe | cmd: C:\Windows\system32\Pphjgfqq.exe | PID: 1232
- Executes dropped EXE
36. C:\Windows\SysWOW64\Pgobhcac.exe | cmd: C:\Windows\system32\Pgobhcac.exe | PID: 772
- Executes dropped EXE
- Modifies registry class
37. C:\Windows\SysWOW64\Pmlkpjpj.exe | cmd: C:\Windows\system32\Pmlkpjpj.exe | PID: 1664
- Executes dropped EXE
38. C:\Windows\SysWOW64\Pcfcmd32.exe | cmd: C:\Windows\system32\Pcfcmd32.exe | PID: 1720
- Executes dropped EXE
39. C:\Windows\SysWOW64\Plahag32.exe | cmd: C:\Windows\system32\Plahag32.exe | PID: 1908
- Executes dropped EXE
40. C:\Windows\SysWOW64\Plcdgfbo.exe | cmd: C:\Windows\system32\Plcdgfbo.exe | PID: 1692
- Executes dropped EXE
41. C:\Windows\SysWOW64\Pnbacbac.exe | cmd: C:\Windows\system32\Pnbacbac.exe | PID: 2808
- Executes dropped EXE
42. C:\Windows\SysWOW64\Pelipl32.exe | cmd: C:\Windows\system32\Pelipl32.exe | PID: 2708
- Executes dropped EXE
43. C:\Windows\SysWOW64\Pndniaop.exe | cmd: C:\Windows\system32\Pndniaop.exe | PID: 864
- Executes dropped EXE
44. C:\Windows\SysWOW64\Pabjem32.exe | cmd: C:\Windows\system32\Pabjem32.exe | PID: 324
- Executes dropped EXE
45. C:\Windows\SysWOW64\Qjknnbed.exe | cmd: C:\Windows\system32\Qjknnbed.exe | PID: 2344
- Executes dropped EXE
46. C:\Windows\SysWOW64\Qbbfopeg.exe | cmd: C:\Windows\system32\Qbbfopeg.exe | PID: 2328
- Executes dropped EXE
47. C:\Windows\SysWOW64\Qaefjm32.exe | cmd: C:\Windows\system32\Qaefjm32.exe | PID: 2772
- Executes dropped EXE
48. C:\Windows\SysWOW64\Qdccfh32.exe | cmd: C:\Windows\system32\Qdccfh32.exe | PID: 880
- Executes dropped EXE
49. C:\Windows\SysWOW64\Qmlgonbe.exe | cmd: C:\Windows\system32\Qmlgonbe.exe | PID: 1288
- Executes dropped EXE
50. C:\Windows\SysWOW64\Qecoqk32.exe | cmd: C:\Windows\system32\Qecoqk32.exe | PID: 1064
- Executes dropped EXE
51. C:\Windows\SysWOW64\Ahakmf32.exe | cmd: C:\Windows\system32\Ahakmf32.exe | PID: 1264
- Executes dropped EXE
52. C:\Windows\SysWOW64\Ajphib32.exe | cmd: C:\Windows\system32\Ajphib32.exe | PID: 1480
- Executes dropped EXE
53. C:\Windows\SysWOW64\Aajpelhl.exe | cmd: C:\Windows\system32\Aajpelhl.exe | PID: 2284
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
54. C:\Windows\SysWOW64\Adhlaggp.exe | cmd: C:\Windows\system32\Adhlaggp.exe | PID: 1544
- Executes dropped EXE
55. C:\Windows\SysWOW64\Aiedjneg.exe | cmd: C:\Windows\system32\Aiedjneg.exe | PID: 2660
- Executes dropped EXE
56. C:\Windows\SysWOW64\Aalmklfi.exe | cmd: C:\Windows\system32\Aalmklfi.exe | PID: 2028
- Executes dropped EXE
57. C:\Windows\SysWOW64\Adjigg32.exe | cmd: C:\Windows\system32\Adjigg32.exe | PID: 2368
- Executes dropped EXE
58. C:\Windows\SysWOW64\Ajdadamj.exe | cmd: C:\Windows\system32\Ajdadamj.exe | PID: 2816
- Executes dropped EXE
