Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 02:25
Behavioral task
behavioral1
Sample
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe
-
Size
1024KB
-
MD5
735c9a299b07d6e41236317e48c153a0
-
SHA1
a167f7b3149f788197e9709449f466c3c328743c
-
SHA256
1647e08b28ed77b18038fe6089831ee78b5bbaa859eff5554c543599c07cbe62
-
SHA512
6d900ebba98a350bf5ba78fd2bac4f5cbe05e65bc912cbfdaab10bddd5d1b418c8b1f7fbab5da09eed475d895315b0945d2859436da3ee9a323c9cc15e74f7de
-
SSDEEP
24576:EtaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARe:6aSHFaZRBEYyqmS2DiHPKQgmN
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kfbkmk32.exeLeajdfnm.exeKlnjbbdh.exeDgdmmgpj.exeEecqjpee.exeFeeiob32.exeIhankokm.exeJiondcpk.exeAjejgp32.exeAaobdjof.exeGakaqd32.exeDkhcmgnl.exeHhioga32.exeAbbbnchb.exeHahjpbad.exeHkpnhgge.exeIdmhkpml.exeBpiipf32.exeBiicik32.exeLlqcfe32.exeOgblbo32.exeOikojfgk.exePiphee32.exeCcahbp32.exeDpeekh32.exePbpjiphi.exeFioija32.exeHdfflm32.exeJbnhng32.exeMhqfbebj.exeNkeelohh.exeBppoqeja.exeChnqkg32.exeEmieil32.exeOgmfbd32.exeQecoqk32.exeEgdilkbf.exeCfeddafl.exeCpnojioo.exeEdpmjj32.exeDqhhknjp.exeFpdhklkl.exeIlknfn32.exeNialog32.exeCojema32.exeBlgpef32.exeCclkfdnc.exeMkobnqan.exeNnnojlpa.exePijbfj32.exeDngoibmo.exePmnhfjmg.exeFejgko32.exeInqcif32.exeMhgmapfi.exeAhlgfdeq.exeDjefobmk.exeDgfjbgmh.exeLhmjkaoc.exePelipl32.exeEeqdep32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klnjbbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihankokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gakaqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhioga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpiipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpeekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fioija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfflm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhqfbebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edpmjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdhklkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nialog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cclkfdnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnnojlpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnhfjmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule \Windows\SysWOW64\Gakaqd32.exe family_berbew \Windows\SysWOW64\Gcojnmdn.exe family_berbew \Windows\SysWOW64\Gikopfih.exe family_berbew C:\Windows\SysWOW64\Gimlefge.exe family_berbew C:\Windows\SysWOW64\Hkqecnkq.exe family_berbew \Windows\SysWOW64\Hnandi32.exe family_berbew \Windows\SysWOW64\Hhioga32.exe family_berbew \Windows\SysWOW64\Hqddldcp.exe family_berbew \Windows\SysWOW64\Iolmbpfe.exe family_berbew C:\Windows\SysWOW64\Ibmfdkcf.exe family_berbew \Windows\SysWOW64\Ienoff32.exe family_berbew C:\Windows\SysWOW64\Imeggc32.exe family_berbew C:\Windows\SysWOW64\Jgqemakf.exe family_berbew C:\Windows\SysWOW64\Jjoailji.exe family_berbew \Windows\SysWOW64\Jancafna.exe family_berbew C:\Windows\SysWOW64\Jjfgjk32.exe family_berbew C:\Windows\SysWOW64\Kfmhol32.exe family_berbew C:\Windows\SysWOW64\Kikdkh32.exe family_berbew C:\Windows\SysWOW64\Kfaajlfp.exe family_berbew C:\Windows\SysWOW64\Klnjbbdh.exe family_berbew C:\Windows\SysWOW64\Kpjfba32.exe family_berbew C:\Windows\SysWOW64\Kegnkh32.exe family_berbew C:\Windows\SysWOW64\Kbkodl32.exe family_berbew behavioral1/memory/2288-293-0x00000000002E0000-0x0000000000313000-memory.dmp family_berbew C:\Windows\SysWOW64\Koocdnai.exe family_berbew C:\Windows\SysWOW64\Loapim32.exe family_berbew C:\Windows\SysWOW64\Lekhfgfc.exe family_berbew C:\Windows\SysWOW64\Lhjdbcef.exe family_berbew behavioral1/memory/2236-336-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew C:\Windows\SysWOW64\Labhkh32.exe family_berbew C:\Windows\SysWOW64\Lhlqhb32.exe family_berbew C:\Windows\SysWOW64\Limmokib.exe family_berbew C:\Windows\SysWOW64\Ldcamcih.exe family_berbew behavioral1/memory/2896-380-0x00000000002F0000-0x0000000000323000-memory.dmp family_berbew C:\Windows\SysWOW64\Lbfahp32.exe family_berbew C:\Windows\SysWOW64\Ldenbcge.exe family_berbew