Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 14:38
Behavioral task
behavioral1
Sample
d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe
-
Size
256KB
-
MD5
d2322c91785d5a69230024e32dfba700
-
SHA1
d625491263471dfa5afa2b3877df589f39fd437a
-
SHA256
96ebbc4841bcfb36c03e8789bed628d908553c550baf291e30b05cc3867a23fd
-
SHA512
1facec7a01c97591eb6ccf1340676edd82b22e701426e4ea560980189468785201d11b21b3ead0a73f65aa25e691dce838b1c9e7c3830ae2efcabb3d83af0c1c
-
SSDEEP
6144:DPWBjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:qBlpJxifbWGRdA6sQhPbWGRdA6sQxU
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Labhkh32.exeNhlifi32.exePcfcmd32.exePeiljl32.exeDmafennb.exeFddmgjpo.exeHjhhocjj.exePmqdkj32.exeHpapln32.exeJebiaelb.exeKbcicmpj.exeHjhhocjj.exeJklanp32.exePabjem32.exeBopicc32.exeDjefobmk.exeEihfjo32.exeEloemi32.exeMkobnqan.exeEalnephf.exeNofabc32.exePfdpip32.exePigeqkai.exeChcqpmep.exeCkdjbh32.exeDqelenlc.exeNqqdag32.exePaggai32.exeCfgaiaci.exeAdmemg32.exeBnbjopoi.exeDgodbh32.exeHogmmjfo.exeKomfnnck.exeKlqfhbbe.exeMenakj32.exeCcdlbf32.exeCbkeib32.exeNmjblg32.exeCobbhfhg.exeDbpodagk.exeDkhcmgnl.exeDoobajme.exeFacdeo32.exeNpnhlg32.exeNfkpdn32.exePbiciana.exeCngcjo32.exeNjgldmdc.exePminkk32.exeDgaqgh32.exeGdopkn32.exeNjkfpl32.exeQlhnbf32.exeAiinen32.exeEajaoq32.exeMepnpj32.exeOojknblb.exePndniaop.exeDkmmhf32.exeFpdhklkl.exeGlfhll32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfcmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiljl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqdkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jebiaelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcicmpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofabc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pigeqkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdjbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komfnnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klqfhbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Menakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobbhfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpodagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfkpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbiciana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njgldmdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oojknblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdhklkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule behavioral1/memory/1680-6-0x0000000000250000-0x0000000000290000-memory.dmp family_berbew \Windows\SysWOW64\Infdolgh.exe family_berbew \Windows\SysWOW64\Ibapoj32.exe family_berbew \Windows\SysWOW64\Jeplkf32.exe family_berbew behavioral1/memory/2964-30-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew C:\Windows\SysWOW64\Joepio32.exe family_berbew behavioral1/memory/2848-59-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew C:\Windows\SysWOW64\Jnhqdkde.exe family_berbew \Windows\SysWOW64\Jebiaelb.exe family_berbew \Windows\SysWOW64\Jklanp32.exe family_berbew C:\Windows\SysWOW64\Jnkmjk32.exe family_berbew behavioral1/memory/820-108-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew \Windows\SysWOW64\Jaiiff32.exe family_berbew behavioral1/memory/2892-135-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew C:\Windows\SysWOW64\Jjanolhg.exe family_berbew \Windows\SysWOW64\Jgenhp32.exe family_berbew \Windows\SysWOW64\Jnofejom.exe family_berbew behavioral1/memory/1548-177-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2416-191-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew C:\Windows\SysWOW64\Jpqclb32.exe family_berbew C:\Windows\SysWOW64\Jmdcfg32.exe family_berbew behavioral1/memory/1136-258-0x00000000002D0000-0x0000000000310000-memory.dmp family_berbew C:\Windows\SysWOW64\Kbcicmpj.exe family_berbew behavioral1/memory/276-281-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew C:\Windows\SysWOW64\Kmimafop.exe family_berbew behavioral1/memory/1560-313-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2744-356-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew C:\Windows\SysWOW64\Klqfhbbe.exe family_berbew