59. C:\Windows\SysWOW64\Aigaon32.exe | cmd: C:\Windows\system32\Aigaon32.exe | PID: 1052
- Executes dropped EXE
60. C:\Windows\SysWOW64\Apajlhka.exe | cmd: C:\Windows\system32\Apajlhka.exe | PID: 2340
- Executes dropped EXE
- Modifies registry class
61. C:\Windows\SysWOW64\Admemg32.exe | cmd: C:\Windows\system32\Admemg32.exe | PID: 1748
- Executes dropped EXE
62. C:\Windows\SysWOW64\Aenbdoii.exe | cmd: C:\Windows\system32\Aenbdoii.exe | PID: 2016
- Executes dropped EXE
63. C:\Windows\SysWOW64\Alhjai32.exe | cmd: C:\Windows\system32\Alhjai32.exe | PID: 1888
- Executes dropped EXE
64. C:\Windows\SysWOW64\Apcfahio.exe | cmd: C:\Windows\system32\Apcfahio.exe | PID: 2044
- Executes dropped EXE
65. C:\Windows\SysWOW64\Abbbnchb.exe | cmd: C:\Windows\system32\Abbbnchb.exe | PID: 2812
- Executes dropped EXE
- Modifies registry class
66. C:\Windows\SysWOW64\Aepojo32.exe | cmd: C:\Windows\system32\Aepojo32.exe | PID: 1920
67. C:\Windows\SysWOW64\Ailkjmpo.exe | cmd: C:\Windows\system32\Ailkjmpo.exe | PID: 604
68. C:\Windows\SysWOW64\Bbdocc32.exe | cmd: C:\Windows\system32\Bbdocc32.exe | PID: 2756
69. C:\Windows\SysWOW64\Bebkpn32.exe | cmd: C:\Windows\system32\Bebkpn32.exe | PID: 2108
- Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Bhahlj32.exe | cmd: C:\Windows\system32\Bhahlj32.exe | PID: 1248
- Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Bkodhe32.exe | cmd: C:\Windows\system32\Bkodhe32.exe | PID: 1476
72. C:\Windows\SysWOW64\Bbflib32.exe | cmd: C:\Windows\system32\Bbflib32.exe | PID: 2984
73. C:\Windows\SysWOW64\Baildokg.exe | cmd: C:\Windows\system32\Baildokg.exe | PID: 2768
74. C:\Windows\SysWOW64\Bhcdaibd.exe | cmd: C:\Windows\system32\Bhcdaibd.exe | PID: 1960
- Drops file in System32 directory
75. C:\Windows\SysWOW64\Bommnc32.exe | cmd: C:\Windows\system32\Bommnc32.exe | PID: 3052
- Modifies registry class
76. C:\Windows\SysWOW64\Balijo32.exe | cmd: C:\Windows\system32\Balijo32.exe | PID: 2912
77. C:\Windows\SysWOW64\Bhfagipa.exe | cmd: C:\Windows\system32\Bhfagipa.exe | PID: 2396
78. C:\Windows\SysWOW64\Bkdmcdoe.exe | cmd: C:\Windows\system32\Bkdmcdoe.exe | PID: 2308
79. C:\Windows\SysWOW64\Banepo32.exe | cmd: C:\Windows\system32\Banepo32.exe | PID: 1220
80. C:\Windows\SysWOW64\Bhhnli32.exe | cmd: C:\Windows\system32\Bhhnli32.exe | PID: 1584
- Modifies registry class
81. C:\Windows\SysWOW64\Bjijdadm.exe | cmd: C:\Windows\system32\Bjijdadm.exe | PID: 1928
82. C:\Windows\SysWOW64\Baqbenep.exe | cmd: C:\Windows\system32\Baqbenep.exe | PID: 2716
83. C:\Windows\SysWOW64\Bdooajdc.exe | cmd: C:\Windows\system32\Bdooajdc.exe | PID: 536
84. C:\Windows\SysWOW64\Cgmkmecg.exe | cmd: C:\Windows\system32\Cgmkmecg.exe | PID: 2580
85. C:\Windows\SysWOW64\Cngcjo32.exe | cmd: C:\Windows\system32\Cngcjo32.exe | PID: 2884