behavioral1/memory/2592-409-0x0000000000440000-0x0000000000473000-memory.dmp family_berbew C:\Windows\SysWOW64\Lgdjnofi.exe family_berbew C:\Windows\SysWOW64\Llqcfe32.exe family_berbew C:\Windows\SysWOW64\Loooca32.exe family_berbew C:\Windows\SysWOW64\Moalhq32.exe family_berbew C:\Windows\SysWOW64\Maphdl32.exe family_berbew behavioral1/memory/1912-453-0x00000000002D0000-0x0000000000303000-memory.dmp family_berbew C:\Windows\SysWOW64\Mlelaeqk.exe family_berbew C:\Windows\SysWOW64\Mabejlob.exe family_berbew C:\Windows\SysWOW64\Mhlmgf32.exe family_berbew C:\Windows\SysWOW64\Mofecpnl.exe family_berbew C:\Windows\SysWOW64\Mkmfhacp.exe family_berbew C:\Windows\SysWOW64\Mnkbdlbd.exe family_berbew C:\Windows\SysWOW64\Mhqfbebj.exe family_berbew C:\Windows\SysWOW64\Mkobnqan.exe family_berbew C:\Windows\SysWOW64\Nnnojlpa.exe family_berbew C:\Windows\SysWOW64\Ndgggf32.exe family_berbew C:\Windows\SysWOW64\Njdpomfe.exe family_berbew C:\Windows\SysWOW64\Npnhlg32.exe family_berbew C:\Windows\SysWOW64\Nghphaeo.exe family_berbew C:\Windows\SysWOW64\Nleiqhcg.exe family_berbew C:\Windows\SysWOW64\Nocemcbj.exe family_berbew C:\Windows\SysWOW64\Nfmmin32.exe family_berbew C:\Windows\SysWOW64\Nqcagfim.exe family_berbew C:\Windows\SysWOW64\Nfpjomgd.exe family_berbew C:\Windows\SysWOW64\Nmjblg32.exe family_berbew C:\Windows\SysWOW64\Nbfjdn32.exe family_berbew C:\Windows\SysWOW64\Ohqbqhde.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Gakaqd32.exeGcojnmdn.exeGikopfih.exeGimlefge.exeHkqecnkq.exeHnandi32.exeHhioga32.exeHqddldcp.exeIolmbpfe.exeIbmfdkcf.exeIenoff32.exeImeggc32.exeJgqemakf.exeJjoailji.exeJancafna.exeJjfgjk32.exeKfmhol32.exeKikdkh32.exeKfaajlfp.exeKlnjbbdh.exeKpjfba32.exeKegnkh32.exeKoocdnai.exeKbkodl32.exeLoapim32.exeLekhfgfc.exeLhjdbcef.exeLabhkh32.exeLhlqhb32.exeLimmokib.exeLdcamcih.exeLbfahp32.exeLdenbcge.exeLgdjnofi.exeLlqcfe32.exeLoooca32.exeMoalhq32.exeMaphdl32.exeMlelaeqk.exeMabejlob.exeMhlmgf32.exeMofecpnl.exeMkmfhacp.exeMnkbdlbd.exeMhqfbebj.exeMkobnqan.exeNnnojlpa.exeNdgggf32.exeNjdpomfe.exeNpnhlg32.exeNghphaeo.exeNleiqhcg.exeNocemcbj.exeNfmmin32.exeNqcagfim.exeNfpjomgd.exeNmjblg32.exeNbfjdn32.exeOhqbqhde.exeOfdcjm32.exeOgfpbeim.exeOdjpkihg.exeOghlgdgk.exeOnbddoog.exepid process 2956 Gakaqd32.exe 2620 Gcojnmdn.exe 2604 Gikopfih.exe 2772 Gimlefge.exe 2472 Hkqecnkq.exe 2968 Hnandi32.exe 2572 Hhioga32.exe 2128 Hqddldcp.exe 2748 Iolmbpfe.exe 1968 Ibmfdkcf.exe 1700 Ienoff32.exe 2016 Imeggc32.exe 1960 Jgqemakf.exe 2024 Jjoailji.exe 688 Jancafna.exe 1356 Jjfgjk32.exe 1812 Kfmhol32.exe 848 Kikdkh32.exe 1708 Kfaajlfp.exe 2080 Klnjbbdh.exe 1992 Kpjfba32.exe 2288 Kegnkh32.exe 112 Koocdnai.exe 2188 Kbkodl32.exe 628 Loapim32.exe 2236 Lekhfgfc.exe 2208 Lhjdbcef.exe 1752 Labhkh32.exe 2440 Lhlqhb32.exe 2896 Limmokib.exe 2492 Ldcamcih.exe 2484 Lbfahp32.exe 2592 Ldenbcge.exe 2248 Lgdjnofi.exe 2052 Llqcfe32.exe 1580 Loooca32.exe 1912 Moalhq32.exe 2816 Maphdl32.exe 2364 Mlelaeqk.exe 900 Mabejlob.exe 2448 Mhlmgf32.exe 2284 Mofecpnl.exe 2828 Mkmfhacp.exe 804 Mnkbdlbd.exe 108 Mhqfbebj.exe 1396 Mkobnqan.exe 1224 Nnnojlpa.exe 1784 Ndgggf32.exe 1412 Njdpomfe.exe 1340 Npnhlg32.exe 312 Nghphaeo.exe 1352 Nleiqhcg.exe 2728 Nocemcbj.exe 2272 Nfmmin32.exe 2696 Nqcagfim.exe 2764 Nfpjomgd.exe 1732 Nmjblg32.exe 2848 Nbfjdn32.exe 2276 Ohqbqhde.exe 2456 Ofdcjm32.exe 2540 Ogfpbeim.exe 292 Odjpkihg.exe 1548 Oghlgdgk.exe 1248 Onbddoog.exe -
Loads dropped DLL 64 IoCs
Processes:
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exeGakaqd32.exeGcojnmdn.exeGikopfih.exeGimlefge.exeHkqecnkq.exeHnandi32.exeHhioga32.exeHqddldcp.exeIolmbpfe.exeIbmfdkcf.exeIenoff32.exeImeggc32.exeJgqemakf.exeJjoailji.exeJancafna.exeJjfgjk32.exeKfmhol32.exeKikdkh32.exeKfaajlfp.exeKlnjbbdh.exeKpjfba32.exeKegnkh32.exeKoocdnai.exeKbkodl32.exeLoapim32.exeLekhfgfc.exeLhjdbcef.exeLabhkh32.exeLhlqhb32.exeLimmokib.exeLdcamcih.exepid process 2400 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe 2400 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe 2956 Gakaqd32.exe 2956 Gakaqd32.exe 2620 Gcojnmdn.exe 2620 Gcojnmdn.exe 2604 Gikopfih.exe 2604 Gikopfih.exe 2772 Gimlefge.exe 2772 Gimlefge.exe 2472 Hkqecnkq.exe 2472 