Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 05:24
Behavioral task behavioral1
Sample: 78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General

Target: 78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe
Size: 177KB
MD5: 78fda4dc896111b6bc57e5fa59cd79d0
SHA1: b2777b2d1e63e638c61470a66c3316c84073429c
SHA256: fe8d34352ef2ecb90b8acae8fc28edffe769a3c17e7d352ffe4d649ecdc27cfe
SHA512: d6e2070659624ef35529706501335450ebb99830fece9724ea68cd608399385b85cb1ceb73aa31f022581d59363e28d3a115944e1b7dac311b6659a0c256ba7d
SSDEEP: 3072:upkDpvFMYhZySLIbs68g3q/haR5sS+vfvLHhjh8g1eGFyOsa:QkD9Dks68ga/harSvLHh98gwG0ON
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every entry under HKLM\...\ShellServiceObjectDelayLoad (SSODL) is a CLSID that Explorer.exe instantiates as an in-process COM object when the shell starts, so a DLL registered as that CLSID's InProcServer32 is loaded into Explorer at every logon without a Run key, service or scheduled task. All 64 events below touch one value, "Web Event Logger", pointing at one CLSID; the InProcServer32 registrations for that CLSID are listed under "Modifies registry class" further down. The sample is 32-bit, so on this x64 image its writes land under Wow6432Node; the native 64-bit Explorer reads the un-redirected key and cannot load a 32-bit in-process server, so as recorded here the persistence only takes effect on a 32-bit Windows install.

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"  (31 events, written by:)
  Keoapb32.exe, Pgioaa32.exe, Hnojdcfi.exe, Naajoinb.exe, Ffklhqao.exe, Eqdajkkb.exe, Hkfagfop.exe, Fhneehek.exe,
  Gdgcpi32.exe, Dbkknojp.exe, Gbaileio.exe, Pnomcl32.exe, Lmlhnagm.exe, Mkclhl32.exe, Ngnbgplj.exe, Dggcffhg.exe,
  Gebbnpfp.exe, Hgjefg32.exe, Jfcnngnd.exe, Afohaa32.exe, Ejobhppq.exe, Mhhfdo32.exe, Aadloj32.exe, Ikfmfi32.exe,
  Jfknbe32.exe, Mdpjlajk.exe, Kegqdqbl.exe, Ljkomfjl.exe, Bemgilhh.exe, Cldooj32.exe, Hpbiommg.exe

Key created  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad  (33 events, by:)
  Dhpiojfb.exe, Homclekn.exe, Kmjojo32.exe, Kicmdo32.exe, Lmolnh32.exe, Oqideepg.exe, Bdgafdfp.exe, Gebbnpfp.exe,
  Fhkpmjln.exe, Idhopq32.exe, Pnomcl32.exe, Aadloj32.exe, Dbhnhp32.exe, Hgjefg32.exe, Ikkjbe32.exe, Gdopkn32.exe,
  Keoapb32.exe, Gpejeihi.exe, Hhjhkq32.exe, Igihbknb.exe, Qbcpbo32.exe, Cdlgpgef.exe, Gfhladfn.exe, Ikfmfi32.exe,
  Pgeefbhm.exe, Ckccgane.exe, Gddifnbk.exe, Kfbcbd32.exe, Nondgn32.exe, Boqbfb32.exe, Lfbpag32.exe, Ddgjdk32.exe,
  Kjcpii32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan that can download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

