Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 02:46
Behavioral task
behavioral1
Sample
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe
-
Size
448KB
-
MD5
73edbe2205beca00bade57fc1c19d700
-
SHA1
0e5418e1d1638dea2bfbfd0fd0070c12590a5257
-
SHA256
0ebd19329fad54956bb161e4af5b66b4b3cf3a37c6e8e951c18f946ef38e5be8
-
SHA512
1996dcfc14462be6ff15fc1a10f68f896af6c20405495a2acdb29d272da71b0acca8fca402f40db90cb172ee2076c115e462dcb16f5056c16fdc711b171ad35c
-
SSDEEP
6144:ts8VDlu6oQjEbG7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzk:ts8ZToa7aOlxzr3cOK3TajRfXFMKNxC
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Aljgfioc.exeAaaoij32.exeIhdkao32.exeKblhgk32.exeLlfifq32.exeFckjalhj.exeFpdhklkl.exeMpfkqb32.exeCohigamf.exeLahkigca.exeDbbkja32.exeGhoegl32.exeJcbellac.exeFidoim32.exeIkddbj32.exePqkmjh32.exeEgllae32.exeBifgdk32.exeEpdkli32.exeHmlnoc32.exeJiakjb32.exeKihqkagp.exeKeoapb32.exePclfkc32.exeAmfcikek.exeGhkllmoi.exeNpfgpe32.exeEiaiqn32.exeIfcbodli.exeIkbgmj32.exeLkncmmle.exeNlbeqb32.exeAnccmo32.exeQdccfh32.exeBnefdp32.exeFiaeoang.exeJfcnngnd.exeHejoiedd.exeLafndg32.exePnomcl32.exeDdgjdk32.exeCpjiajeb.exeEqgnokip.exeLajhofao.exeEhgppi32.exeAffhncfc.exeDoehqead.exeBbjbaa32.exeLemaif32.exeEmkaol32.exeEqbddk32.exeCljcelan.exeHhjhkq32.exeIqopea32.exeAamfnkai.exeBoqbfb32.exeEjkima32.exeQlkdkd32.exeChpmpg32.exeMgqcmlgl.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbellac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqkmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiakjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keoapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfgpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifcbodli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anccmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnomcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjiajeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lajhofao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lemaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqbddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqopea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamfnkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkdkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgqcmlgl.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule \Windows\SysWOW64\Qdccfh32.exe family_berbew \Windows\SysWOW64\Adeplhib.exe family_berbew \Windows\SysWOW64\Ankdiqih.exe family_berbew C:\Windows\SysWOW64\Affhncfc.exe family_berbew \Windows\SysWOW64\Aiedjneg.exe family_berbew \Windows\SysWOW64\Ambmpmln.exe family_berbew C:\Windows\SysWOW64\Aiinen32.exe family_berbew C:\Windows\SysWOW64\Ailkjmpo.exe family_berbew C:\Windows\SysWOW64\Aljgfioc.exe family_berbew \Windows\SysWOW64\Bbflib32.exe family_berbew C:\Windows\SysWOW64\Bpafkknm.exe family_berbew \Windows\SysWOW64\Bgknheej.exe family_berbew C:\Windows\SysWOW64\Bnefdp32.exe family_berbew \Windows\SysWOW64\Cjlgiqbk.exe family_berbew C:\Windows\SysWOW64\Cfbhnaho.exe family_berbew C:\Windows\SysWOW64\Cpjiajeb.exe family_berbew C:\Windows\SysWOW64\Claifkkf.exe family_berbew C:\Windows\SysWOW64\Copfbfjj.exe family_berbew C:\Windows\SysWOW64\Cfinoq32.exe family_berbew C:\Windows\SysWOW64\Chhjkl32.exe family_berbew C:\Windows\SysWOW64\Ddokpmfo.exe family_berbew C:\Windows\SysWOW64\Dkhcmgnl.exe family_berbew C:\Windows\SysWOW64\Ddagfm32.exe family_berbew C:\Windows\SysWOW64\Ddcdkl32.exe family_berbew C:\Windows\SysWOW64\Doobajme.exe family_berbew C:\Windows\SysWOW64\Emcbkn32.exe family_berbew C:\Windows\SysWOW64\Epaogi32.exe family_berbew C:\Windows\SysWOW64\Ebpkce32.exe family_berbew C:\Windows\SysWOW64\Emeopn32.exe family_berbew C:\Windows\SysWOW64\Emhlfmgj.exe family_berbew C:\Windows\SysWOW64\Epfhbign.exe family_berbew C:\Windows\SysWOW64\Elmigj32.exe family_berbew C:\Windows\SysWOW64\Eiaiqn32.exe family_berbew C:\Windows\SysWOW64\Ejbfhfaj.exe family_berbew C:\Windows\SysWOW64\Fnpnndgp.exe family_berbew C:\Windows\SysWOW64\Fmcoja32.exe family_berbew C:\Windows\SysWOW64\Fhhcgj32.exe family_berbew