Hkqecnkq.exe 2968 Hnandi32.exe 2968 Hnandi32.exe 2572 Hhioga32.exe 2572 Hhioga32.exe 2128 Hqddldcp.exe 2128 Hqddldcp.exe 2748 Iolmbpfe.exe 2748 Iolmbpfe.exe 1968 Ibmfdkcf.exe 1968 Ibmfdkcf.exe 1700 Ienoff32.exe 1700 Ienoff32.exe 2016 Imeggc32.exe 2016 Imeggc32.exe 1960 Jgqemakf.exe 1960 Jgqemakf.exe 2024 Jjoailji.exe 2024 Jjoailji.exe 688 Jancafna.exe 688 Jancafna.exe 1356 Jjfgjk32.exe 1356 Jjfgjk32.exe 1812 Kfmhol32.exe 1812 Kfmhol32.exe 848 Kikdkh32.exe 848 Kikdkh32.exe 1708 Kfaajlfp.exe 1708 Kfaajlfp.exe 2080 Klnjbbdh.exe 2080 Klnjbbdh.exe 1992 Kpjfba32.exe 1992 Kpjfba32.exe 2288 Kegnkh32.exe 2288 Kegnkh32.exe 112 Koocdnai.exe 112 Koocdnai.exe 2188 Kbkodl32.exe 2188 Kbkodl32.exe 628 Loapim32.exe 628 Loapim32.exe 2236 Lekhfgfc.exe 2236 Lekhfgfc.exe 2208 Lhjdbcef.exe 2208 Lhjdbcef.exe 1752 Labhkh32.exe 1752 Labhkh32.exe 2440 Lhlqhb32.exe 2440 Lhlqhb32.exe 2896 Limmokib.exe 2896 Limmokib.exe 2492 Ldcamcih.exe 2492 Ldcamcih.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mlelaeqk.exeNfpjomgd.exePefijfii.exeBblogakg.exeCfbhnaho.exeDgdmmgpj.exeHnojdcfi.exeKgpjanje.exeNialog32.exeImeggc32.exeMhqfbebj.exeNjdpomfe.exeHpapln32.exeEgllae32.exeKikdkh32.exeNfmmin32.exeOjieip32.exeCkffgg32.exeLajhofao.exePlcdgfbo.exeAigaon32.exeCfgaiaci.exeNaoniipe.exeDgjclbdi.exeNgnbgplj.exeOcgpappk.exeOfmbnkhg.exePqhpdhcc.exeFjaonpnn.exeLojomkdn.exeEdpmjj32.exeEjmebq32.exeLhlqhb32.exeLdcamcih.exePelipl32.exeDcfdgiid.exeLhmjkaoc.exeMgimmm32.exeBhndldcn.exeDolnad32.exeBoqbfb32.exeOnbddoog.exeIeqeidnl.exeNcgdbmmp.exeNondgn32.exePkpagq32.exe735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exeAhikqd32.exeGimlefge.exeCngcjo32.exeFhffaj32.exeMhdplq32.exeOlmhdf32.exeEnakbp32.exeOhqbqhde.exeDqhhknjp.exeInngcfid.exeLogbhl32.exePciifc32.exeAfiecb32.exeDjefobmk.exeJifdebic.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Mabejlob.exe Mlelaeqk.exe File created C:\Windows\SysWOW64\Fdfcak32.dll Nfpjomgd.exe File opened for modification C:\Windows\SysWOW64\Pciifc32.exe Pefijfii.exe File opened for modification C:\Windows\SysWOW64\Bifgdk32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Cnippoha.exe Cfbhnaho.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Dgdmmgpj.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Iqfmng32.dll Kgpjanje.exe File created C:\Windows\SysWOW64\Nhdlkdkg.exe Nialog32.exe File opened for modification C:\Windows\SysWOW64\Jgqemakf.exe Imeggc32.exe File created C:\Windows\SysWOW64\Mkobnqan.exe Mhqfbebj.exe File created C:\Windows\SysWOW64\Npnhlg32.exe Njdpomfe.exe File opened for modification C:\Windows\SysWOW64\Hlhaqogk.exe Hpapln32.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Egllae32.exe File opened for modification C:\Windows\SysWOW64\Kfaajlfp.exe Kikdkh32.exe File opened for modification C:\Windows\SysWOW64\Nqcagfim.exe Nfmmin32.exe File created C:\Windows\SysWOW64\Oqcnfjli.exe Ojieip32.exe File created C:\Windows\SysWOW64\Ddokpmfo.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Ldidkbpb.exe Lajhofao.exe File created C:\Windows\SysWOW64\Ealffeej.dll Plcdgfbo.exe File created C:\Windows\SysWOW64\Fabnbook.dll Aigaon32.exe File created C:\Windows\SysWOW64\Chemfl32.exe Cfgaiaci.exe File opened for modification C:\Windows\SysWOW64\Nejiih32.exe Naoniipe.exe File created C:\Windows\SysWOW64\Jaegglem.dll Dgjclbdi.exe File created C:\Windows\SysWOW64\Oceaboqg.dll Ngnbgplj.exe File created C:\Windows\SysWOW64\Ocgpappk.exe Ocgpappk.exe File created C:\Windows\SysWOW64\Qiejdkkn.dll Ofmbnkhg.exe File opened for modification C:\Windows\SysWOW64\Piphee32.exe Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Fidoim32.exe Fjaonpnn.exe File created C:\Windows\SysWOW64\Lecgje32.exe Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Eccmffjf.exe Edpmjj32.