YARA rule family_berbew matched the following 64 resources: the executables dropped into SysWOW64 and three memory regions of two of the dropped processes (pids 2200 and 2812).
  \Windows\SysWOW64\Cndbcc32.exe
  C:\Windows\SysWOW64\Dhjgal32.exe
  \Windows\SysWOW64\Djnpnc32.exe
  \Windows\SysWOW64\Dkmmhf32.exe
  \Windows\SysWOW64\Dgdmmgpj.exe
  \Windows\SysWOW64\Doobajme.exe
  \Windows\SysWOW64\Emcbkn32.exe
  C:\Windows\SysWOW64\Ejgcdb32.exe
  \Windows\SysWOW64\Ecpgmhai.exe
  \Windows\SysWOW64\Epfhbign.exe
  \Windows\SysWOW64\Epieghdk.exe
  C:\Windows\SysWOW64\Eiaiqn32.exe
  \Windows\SysWOW64\Fehjeo32.exe
  \Windows\SysWOW64\Fnpnndgp.exe
  \Windows\SysWOW64\Fjgoce32.exe
  \Windows\SysWOW64\Fhkpmjln.exe
  C:\Windows\SysWOW64\Fdapak32.exe
  C:\Windows\SysWOW64\Fbdqmghm.exe
  C:\Windows\SysWOW64\Fmjejphb.exe
  C:\Windows\SysWOW64\Fddmgjpo.exe
  C:\Windows\SysWOW64\Gpknlk32.exe
  C:\Windows\SysWOW64\Ghfbqn32.exe
  C:\Windows\SysWOW64\Gpmjak32.exe
  C:\Windows\SysWOW64\Gieojq32.exe
  C:\Windows\SysWOW64\Gobgcg32.exe
  C:\Windows\SysWOW64\Gdopkn32.exe
  C:\Windows\SysWOW64\Gacpdbej.exe
  C:\Windows\SysWOW64\Ghmiam32.exe
  behavioral1/memory/2200-345-0x0000000000270000-0x00000000002B0000-memory.dmp
  behavioral1/memory/2200-344-0x0000000000270000-0x00000000002B0000-memory.dmp
  C:\Windows\SysWOW64\Gddifnbk.exe
  C:\Windows\SysWOW64\Hpkjko32.exe
  C:\Windows\SysWOW64\Hnojdcfi.exe
  C:\Windows\SysWOW64\Hnagjbdf.exe
  C:\Windows\SysWOW64\Hellne32.exe
  C:\Windows\SysWOW64\Hhjhkq32.exe
  C:\Windows\SysWOW64\Henidd32.exe
  C:\Windows\SysWOW64\Iaeiieeb.exe
  behavioral1/memory/2812-431-0x0000000000270000-0x00000000002B0000-memory.dmp
  C:\Windows\SysWOW64\Idceea32.exe
  C:\Windows\SysWOW64\Idfbkq32.exe
  C:\Windows\SysWOW64\Igdogl32.exe
  C:\Windows\SysWOW64\Iokfhi32.exe
  C:\Windows\SysWOW64\Idhopq32.exe
  C:\Windows\SysWOW64\Iggkllpe.exe
  C:\Windows\SysWOW64\Igihbknb.exe
  C:\Windows\SysWOW64\Idmhkpml.exe
  C:\Windows\SysWOW64\Ifnechbj.exe
  C:\Windows\SysWOW64\Jnemdecl.exe
  C:\Windows\SysWOW64\Jofiln32.exe
  C:\Windows\SysWOW64\Jgnamk32.exe
  C:\Windows\SysWOW64\Jiondcpk.exe
  C:\Windows\SysWOW64\Jmjjea32.exe
  C:\Windows\SysWOW64\Jcdbbloa.exe
  C:\Windows\SysWOW64\Jfcnngnd.exe
  C:\Windows\SysWOW64\Jmmfkafa.exe
  C:\Windows\SysWOW64\Jcgogk32.exe
  C:\Windows\SysWOW64\Jehkodcm.exe
  C:\Windows\SysWOW64\Jmocpado.exe
  C:\Windows\SysWOW64\Jnqphi32.exe
  C:\Windows\SysWOW64\Jfghif32.exe
  C:\Windows\SysWOW64\Jifdebic.exe
  C:\Windows\SysWOW64\Joplbl32.exe
  C:\Windows\SysWOW64\Kemejc32.exe
Executes dropped EXE (64 IoCs)