86. C:\Windows\SysWOW64\Cdakgibq.exe | cmd: C:\Windows\system32\Cdakgibq.exe | PID: 1200
- Modifies registry class
87. C:\Windows\SysWOW64\Cfbhnaho.exe | cmd: C:\Windows\system32\Cfbhnaho.exe | PID: 2888
88. C:\Windows\SysWOW64\Cnippoha.exe | cmd: C:\Windows\system32\Cnippoha.exe | PID: 900
89. C:\Windows\SysWOW64\Coklgg32.exe | cmd: C:\Windows\system32\Coklgg32.exe | PID: 2616
- Drops file in System32 directory
- Modifies registry class
90. C:\Windows\SysWOW64\Cfeddafl.exe | cmd: C:\Windows\system32\Cfeddafl.exe | PID: 2652
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
91. C:\Windows\SysWOW64\Clomqk32.exe | cmd: C:\Windows\system32\Clomqk32.exe | PID: 2736
92. C:\Windows\SysWOW64\Comimg32.exe | cmd: C:\Windows\system32\Comimg32.exe | PID: 2432
93. C:\Windows\SysWOW64\Cfgaiaci.exe | cmd: C:\Windows\system32\Cfgaiaci.exe | PID: 3044
- Modifies registry class
94. C:\Windows\SysWOW64\Chemfl32.exe | cmd: C:\Windows\system32\Chemfl32.exe | PID: 1844
95. C:\Windows\SysWOW64\Cckace32.exe | cmd: C:\Windows\system32\Cckace32.exe | PID: 2080
96. C:\Windows\SysWOW64\Cfinoq32.exe | cmd: C:\Windows\system32\Cfinoq32.exe | PID: 1688
97. C:\Windows\SysWOW64\Clcflkic.exe | cmd: C:\Windows\system32\Clcflkic.exe | PID: 1696
98. C:\Windows\SysWOW64\Cobbhfhg.exe | cmd: C:\Windows\system32\Cobbhfhg.exe | PID: 3056
99. C:\Windows\SysWOW64\Dflkdp32.exe | cmd: C:\Windows\system32\Dflkdp32.exe | PID: 576
- Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Dgmglh32.exe | cmd: C:\Windows\system32\Dgmglh32.exe | PID: 796
- Modifies registry class
101. C:\Windows\SysWOW64\Dbbkja32.exe | cmd: C:\Windows\system32\Dbbkja32.exe | PID: 1792
102. C:\Windows\SysWOW64\Dqelenlc.exe | cmd: C:\Windows\system32\Dqelenlc.exe | PID: 108
- Drops file in System32 directory
103. C:\Windows\SysWOW64\Dgodbh32.exe | cmd: C:\Windows\system32\Dgodbh32.exe | PID: 912
104. C:\Windows\SysWOW64\Dnilobkm.exe | cmd: C:\Windows\system32\Dnilobkm.exe | PID: 2620
- Modifies registry class
105. C:\Windows\SysWOW64\Ddcdkl32.exe | cmd: C:\Windows\system32\Ddcdkl32.exe | PID: 2476
106. C:\Windows\SysWOW64\Dgaqgh32.exe | cmd: C:\Windows\system32\Dgaqgh32.exe | PID: 2604
- Drops file in System32 directory
107. C:\Windows\SysWOW64\Dqjepm32.exe | cmd: C:\Windows\system32\Dqjepm32.exe | PID: 2408
108. C:\Windows\SysWOW64\Ddeaalpg.exe | cmd: C:\Windows\system32\Ddeaalpg.exe | PID: 1556
109. C:\Windows\SysWOW64\Dfgmhd32.exe | cmd: C:\Windows\system32\Dfgmhd32.exe | PID: 768
110. C:\Windows\SysWOW64\Dnneja32.exe | cmd: C:\Windows\system32\Dnneja32.exe | PID: 1932
111. C:\Windows\SysWOW64\Doobajme.exe | cmd: C:\Windows\system32\Doobajme.exe | PID: 1744
112. C:\Windows\SysWOW64\Dgfjbgmh.exe | cmd: C:\Windows\system32\Dgfjbgmh.exe | PID: 588