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Ejmebq32.exe File created C:\Windows\SysWOW64\Acjgoa32.dll Lhlqhb32.exe File opened for modification C:\Windows\SysWOW64\Lbfahp32.exe Ldcamcih.exe File created C:\Windows\SysWOW64\Ppamme32.exe Pelipl32.exe File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe Dcfdgiid.exe File created C:\Windows\SysWOW64\Lliflp32.exe Lhmjkaoc.exe File created C:\Windows\SysWOW64\Jknpfqoh.dll Mgimmm32.exe File created C:\Windows\SysWOW64\Bpiipf32.exe Bhndldcn.exe File opened for modification C:\Windows\SysWOW64\Dhdcji32.exe Dolnad32.exe File created C:\Windows\SysWOW64\Njabih32.dll Boqbfb32.exe File opened for modification C:\Windows\SysWOW64\Okfencna.exe Onbddoog.exe File created C:\Windows\SysWOW64\Idceea32.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Najdnj32.exe Ncgdbmmp.exe File created C:\Windows\SysWOW64\Amdhhh32.dll Nondgn32.exe File created C:\Windows\SysWOW64\Lijfoo32.dll Pkpagq32.exe File created C:\Windows\SysWOW64\Okjnpflh.dll 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Chemfl32.exe Cfgaiaci.exe File created C:\Windows\SysWOW64\Pheafa32.dll Cfgaiaci.exe File created C:\Windows\SysWOW64\Oqhiplaj.dll Ahikqd32.exe File opened for modification C:\Windows\SysWOW64\Hkqecnkq.exe Gimlefge.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cngcjo32.exe File created C:\Windows\SysWOW64\Fejgko32.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Bmamfo32.dll Mhdplq32.exe File created C:\Windows\SysWOW64\Ocgpappk.exe Olmhdf32.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Ofdcjm32.exe Ohqbqhde.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Dqhhknjp.exe File opened for modification C:\Windows\SysWOW64\Iajcde32.exe Inngcfid.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Logbhl32.exe File created C:\Windows\SysWOW64\Gljilnja.dll Pciifc32.exe File created C:\Windows\SysWOW64\Bhfbdd32.dll Afiecb32.exe File created C:\Windows\SysWOW64\Fclomp32.dll Djefobmk.exe File created C:\Windows\SysWOW64\Joplbl32.exe Jifdebic.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process 5288 5264 WerFault.exe -
Modifies registry class 64 IoCs
Processes:
Bifgdk32.exeDcfdgiid.exeEihfjo32.exeGaqcoc32.exeKpmlkp32.exeNdpfkdmf.exeAoepcn32.exeCghggc32.exeEqpgol32.exePmnhfjmg.exeDgaqgh32.exeHkpnhgge.exeIokfhi32.exeKcdnao32.exeChbjffad.exeEpfhbign.exePogclp32.exeQmicohqm.exeLdidkbpb.exeOqkqkdne.exePbhmnkjf.exeDgjclbdi.exeAigaon32.exeKcbakpdo.exeNcgdbmmp.exeNaajoinb.exeGbijhg32.exePnajilng.exeBfenbpec.exePlcdgfbo.exeGicbeald.exeGdamqndn.exeHlhaqogk.exeIdmhkpml.exePjadmnic.exeFhkpmjln.exeHahjpbad.exeNdbcpd32.exeOobjaqaj.exeFjaonpnn.exeLgdjnofi.exeDfgmhd32.exeHjhhocjj.exeBbjbaa32.exeCadhnmnm.exeEnhacojl.exeNceclqan.exeAlegac32.exeJjoailji.exeLhlqhb32.exePijbfj32.exeJoplbl32.exeLimfed32.exeNajdnj32.exeEfppoc32.exeJancafna.exePpamme32.exeFfnphf32.exeFioija32.exeIdceea32.exeCpnojioo.exeEbjglbml.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bifgdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll" Eihfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjmcaea.dll" Aoepcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll" Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongdpbkl.dll" Iokfhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll" Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qmicohqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldidkbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqkqkdne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll" Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aigaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhmfm32.dll" Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbecd32.dll" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoffcnl.dll" Pnajilng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmccf32.dll" Idmhkpml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnhgge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchnel32.dll" Oobjaqaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfgmhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhhocjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhokkp32.dll" Cadhnmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jneohcll.dll" Alegac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjoailji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhlqhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnnggjm.dll" Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibkki32.dll" Limfed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najdnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jancafna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebjglbml.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exeGakaqd32.exeGcojnmdn.exeGikopfih.exeGimlefge.exeHkqecnkq.exeHnandi32.exeHhioga32.exeHqddldcp.exeIolmbpfe.exeIbmfdkcf.exeIenoff32.exeImeggc32.exeJgqemakf.exeJjoailji.exeJancafna.exedescription pid process target process PID 2400 wrote to memory of 2956 2400 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe Gakaqd32.exe PID 2400 wrote to memory of 2956 2400 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe Gakaqd32.exe PID 2400 wrote to memory of 2956 2400 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe Gakaqd32.exe PID 2400 wrote to memory of 2956 2400 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe Gakaqd32.exe PID 2956 wrote to memory of 2620 2956 Gakaqd32.exe Gcojnmdn.exe PID 2956 wrote to memory of 2620 2956 Gakaqd32.exe Gcojnmdn.exe PID 2956 wrote to memory of 2620 2956 Gakaqd32.exe Gcojnmdn.exe PID 2956 wrote to memory of 2620 2956 Gakaqd32.exe Gcojnmdn.exe PID 2620 wrote to memory of 2604 2620 Gcojnmdn.exe Gikopfih.exe PID 2620 wrote to memory of 2604 2620 Gcojnmdn.exe Gikopfih.exe PID 2620 wrote to memory of 2604 2620 Gcojnmdn.exe Gikopfih.exe PID 2620 wrote to memory of 2604 2620 Gcojnmdn.exe Gikopfih.exe PID 2604 wrote to memory of 2772 2604 Gikopfih.exe Gimlefge.exe PID 2604 wrote to memory of 2772 2604 Gikopfih.exe Gimlefge.exe PID 2604 wrote to memory of 2772 2604 Gikopfih.exe Gimlefge.exe PID 2604 wrote to memory of 2772 2604 Gikopfih.exe Gimlefge.exe PID 2772 wrote to memory of 2472 2772 Gimlefge.exe Hkqecnkq.exe PID 2772 wrote to memory of 2472 2772 Gimlefge.exe Hkqecnkq.exe PID 2772 wrote to memory of 2472 2772 Gimlefge.exe Hkqecnkq.exe PID 2772 wrote to memory of 2472 2772 Gimlefge.exe Hkqecnkq.exe PID 2472 wrote to memory of 2968 2472 Hkqecnkq.exe Hnandi32.exe PID 2472 wrote to memory of 2968 2472 Hkqecnkq.exe Hnandi32.exe PID 2472 wrote to memory of 2968 2472 Hkqecnkq.exe Hnandi32.exe PID 2472 wrote to memory of 2968 2472 Hkqecnkq.exe Hnandi32.exe PID 2968 wrote to memory of 2572 2968 Hnandi32.exe Hhioga32.exe PID 2968 wrote to memory of 2572 2968 Hnandi32.exe Hhioga32.exe PID 2968 wrote to memory of 2572 2968 Hnandi32.exe Hhioga32.exe PID 2968 wrote to memory of 2572 2968 Hnandi32.exe Hhioga32.exe PID 2572 wrote to memory of 2128 2572 Hhioga32.exe Hqddldcp.exe PID 2572 wrote to memory of 2128 2572 Hhioga32.exe Hqddldcp.exe PID 2572 wrote to memory of 2128 2572 Hhioga32.exe Hqddldcp.exe PID 2572 wrote to memory of 2128 2572 Hhioga32.exe Hqddldcp.exe PID 2128 wrote to memory of 2748 2128 Hqddldcp.exe Iolmbpfe.exe PID 2128 wrote to memory of 2748 2128 Hqddldcp.exe Iolmbpfe.exe PID 2128 wrote to memory of 2748 2128 Hqddldcp.exe Iolmbpfe.exe PID 2128 wrote to memory of 2748 2128 Hqddldcp.exe Iolmbpfe.exe PID 2748 wrote to memory of 1968 2748 Iolmbpfe.exe Ibmfdkcf.exe PID 2748 wrote to memory of 1968 2748 Iolmbpfe.exe Ibmfdkcf.exe PID 2748 wrote to memory of 1968 2748 Iolmbpfe.exe Ibmfdkcf.exe PID 2748 wrote to memory of 1968 2748 Iolmbpfe.exe Ibmfdkcf.exe PID 1968 wrote to memory of 1700 1968 Ibmfdkcf.exe Ienoff32.exe PID 1968 wrote to memory of 1700 1968 Ibmfdkcf.exe Ienoff32.exe PID 1968 wrote to memory of 1700 1968 Ibmfdkcf.exe Ienoff32.exe PID 1968 wrote to memory of 1700 1968 Ibmfdkcf.exe Ienoff32.exe PID 1700 wrote to memory of 2016 1700 Ienoff32.exe Imeggc32.exe PID 1700 wrote to memory of 2016 1700 Ienoff32.exe Imeggc32.exe PID 1700 wrote to memory of 2016 1700 Ienoff32.exe Imeggc32.exe PID 1700 wrote to memory of 2016 1700 Ienoff32.exe Imeggc32.exe PID 2016 wrote to memory of 1960 2016 Imeggc32.exe Jgqemakf.exe PID 2016 wrote to memory of 1960 2016 Imeggc32.exe Jgqemakf.exe PID 2016 wrote to memory of 1960 2016 Imeggc32.exe Jgqemakf.exe PID 2016 wrote to memory of 1960 2016 Imeggc32.exe Jgqemakf.exe PID 1960 wrote to memory of 2024 1960 Jgqemakf.exe Jjoailji.exe PID 1960 wrote to memory of 2024 1960 Jgqemakf.exe Jjoailji.exe PID 1960 wrote to memory of 2024 