pid   process
2156  Cndbcc32.exe
1980  Dhjgal32.exe
2720  Djnpnc32.exe
2540  Dkmmhf32.exe
2560  Dgdmmgpj.exe
2444  Doobajme.exe
1152  Emcbkn32.exe
2784  Ejgcdb32.exe
2964  Ecpgmhai.exe
1452  Epfhbign.exe
2524  Epieghdk.exe
1300  Eiaiqn32.exe
2092  Fehjeo32.exe
2296  Fnpnndgp.exe
2404  Fjgoce32.exe
1476  Fhkpmjln.exe
632   Fdapak32.exe
2908  Fbdqmghm.exe
1756  Fmjejphb.exe
1932  Fddmgjpo.exe
2012  Gpknlk32.exe
928   Ghfbqn32.exe
2336  Gpmjak32.exe
1972  Gieojq32.exe
2196  Gobgcg32.exe
2324  Gdopkn32.exe
2200  Gacpdbej.exe
2568  Ghmiam32.exe
2580  Gddifnbk.exe
2752  Hpkjko32.exe
2808  Hnojdcfi.exe
2424  Hnagjbdf.exe
2932  Hellne32.exe
2512  Hhjhkq32.exe
2812  Henidd32.exe
1796  Iaeiieeb.exe
2660  Idceea32.exe
536   Idfbkq32.exe
1260  Igdogl32.exe
2364  Iokfhi32.exe
1712  Idhopq32.exe
1960  Iggkllpe.exe
1852  Igihbknb.exe
1084  Idmhkpml.exe
1068  Ifnechbj.exe
1392  Jnemdecl.exe
320   Jofiln32.exe
1536  Jgnamk32.exe
2148  Jiondcpk.exe
2832  Jmjjea32.exe
1988  Jcdbbloa.exe
2036  Jfcnngnd.exe
3048  Jmmfkafa.exe
2632  Jcgogk32.exe
2748  Jehkodcm.exe
2536  Jmocpado.exe
2476  Jnqphi32.exe
1708  Jfghif32.exe
2916  Jifdebic.exe
1736  Joplbl32.exe
2976  Kemejc32.exe
1284  Kihqkagp.exe
1944  Kkgmgmfd.exe
1660  Kbqecg32.exe
Loads dropped DLL (64 IoCs)

The report lists each of the following 32 processes twice (64 rows):

pid   process
2352  78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe
2156  Cndbcc32.exe
1980  Dhjgal32.exe
2720  Djnpnc32.exe
2540  Dkmmhf32.exe
2560  Dgdmmgpj.exe
2444  Doobajme.exe
1152  Emcbkn32.exe
2784  Ejgcdb32.exe
2964  Ecpgmhai.exe
1452  Epfhbign.exe
2524  Epieghdk.exe
1300  Eiaiqn32.exe
2092  Fehjeo32.exe
2296  Fnpnndgp.exe
2404  Fjgoce32.exe
1476  Fhkpmjln.exe
632   Fdapak32.exe
2908  Fbdqmghm.exe
1756  Fmjejphb.exe
1932  Fddmgjpo.exe
2012  Gpknlk32.exe
928   Ghfbqn32.exe
2336  Gpmjak32.exe
1972  Gieojq32.exe
2196  Gobgcg32.exe
1588  Gkihhhnm.exe
2200  Gacpdbej.exe
2568  Ghmiam32.exe
2580  Gddifnbk.exe
2752  Hpkjko32.exe
2808  Hnojdcfi.exe
Drops file in System32 directory (64 IoCs)