113. C:\Windows\SysWOW64\Emcbkn32.exe | cmd: C:\Windows\system32\Emcbkn32.exe | PID: 3048
- Drops file in System32 directory
114. C:\Windows\SysWOW64\Eqonkmdh.exe | cmd: C:\Windows\system32\Eqonkmdh.exe | PID: 1416
115. C:\Windows\SysWOW64\Ebpkce32.exe | cmd: C:\Windows\system32\Ebpkce32.exe | PID: 1136
116. C:\Windows\SysWOW64\Eflgccbp.exe | cmd: C:\Windows\system32\Eflgccbp.exe | PID: 1612
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
117. C:\Windows\SysWOW64\Emeopn32.exe | cmd: C:\Windows\system32\Emeopn32.exe | PID: 2120
- Drops file in System32 directory
118. C:\Windows\SysWOW64\Ekholjqg.exe | cmd: C:\Windows\system32\Ekholjqg.exe | PID: 568
119. C:\Windows\SysWOW64\Ecpgmhai.exe | cmd: C:\Windows\system32\Ecpgmhai.exe | PID: 2612
120. C:\Windows\SysWOW64\Efncicpm.exe | cmd: C:\Windows\system32\Efncicpm.exe | PID: 2500
121. C:\Windows\SysWOW64\Eilpeooq.exe | cmd: C:\Windows\system32\Eilpeooq.exe | PID: 2360
122. C:\Windows\SysWOW64\Ekklaj32.exe | cmd: C:\Windows\system32\Ekklaj32.exe | PID: 320
- Adds autorun key to be loaded by Explorer.exe on startup
123. C:\Windows\SysWOW64\Ebedndfa.exe | cmd: C:\Windows\system32\Ebedndfa.exe | PID: 1756
124. C:\Windows\SysWOW64\Efppoc32.exe | cmd: C:\Windows\system32\Efppoc32.exe | PID: 2684
125. C:\Windows\SysWOW64\Egamfkdh.exe | cmd: C:\Windows\system32\Egamfkdh.exe | PID: 284
- Drops file in System32 directory
126. C:\Windows\SysWOW64\Elmigj32.exe | cmd: C:\Windows\system32\Elmigj32.exe | PID: 2060
127. C:\Windows\SysWOW64\Eajaoq32.exe | cmd: C:\Windows\system32\Eajaoq32.exe | PID: 360
128. C:\Windows\SysWOW64\Eloemi32.exe | cmd: C:\Windows\system32\Eloemi32.exe | PID: 2264
- Modifies registry class
129. C:\Windows\SysWOW64\Ebinic32.exe | cmd: C:\Windows\system32\Ebinic32.exe | PID: 1672
- Drops file in System32 directory
130. C:\Windows\SysWOW64\Fehjeo32.exe | cmd: C:\Windows\system32\Fehjeo32.exe | PID: 2664
131. C:\Windows\SysWOW64\Flabbihl.exe | cmd: C:\Windows\system32\Flabbihl.exe | PID: 328
132. C:\Windows\SysWOW64\Fnpnndgp.exe | cmd: C:\Windows\system32\Fnpnndgp.exe | PID: 1800
133. C:\Windows\SysWOW64\Faokjpfd.exe | cmd: C:\Windows\system32\Faokjpfd.exe | PID: 808
- Modifies registry class
134. C:\Windows\SysWOW64\Fejgko32.exe | cmd: C:\Windows\system32\Fejgko32.exe | PID: 592
135. C:\Windows\SysWOW64\Ffkcbgek.exe | cmd: C:\Windows\system32\Ffkcbgek.exe | PID: 572
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
136. C:\Windows\SysWOW64\Fpdhklkl.exe | cmd: C:\Windows\system32\Fpdhklkl.exe | PID: 1292
- Drops file in System32 directory
137. C:\Windows\SysWOW64\Fdoclk32.exe | cmd: C:\Windows\system32\Fdoclk32.exe | PID: 904
138. C:\Windows\SysWOW64\Fjilieka.exe | cmd: C:\Windows\system32\Fjilieka.exe | PID: 688