1960 Jgqemakf.exe Jjoailji.exe PID 1960 wrote to memory of 2024 1960 Jgqemakf.exe Jjoailji.exe PID 2024 wrote to memory of 688 2024 Jjoailji.exe Jancafna.exe PID 2024 wrote to memory of 688 2024 Jjoailji.exe Jancafna.exe PID 2024 wrote to memory of 688 2024 Jjoailji.exe Jancafna.exe PID 2024 wrote to memory of 688 2024 Jjoailji.exe Jancafna.exe PID 688 wrote to memory of 1356 688 Jancafna.exe Jjfgjk32.exe PID 688 wrote to memory of 1356 688 Jancafna.exe Jjfgjk32.exe PID 688 wrote to memory of 1356 688 Jancafna.exe Jjfgjk32.exe PID 688 wrote to memory of 1356 688 Jancafna.exe Jjfgjk32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Gakaqd32.exeC:\Windows\system32\Gakaqd32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Gcojnmdn.exeC:\Windows\system32\Gcojnmdn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Gikopfih.exeC:\Windows\system32\Gikopfih.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Gimlefge.exeC:\Windows\system32\Gimlefge.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hkqecnkq.exeC:\Windows\system32\Hkqecnkq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe33⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe34⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe37⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe38⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe39⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe41⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe42⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe43⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe44⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe45⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe49⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe51⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe52⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe53⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe54⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe56⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe58⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe59⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe61⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe62⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe63⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe64⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe66⤵PID:2452
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe67⤵
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe68⤵PID:2368
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1172 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe70⤵PID:544
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe71⤵PID:1360
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe72⤵PID:1008
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe73⤵PID:3004
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe74⤵PID:1748
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe76⤵PID:2884
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe79⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe82⤵PID:2000
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe83⤵PID:1456
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe84⤵PID:2912
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe86⤵PID:1680
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe87⤵PID:2064
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe88⤵PID:1684
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe89⤵PID:2408
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe90⤵PID:2184
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe91⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe93⤵PID:2584
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe94⤵PID:1180
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe95⤵PID:1460
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe96⤵PID:836
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe98⤵PID:2252
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe99⤵PID:1560
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe100⤵PID:788
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe101⤵PID:1780