description                   ioc                               process
File opened for modification  C:\Windows\SysWOW64\Gieojq32.exe  Gpmjak32.exe
File created                  C:\Windows\SysWOW64\Gfjhgdck.exe  Gpqpjj32.exe
File opened for modification  C:\Windows\SysWOW64\Kbkameaf.exe  Knpemf32.exe
File created                  C:\Windows\SysWOW64\Qmbbdq32.dll  Fepiimfg.exe
File created                  C:\Windows\SysWOW64\Hpenlb32.dll  78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe
File created                  C:\Windows\SysWOW64\Hnagjbdf.exe  Hnojdcfi.exe
File created                  C:\Windows\SysWOW64\Kjnfniii.exe  Kgpjanje.exe
File created                  C:\Windows\SysWOW64\Bhigphio.exe  Bekkcljk.exe
File opened for modification  C:\Windows\SysWOW64\Ikhjki32.exe  Idnaoohk.exe
File created                  C:\Windows\SysWOW64\Nolhan32.exe  Meccii32.exe
File opened for modification  C:\Windows\SysWOW64\Obafnlpn.exe  Okgnab32.exe
File created                  C:\Windows\SysWOW64\Adnopfoj.exe  Anafhopc.exe
File created                  C:\Windows\SysWOW64\Gpcmpijk.exe  Giieco32.exe
File created                  C:\Windows\SysWOW64\Nglfapnl.exe  Nejiih32.exe
File created                  C:\Windows\SysWOW64\Dcadac32.exe  Dndlim32.exe
File created                  C:\Windows\SysWOW64\Ogdafiei.dll  Pcnbablo.exe
File created                  C:\Windows\SysWOW64\Jpfdhnai.dll  Jkjfah32.exe
File created                  C:\Windows\SysWOW64\Eofjhkoj.dll  Dndlim32.exe
File created                  C:\Windows\SysWOW64\Algdlcdm.dll  Gjakmc32.exe
File created                  C:\Windows\SysWOW64\Lfjqnjkh.exe  Lbnemk32.exe
File opened for modification  C:\Windows\SysWOW64\Ncgdbmmp.exe  Nolhan32.exe
File created                  C:\Windows\SysWOW64\Dglpkenb.dll  Cpnojioo.exe
File created                  C:\Windows\SysWOW64\Ogjgkqaa.dll  Ngfflj32.exe
File created                  C:\Windows\SysWOW64\Boqbfb32.exe  Bmpfojmp.exe
File created                  C:\Windows\SysWOW64\Fmpkjkma.exe  Fidoim32.exe
File created                  C:\Windows\SysWOW64\Illgimph.exe  Ikkjbe32.exe
File created                  C:\Windows\SysWOW64\Cillgpen.dll  Dgdmmgpj.exe
File created                  C:\Windows\SysWOW64\Bibckiab.dll  Epieghdk.exe
File created                  C:\Windows\SysWOW64\Ckmkcoqd.dll  Naajoinb.exe
File created                  C:\Windows\SysWOW64\Bdeeqehb.exe  Bmkmdk32.exe
File created                  C:\Windows\SysWOW64\Fkcpip32.dll  Fmbhok32.exe
File created                  C:\Windows\SysWOW64\Jbhnql32.dll  Habfipdj.exe
File opened for modification  C:\Windows\SysWOW64\Illgimph.exe  Ikkjbe32.exe
File created                  C:\Windows\SysWOW64\Indgjihl.dll  Jjbpgd32.exe
File opened for modification  C:\Windows\SysWOW64\Ifnechbj.exe  Idmhkpml.exe
File opened for modification  C:\Windows\SysWOW64\Jmjjea32.exe  Jiondcpk.exe
File created                  C:\Windows\SysWOW64\Pimkpfeh.exe  Obcccl32.exe
File created                  C:\Windows\SysWOW64\Cfgnhbba.dll  Cklmgb32.exe
File created                  C:\Windows\SysWOW64\Fhhmapcq.dll  Lmlhnagm.exe
File opened for modification  C:\Windows\SysWOW64\Nhdlkdkg.exe  Nefpnhlc.exe
File opened for modification  C:\Windows\SysWOW64\Bkommo32.exe  Bdeeqehb.exe
File opened for modification  C:\Windows\SysWOW64\Gpqpjj32.exe  Gmbdnn32.exe
File created                  C:\Windows\SysWOW64\Hkfagfop.exe  Hgjefg32.exe
File created                  C:\Windows\SysWOW64\Nhdlkdkg.exe  Nefpnhlc.exe
File created                  C:\Windows\SysWOW64\Gojbjm32.dll  Coelaaoi.exe
File opened for modification  C:\Windows\SysWOW64\Habfipdj.exe  Hmfjha32.exe
File created                  C:\Windows\SysWOW64\Jcgogk32.exe  Jmmfkafa.exe
File created                  C:\Windows\SysWOW64\Onjnkb32.dll  Ajhgmpfg.exe
File created                  C:\Windows\SysWOW64\Eddpkh32.dll  Bhigphio.exe
File created                  C:\Windows\SysWOW64\Cgejac32.exe  Cpkbdiqb.exe
File created                  C:\Windows\SysWOW64\Dgdmmgpj.exe  Dkmmhf32.exe
File created                  C:\Windows\SysWOW64\Aafminbq.dll  Bmpfojmp.exe
File created                  C:\Windows\SysWOW64\Hlqdei32.exe  Hdildlie.exe
File created                  C:\Windows\SysWOW64\Hojgfemq.exe  Hlljjjnm.exe
File created                  C:\Windows\SysWOW64\Kemejc32.exe  Joplbl32.exe
File created                  C:\Windows\SysWOW64\Dggcffhg.exe  Dbkknojp.exe
File opened for modification  C:\Windows\SysWOW64\Egllae32.exe  Ednpej32.exe
File created                  C:\Windows\SysWOW64\Giieco32.exe  Gfjhgdck.exe
File opened for modification  C:\Windows\SysWOW64\Ljkomfjl.exe  Labkdack.exe
File opened for modification  C:\Windows\SysWOW64\Dgdmmgpj.exe  Dkmmhf32.exe
File created                  C:\Windows\SysWOW64\Bdgafdfp.exe  Blpjegfm.exe
File created                  C:\Windows\SysWOW64\Cklmgb32.exe  Chnqkg32.exe
File opened for modification  C:\Windows\SysWOW64\Gpncej32.exe  Gmpgio32.exe
File opened for modification  C:\Windows\SysWOW64\Emkaol32.exe  Ejmebq32.exe
Program crash (1 IoC)