- Modifies registry class
139. C:\Windows\SysWOW64\Filldb32.exe | cmd: C:\Windows\system32\Filldb32.exe | PID: 2184
140. C:\Windows\SysWOW64\Facdeo32.exe | cmd: C:\Windows\system32\Facdeo32.exe | PID: 2644
141. C:\Windows\SysWOW64\Fpfdalii.exe | cmd: C:\Windows\system32\Fpfdalii.exe | PID: 2656
142. C:\Windows\SysWOW64\Ffpmnf32.exe | cmd: C:\Windows\system32\Ffpmnf32.exe | PID: 2832
143. C:\Windows\SysWOW64\Fioija32.exe | cmd: C:\Windows\system32\Fioija32.exe | PID: 2440
144. C:\Windows\SysWOW64\Flmefm32.exe | cmd: C:\Windows\system32\Flmefm32.exe | PID: 1608
145. C:\Windows\SysWOW64\Fddmgjpo.exe | cmd: C:\Windows\system32\Fddmgjpo.exe | PID: 1964
146. C:\Windows\SysWOW64\Ffbicfoc.exe | cmd: C:\Windows\system32\Ffbicfoc.exe | PID: 1992
- Drops file in System32 directory
147. C:\Windows\SysWOW64\Fiaeoang.exe | cmd: C:\Windows\system32\Fiaeoang.exe | PID: 2332
- Adds autorun key to be loaded by Explorer.exe on startup
148. C:\Windows\SysWOW64\Gpknlk32.exe | cmd: C:\Windows\system32\Gpknlk32.exe | PID: 2568
149. C:\Windows\SysWOW64\Gbijhg32.exe | cmd: C:\Windows\system32\Gbijhg32.exe | PID: 2116
- Adds autorun key to be loaded by Explorer.exe on startup
150. C:\Windows\SysWOW64\Gicbeald.exe | cmd: C:\Windows\system32\Gicbeald.exe | PID: 2180
151. C:\Windows\SysWOW64\Glaoalkh.exe | cmd: C:\Windows\system32\Glaoalkh.exe | PID: 2472
152. C:\Windows\SysWOW64\Gopkmhjk.exe | cmd: C:\Windows\system32\Gopkmhjk.exe | PID: 1468
- Drops file in System32 directory
153. C:\Windows\SysWOW64\Gangic32.exe | cmd: C:\Windows\system32\Gangic32.exe | PID: 2376
154. C:\Windows\SysWOW64\Ghhofmql.exe | cmd: C:\Windows\system32\Ghhofmql.exe | PID: 2096
155. C:\Windows\SysWOW64\Gldkfl32.exe | cmd: C:\Windows\system32\Gldkfl32.exe | PID: 820
- Adds autorun key to be loaded by Explorer.exe on startup
156. C:\Windows\SysWOW64\Gbnccfpb.exe | cmd: C:\Windows\system32\Gbnccfpb.exe | PID: 1616
- Drops file in System32 directory
157. C:\Windows\SysWOW64\Gelppaof.exe | cmd: C:\Windows\system32\Gelppaof.exe | PID: 1628
- Adds autorun key to be loaded by Explorer.exe on startup
158. C:\Windows\SysWOW64\Glfhll32.exe | cmd: C:\Windows\system32\Glfhll32.exe | PID: 3024
- Modifies registry class
159. C:\Windows\SysWOW64\Gkihhhnm.exe | cmd: C:\Windows\system32\Gkihhhnm.exe | PID: 2776
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
160. C:\Windows\SysWOW64\Gmgdddmq.exe | cmd: C:\Windows\system32\Gmgdddmq.exe | PID: 1536
161. C:\Windows\SysWOW64\Gdamqndn.exe | cmd: C:\Windows\system32\Gdamqndn.exe | PID: 940
162. C:\Windows\SysWOW64\Ggpimica.exe | cmd: C:\Windows\system32\Ggpimica.exe | PID: 2088
163. C:\Windows\SysWOW64\Gogangdc.exe | cmd: C:\Windows\system32\Gogangdc.exe | PID: 480