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe102⤵PID:2292
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe103⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe104⤵PID:2148
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe105⤵PID:2116
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe106⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe107⤵PID:1632
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe108⤵PID:2524
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe110⤵PID:1764
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe111⤵PID:2392
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe112⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe113⤵PID:1796
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe114⤵PID:2020
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe115⤵PID:600
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe116⤵PID:844
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe117⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe118⤵PID:1916
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe121⤵PID:2712
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe123⤵
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe124⤵
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe125⤵PID:1976
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe127⤵
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe128⤵PID:1508
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe129⤵PID:1196
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:776 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe132⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe133⤵PID:1176
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe134⤵PID:1652
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe135⤵PID:2648
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe136⤵PID:608
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe138⤵
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe139⤵
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe141⤵PID:2632
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe142⤵PID:2496
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe144⤵PID:2832
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe145⤵PID:2396
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe146⤵PID:2036
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe147⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe149⤵PID:2668
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe150⤵PID:2644
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe152⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe153⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe154⤵PID:1832
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe155⤵PID:2820
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe156⤵PID:1368
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe158⤵PID:624
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe159⤵PID:1828
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe161⤵PID:880
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe162⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe163⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe164⤵PID:384
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe165⤵PID:2924
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe166⤵PID:2840
-
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe167⤵PID:2532
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe168⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe169⤵PID:3052
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe170⤵PID:1724
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe171⤵PID:2732
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe172⤵PID:644
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe173⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe174⤵PID:1000
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe175⤵PID:3048
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe176⤵PID:1728
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe177⤵PID:2152