behavioral1/memory/2544-409-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2224-443-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew C:\Windows\SysWOW64\Lodlom32.exe family_berbew C:\Windows\SysWOW64\Labhkh32.exe family_berbew C:\Windows\SysWOW64\Lkkmdn32.exe family_berbew C:\Windows\SysWOW64\Ldcamcih.exe family_berbew C:\Windows\SysWOW64\Lkmjin32.exe family_berbew C:\Windows\SysWOW64\Llnfaffc.exe family_berbew C:\Windows\SysWOW64\Lipjejgp.exe family_berbew C:\Windows\SysWOW64\Lmnbkinf.exe family_berbew C:\Windows\SysWOW64\Lplogdmj.exe family_berbew C:\Windows\SysWOW64\Mgfgdn32.exe family_berbew C:\Windows\SysWOW64\Mlcple32.exe family_berbew C:\Windows\SysWOW64\Maphdl32.exe family_berbew C:\Windows\SysWOW64\Mhjpaf32.exe family_berbew C:\Windows\SysWOW64\Mochnppo.exe family_berbew C:\Windows\SysWOW64\Mlgigdoh.exe family_berbew C:\Windows\SysWOW64\Madapkmp.exe family_berbew C:\Windows\SysWOW64\Mgajhbkg.exe family_berbew C:\Windows\SysWOW64\Mdejaf32.exe family_berbew C:\Windows\SysWOW64\Naikkk32.exe family_berbew C:\Windows\SysWOW64\Ncjgbcoi.exe family_berbew C:\Windows\SysWOW64\Nkaocp32.exe family_berbew C:\Windows\SysWOW64\Ncmdhb32.exe family_berbew C:\Windows\SysWOW64\Nfkpdn32.exe family_berbew C:\Windows\SysWOW64\Ngkmnacm.exe family_berbew C:\Windows\SysWOW64\Nhlifi32.exe family_berbew C:\Windows\SysWOW64\Nfpjomgd.exe family_berbew C:\Windows\SysWOW64\Nmjblg32.exe family_berbew C:\Windows\SysWOW64\Nccjhafn.exe family_berbew C:\Windows\SysWOW64\Nbfjdn32.exe family_berbew C:\Windows\SysWOW64\Ohqbqhde.exe family_berbew C:\Windows\SysWOW64\Omloag32.exe family_berbew C:\Windows\SysWOW64\Okalbc32.exe family_berbew C:\Windows\SysWOW64\Oqndkj32.exe family_berbew C:\Windows\SysWOW64\Odjpkihg.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Infdolgh.exeIbapoj32.exeJeplkf32.exeJoepio32.exeJnhqdkde.exeJebiaelb.exeJklanp32.exeJnkmjk32.exeJaiiff32.exeJjanolhg.exeJegble32.exeJgenhp32.exeJnofejom.exeJpqclb32.exeJiigehkl.exeJmdcfg32.exeKbalnnam.exeKikdkh32.exeKljqgc32.exeKpemgbqf.exeKbcicmpj.exeKebepion.exeKmimafop.exeKnjiin32.exeKfaajlfp.exeKhcnad32.exeKomfnnck.exeKakbjibo.exeKegnkh32.exeKibjkgca.exeKlqfhbbe.exeKbkodl32.exeKanopipl.exeKeikqhhe.exeLhggmchi.exeLkfciogm.exeLhjdbcef.exeLkhpnnej.exeLodlom32.exeLabhkh32.exeLhlqhb32.exeLkkmdn32.exeLimmokib.exeLmiipi32.exeLpgele32.exeLdcamcih.exeLganiohl.exeLkmjin32.exeLipjejgp.exeLlnfaffc.exeLchnnp32.exeLgdjnofi.exeLefkjkmc.exeLmnbkinf.exeLlqcfe32.exeLplogdmj.exeMcjkcplm.exeMgfgdn32.exeMeigpkka.exeMidcpj32.exeMlcple32.exeMoalhq32.exeMaphdl32.exeMigpeiag.exepid process 2136 Infdolgh.exe 2964 Ibapoj32.exe 2664 Jeplkf32.exe 2848 Joepio32.exe 2496 Jnhqdkde.exe 2764 Jebiaelb.exe 2940 Jklanp32.exe 820 Jnkmjk32.exe 2652 Jaiiff32.exe 2892 Jjanolhg.exe 2876 Jegble32.exe 2704 Jgenhp32.exe 1548 Jnofejom.exe 2416 Jpqclb32.exe 1112 Jiigehkl.exe 564 Jmdcfg32.exe 1464 Kbalnnam.exe 848 Kikdkh32.exe 1136 Kljqgc32.exe 2044 Kpemgbqf.exe 1840 Kbcicmpj.exe 276 Kebepion.exe 1980 Kmimafop.exe 2116 Knjiin32.exe 1560 Kfaajlfp.exe 2844 Khcnad32.exe 1856 Komfnnck.exe 2628 Kakbjibo.exe 2744 Kegnkh32.exe 2948 Kibjkgca.exe 2864 Klqfhbbe.exe 2692 Kbkodl32.exe 2636 Kanopipl.exe 2544 Keikqhhe.exe 2932 Lhggmchi.exe 1704 Lkfciogm.exe 2224 Lhjdbcef.exe 1188 Lkhpnnej.exe 1204 Lodlom32.exe 1476 Labhkh32.exe 2564 Lhlqhb32.exe 708 Lkkmdn32.exe 1372 Limmokib.exe 1168 Lmiipi32.exe 1076 Lpgele32.exe 668 Ldcamcih.exe 920 Lganiohl.exe 1668 Lkmjin32.exe 1436 Lipjejgp.exe 2688 Llnfaffc.exe 2600 Lchnnp32.exe 2952 Lgdjnofi.exe 2992 Lefkjkmc.exe 2904 Lmnbkinf.exe 940 Llqcfe32.exe 1648 Lplogdmj.exe 3056 Mcjkcplm.exe 792 Mgfgdn32.exe 1096 Meigpkka.exe 1072 Midcpj32.exe 1832 Mlcple32.exe 2016 Moalhq32.exe 1976 Maphdl32.exe 1900 Migpeiag.exe -
Loads dropped DLL 64 IoCs
Processes:
d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exeInfdolgh.exeIbapoj32.exeJeplkf32.exeJoepio32.exeJnhqdkde.exeJebiaelb.exeJklanp32.exeJnkmjk32.exeJaiiff32.exeJjanolhg.exeJegble32.exeJgenhp32.exeJnofejom.exeJpqclb32.exeJiigehkl.exeJmdcfg32.exeKbalnnam.exeKikdkh32.exeKljqgc32.exeKpemgbqf.exeKbcicmpj.exeKebepion.exeKmimafop.exeKnjiin32.exeKfaajlfp.exeKhcnad32.exeKomfnnck.exeKakbjibo.exeKegnkh32.exeKibjkgca.exeKlqfhbbe.exepid process 1680 d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe 1680 d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe 2136 Infdolgh.exe 2136 Infdolgh.exe 2964 Ibapoj32.exe 2964 Ibapoj32.exe 2664 Jeplkf32.exe 2664 Jeplkf32.exe 2848 Joepio32.exe 2848 Joepio32.exe 2496 Jnhqdkde.exe 2496 Jnhqdkde.exe 2764 Jebiaelb.exe 2764 Jebiaelb.exe 2940 Jklanp32.exe 2940 Jklanp32.exe 820 Jnkmjk32.exe 820 Jnkmjk32.exe 2652 Jaiiff32.exe 2652 Jaiiff32.exe 2892 Jjanolhg.exe 2892 Jjanolhg.exe 2876 Jegble32.exe 2876 Jegble32.exe 2704 Jgenhp32.exe 2704 Jgenhp32.exe 1548 Jnofejom.exe 1548 Jnofejom.exe 2416 Jpqclb32.exe 2416 Jpqclb32.exe 1112 Jiigehkl.exe 1112 Jiigehkl.exe 564 Jmdcfg32.exe 564 Jmdcfg32.exe 1464 Kbalnnam.exe 1464 Kbalnnam.exe 848 Kikdkh32.exe 848 Kikdkh32.exe 1136 Kljqgc32.exe 1136 Kljqgc32.exe 2044 Kpemgbqf.exe 2044 Kpemgbqf.exe 1840 Kbcicmpj.exe 1840 Kbcicmpj.exe 276 Kebepion.exe 276 Kebepion.exe 1980 Kmimafop.exe 1980 Kmimafop.exe 2116 Knjiin32.exe 2116 Knjiin32.exe 1560 Kfaajlfp.exe 1560 Kfaajlfp.exe 2844 Khcnad32.exe 2844 Khcnad32.exe 1856 Komfnnck.exe 1856 Komfnnck.exe 2628 Kakbjibo.exe 2628 Kakbjibo.exe 2744 Kegnkh32.exe 2744 Kegnkh32.exe 2948 Kibjkgca.exe 2948 Kibjkgca.exe 2864 Klqfhbbe.exe 2864 Klqfhbbe.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mgajhbkg.exePbiciana.exeAhakmf32.exeAilkjmpo.exeBbdocc32.exeCjbmjplb.exeDcknbh32.exeFdoclk32.exeJeplkf32.exeLgdjnofi.exeLchnnp32.exePphjgfqq.exeCcfhhffh.exeClcflkic.exeDjbiicon.exeHhjhkq32.exeIknnbklc.exeMkobnqan.exePiehkkcl.exeDmoipopd.exeEbedndfa.exeKebepion.exeKmimafop.exeAnkdiqih.exeAmejeljk.exeCkffgg32.exeFphafl32.exeOdjpkihg.exePpoqge32.exeDqlafm32.exeFioija32.exeNfmmin32.exeOmgaek32.exeAfmonbqk.exeCfgaiaci.exeEmeopn32.exeFdapak32.exeFddmgjpo.exeNfpjomgd.exeOdgcfijj.exeQlhnbf32.exeCgmkmecg.exeGmjaic32.exeHgdbhi32.exeHacmcfge.exeNcoamb32.exeDkkpbgli.exeGegfdb32.exeKpemgbqf.exeNaikkk32.exeOkchhc32.exeJebiaelb.exeJiigehkl.exeBloqah32.exeCjpqdp32.exeMaphdl32.exeQmlgonbe.exeCjlgiqbk.exeCcdlbf32.exeEcmkghcl.exedescription ioc process File created C:\Windows\SysWOW64\Hafakdgi.dll Mgajhbkg.exe File created C:\Windows\SysWOW64\Dlmdloao.dll Pbiciana.exe File opened for modification C:\Windows\SysWOW64\Afdlhchf.exe Ahakmf32.exe File created C:\Windows\SysWOW64\Ahokfj32.exe Ailkjmpo.exe File created C:\Windows\SysWOW64\Bagpopmj.exe Bbdocc32.exe File opened for modification C:\Windows\SysWOW64\Chemfl32.exe Cjbmjplb.exe File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe Dcknbh32.exe File created C:\Windows\SysWOW64\Fhkpmjln.exe Fdoclk32.exe File created C:\Windows\SysWOW64\Joepio32.exe Jeplkf32.exe File created C:\Windows\SysWOW64\Jkiabffn.dll Lgdjnofi.exe File opened for modification C:\Windows\SysWOW64\Lgdjnofi.exe Lchnnp32.exe File created C:\Windows\SysWOW64\Pccfge32.exe Pphjgfqq.exe File opened for modification C:\Windows\SysWOW64\Cgbdhd32.exe Ccfhhffh.exe File created C:\Windows\SysWOW64\Omeope32.dll Clcflkic.exe File created C:\Windows\SysWOW64\Dnneja32.exe Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Dgnijonn.dll Iknnbklc.exe File opened for modification C:\Windows\SysWOW64\Njbcim32.exe Mkobnqan.exe File created C:\Windows\SysWOW64\Mhhaff32.dll Piehkkcl.exe File created C:\Windows\SysWOW64\Elbepj32.dll Dmoipopd.exe File opened for modification C:\Windows\SysWOW64\Efppoc32.exe Ebedndfa.exe File created C:\Windows\SysWOW64\Kmimafop.exe Kebepion.exe File opened for modification C:\Windows\SysWOW64\Knjiin32.exe Kmimafop.exe File created C:\Windows\SysWOW64\Ipghqomc.dll Ankdiqih.exe File created C:\Windows\SysWOW64\Jeahel32.dll Amejeljk.exe File created C:\Windows\SysWOW64\Cobbhfhg.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Fphafl32.exe Fphafl32.exe File created C:\Windows\SysWOW64\Opbnpqjl.dll Odjpkihg.exe File opened for modification C:\Windows\SysWOW64\Pnbacbac.exe Ppoqge32.exe File created C:\Windows\SysWOW64\Cillgpen.dll Dqlafm32.exe File created C:\Windows\SysWOW64\Fmjejphb.exe Fioija32.exe File opened for modification C:\Windows\SysWOW64\Nhlifi32.exe Nfmmin32.exe File created C:\Windows\SysWOW64\Oqcnfjli.exe Omgaek32.exe File opened for modification C:\Windows\SysWOW64\Aepojo32.