C:\Windows\SysWOW64\Fjilieka.exe family_berbew C:\Windows\SysWOW64\Fmjejphb.exe family_berbew C:\Windows\SysWOW64\Fiaeoang.exe family_berbew C:\Windows\SysWOW64\Gonnhhln.exe family_berbew C:\Windows\SysWOW64\Gfefiemq.exe family_berbew C:\Windows\SysWOW64\Glaoalkh.exe family_berbew C:\Windows\SysWOW64\Gkgkbipp.exe family_berbew C:\Windows\SysWOW64\Gelppaof.exe family_berbew C:\Windows\SysWOW64\Gkihhhnm.exe family_berbew C:\Windows\SysWOW64\Geolea32.exe family_berbew C:\Windows\SysWOW64\Gogangdc.exe family_berbew C:\Windows\SysWOW64\Ghoegl32.exe family_berbew C:\Windows\SysWOW64\Hknach32.exe family_berbew C:\Windows\SysWOW64\Hgdbhi32.exe family_berbew C:\Windows\SysWOW64\Hckcmjep.exe family_berbew C:\Windows\SysWOW64\Hgilchkf.exe family_berbew C:\Windows\SysWOW64\Hodpgjha.exe family_berbew C:\Windows\SysWOW64\Hlhaqogk.exe family_berbew C:\Windows\SysWOW64\Ihoafpmp.exe family_berbew C:\Windows\SysWOW64\Ioijbj32.exe family_berbew C:\Windows\SysWOW64\Ifcbodli.exe family_berbew C:\Windows\SysWOW64\Igdogl32.exe family_berbew C:\Windows\SysWOW64\Ikbgmj32.exe family_berbew C:\Windows\SysWOW64\Inqcif32.exe family_berbew C:\Windows\SysWOW64\Iqopea32.exe family_berbew C:\Windows\SysWOW64\Icpigm32.exe family_berbew C:\Windows\SysWOW64\Jofiln32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Qdccfh32.exeAdeplhib.exeAnkdiqih.exeAffhncfc.exeAiedjneg.exeAmbmpmln.exeAiinen32.exeAfmonbqk.exeAilkjmpo.exeAljgfioc.exeBbflib32.exeBopicc32.exeBpafkknm.exeBgknheej.exeBnefdp32.exeCjlgiqbk.exeCljcelan.exeCcdlbf32.exeCfbhnaho.exeCjpqdp32.exeCpjiajeb.exeCciemedf.exeCfgaiaci.exeClaifkkf.exeCopfbfjj.exeCckace32.exeCfinoq32.exeChhjkl32.exeDdokpmfo.exeDkhcmgnl.exeDodonf32.exeDbbkja32.exeDdagfm32.exeDnilobkm.exeDdcdkl32.exeDmafennb.exeDoobajme.exeDjefobmk.exeEmcbkn32.exeEpaogi32.exeEbpkce32.exeEijcpoac.exeEmeopn32.exeEpdkli32.exeEbbgid32.exeEeqdep32.exeEmhlfmgj.exeEpfhbign.exeEfppoc32.exeEiomkn32.exeElmigj32.exeEnkece32.exeEbgacddo.exeEiaiqn32.exeEjbfhfaj.exeEalnephf.exeFckjalhj.exeFlabbihl.exeFnpnndgp.exeFmcoja32.exeFhhcgj32.exeFjgoce32.exeFmekoalh.exeFpdhklkl.exepid process 1064 Qdccfh32.exe 2328 Adeplhib.exe 2720 Ankdiqih.exe 2636 Affhncfc.exe 2724 Aiedjneg.exe 2780 Ambmpmln.exe 2444 Aiinen32.exe 2964 Afmonbqk.exe 1668 Ailkjmpo.exe 1928 Aljgfioc.exe 2768 Bbflib32.exe 1208 Bopicc32.exe 2264 Bpafkknm.exe 2244 Bgknheej.exe 728 Bnefdp32.exe 568 Cjlgiqbk.exe 412 Cljcelan.exe 1872 Ccdlbf32.exe 1672 Cfbhnaho.exe 2132 Cjpqdp32.exe 1092 Cpjiajeb.exe 1436 Cciemedf.exe 2120 Cfgaiaci.exe 2936 Claifkkf.exe 3028 Copfbfjj.exe 1576 Cckace32.exe 2172 Cfinoq32.exe 2512 Chhjkl32.exe 2564 Ddokpmfo.exe 2712 Dkhcmgnl.exe 2648 Dodonf32.exe 2464 Dbbkja32.exe 764 Ddagfm32.exe 2496 Dnilobkm.exe 2036 Ddcdkl32.exe 952 Dmafennb.exe 1220 Doobajme.exe 2284 Djefobmk.exe 336 Emcbkn32.exe 680 Epaogi32.exe 2104 Ebpkce32.exe 1664 Eijcpoac.exe 1620 Emeopn32.exe 960 Epdkli32.exe 3068 Ebbgid32.exe 3012 Eeqdep32.exe 1608 Emhlfmgj.exe 1960 Epfhbign.exe 2616 Efppoc32.exe 2652 Eiomkn32.exe 904 Elmigj32.exe 2612 Enkece32.exe 1728 Ebgacddo.exe 2208 Eiaiqn32.exe 540 Ejbfhfaj.exe 600 Ealnephf.exe 632 Fckjalhj.exe 1628 Flabbihl.exe 488 Fnpnndgp.exe 1788 Fmcoja32.exe 1296 Fhhcgj32.exe 1584 Fjgoce32.exe 356 Fmekoalh.exe 2860 Fpdhklkl.exe -
Loads dropped DLL 64 IoCs
Processes:
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exeQdccfh32.exeAdeplhib.exeAnkdiqih.exeAffhncfc.exeAiedjneg.exeAmbmpmln.exeAiinen32.exeAfmonbqk.exeAilkjmpo.exeAljgfioc.exeBbflib32.exeBopicc32.exeBpafkknm.exeBgknheej.exeBnefdp32.exeCjlgiqbk.exeCljcelan.exeCcdlbf32.exeCfbhnaho.exeCjpqdp32.exeCpjiajeb.exeCciemedf.exeCfgaiaci.exeClaifkkf.exeCopfbfjj.exeCckace32.exeCfinoq32.exeChhjkl32.exeDdokpmfo.exeDkhcmgnl.exeDodonf32.exepid process 1972 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe 1972 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe 1064 Qdccfh32.exe 1064 Qdccfh32.exe 2328 Adeplhib.exe 2328 Adeplhib.exe 2720 Ankdiqih.exe 2720 Ankdiqih.exe 2636 Affhncfc.exe 2636 Affhncfc.exe 2724 Aiedjneg.exe 2724 Aiedjneg.exe 2780 Ambmpmln.exe 2780 Ambmpmln.exe 2444 Aiinen32.exe 2444 Aiinen32.exe 