- Drops file in System32 directory
164. C:\Windows\SysWOW64\Gaemjbcg.exe | cmd: C:\Windows\system32\Gaemjbcg.exe | PID: 1420
165. C:\Windows\SysWOW64\Gddifnbk.exe | cmd: C:\Windows\system32\Gddifnbk.exe | PID: 2900
166. C:\Windows\SysWOW64\Hgbebiao.exe | cmd: C:\Windows\system32\Hgbebiao.exe | PID: 1512
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
167. C:\Windows\SysWOW64\Hiqbndpb.exe | cmd: C:\Windows\system32\Hiqbndpb.exe | PID: 2636
168. C:\Windows\SysWOW64\Hpkjko32.exe | cmd: C:\Windows\system32\Hpkjko32.exe | PID: 1980
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
169. C:\Windows\SysWOW64\Hdfflm32.exe | cmd: C:\Windows\system32\Hdfflm32.exe | PID: 1472
170. C:\Windows\SysWOW64\Hkpnhgge.exe | cmd: C:\Windows\system32\Hkpnhgge.exe | PID: 1116
171. C:\Windows\SysWOW64\Hnojdcfi.exe | cmd: C:\Windows\system32\Hnojdcfi.exe | PID: 2104
- Adds autorun key to be loaded by Explorer.exe on startup
172. C:\Windows\SysWOW64\Hpmgqnfl.exe | cmd: C:\Windows\system32\Hpmgqnfl.exe | PID: 3064
173. C:\Windows\SysWOW64\Hckcmjep.exe | cmd: C:\Windows\system32\Hckcmjep.exe | PID: 1956
174. C:\Windows\SysWOW64\Hejoiedd.exe | cmd: C:\Windows\system32\Hejoiedd.exe | PID: 300
- Modifies registry class
175. C:\Windows\SysWOW64\Hnagjbdf.exe | cmd: C:\Windows\system32\Hnagjbdf.exe | PID: 720
176. C:\Windows\SysWOW64\Hobcak32.exe | cmd: C:\Windows\system32\Hobcak32.exe | PID: 1308
- Adds autorun key to be loaded by Explorer.exe on startup
177. C:\Windows\SysWOW64\Hgilchkf.exe | cmd: C:\Windows\system32\Hgilchkf.exe | PID: 2272
178. C:\Windows\SysWOW64\Hhjhkq32.exe | cmd: C:\Windows\system32\Hhjhkq32.exe | PID: 2196
179. C:\Windows\SysWOW64\Hpapln32.exe | cmd: C:\Windows\system32\Hpapln32.exe | PID: 2972
180. C:\Windows\SysWOW64\Hcplhi32.exe | cmd: C:\Windows\system32\Hcplhi32.exe | PID: 2532
181. C:\Windows\SysWOW64\Hacmcfge.exe | cmd: C:\Windows\system32\Hacmcfge.exe | PID: 876
182. C:\Windows\SysWOW64\Hjjddchg.exe | cmd: C:\Windows\system32\Hjjddchg.exe | PID: 1320
183. C:\Windows\SysWOW64\Hkkalk32.exe | cmd: C:\Windows\system32\Hkkalk32.exe | PID: 2628
184. C:\Windows\SysWOW64\Icbimi32.exe | cmd: C:\Windows\system32\Icbimi32.exe | PID: 1520
185. C:\Windows\SysWOW64\Ieqeidnl.exe | cmd: C:\Windows\system32\Ieqeidnl.exe | PID: 2248
186. C:\Windows\SysWOW64\Idceea32.exe | cmd: C:\Windows\system32\Idceea32.exe | PID: 1648
187. C:\Windows\SysWOW64\Ilknfn32.exe | cmd: C:\Windows\system32\Ilknfn32.exe | PID: 1984
- Drops file in System32 directory
188. C:\Windows\SysWOW64\Iknnbklc.exe | cmd: C:\Windows\system32\Iknnbklc.exe | PID: 1676
- Drops file in System32 directory
189. C:\Windows\SysWOW64\Inljnfkg.exe | cmd: C:\Windows\system32\Inljnfkg.exe | PID: 1848
