Analysis
max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 00:33
Behavioral task: behavioral1
Sample: 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe
Size: 548KB
MD5: 6f6c6be662cd9dc224dba861fbeef200
SHA1: a64250afcc306b4042a4480abef7747ae496fdfd
SHA256: e5734f944b259d14b261291e0fbb350e37f18da58a12e42a434718b8b10f81ca
SHA512: e21e7ea1e0109da8f0a4b17cc7a6c0c17a7e127b2b8282f1084410255c428f96db427eb494b288fb769588e8c8b51352132a7e496554a078b78ee2bdf15d51dc
SSDEEP: 12288:IcpEFaaGvn6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:NNq5htaSHFaZRBEYyqmaf2qwiHPKgRCW
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes (pid, pid_target, process, target process): 3328, 3884, WerFault.exe, Cacacg32.exe
Modifies registry class (64 IoCs)
Processes:
Bblogakg.exeOmdneebf.exeEbmgcohn.exeEdkcojga.exePbnoliap.exeAmelne32.exeBjbcfn32.exeDfoqmo32.exeMmihhelk.exeIhoafpmp.exeAlbjlcao.exeCohigamf.exeLihmjejl.exeMppepcfg.exeNacgdhlp.exeGbcfadgl.exeMoidahcn.exeKaaijdgn.exeGbaileio.exeHaiccald.exeAfgkfl32.exeIfnechbj.exeEqbddk32.exeDfmdho32.exeKocbkk32.exeMieeibkn.exeQeohnd32.exeIoijbj32.exeMbpnanch.exeCnmehnan.exeKaldcb32.exeBlmfea32.exeBlaopqpo.exeBaqbenep.exeComimg32.exeDcfdgiid.exePkidlk32.exeQqeicede.exeDmafennb.exeQijdocfj.exeKjcpii32.exeNgpolo32.exeEqgnokip.exeFpqdkf32.exeKfegbj32.exeKaklpcoc.exeMihiih32.exeBmkmdk32.exeIdklfpon.exeBiamilfj.exeJmbiipml.exePkndaa32.exeAfiglkle.exeJnclnihj.exeGjdhbc32.exeQfokbnip.exeDknekeef.exeNiikceid.exeOkoafmkm.exeLfdmggnm.exeBejdiffp.exeIjgdngmf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmnhglp.dll" Bblogakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll" Ebmgcohn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edkcojga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbnoliap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amelne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbcfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfoqmo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdhfji.dll" Albjlcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aagancdj.dll" Lihmjejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehkbgdf.dll" Gbcfadgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haiccald.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll" Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll" Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll" Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioijbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll" Blmfea32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll" Blaopqpo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baqbenep.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" Dcfdgiid.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkidlk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqeicede.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmafennb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qijdocfj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpgbgpe.dll" Kjcpii32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpolo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll" Eqgnokip.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpqdkf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfegbj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immfnjan.dll" Kaklpcoc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopodh32.dll" Mihiih32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmkmdk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpffnl32.dll" Idklfpon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biamilfj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll" Jmbiipml.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" Edkcojga.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afiglkle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmngmj32.dll" Jnclnihj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjdhbc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qfokbnip.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dknekeef.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niikceid.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdqqjhl.dll" Okoafmkm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaaijdgn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdmggnm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejdiffp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfojbj32.dll" Ijgdngmf.exe -
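The registry records above are the persistence mechanism behind the "Adds autorun key to be loaded by Explorer.exe on startup" tag: a name under ShellServiceObjectDelayLoad holds a CLSID, Explorer instantiates every CLSID listed there at logon, and the DLL named in that CLSID's InProcServer32 default value is therefore loaded into explorer.exe. Note that many different dropped stages rewrite the same CLSID's default value to a different SysWow64 DLL, so whichever write landed last is the one that survives a reboot and every DLL path seen is an indicator worth keeping. The parser below is an added triage helper, not part of the sandbox report: it splits the run-together records into structured entries, collapses the report's doubled backslashes, and correlates the autorun name, the registered DLLs and the writing processes per CLSID. The sample text is a constructed excerpt of the report's own records (four InProcServer32 entries from the block above plus one ShellServiceObjectDelayLoad entry of the kind this sample writes); the function names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the report's registry records. The page runs them
# together on a few long lines separated only by spaces, which is the input
# shape this parser expects.
SAMPLE = (
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baqbenep.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" Dcfdgiid.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkidlk32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpgbgpe.dll" Kjcpii32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqbkhch.exe'
)

# Two record shapes: "Key created <key> <process>" and
# "Set value (str) <key>\<name> = "<data>" <process>". Value names may contain
# spaces (e.g. "Web Event Logger"), so the Set-value path is matched lazily up
# to the " = " separator instead of as a single non-space token.
RECORD = re.compile(
    r'Key created\s+(?P<kkey>\\REGISTRY\\\S+)\s+(?P<kproc>\S+\.exe)'
    r'|Set value \(str\)\s+(?P<spath>\\REGISTRY\\.+?)\s+=\s+"(?P<data>[^"]*)"\s+(?P<sproc>\S+\.exe)'
)
CLSID = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)


@dataclass(frozen=True)
class RegRecord:
    action: str            # "Key created" or "Set value (str)"
    key: str               # registry key path as the sandbox reports it
    value: Optional[str]   # value name; "(Default)" for the key's default value
    data: Optional[str]    # string data with the report's doubled backslashes collapsed
    process: str           # image name of the process that made the change


def parse_registry_records(text: str) -> list:
    """Split the run-together signature text into one RegRecord per change."""
    records = []
    for m in RECORD.finditer(text):
        if m.group("kkey"):
            records.append(RegRecord("Key created", m.group("kkey"), None, None, m.group("kproc")))
        else:
            # A path ending in a backslash names the key's default value.
            key, _, name = m.group("spath").rpartition("\\")
            data = m.group("data").replace("\\\\", "\\")
            records.append(RegRecord("Set value (str)", key, name or "(Default)", data, m.group("sproc")))
    return records


def summarize(records) -> dict:
    """Group changes by CLSID: the SSODL name(s) pointing at it, every DLL
    registered as its in-process server, its threading model, and the stages
    that wrote to it. Lists are sorted so the output is stable."""
    by_clsid = defaultdict(lambda: {"autorun_names": set(), "dlls": set(), "threading": set(), "writers": set()})
    for r in records:
        if r.key.endswith("\\ShellServiceObjectDelayLoad"):
            m = CLSID.fullmatch(r.data or "")
            if m:
                entry = by_clsid[m.group(0).upper()]
                entry["autorun_names"].add(r.value)
                entry["writers"].add(r.process)
            continue
        m = CLSID.search(r.key)
        if not m:
            continue
        entry = by_clsid[m.group(0).upper()]
        entry["writers"].add(r.process)
        if r.key.endswith("\\InProcServer32") and r.value == "(Default)":
            entry["dlls"].add(r.data)
        elif r.value == "ThreadingModel":
            entry["threading"].add(r.data)
    return {c: {k: sorted(v) for k, v in e.items()} for c, e in by_clsid.items()}


if __name__ == "__main__":
    for clsid, entry in summarize(parse_registry_records(SAMPLE)).items():
        print(clsid)
        for field, values in entry.items():
            print(f"  {field}: {', '.join(values)}")
```

Feeding the full signature text of a report through `parse_registry_records` gives one CLSID entry whose `dlls` list is the set of dropped DLL paths to hunt for on hosts, and whose `autorun_names` list is the value to look for under both the native and the Wow6432Node ShellServiceObjectDelayLoad keys.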
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe Cjndop32.exe Comimg32.exe Cdlnkmha.exe Dodonf32.exe Dcfdgiid.exe Dmafennb.exe Eihfjo32.exe Emhlfmgj.exe Ebedndfa.exe Faokjpfd.exe Fdoclk32.exe Fioija32.exe Feeiob32.exe Gldkfl32.exe
description pid process target process
PID 3048 wrote to memory of 292 3048 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe
PID 3048 wrote to memory of 292 3048 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe
PID 3048 wrote to memory of 292 3048 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe
PID 3048 wrote to memory of 292 3048 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe
PID 292 wrote to memory of 2072 292 Baqbenep.exe Cjndop32.exe
PID 292 wrote to memory of 2072 292 Baqbenep.exe Cjndop32.exe
PID 292 wrote to memory of 2072 292 Baqbenep.exe Cjndop32.exe
PID 292 wrote to memory of 2072 292 Baqbenep.exe Cjndop32.exe
PID 2072 wrote to memory of 2636 2072 Cjndop32.exe Comimg32.exe
PID 2072 wrote to memory of 2636 2072 Cjndop32.exe Comimg32.exe
PID 2072 wrote to memory of 2636 2072 Cjndop32.exe Comimg32.exe
PID 2072 wrote to memory of 2636 2072 Cjndop32.exe Comimg32.exe
PID 2636 wrote to memory of 2748 2636 Comimg32.exe Cdlnkmha.exe
PID 2636 wrote to memory of 2748 2636 Comimg32.exe Cdlnkmha.exe
PID 2636 wrote to memory of 2748 2636 Comimg32.exe Cdlnkmha.exe
PID 2636 wrote to memory of 2748 2636 Comimg32.exe Cdlnkmha.exe
PID 2748 wrote to memory of 2736 2748 Cdlnkmha.exe Dodonf32.exe
PID 2748 wrote to memory of 2736 2748 Cdlnkmha.exe Dodonf32.exe
PID 2748 wrote to memory of 2736 2748 Cdlnkmha.exe Dodonf32.exe
PID 2748 wrote to memory of 2736 2748 Cdlnkmha.exe Dodonf32.exe
PID 2736 wrote to memory of 2500 2736 Dodonf32.exe Dcfdgiid.exe
PID 2736 wrote to memory of 2500 2736 Dodonf32.exe Dcfdgiid.exe
PID 2736 wrote to memory of 2500 2736 Dodonf32.exe Dcfdgiid.exe
PID 2736 wrote to memory of 2500 2736 Dodonf32.exe Dcfdgiid.exe
PID 2500 wrote to memory of 3032 2500 Dcfdgiid.exe Dmafennb.exe
PID 2500 wrote to memory of 3032 2500 Dcfdgiid.exe Dmafennb.exe
PID 2500 wrote to memory of 3032 2500 Dcfdgiid.exe Dmafennb.exe
PID 2500 wrote to memory of 3032 2500 Dcfdgiid.exe Dmafennb.exe
PID 3032 wrote to memory of 3004 3032 Dmafennb.exe Eihfjo32.exe
PID 3032 wrote to memory of 3004 3032 Dmafennb.exe Eihfjo32.exe
PID 3032 wrote to memory of 3004 3032 Dmafennb.exe Eihfjo32.exe
PID 3032 wrote to memory of 3004 3032 Dmafennb.exe Eihfjo32.exe
PID 3004 wrote to memory of 2272 3004 Eihfjo32.exe Emhlfmgj.exe
PID 3004 wrote to memory of 2272 3004 Eihfjo32.exe Emhlfmgj.exe
PID 3004 wrote to memory of 2272 3004 Eihfjo32.exe Emhlfmgj.exe
PID 3004 wrote to memory of 2272 3004 Eihfjo32.exe Emhlfmgj.exe
PID 2272 wrote to memory of 2772 2272 Emhlfmgj.exe Ebedndfa.exe
PID 2272 wrote to memory of 2772 2272 Emhlfmgj.exe Ebedndfa.exe
PID 2272 wrote to memory of 2772 2272 Emhlfmgj.exe Ebedndfa.exe
PID 2272 wrote to memory of 2772 2272 Emhlfmgj.exe Ebedndfa.exe
PID 2772 wrote to memory of 1744 2772 Ebedndfa.exe Faokjpfd.exe
PID 2772 wrote to memory of 1744 2772 Ebedndfa.exe Faokjpfd.exe
PID 2772 wrote to memory of 1744 2772 Ebedndfa.exe Faokjpfd.exe
PID 2772 wrote to memory of 1744 2772 Ebedndfa.exe Faokjpfd.exe
PID 1744 wrote to memory of 1380 1744 Faokjpfd.exe Fdoclk32.exe
PID 1744 wrote to memory of 1380 1744 Faokjpfd.exe Fdoclk32.exe
PID 1744 wrote to memory of 1380 1744 Faokjpfd.exe Fdoclk32.exe
PID 1744 wrote to memory of 1380 1744 Faokjpfd.exe Fdoclk32.exe
PID 1380 wrote to memory of 2012 1380 Fdoclk32.exe Fioija32.exe
PID 1380 wrote to memory of 2012 1380 Fdoclk32.exe Fioija32.exe
PID 1380 wrote to memory of 2012 1380 Fdoclk32.exe Fioija32.exe
PID 1380 wrote to memory of 2012 1380 Fdoclk32.exe Fioija32.exe
PID 2012 wrote to memory of 1864 2012 Fioija32.exe Feeiob32.exe
PID 2012 wrote to memory of 1864 2012 Fioija32.exe Feeiob32.exe
PID 2012 wrote to memory of 1864 2012 Fioija32.exe Feeiob32.exe
PID 2012 wrote to memory of 1864 2012 Fioija32.exe Feeiob32.exe
PID 1864 wrote to memory of 2536 1864 Feeiob32.exe Gldkfl32.exe
PID 1864 wrote to memory of 2536 1864 Feeiob32.exe Gldkfl32.exe
PID 1864 wrote to memory of 2536 1864 Feeiob32.exe Gldkfl32.exe
PID 1864 wrote to memory of 2536 1864 Feeiob32.exe Gldkfl32.exe
PID 2536 wrote to memory of 1496 2536 Gldkfl32.exe Gmgdddmq.exe
PID 2536 wrote to memory of 1496 2536 Gldkfl32.exe Gmgdddmq.exe
PID 2536 wrote to memory of 1496 2536 Gldkfl32.exe Gmgdddmq.exe
PID 2536 wrote to memory of 1496 2536 Gldkfl32.exe Gmgdddmq.exe
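The WriteProcessMemory records give the spawn chain directly: every stage writes into the process it has just created, and the sandbox logs one record per call, so each parent/child pair appears several times (four per stage in this report). The helper below is an added example, not part of the sandbox's own output: it parses the records, collapses the repeats into a parent/child graph with a write count per edge, locates the root (the only PID that is never a target) and walks the graph depth-first. The depth it assigns is the same level number the process tree below shows next to each image. The sample is a constructed excerpt of the records above with illustrative repeat counts; `parse_writes`, `lineage` and `is_single_chain` are my names.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" records.
# The repeat counts (4, 2, 2) are illustrative; the report shows four per stage.
SAMPLE = (
    "PID 3048 wrote to memory of 292 3048 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe "
    "PID 3048 wrote to memory of 292 3048 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe "
    "PID 3048 wrote to memory of 292 3048 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe "
    "PID 3048 wrote to memory of 292 3048 6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe Baqbenep.exe "
    "PID 292 wrote to memory of 2072 292 Baqbenep.exe Cjndop32.exe "
    "PID 292 wrote to memory of 2072 292 Baqbenep.exe Cjndop32.exe "
    "PID 2072 wrote to memory of 2636 2072 Cjndop32.exe Comimg32.exe "
    "PID 2072 wrote to memory of 2636 2072 Cjndop32.exe Comimg32.exe"
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the
# source PID is repeated before the two image names.
WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+\.exe) (\S+\.exe)")


def parse_writes(text: str) -> list:
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per record."""
    writes = []
    for m in WRITE.finditer(text):
        src, dst, src_again, src_image, dst_image = m.groups()
        if src != src_again:
            raise ValueError(f"malformed record: {m.group(0)!r}")
        writes.append((int(src), int(dst), src_image, dst_image))
    return writes


def lineage(writes):
    """Collapse repeated writes into a parent->child graph and walk it from the
    root. Returns (chain, counts): chain is [(pid, image, depth)] in spawn
    order, counts maps (parent_pid, child_pid) to the number of writes seen."""
    images = {}
    children = defaultdict(dict)   # parent pid -> {child pid: None}, insertion ordered
    counts = Counter()
    for ppid, cpid, pimage, cimage in writes:
        images[ppid] = pimage
        images[cpid] = cimage
        children[ppid][cpid] = None
        counts[(ppid, cpid)] += 1
    targets = {cpid for kids in children.values() for cpid in kids}
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain = []
    stack = [(roots[0], 1)]
    while stack:
        pid, depth = stack.pop()
        chain.append((pid, images[pid], depth))
        # Push in reverse so the first-recorded child is visited first.
        for cpid in reversed(list(children.get(pid, {}))):
            stack.append((cpid, depth + 1))
    return chain, dict(counts)


def is_single_chain(chain) -> bool:
    """True when no stage spawned more than one child, i.e. depth grows by
    exactly one from each process to the next in walk order."""
    return all(nxt[2] == cur[2] + 1 for cur, nxt in zip(chain, chain[1:]))


if __name__ == "__main__":
    chain, counts = lineage(parse_writes(SAMPLE))
    for pid, image, depth in chain:
        print(f"{'  ' * (depth - 1)}{depth}: {image} (PID {pid})")
    print("single chain:", is_single_chain(chain))
    for (ppid, cpid), n in counts.items():
        print(f"  {ppid} -> {cpid}: {n} writes")
```

Run over the full 64 records above the walk yields the 17-process chain from PID 3048 down to Gmgdddmq.exe (PID 1496) with four writes on every edge. A parent with two children, or a write whose target never shows up as a spawned child, would make `is_single_chain` return False or `lineage` raise, which is the point at which the records stop describing plain stage-to-stage spawning and deserve a closer look.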
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6f6c6be662cd9dc224dba861fbeef200_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:412 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe33⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe34⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe35⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe36⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe37⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe40⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe41⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe42⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe43⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe48⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe50⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe51⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe52⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe54⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe59⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe61⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe64⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe66⤵PID:2896
-
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe68⤵PID:1192
-
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe69⤵PID:588
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe70⤵PID:1692
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe73⤵PID:832
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe74⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe75⤵PID:312
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe76⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe77⤵PID:2660
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe81⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe82⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe83⤵PID:2792
-
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe84⤵PID:856
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe85⤵PID:1824
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe87⤵PID:1880
-
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe88⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1036 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe90⤵PID:2340
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe92⤵PID:2860
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe93⤵PID:2444
-
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe94⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe96⤵PID:2248
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe97⤵PID:2768
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe98⤵PID:2496
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe99⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe100⤵PID:1272
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2064 -
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe104⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe105⤵PID:1524
-
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe106⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe107⤵PID:2584
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe108⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe109⤵PID:2972
-
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe110⤵PID:2712
-
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe111⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe112⤵
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe113⤵PID:1936
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:500 -
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe116⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe118⤵PID:888
-
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe119⤵PID:1604
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe120⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe122⤵
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe125⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe126⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe127⤵PID:2000
-
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe128⤵PID:2212
-
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe129⤵PID:1508
-
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe130⤵PID:1404
-
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe131⤵PID:2552
-
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe134⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe136⤵PID:852
-
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe137⤵PID:612
-
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe138⤵
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe141⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe142⤵PID:2056
-
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe143⤵PID:1288
-
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe144⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe145⤵PID:2304
-
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe146⤵PID:2364
-
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe147⤵PID:2556
-
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe148⤵PID:2720
-
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe149⤵PID:2708
-
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe150⤵PID:308
-
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe151⤵
- Drops file in System32 directory
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe152⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe153⤵PID:2156
-
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe154⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe155⤵PID:924
-
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe157⤵PID:1092
-
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe159⤵PID:320
-
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe160⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe162⤵PID:872
-
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe163⤵PID:3036
-
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe165⤵
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe166⤵PID:2872
-
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe167⤵PID:2380
-
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe168⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe169⤵PID:2956
-
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe173⤵PID:2172
-
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe174⤵PID:2128
-
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe175⤵PID:1188
-
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe177⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe178⤵PID:2540
-
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe179⤵PID:1716
-
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe182⤵
- Drops file in System32 directory
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe183⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe184⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe185⤵PID:1120
-
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe186⤵PID:2096
-
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe187⤵
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe188⤵PID:2384
-
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe189⤵PID:1888
-
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe191⤵
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe192⤵PID:1028
-
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe194⤵PID:2424
-
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe195⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe196⤵PID:1728
-
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe197⤵PID:3080
-
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe198⤵PID:3120
-
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe200⤵PID:3200
-
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe201⤵
- Drops file in System32 directory
PID:3240 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3280 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe203⤵PID:3320
-
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe204⤵
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe205⤵
- Drops file in System32 directory
PID:3404 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe206⤵PID:3444
-
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe207⤵PID:3560
-
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe209⤵PID:3648
-
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3728 -
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe212⤵PID:3768
-
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe213⤵PID:3808
-
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3848 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe215⤵
- Modifies registry class
PID:3888 -
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe216⤵PID:3928
-
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3968 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe218⤵PID:4008
-
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe219⤵PID:4048
-
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4088 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe221⤵PID:3104
-
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe222⤵PID:3152
-
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe223⤵PID:3196
-
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe224⤵PID:3260
-
C:\Windows\SysWOW64\Lccdel32.exeC:\Windows\system32\Lccdel32.exe225⤵PID:3316
-
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe226⤵PID:3352
-
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe227⤵
- Drops file in System32 directory
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe228⤵PID:3416
-
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe229⤵
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe230⤵PID:3536
-
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe231⤵PID:3588
-
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe232⤵PID:3632
-
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3676 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe234⤵
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe235⤵PID:3784
-
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe236⤵
- Modifies registry class
PID:3820 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe237⤵PID:3872
-
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe238⤵PID:3920
-
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe239⤵PID:3976
-
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe240⤵PID:3984
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe241⤵
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe242⤵PID:3116