pid   pid_target  process       target process
4936  4900        WerFault.exe  Nlhgoqhh.exe
Modifies registry class (64 IoCs)

All 64 events are under the CLSID that the SSODL value above points at, in the 32-bit (Wow6432Node) classes hive. The initial sample creates the CLSID key; the dropped generations then recreate InProcServer32, set ThreadingModel, and rewrite the InProcServer32 default value, each time to a different freshly dropped DLL in SysWow64. The CLSID is therefore the stable indicator; the DLL names are not. Two of the DLLs registered here, Jbhnql32.dll and Eofjhkoj.dll, appear in the "Drops file in System32 directory" list as created by the same process that registers them (Habfipdj.exe and Dndlim32.exe).

Under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}:

Key created  (the CLSID key itself)  (1 event, by:)
  78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe

Key created  InProcServer32  (22 events, by:)
  Onjgiiad.exe, Mhhfdo32.exe, Aemkjiem.exe, Jmbiipml.exe, Npagjpcd.exe, Gacpdbej.exe, Leajdfnm.exe, Gmpgio32.exe,
  Emcbkn32.exe, Fllnlg32.exe, Mkklljmg.exe, Lfmffhde.exe, Gjakmc32.exe, Fmbhok32.exe, Mmahdggc.exe, Ceaadk32.exe,
  Fnfamcoj.exe, Inkccpgk.exe, Mbpgggol.exe, Fjmaaddo.exe, Djnpnc32.exe, Kmaled32.exe

Set value (str)  InProcServer32\ThreadingModel = "Apartment"  (20 events, by:)
  Nkpegi32.exe, Bdgafdfp.exe, Ejkima32.exe, Fbdqmghm.exe, Kfpgmdog.exe, Hmbpmapf.exe, Fcefji32.exe, Egoife32.exe,
  Ffhpbacb.exe, Jcjdpj32.exe, Aadloj32.exe, Fbdjbaea.exe, Joplbl32.exe, Oqideepg.exe, Fdapak32.exe, Aefeijle.exe,
  Kemejc32.exe, Loeebl32.exe, Hdildlie.exe, Kbqecg32.exe