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1004 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe180⤵PID:2616
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe182⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe183⤵PID:2300
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe184⤵PID:816
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe185⤵PID:2760
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe186⤵PID:320
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe187⤵PID:2916
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe188⤵
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe189⤵
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe190⤵
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe191⤵PID:2844
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe192⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe193⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe194⤵PID:3108
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3148 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3188 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe197⤵PID:3228
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe198⤵
- Modifies registry class
PID:3268 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe199⤵
- Drops file in System32 directory
PID:3308 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe200⤵PID:3348
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe201⤵PID:3388
-
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe202⤵PID:3428
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe203⤵PID:3468
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3508 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe205⤵PID:3548
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe206⤵PID:3588
-
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe207⤵PID:3628
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe208⤵PID:3668
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe210⤵PID:3748
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe211⤵PID:3788
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe212⤵PID:3828
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe213⤵PID:3868
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe214⤵PID:3908
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3948 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe216⤵PID:3988
-
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe217⤵PID:4028
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe218⤵PID:4068
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe219⤵PID:3080
-
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe220⤵PID:3124
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe221⤵PID:3172
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe222⤵PID:3216
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe223⤵PID:3276
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe224⤵PID:3332
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe225⤵
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe226⤵
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3492 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe228⤵PID:3532
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe229⤵PID:3584
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe230⤵PID:3168
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe231⤵
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe232⤵PID:3740
-
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe233⤵PID:3796
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe234⤵PID:3820
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe235⤵
- Modifies registry class
PID:3880 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe236⤵
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3976 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe238⤵PID:4020
-
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe239⤵PID:4080
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe240⤵PID:3116
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe241⤵PID:2796
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe242⤵
- Modifies registry class
PID:3224