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Cjbmjplb.exe Cfgaiaci.exe File created C:\Windows\SysWOW64\Ekholjqg.exe Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Ffpmnf32.exe Fdapak32.exe File created C:\Windows\SysWOW64\Ipjchc32.dll Fddmgjpo.exe File opened for modification C:\Windows\SysWOW64\Njkfpl32.exe Nfpjomgd.exe File opened for modification C:\Windows\SysWOW64\Cobbhfhg.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Ogfpbeim.exe Odgcfijj.exe File created C:\Windows\SysWOW64\Qjknnbed.exe Qlhnbf32.exe File created C:\Windows\SysWOW64\Alhjai32.exe Amejeljk.exe File created C:\Windows\SysWOW64\Aiabof32.dll Cgmkmecg.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hacmcfge.exe File created C:\Windows\SysWOW64\Nplhpb32.dll Ncoamb32.exe File created C:\Windows\SysWOW64\Oadqjk32.dll Dkkpbgli.exe File created C:\Windows\SysWOW64\Ghfbqn32.exe Gegfdb32.exe File opened for modification C:\Windows\SysWOW64\Kbcicmpj.exe Kpemgbqf.exe File created C:\Windows\SysWOW64\Ndgggf32.exe Naikkk32.exe File opened for modification C:\Windows\SysWOW64\Ojficpfn.exe Okchhc32.exe File opened for modification C:\Windows\SysWOW64\Jklanp32.exe Jebiaelb.exe File created C:\Windows\SysWOW64\Mkoffo32.dll Jiigehkl.exe File opened for modification C:\Windows\SysWOW64\Bkaqmeah.exe Bloqah32.exe File created C:\Windows\SysWOW64\Chcqpmep.exe Cjpqdp32.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Aodnnc32.dll Maphdl32.exe File created C:\Windows\SysWOW64\Qmlgonbe.exe Qmlgonbe.exe File created C:\Windows\SysWOW64\Cngcjo32.exe Cjlgiqbk.exe File created C:\Windows\SysWOW64\Jmdcfg32.exe Jiigehkl.exe File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe Ccdlbf32.exe File opened for modification C:\Windows\SysWOW64\Ebpkce32.exe Ecmkghcl.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process 5608 5568 WerFault.exe -
Modifies registry class 64 IoCs
Processes:
Epieghdk.exeCcdlbf32.exeCjndop32.exeDqjepm32.exeEpfhbign.exeMlcple32.exeMpjoqhah.exeOelmai32.exeAbbbnchb.exeIaeiieeb.exeOelmai32.exeQmlgonbe.exeQagcpljo.exeAlenki32.exeIbapoj32.exeKanopipl.exeLhjdbcef.exeLplogdmj.exeBlmdlhmp.exeEmhlfmgj.exeFlabbihl.exeGeolea32.exeIlknfn32.exeOcomlemo.exeDkkpbgli.exeEbpkce32.exeEbbgid32.exeOdgcfijj.exeOjkboo32.exeEnnaieib.exeFfpmnf32.exeFjlhneio.exeLhlqhb32.exePndniaop.exeAffhncfc.exeDflkdp32.exeLganiohl.exeComimg32.exeLkhpnnej.exePfdpip32.exeApajlhka.exeBalijo32.exeFioija32.exePeiljl32.exeCfinoq32.exeDdokpmfo.exeEcpgmhai.exeAigaon32.exeBbdocc32.exeDchali32.exeEloemi32.exeLlnfaffc.exeNqqdag32.exeOjieip32.exePjmodopf.exeFjgoce32.exeHcnpbi32.exeNlblkhei.exeAfdlhchf.exeAplpai32.exeAmpqjm32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlcple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkiklhim.dll" Mpjoqhah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbeccf32.dll" Abbbnchb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpnhgek.dll" Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdamlbjc.dll" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehifjpg.dll" Ibapoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlgdf32.dll" Kanopipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igoopg32.dll" Lhjdbcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplogdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emhlfmgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhmo32.dll" Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" Ebbgid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjoqhah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbkoipg.dll" Ojkboo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffpmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blipbfpp.dll" Lhlqhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcmkmii.dll" Lganiohl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpidpbna.dll" Lkhpnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfammbdf.dll" Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfinoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecpgmhai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aigaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddjolah.dll" Llnfaffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnelgk32.dll" Ojieip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmodopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geolea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlblkhei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" Aplpai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampqjm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exeInfdolgh.exeIbapoj32.exeJeplkf32.exeJoepio32.exeJnhqdkde.exeJebiaelb.exeJklanp32.exeJnkmjk32.exeJaiiff32.exeJjanolhg.exeJegble32.exeJgenhp32.exeJnofejom.exeJpqclb32.exeJiigehkl.exedescription