Set value (str)  InProcServer32\(Default) = "C:\\Windows\\SysWow64\\<dll>"  (21 events; the report shows the empty value name as "InProcServer32\ =" and prints backslashes doubled)
  dll           process
  Gpdgnh32.dll  Lmolnh32.exe
  Ifjeknjd.dll  Anojbobe.exe
  Gdmlko32.dll  Hlqdei32.exe
  Codpklfq.dll  Gddifnbk.exe
  Jcjbelmp.dll  Kofopj32.exe
  Dlfdghbq.dll  Lfmffhde.exe
  Bgagbb32.dll  Mdpjlajk.exe
  Ldhnfd32.dll  Qbcpbo32.exe
  Jbhnql32.dll  Habfipdj.exe
  Dempblao.dll  Ikkjbe32.exe
  Hnhijl32.dll  Aemkjiem.exe
  Mdghad32.dll  Hlljjjnm.exe
  Dekpaqgc.dll  Ejgcdb32.exe
  Apmmjh32.dll  Bkommo32.exe
  Kjjndgdk.dll  Kihqkagp.exe
  Bpebiecm.dll  Ipjoplgo.exe
  Gmibbifn.dll  Henidd32.exe
  Eofjhkoj.dll  Dndlim32.exe
  Jfoagoic.dll  Jfknbe32.exe
  Gjpmgg32.dll  Dfmdho32.exe
  Eekkdc32.dll  Bemgilhh.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exeCndbcc32.exeDhjgal32.exeDjnpnc32.exeDkmmhf32.exeDgdmmgpj.exeDoobajme.exeEmcbkn32.exeEjgcdb32.exeEcpgmhai.exeEpfhbign.exeEpieghdk.exeEiaiqn32.exeFehjeo32.exeFnpnndgp.exeFjgoce32.exedescription pid process target process PID 2352 wrote to memory of 2156 2352 78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe Cndbcc32.exe PID 2352 wrote to memory of 2156 2352 78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe Cndbcc32.exe PID 2352 wrote to memory of 2156 2352 78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe Cndbcc32.exe PID 2352 wrote to memory of 2156 2352 78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe Cndbcc32.exe PID 2156 wrote to memory of 1980 2156 Cndbcc32.exe Dhjgal32.exe PID 2156 wrote to memory of 1980 2156 Cndbcc32.exe Dhjgal32.exe PID 2156 wrote to memory of 1980 2156 Cndbcc32.exe Dhjgal32.exe PID 2156 wrote to memory of 1980 2156 Cndbcc32.exe Dhjgal32.exe PID 1980 wrote to memory of 2720 1980 Dhjgal32.exe Djnpnc32.exe PID 1980 wrote to memory of 2720 1980 Dhjgal32.exe Djnpnc32.exe PID 1980 wrote to memory of 2720 1980 Dhjgal32.exe Djnpnc32.exe PID 1980 wrote to memory of 2720 1980 Dhjgal32.exe Djnpnc32.exe PID 2720 wrote to memory of 2540 2720 Djnpnc32.exe Dkmmhf32.exe PID 2720 wrote to memory of 2540 2720 Djnpnc32.exe Dkmmhf32.exe PID 2720 wrote to memory of 2540 2720 Djnpnc32.exe Dkmmhf32.exe PID 2720 wrote to memory of 2540 2720 Djnpnc32.exe Dkmmhf32.exe PID 2540 wrote to memory of 2560 2540 Dkmmhf32.exe Dgdmmgpj.exe PID 2540 wrote to memory of 2560 2540 Dkmmhf32.exe Dgdmmgpj.exe PID 2540 wrote to memory of 2560 2540 Dkmmhf32.exe Dgdmmgpj.exe PID 2540 wrote to memory of 2560 2540 Dkmmhf32.exe Dgdmmgpj.exe PID 2560 wrote to memory of 2444 2560 Dgdmmgpj.exe Doobajme.exe PID 2560 wrote to memory of 2444 2560 Dgdmmgpj.exe Doobajme.exe PID 2560 wrote to memory of 2444 2560 Dgdmmgpj.exe Doobajme.exe PID 2560 wrote to memory of 2444 2560 Dgdmmgpj.exe Doobajme.exe PID 2444 wrote to memory of 1152 2444 
Doobajme.exe Emcbkn32.exe PID 2444 wrote to memory of 1152 2444 Doobajme.exe Emcbkn32.exe PID 2444 wrote to memory of 1152 2444 Doobajme.exe Emcbkn32.exe PID 2444 wrote to memory of 1152 2444 Doobajme.exe Emcbkn32.exe PID 1152 wrote to memory of 2784 1152 Emcbkn32.exe Ejgcdb32.exe PID 1152 wrote to memory of 2784 1152 Emcbkn32.exe Ejgcdb32.exe PID 1152 wrote to memory of 2784 1152 Emcbkn32.exe Ejgcdb32.exe PID 1152 wrote to memory of 2784 1152 Emcbkn32.exe Ejgcdb32.exe PID 2784 wrote to memory of 2964 2784 Ejgcdb32.exe Ecpgmhai.exe PID 2784 wrote to memory of 2964 2784 Ejgcdb32.exe Ecpgmhai.exe PID 2784 wrote to memory of 2964 2784 Ejgcdb32.exe Ecpgmhai.exe PID 2784 wrote to memory of 2964 2784 Ejgcdb32.exe Ecpgmhai.exe PID 2964 wrote to memory of 1452 2964 Ecpgmhai.exe Epfhbign.exe PID 2964 wrote to memory of 1452 2964 Ecpgmhai.exe Epfhbign.exe PID 2964 wrote to memory of 1452 2964 Ecpgmhai.exe Epfhbign.exe PID 2964 wrote to memory of 1452 2964 Ecpgmhai.exe Epfhbign.exe PID 1452 wrote to memory of 2524 1452 Epfhbign.exe Epieghdk.exe PID 1452 wrote to memory of 2524 1452 Epfhbign.exe Epieghdk.exe PID 1452 wrote to memory of 2524 1452 Epfhbign.exe Epieghdk.exe PID 1452 wrote to memory of 2524 1452 Epfhbign.exe Epieghdk.exe PID 2524 wrote to memory of 1300 2524 Epieghdk.exe Eiaiqn32.exe PID 2524 wrote to memory of 1300 2524 Epieghdk.exe Eiaiqn32.exe PID 2524 wrote to memory of 1300 2524 Epieghdk.exe Eiaiqn32.exe PID 2524 wrote to memory of 1300 2524 Epieghdk.exe Eiaiqn32.exe PID 1300 wrote to memory of 2092 1300 Eiaiqn32.exe Fehjeo32.exe PID 1300 wrote to memory of 2092 1300 Eiaiqn32.exe Fehjeo32.exe PID 1300 wrote to memory of 2092 1300 Eiaiqn32.exe Fehjeo32.exe PID 1300 wrote to memory of 2092 1300 Eiaiqn32.exe Fehjeo32.exe PID 2092 wrote to memory of 2296 2092 Fehjeo32.exe Fnpnndgp.exe PID 2092 wrote to memory of 2296 2092 Fehjeo32.exe Fnpnndgp.exe PID 2092 wrote to memory of 2296 2092 Fehjeo32.exe Fnpnndgp.exe PID 2092 wrote to memory of 2296 2092 Fehjeo32.exe 
Fnpnndgp.exe PID 2296 wrote to memory of 2404 2296 Fnpnndgp.exe Fjgoce32.exe PID 2296 wrote to memory of 2404 2296 Fnpnndgp.exe Fjgoce32.exe PID 2296 wrote to memory of 2404 2296 Fnpnndgp.exe Fjgoce32.exe PID 2296 wrote to memory of 2404 2296 Fnpnndgp.exe Fjgoce32.exe PID 2404 wrote to memory of 1476 2404 Fjgoce32.exe Fhkpmjln.exe PID 2404 wrote to memory of 1476 2404 Fjgoce32.exe Fhkpmjln.exe PID 2404 wrote to memory of 1476 2404 Fjgoce32.exe Fhkpmjln.exe PID 2404 wrote to memory of 1476 2404 Fjgoce32.exe Fhkpmjln.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\78fda4dc896111b6bc57e5fa59cd79d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe28⤵