2964 Afmonbqk.exe 2964 Afmonbqk.exe 1668 Ailkjmpo.exe 1668 Ailkjmpo.exe 1928 Aljgfioc.exe 1928 Aljgfioc.exe 2768 Bbflib32.exe 2768 Bbflib32.exe 1208 Bopicc32.exe 1208 Bopicc32.exe 2264 Bpafkknm.exe 2264 Bpafkknm.exe 2244 Bgknheej.exe 2244 Bgknheej.exe 728 Bnefdp32.exe 728 Bnefdp32.exe 568 Cjlgiqbk.exe 568 Cjlgiqbk.exe 412 Cljcelan.exe 412 Cljcelan.exe 1872 Ccdlbf32.exe 1872 Ccdlbf32.exe 1672 Cfbhnaho.exe 1672 Cfbhnaho.exe 2132 Cjpqdp32.exe 2132 Cjpqdp32.exe 1092 Cpjiajeb.exe 1092 Cpjiajeb.exe 1436 Cciemedf.exe 1436 Cciemedf.exe 2120 Cfgaiaci.exe 2120 Cfgaiaci.exe 2936 Claifkkf.exe 2936 Claifkkf.exe 3028 Copfbfjj.exe 3028 Copfbfjj.exe 1576 Cckace32.exe 1576 Cckace32.exe 2172 Cfinoq32.exe 2172 Cfinoq32.exe 2512 Chhjkl32.exe 2512 Chhjkl32.exe 2564 Ddokpmfo.exe 2564 Ddokpmfo.exe 2712 Dkhcmgnl.exe 2712 Dkhcmgnl.exe 2648 Dodonf32.exe 2648 Dodonf32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pflomnkb.exeDhpiojfb.exeNolhan32.exeIhdkao32.exeIcpigm32.exeKihqkagp.exeKpkofpgq.exeKblhgk32.exeNkeelohh.exePjcabmga.exeFhhcgj32.exeAlpmfdcb.exeDggcffhg.exePamiog32.exeCjdfmo32.exeOqideepg.exeHcnpbi32.exeOcimgp32.exeGmgdddmq.exeJfcnngnd.exeNhdlkdkg.exePnomcl32.exeCcngld32.exeEdkcojga.exeLahkigca.exeJmmfkafa.exeNnhkcj32.exePkndaa32.exeBbjbaa32.exeBmpfojmp.exeQdccfh32.exeIfcbodli.exeBkommo32.exeCoelaaoi.exeDfdjhndl.exeHlhaqogk.exeIqalka32.exeJbnhng32.exeAaaoij32.exeAemkjiem.exeElmigj32.exeAfohaa32.exeBoqbfb32.exeKngfih32.exeJnclnihj.exeLbqabkql.exeMmceigep.exeQbelgood.exeAaobdjof.exeBocolb32.exeIkbgmj32.exeEiomkn32.exeEalnephf.exeQlkdkd32.exeAnafhopc.exeBiicik32.exeCjlgiqbk.exeDmafennb.exeAehboi32.exeBnefdp32.exeEmcbkn32.exeHicodd32.exedescription ioc process File created C:\Windows\SysWOW64\Hjkbhikj.dll Pflomnkb.exe File opened for modification C:\Windows\SysWOW64\Dlkepi32.exe Dhpiojfb.exe File created C:\Windows\SysWOW64\Fkeemhpn.dll Nolhan32.exe File created C:\Windows\SysWOW64\Ikbgmj32.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Ifnechbj.exe Icpigm32.exe File created C:\Windows\SysWOW64\Kkgmgmfd.exe Kihqkagp.exe File opened for modification C:\Windows\SysWOW64\Kgbggnhc.exe Kpkofpgq.exe File created C:\Windows\SysWOW64\Kifpdelo.exe Kblhgk32.exe File opened for modification C:\Windows\SysWOW64\Naoniipe.exe Nkeelohh.exe File opened for modification C:\Windows\SysWOW64\Pnomcl32.exe Pjcabmga.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Anojbobe.exe Alpmfdcb.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Dggcffhg.exe File created C:\Windows\SysWOW64\Peiepfgg.exe Pamiog32.exe File created C:\Windows\SysWOW64\Lnfhlh32.dll Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Ocgpappk.exe Oqideepg.exe File created C:\Windows\SysWOW64\Nbniiffi.dll Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Ojcecjee.exe Ocimgp32.exe File opened for modification C:\Windows\SysWOW64\Geolea32.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Jiakjb32.exe Jfcnngnd.exe File created C:\Windows\SysWOW64\Fgaleqmc.dll Nhdlkdkg.exe File opened for modification C:\Windows\SysWOW64\Pamiog32.exe Pnomcl32.exe File created C:\Windows\SysWOW64\Dgjclbdi.exe Ccngld32.exe File opened for modification C:\Windows\SysWOW64\Ehgppi32.exe Edkcojga.exe File created C:\Windows\SysWOW64\Lecgje32.exe Lahkigca.exe File created C:\Windows\SysWOW64\Loclnq32.dll Jmmfkafa.exe File created C:\Windows\SysWOW64\Lfnbefhd.dll Nnhkcj32.exe File opened for modification C:\Windows\SysWOW64\Pjadmnic.exe Pkndaa32.exe File created C:\Windows\SysWOW64\Behnnm32.exe Bbjbaa32.exe File created C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File opened for modification C:\Windows\SysWOW64\Adeplhib.exe Qdccfh32.exe File created C:\Windows\SysWOW64\Pacmbbii.dll Ifcbodli.exe File opened for modification C:\Windows\SysWOW64\Biamilfj.exe Bkommo32.exe File created C:\Windows\SysWOW64\Bneqdoee.dll Coelaaoi.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dfdjhndl.exe File created C:\Windows\SysWOW64\Hogmmjfo.exe Hlhaqogk.exe File created C:\Windows\SysWOW64\Gpmcnehn.dll Iqalka32.exe File opened for modification C:\Windows\SysWOW64\Kemejc32.exe Jbnhng32.exe File created C:\Windows\SysWOW64\Onjnkb32.dll Aaaoij32.