pid process target process PID 1680 wrote to memory of 2136 1680 d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe Infdolgh.exe PID 1680 wrote to memory of 2136 1680 d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe Infdolgh.exe PID 1680 wrote to memory of 2136 1680 d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe Infdolgh.exe PID 1680 wrote to memory of 2136 1680 d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe Infdolgh.exe PID 2136 wrote to memory of 2964 2136 Infdolgh.exe Ibapoj32.exe PID 2136 wrote to memory of 2964 2136 Infdolgh.exe Ibapoj32.exe PID 2136 wrote to memory of 2964 2136 Infdolgh.exe Ibapoj32.exe PID 2136 wrote to memory of 2964 2136 Infdolgh.exe Ibapoj32.exe PID 2964 wrote to memory of 2664 2964 Ibapoj32.exe Jeplkf32.exe PID 2964 wrote to memory of 2664 2964 Ibapoj32.exe Jeplkf32.exe PID 2964 wrote to memory of 2664 2964 Ibapoj32.exe Jeplkf32.exe PID 2964 wrote to memory of 2664 2964 Ibapoj32.exe Jeplkf32.exe PID 2664 wrote to memory of 2848 2664 Jeplkf32.exe Joepio32.exe PID 2664 wrote to memory of 2848 2664 Jeplkf32.exe Joepio32.exe PID 2664 wrote to memory of 2848 2664 Jeplkf32.exe Joepio32.exe PID 2664 wrote to memory of 2848 2664 Jeplkf32.exe Joepio32.exe PID 2848 wrote to memory of 2496 2848 Joepio32.exe Jnhqdkde.exe PID 2848 wrote to memory of 2496 2848 Joepio32.exe Jnhqdkde.exe PID 2848 wrote to memory of 2496 2848 Joepio32.exe Jnhqdkde.exe PID 2848 wrote to memory of 2496 2848 Joepio32.exe Jnhqdkde.exe PID 2496 wrote to memory of 2764 2496 Jnhqdkde.exe Jebiaelb.exe PID 2496 wrote to memory of 2764 2496 Jnhqdkde.exe Jebiaelb.exe PID 2496 wrote to memory of 2764 2496 Jnhqdkde.exe Jebiaelb.exe PID 2496 wrote to memory of 2764 2496 Jnhqdkde.exe Jebiaelb.exe PID 2764 wrote to memory of 2940 2764 Jebiaelb.exe Jklanp32.exe PID 2764 wrote to memory of 2940 2764 Jebiaelb.exe Jklanp32.exe PID 2764 wrote to memory of 2940 2764 Jebiaelb.exe Jklanp32.exe PID 2764 wrote to memory of 2940 2764 Jebiaelb.exe Jklanp32.exe PID 2940 wrote to memory of 820 2940 Jklanp32.exe Jnkmjk32.exe PID 2940 wrote to memory of 820 2940 Jklanp32.exe Jnkmjk32.exe PID 2940 wrote to memory of 820 2940 Jklanp32.exe Jnkmjk32.exe PID 2940 wrote to memory of 820 2940 Jklanp32.exe Jnkmjk32.exe PID 820 wrote to memory of 2652 820 Jnkmjk32.exe Jaiiff32.exe PID 820 wrote to memory of 2652 820 Jnkmjk32.exe Jaiiff32.exe PID 820 wrote to memory of 2652 820 Jnkmjk32.exe Jaiiff32.exe PID 820 wrote to memory of 2652 820 Jnkmjk32.exe Jaiiff32.exe PID 2652 wrote to memory of 2892 2652 Jaiiff32.exe Jjanolhg.exe PID 2652 wrote to memory of 2892 2652 Jaiiff32.exe Jjanolhg.exe PID 2652 wrote to memory of 2892 2652 Jaiiff32.exe Jjanolhg.exe PID 2652 wrote to memory of 2892 2652 Jaiiff32.exe Jjanolhg.exe PID 2892 wrote to memory of 2876 2892 Jjanolhg.exe Jegble32.exe PID 2892 wrote to memory of 2876 2892 Jjanolhg.exe Jegble32.exe PID 2892 wrote to memory of 2876 2892 Jjanolhg.exe Jegble32.exe PID 2892 wrote to memory of 2876 2892 Jjanolhg.exe Jegble32.exe PID 2876 wrote to memory of 2704 2876 Jegble32.exe Jgenhp32.exe PID 2876 wrote to memory of 2704 2876 Jegble32.exe Jgenhp32.exe PID 2876 wrote to memory of 2704 2876 Jegble32.exe Jgenhp32.exe PID 2876 wrote to memory of 2704 2876 Jegble32.exe Jgenhp32.exe PID 2704 wrote to memory of 1548 2704 Jgenhp32.exe Jnofejom.exe PID 2704 wrote to memory of 1548 2704 Jgenhp32.exe Jnofejom.exe PID 2704 wrote to memory of 1548 2704 Jgenhp32.exe Jnofejom.exe PID 2704 wrote to memory of 1548 2704 Jgenhp32.exe Jnofejom.exe PID 1548 wrote to memory of 2416 1548 Jnofejom.exe Jpqclb32.exe PID 1548 wrote to memory of 2416 1548 Jnofejom.exe Jpqclb32.exe PID 1548 wrote to memory of 2416 1548 Jnofejom.exe