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe34⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe35⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe38⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe39⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe40⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe41⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe42⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe44⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe47⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe48⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe49⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe50⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe52⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe53⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe57⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe58⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe59⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe60⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe61⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe65⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe68⤵PID:2040
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe69⤵PID:1328
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe70⤵PID:908
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe71⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe72⤵PID:2004
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe73⤵PID:1072
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe74⤵PID:2828
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe75⤵PID:2556
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe76⤵PID:2312
-
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe78⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe79⤵
- Drops file in System32 directory
PID:496 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe80⤵PID:288
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe81⤵PID:1308
-
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe82⤵
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe83⤵PID:2604
-
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe84⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe85⤵PID:2104
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe86⤵PID:760
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe88⤵PID:1948
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe90⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe91⤵PID:2648
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe92⤵PID:2736
-
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe93⤵PID:876
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe94⤵PID:2788
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe95⤵PID:1652
-
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe97⤵PID:624
-
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe98⤵PID:1808
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe99⤵PID:544
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe100⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe101⤵
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe102⤵PID:2088
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe103⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe104⤵PID:884
-
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe106⤵PID:2172
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe107⤵PID:2460
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe108⤵PID:1644
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe109⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe110⤵PID:2980
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe112⤵PID:2064
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe114⤵PID:2068
-
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe115⤵PID:900
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe116⤵PID:2180
-
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe117⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe119⤵PID:2800
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe120⤵PID:2956
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe121⤵PID:1304
-
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe122⤵PID:1256
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe123⤵PID:2240
-
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe124⤵PID:1524
-
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe125⤵PID:568
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe126⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe127⤵PID:2516
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe128⤵PID:2260
-
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe129⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe130⤵PID:1616
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe131⤵PID:1440
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe132⤵PID:2684
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe133⤵PID:1908
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe134⤵PID:580
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe135⤵PID:396
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe138⤵PID:1668
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe139⤵PID:1992
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe140⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe142⤵PID:1356
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe143⤵PID:1376
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe145⤵PID:2520
-
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe146⤵PID:1956
-
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe147⤵PID:808
-
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe148⤵PID:1688
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe149⤵PID:1752
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe150⤵PID:2548
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe151⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe152⤵PID:2700