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Aemkjiem.exe File created C:\Windows\SysWOW64\Lbidmekh.dll Elmigj32.exe File opened for modification C:\Windows\SysWOW64\Ajjcbpdd.exe Afohaa32.exe File created C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Kmjfdejp.exe Kngfih32.exe File opened for modification C:\Windows\SysWOW64\Jbnhng32.exe Jnclnihj.exe File created C:\Windows\SysWOW64\Bhhognbb.dll Lbqabkql.exe File created C:\Windows\SysWOW64\Mpbaebdd.exe Mmceigep.exe File created C:\Windows\SysWOW64\Qfahhm32.exe Qbelgood.exe File opened for modification C:\Windows\SysWOW64\Adnopfoj.exe Aaobdjof.exe File opened for modification C:\Windows\SysWOW64\Baakhm32.exe Bocolb32.exe File created C:\Windows\SysWOW64\Odoghjmf.dll Ikbgmj32.exe File created C:\Windows\SysWOW64\Ogjbla32.dll Eiomkn32.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File created C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File opened for modification C:\Windows\SysWOW64\Aaobdjof.exe Anafhopc.exe File opened for modification C:\Windows\SysWOW64\Bhkdeggl.exe Biicik32.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cjlgiqbk.exe File opened for modification C:\Windows\SysWOW64\Doobajme.exe Dmafennb.exe File opened for modification C:\Windows\SysWOW64\Igdogl32.exe Ifcbodli.exe File opened for modification C:\Windows\SysWOW64\Ahgnke32.exe Aehboi32.exe File created C:\Windows\SysWOW64\Ffdiejho.dll Biicik32.exe File created C:\Windows\SysWOW64\Cjlgiqbk.exe Bnefdp32.exe File created C:\Windows\SysWOW64\Epafjqck.dll Emcbkn32.exe File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe Hicodd32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5092 4488 WerFault.exe Fkckeh32.exe -
Modifies registry class 64 IoCs
Processes:
Lahkigca.exeAmfcikek.exeDkqbaecc.exeCcahbp32.exeEbodiofk.exe73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exeEbbgid32.exeBblogakg.exeCadhnmnm.exeCdikkg32.exeDlgldibq.exeCopfbfjj.exeGhmiam32.exePqkmjh32.exePogclp32.exePclfkc32.exeBpnbkeld.exeBehnnm32.exeFbdqmghm.exeNnennj32.exePeiepfgg.exeQjjgclai.exeBfadgq32.exeNhfipcid.exeAmbmpmln.exeFjilieka.exeJkdpanhg.exePedleg32.exeBhigphio.exeEeqdep32.exeJcgogk32.exeOlmhdf32.exeEgjpkffe.exeFmjejphb.exeCeaadk32.exeDglpbbbg.exeEbmgcohn.exeHhmepp32.exeJiakjb32.exeNkeelohh.exeKkijmm32.exeMhdplq32.exeBppoqeja.exeCfbhnaho.exeCfgaiaci.exeGeolea32.exeMlibjc32.exeDhdcji32.exeEgllae32.exeGogangdc.exeIhoafpmp.exeKblhgk32.exeMpbaebdd.exePgbhabjp.exeChbjffad.exeEdkcojga.exeDodonf32.exeDdagfm32.exeFeeiob32.exeBgknheej.exeEjbfhfaj.exeLijjoe32.exeOklkmnbp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lahkigca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhokkp32.dll" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnoej32.dll" Dlgldibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" Ghmiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhccl32.dll" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbdqmghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peiepfgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfadgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pienahqb.dll" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" Fjilieka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pedleg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phoccb32.dll" Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnnp32.dll" Olmhdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll" Ceaadk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkgfioo.dll" Nkeelohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll" Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" Gogangdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfimidmd.dll" Kblhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpbaebdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll" Edkcojga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" Bgknheej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkdneid.dll" Lijjoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oklkmnbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exeQdccfh32.exeAdeplhib.exeAnkdiqih.exeAffhncfc.exeAiedjneg.exeAmbmpmln.exeAiinen32.exeAfmonbqk.exeAilkjmpo.exeAljgfioc.exeBbflib32.exeBopicc32.exeBpafkknm.exeBgknheej.exeBnefdp32.exedescription