Jpqclb32.exe PID 1548 wrote to memory of 2416 1548 Jnofejom.exe Jpqclb32.exe PID 2416 wrote to memory of 1112 2416 Jpqclb32.exe Jiigehkl.exe PID 2416 wrote to memory of 1112 2416 Jpqclb32.exe Jiigehkl.exe PID 2416 wrote to memory of 1112 2416 Jpqclb32.exe Jiigehkl.exe PID 2416 wrote to memory of 1112 2416 Jpqclb32.exe Jiigehkl.exe PID 1112 wrote to memory of 564 1112 Jiigehkl.exe Jmdcfg32.exe PID 1112 wrote to memory of 564 1112 Jiigehkl.exe Jmdcfg32.exe PID 1112 wrote to memory of 564 1112 Jiigehkl.exe Jmdcfg32.exe PID 1112 wrote to memory of 564 1112 Jiigehkl.exe Jmdcfg32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d2322c91785d5a69230024e32dfba700_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe33⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe35⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe36⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe37⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe40⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe43⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe44⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe45⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe46⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe47⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe49⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe50⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe54⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe55⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe56⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe58⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe59⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe60⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe61⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe63⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe65⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe66⤵PID:1792
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe67⤵PID:1728
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe68⤵PID:908
-
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe69⤵PID:2144
-
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe71⤵PID:1920
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe72⤵PID:2508
-
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe73⤵PID:2112
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe74⤵PID:2656
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe75⤵PID:1664
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe77⤵PID:2500
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe78⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe79⤵PID:2072
-
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe80⤵PID:540
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe81⤵PID:3020
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe82⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe83⤵PID:2756
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe84⤵PID:2696
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe86⤵PID:2264
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe87⤵PID:1788
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe88⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe89⤵PID:944
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe90⤵PID:2912
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe91⤵PID:2944
-
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe92⤵PID:1972
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe93⤵PID:1708
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe94⤵
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe96⤵PID:1660
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe97⤵PID:2868
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:952 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe100⤵PID:1904
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe102⤵PID:2452
-
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe103⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe104⤵PID:704
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe105⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe107⤵PID:2320
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe109⤵PID:2312