190. C:\Windows\SysWOW64\Ifcbodli.exe | cmd: C:\Windows\system32\Ifcbodli.exe | PID: 892
191. C:\Windows\SysWOW64\Idfbkq32.exe | cmd: C:\Windows\system32\Idfbkq32.exe | PID: 2336
192. C:\Windows\SysWOW64\Ikpjgkjq.exe | cmd: C:\Windows\system32\Ikpjgkjq.exe | PID: 1604
193. C:\Windows\SysWOW64\Inngcfid.exe | cmd: C:\Windows\system32\Inngcfid.exe | PID: 3080
194. C:\Windows\SysWOW64\Iajcde32.exe | cmd: C:\Windows\system32\Iajcde32.exe | PID: 3120
195. C:\Windows\SysWOW64\Idhopq32.exe | cmd: C:\Windows\system32\Idhopq32.exe | PID: 3160
196. C:\Windows\SysWOW64\Ihdkao32.exe | cmd: C:\Windows\system32\Ihdkao32.exe | PID: 3200
197. C:\Windows\SysWOW64\Ikbgmj32.exe | cmd: C:\Windows\system32\Ikbgmj32.exe | PID: 3240
198. C:\Windows\SysWOW64\Inqcif32.exe | cmd: C:\Windows\system32\Inqcif32.exe | PID: 3280
199. C:\Windows\SysWOW64\Iqopea32.exe | cmd: C:\Windows\system32\Iqopea32.exe | PID: 3320
- Adds autorun key to be loaded by Explorer.exe on startup
200. C:\Windows\SysWOW64\Idklfpon.exe | cmd: C:\Windows\system32\Idklfpon.exe | PID: 3360
201. C:\Windows\SysWOW64\Icmlam32.exe | cmd: C:\Windows\system32\Icmlam32.exe | PID: 3400
- Drops file in System32 directory
202. C:\Windows\SysWOW64\Ikddbj32.exe | cmd: C:\Windows\system32\Ikddbj32.exe | PID: 3440
- Drops file in System32 directory
203. C:\Windows\SysWOW64\Ijgdngmf.exe | cmd: C:\Windows\system32\Ijgdngmf.exe | PID: 3480
- Modifies registry class
204. C:\Windows\SysWOW64\Incpoe32.exe | cmd: C:\Windows\system32\Incpoe32.exe | PID: 3520
205. C:\Windows\SysWOW64\Imfqjbli.exe | cmd: C:\Windows\system32\Imfqjbli.exe | PID: 3564
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
206. C:\Windows\SysWOW64\Icpigm32.exe | cmd: C:\Windows\system32\Icpigm32.exe | PID: 3604
207. C:\Windows\SysWOW64\Ifnechbj.exe | cmd: C:\Windows\system32\Ifnechbj.exe | PID: 3644
- Adds autorun key to be loaded by Explorer.exe on startup
208. C:\Windows\SysWOW64\Jjjacf32.exe | cmd: C:\Windows\system32\Jjjacf32.exe | PID: 3684
209. C:\Windows\SysWOW64\Jmhmpb32.exe | cmd: C:\Windows\system32\Jmhmpb32.exe | PID: 3732
210. C:\Windows\SysWOW64\Jofiln32.exe | cmd: C:\Windows\system32\Jofiln32.exe | PID: 3772
211. C:\Windows\SysWOW64\Jgnamk32.exe | cmd: C:\Windows\system32\Jgnamk32.exe | PID: 3812
- Drops file in System32 directory
212. C:\Windows\SysWOW64\Jjlnif32.exe | cmd: C:\Windows\system32\Jjlnif32.exe | PID: 3852
213. C:\Windows\SysWOW64\Jmjjea32.exe | cmd: C:\Windows\system32\Jmjjea32.exe | PID: 3892
214. C:\Windows\SysWOW64\Jqfffqpm.exe | cmd: C:\Windows\system32\Jqfffqpm.exe | PID: 3932
215. C:\Windows\SysWOW64\Jcdbbloa.exe | cmd: C:\Windows\system32\Jcdbbloa.exe | PID: 3972
216. C:\Windows\SysWOW64\Jfcnngnd.exe | cmd: C:\Windows\system32\Jfcnngnd.exe | PID: 4012
- Adds autorun key to be loaded by Explorer.exe on startup