pid process target process PID 1972 wrote to memory of 1064 1972 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe Qdccfh32.exe PID 1972 wrote to memory of 1064 1972 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe Qdccfh32.exe PID 1972 wrote to memory of 1064 1972 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe Qdccfh32.exe PID 1972 wrote to memory of 1064 1972 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe Qdccfh32.exe PID 1064 wrote to memory of 2328 1064 Qdccfh32.exe Adeplhib.exe PID 1064 wrote to memory of 2328 1064 Qdccfh32.exe Adeplhib.exe PID 1064 wrote to memory of 2328 1064 Qdccfh32.exe Adeplhib.exe PID 1064 wrote to memory of 2328 1064 Qdccfh32.exe Adeplhib.exe PID 2328 wrote to memory of 2720 2328 Adeplhib.exe Ankdiqih.exe PID 2328 wrote to memory of 2720 2328 Adeplhib.exe Ankdiqih.exe PID 2328 wrote to memory of 2720 2328 Adeplhib.exe Ankdiqih.exe PID 2328 wrote to memory of 2720 2328 Adeplhib.exe Ankdiqih.exe PID 2720 wrote to memory of 2636 2720 Ankdiqih.exe Affhncfc.exe PID 2720 wrote to memory of 2636 2720 Ankdiqih.exe Affhncfc.exe PID 2720 wrote to memory of 2636 2720 Ankdiqih.exe Affhncfc.exe PID 2720 wrote to memory of 2636 2720 Ankdiqih.exe Affhncfc.exe PID 2636 wrote to memory of 2724 2636 Affhncfc.exe Aiedjneg.exe PID 2636 wrote to memory of 2724 2636 Affhncfc.exe Aiedjneg.exe PID 2636 wrote to memory of 2724 2636 Affhncfc.exe Aiedjneg.exe PID 2636 wrote to memory of 2724 2636 Affhncfc.exe Aiedjneg.exe PID 2724 wrote to memory of 2780 2724 Aiedjneg.exe Ambmpmln.exe PID 2724 wrote to memory of 2780 2724 Aiedjneg.exe Ambmpmln.exe PID 2724 wrote to memory of 2780 2724 Aiedjneg.exe Ambmpmln.exe PID 2724 wrote to memory of 2780 2724 Aiedjneg.exe Ambmpmln.exe PID 2780 wrote to memory of 2444 2780 Ambmpmln.exe Aiinen32.exe PID 2780 wrote to memory of 2444 2780 Ambmpmln.exe Aiinen32.exe PID 2780 wrote to memory of 2444 2780 Ambmpmln.exe Aiinen32.exe PID 2780 wrote to memory of 2444 2780 Ambmpmln.exe Aiinen32.exe PID 2444 wrote to memory of 2964 2444 Aiinen32.exe Afmonbqk.exe PID 2444 wrote to memory of 2964 2444 Aiinen32.exe Afmonbqk.exe PID 2444 wrote to memory of 2964 2444 Aiinen32.exe Afmonbqk.exe PID 2444 wrote to memory of 2964 2444 Aiinen32.exe Afmonbqk.exe PID 2964 wrote to memory of 1668 2964 Afmonbqk.exe Ailkjmpo.exe PID 2964 wrote to memory of 1668 2964 Afmonbqk.exe Ailkjmpo.exe PID 2964 wrote to memory of 1668 2964 Afmonbqk.exe Ailkjmpo.exe PID 2964 wrote to memory of 1668 2964 Afmonbqk.exe Ailkjmpo.exe PID 1668 wrote to memory of 1928 1668 Ailkjmpo.exe Aljgfioc.exe PID 1668 wrote to memory of 1928 1668 Ailkjmpo.exe Aljgfioc.exe PID 1668 wrote to memory of 1928 1668 Ailkjmpo.exe Aljgfioc.exe PID 1668 wrote to memory of 1928 1668 Ailkjmpo.exe Aljgfioc.exe PID 1928 wrote to memory of 2768 1928 Aljgfioc.exe Bbflib32.exe PID 1928 wrote to memory of 2768 1928 Aljgfioc.exe Bbflib32.exe PID 1928 wrote to memory of 2768 1928 Aljgfioc.exe Bbflib32.exe PID 1928 wrote to memory of 2768 1928 Aljgfioc.exe Bbflib32.exe PID 2768 wrote to memory of 1208 2768 Bbflib32.exe Bopicc32.exe PID 2768 wrote to memory of 1208 2768 Bbflib32.exe Bopicc32.exe PID 2768 wrote to memory of 1208 2768 Bbflib32.exe Bopicc32.exe PID 2768 wrote to memory of 1208 2768 Bbflib32.exe Bopicc32.exe PID 1208 wrote to memory of 2264 1208 Bopicc32.exe Bpafkknm.exe PID 1208 wrote to memory of 2264 1208 Bopicc32.exe Bpafkknm.exe PID 1208 wrote to memory of 2264 1208 Bopicc32.exe Bpafkknm.exe PID 1208 wrote to memory of 2264 1208 Bopicc32.exe Bpafkknm.exe PID 2264 wrote to memory of 2244 2264 Bpafkknm.exe Bgknheej.exe PID 2264 wrote to memory of 2244 2264 Bpafkknm.exe Bgknheej.exe PID 2264 wrote to memory of 2244 2264 Bpafkknm.exe Bgknheej.exe PID 2264 wrote to memory of 2244 2264 Bpafkknm.exe Bgknheej.exe PID 2244 wrote to