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe110⤵
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe112⤵PID:2860
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe114⤵PID:2596
-
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe115⤵PID:2284
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe116⤵PID:2172
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe117⤵PID:2796
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe118⤵PID:2644
-
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe119⤵PID:1428
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe120⤵PID:2280
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe122⤵PID:2736
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe123⤵
- Drops file in System32 directory
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe124⤵PID:1492
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe125⤵PID:2748
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe126⤵PID:1808
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe127⤵PID:2516
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe128⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe129⤵PID:2400
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe130⤵PID:960
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe131⤵
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe132⤵PID:2008
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe133⤵PID:844
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe134⤵
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe135⤵
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe136⤵
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe137⤵PID:1756
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe138⤵
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe139⤵PID:1460
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe140⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe141⤵PID:980
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe142⤵PID:2552
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe143⤵PID:2788
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe144⤵PID:1992
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe145⤵PID:2568
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe146⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe147⤵PID:2916
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe149⤵PID:2960
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe150⤵PID:1488
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe151⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe152⤵PID:1960
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe153⤵PID:2588
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe154⤵PID:1944
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe155⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe156⤵PID:2192
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe157⤵PID:2524
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe159⤵PID:1852
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe163⤵PID:604
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe164⤵PID:1772
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe165⤵PID:2924
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe166⤵PID:1984
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe167⤵PID:976
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe168⤵PID:2272
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe169⤵PID:1312
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe171⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:644 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe173⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe174⤵PID:3096
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe175⤵PID:3136
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe176⤵PID:3176
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe177⤵PID:3216
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3256 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe179⤵PID:3296
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3336 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe181⤵PID:3376