217. C:\Windows\SysWOW64\Jiakjb32.exe | cmd: C:\Windows\system32\Jiakjb32.exe | PID: 4052
218. C:\Windows\SysWOW64\Jkpgfn32.exe | cmd: C:\Windows\system32\Jkpgfn32.exe | PID: 4092
219. C:\Windows\SysWOW64\Jokcgmee.exe | cmd: C:\Windows\system32\Jokcgmee.exe | PID: 3108
- Drops file in System32 directory
220. C:\Windows\SysWOW64\Jfekcg32.exe | cmd: C:\Windows\system32\Jfekcg32.exe | PID: 3148
- Drops file in System32 directory
221. C:\Windows\SysWOW64\Jehkodcm.exe | cmd: C:\Windows\system32\Jehkodcm.exe | PID: 3220
222. C:\Windows\SysWOW64\Jmocpado.exe | cmd: C:\Windows\system32\Jmocpado.exe | PID: 3212
- Adds autorun key to be loaded by Explorer.exe on startup
223. C:\Windows\SysWOW64\Jonplmcb.exe | cmd: C:\Windows\system32\Jonplmcb.exe | PID: 3312
224. C:\Windows\SysWOW64\Jbllihbf.exe | cmd: C:\Windows\system32\Jbllihbf.exe | PID: 3356
225. C:\Windows\SysWOW64\Jifdebic.exe | cmd: C:\Windows\system32\Jifdebic.exe | PID: 3408
226. C:\Windows\SysWOW64\Jgidao32.exe | cmd: C:\Windows\system32\Jgidao32.exe | PID: 3452
227. C:\Windows\SysWOW64\Joplbl32.exe | cmd: C:\Windows\system32\Joplbl32.exe | PID: 3512
- Adds autorun key to be loaded by Explorer.exe on startup
228. C:\Windows\SysWOW64\Jbnhng32.exe | cmd: C:\Windows\system32\Jbnhng32.exe | PID: 3544
229. C:\Windows\SysWOW64\Kaaijdgn.exe | cmd: C:\Windows\system32\Kaaijdgn.exe | PID: 3616
230. C:\Windows\SysWOW64\Kihqkagp.exe | cmd: C:\Windows\system32\Kihqkagp.exe | PID: 3624
231. C:\Windows\SysWOW64\Kkgmgmfd.exe | cmd: C:\Windows\system32\Kkgmgmfd.exe | PID: 3728
- Modifies registry class
232. C:\Windows\SysWOW64\Kneicieh.exe | cmd: C:\Windows\system32\Kneicieh.exe | PID: 3760
233. C:\Windows\SysWOW64\Kbqecg32.exe | cmd: C:\Windows\system32\Kbqecg32.exe | PID: 3804
- Drops file in System32 directory
234. C:\Windows\SysWOW64\Keoapb32.exe | cmd: C:\Windows\system32\Keoapb32.exe | PID: 3864
235. C:\Windows\SysWOW64\Kgnnln32.exe | cmd: C:\Windows\system32\Kgnnln32.exe | PID: 3920
236. C:\Windows\SysWOW64\Kjljhjkl.exe | cmd: C:\Windows\system32\Kjljhjkl.exe | PID: 3964
237. C:\Windows\SysWOW64\Kngfih32.exe | cmd: C:\Windows\system32\Kngfih32.exe | PID: 4008
238. C:\Windows\SysWOW64\Kafbec32.exe | cmd: C:\Windows\system32\Kafbec32.exe | PID: 4068
239. C:\Windows\SysWOW64\Kcdnao32.exe | cmd: C:\Windows\system32\Kcdnao32.exe | PID: 1000
- Modifies registry class
240. C:\Windows\SysWOW64\Kfbkmk32.exe | cmd: C:\Windows\system32\Kfbkmk32.exe | PID: 3152
- Adds autorun key to be loaded by Explorer.exe on startup
241. C:\Windows\SysWOW64\Kjnfniii.exe | cmd: C:\Windows\system32\Kjnfniii.exe | PID: 3192
242. C:\Windows\SysWOW64\Kmmcjehm.exe | cmd: C:\Windows\system32\Kmmcjehm.exe | PID: 3272
- Modifies registry class