memory of 728 2244 Bgknheej.exe Bnefdp32.exe PID 2244 wrote to memory of 728 2244 Bgknheej.exe Bnefdp32.exe PID 2244 wrote to memory of 728 2244 Bgknheej.exe Bnefdp32.exe PID 2244 wrote to memory of 728 2244 Bgknheej.exe Bnefdp32.exe PID 728 wrote to memory of 568 728 Bnefdp32.exe Cjlgiqbk.exe PID 728 wrote to memory of 568 728 Bnefdp32.exe Cjlgiqbk.exe PID 728 wrote to memory of 568 728 Bnefdp32.exe Cjlgiqbk.exe PID 728 wrote to memory of 568 728 Bnefdp32.exe Cjlgiqbk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:412 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe35⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe36⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe38⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe39⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe41⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe42⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe43⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe44⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe48⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe49⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe50⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe53⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe54⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe59⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe60⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe61⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe63⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe64⤵
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe66⤵PID:3004
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe67⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe68⤵PID:2004
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe69⤵PID:1880
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe70⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe71⤵PID:1900
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe72⤵
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe73⤵PID:2760
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe74⤵PID:2388
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe75⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe77⤵PID:1512
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe78⤵PID:1712
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe79⤵PID:856
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe80⤵PID:2504
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe81⤵PID:2128
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe82⤵PID:788
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe83⤵PID:1492
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe84⤵PID:2708
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe85⤵PID:2024
-
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe86⤵PID:1416
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe87⤵PID:2480
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe89⤵PID:2676
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe90⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe91⤵
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe92⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe93⤵PID:2216
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe94⤵
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe95⤵PID:2656
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe97⤵PID:2176
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe99⤵PID:2476
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe100⤵PID:2232
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe101⤵
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe102⤵PID:884
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe104⤵PID:2700
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe105⤵PID:1556
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe106⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe107⤵PID:1196
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe109⤵PID:1708
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe110⤵PID:2376