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3416 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe183⤵PID:3444
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe184⤵PID:3468
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe185⤵PID:3508
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe186⤵PID:3548
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3588 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe188⤵PID:3628
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe189⤵PID:3668
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe190⤵PID:3708
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe191⤵PID:3736
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe192⤵PID:3760
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe193⤵PID:3800
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe194⤵PID:3840
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe195⤵PID:3880
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe196⤵PID:3920
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe197⤵PID:3960
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe198⤵
- Drops file in System32 directory
PID:4000 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe199⤵
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe200⤵
- Modifies registry class
PID:4052 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe201⤵PID:4092
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe202⤵PID:3104
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe203⤵
- Drops file in System32 directory
PID:3128 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe204⤵
- Modifies registry class
PID:3172 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe205⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe206⤵PID:2372
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe207⤵
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe208⤵PID:3196
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe209⤵PID:3388
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe210⤵PID:3236
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe211⤵
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe212⤵PID:3076
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe213⤵PID:3584
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe214⤵
- Modifies registry class
PID:3636 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe215⤵PID:3688
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe216⤵PID:3748
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe217⤵PID:3808
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe218⤵PID:3276
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe219⤵
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe220⤵PID:3952
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe221⤵
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe222⤵
- Modifies registry class
PID:4048 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3080 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe224⤵PID:3940
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe225⤵PID:3208
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3264 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe227⤵PID:3312
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe228⤵
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe229⤵PID:3400
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe230⤵PID:3452
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe231⤵PID:3536
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe232⤵
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe233⤵PID:3660
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe234⤵
- Drops file in System32 directory
PID:3724 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe235⤵PID:3772
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe236⤵PID:3556
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe237⤵
- Drops file in System32 directory
PID:3864 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe238⤵PID:3904
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe239⤵PID:3972
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe240⤵PID:3488
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe241⤵
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe242⤵PID:4088