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe153⤵
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe154⤵PID:2600
-
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe155⤵PID:2272
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe156⤵
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe157⤵PID:2776
-
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe158⤵PID:2280
-
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe159⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe160⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe163⤵PID:484
-
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe164⤵PID:1028
-
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe165⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe166⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe167⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe168⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe170⤵PID:2796
-
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe171⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe173⤵
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe174⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe175⤵PID:3020
-
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe176⤵PID:2596
-
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe178⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe179⤵PID:1340
-
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe180⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe181⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe182⤵PID:2996
-
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe183⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe184⤵PID:1920
-
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe185⤵PID:2716
-
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe186⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe187⤵PID:2120
-
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe188⤵PID:1252
-
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe189⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3104 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe193⤵
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe194⤵
- Drops file in System32 directory
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe195⤵PID:3224
-
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe196⤵PID:3264
-
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe197⤵PID:3304
-
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe198⤵PID:3344
-
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe199⤵PID:3384
-
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3424 -
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe201⤵PID:3464
-
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3504 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3544 -
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe204⤵PID:3584
-
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe205⤵PID:3624
-
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe206⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3664 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3704 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe208⤵PID:3744
-
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe209⤵PID:3784
-
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe210⤵PID:3824
-
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe211⤵PID:3864
-
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe212⤵
- Drops file in System32 directory
PID:3908 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe213⤵PID:3948
-
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe214⤵
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4028 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe216⤵
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe217⤵
- Drops file in System32 directory
PID:3084 -
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe218⤵PID:3132
-
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe219⤵PID:3172
-
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe220⤵PID:3232
-
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3280 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe222⤵PID:3332
-
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe223⤵PID:3380
-
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe224⤵
- Drops file in System32 directory
PID:3432 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe225⤵PID:3444
-
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe226⤵PID:3552
-
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe227⤵
- Modifies registry class
PID:3572 -
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe228⤵
- Drops file in System32 directory
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe229⤵PID:3676
-
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3728 -
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe231⤵PID:3776
-
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe232⤵PID:3796
-
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe233⤵
- Modifies registry class
PID:3884 -
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe234⤵
- Drops file in System32 directory
PID:3932 -
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3980 -
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe236⤵
- Modifies registry class
PID:4048 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe237⤵
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe238⤵
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe239⤵
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe240⤵PID:3244
-
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3300 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe242⤵
- Drops file in System32 directory
- Modifies registry class
PID:3376