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe111⤵PID:2044
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe112⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe113⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe114⤵PID:2460
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe115⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe116⤵PID:2800
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe118⤵PID:112
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe119⤵PID:1632
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe120⤵PID:2796
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe123⤵PID:808
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1588 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe126⤵PID:2076
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe127⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe128⤵
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe129⤵PID:2212
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe130⤵PID:1048
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe131⤵PID:1148
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe132⤵PID:1956
-
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1204 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe134⤵PID:2640
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe135⤵PID:1188
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe136⤵PID:684
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe137⤵PID:2436
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe140⤵
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe141⤵PID:2240
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe142⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe143⤵PID:2752
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe144⤵PID:2968
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe145⤵PID:2080
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe146⤵PID:1984
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe147⤵PID:2844
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe148⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe149⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe150⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe151⤵PID:852
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe153⤵PID:2484
-
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe154⤵PID:2056
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe155⤵PID:2672
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe157⤵PID:2868
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe158⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe159⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe160⤵PID:2896
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe161⤵PID:1184
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe162⤵PID:2904
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe163⤵PID:1600
-
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe164⤵PID:1172
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe165⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe166⤵PID:2236
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe167⤵PID:2940
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe168⤵PID:3100
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe169⤵PID:3140
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe170⤵PID:3180
-
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe172⤵PID:3260
-
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe173⤵PID:3300
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe174⤵PID:3340
-
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe175⤵PID:3380
-
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe176⤵PID:3420
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe177⤵PID:3460
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3500 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe179⤵PID:3540
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3580 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe181⤵
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe182⤵PID:3660
-
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe183⤵
- Modifies registry class
PID:3704 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe184⤵PID:3744
-
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe185⤵PID:3784
-
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3824 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe187⤵PID:3864
-
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe188⤵PID:3904
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3944 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe191⤵PID:4024
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe192⤵PID:4064
-
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3076 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe194⤵
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe195⤵PID:3176
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe196⤵PID:3236
-
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe197⤵PID:3276
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe198⤵PID:3324
-
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe199⤵PID:3372
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe200⤵PID:3432
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe201⤵PID:3484
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe202⤵
- Drops file in System32 directory
PID:3532 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe203⤵
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe204⤵PID:3636
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe205⤵PID:3672
-
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe206⤵PID:3732
-
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe207⤵
- Modifies registry class
PID:3780 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe208⤵PID:3832
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe209⤵PID:3876
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe210⤵PID:3928
-
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe211⤵PID:3980
-
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3520 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe213⤵PID:4076
-
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3084 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe215⤵PID:3148
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe216⤵PID:3228
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe217⤵
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe218⤵PID:3332
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe219⤵
- Drops file in System32 directory
PID:3392 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe220⤵PID:1896
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe221⤵PID:3516
-
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe222⤵PID:3592
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe223⤵PID:3652
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe224⤵
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3752 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe226⤵
- Drops file in System32 directory
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe227⤵PID:3804
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe228⤵PID:3940
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe229⤵PID:4008
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe230⤵PID:4056
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe231⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe232⤵PID:4084
-
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe233⤵PID:3196
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe234⤵PID:2136
-
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe235⤵
- Drops file in System32 directory
PID:3292 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe236⤵PID:3448
-
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3528 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe238⤵PID:3616
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe239⤵PID:2292
-
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe240⤵PID:3768
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe241⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe242⤵PID:2468