Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 06:49
Behavioral task: behavioral1
Sample: 7b7fbe99cf591e6d00ef2256692e0230_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 7b7fbe99cf591e6d00ef2256692e0230_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 7b7fbe99cf591e6d00ef2256692e0230_NeikiAnalytics.exe
Size: 94KB
MD5: 7b7fbe99cf591e6d00ef2256692e0230
SHA1: 1ed397975e90a8f039c1b5f68601fb1bdb52d3da
SHA256: 584dee471d8535815f992c32e9c456147c9abe576899d7d27b6edc933ba1a2a2
SHA512: fc0557293367a68584f26714bdb464c5cc858f821fbf20dbeb4cf08175d0c966019b4a450b632ca181dfa79ab2c2c37eaeb3efc2b897276c1880cb97ab04ee6f
SSDEEP: 1536:KOe6eXwDn+431pqwEuqKzcQ1lipRQDFRfRa9HprmRfRZ:zCwDn5mwED6lipeDF5wkpv
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Ohibdf32.exe, Faagpp32.exe, Ihdkao32.exe, Jmmfkafa.exe, Llfifq32.exe, Bpleef32.exe, Cndbcc32.exe, Claifkkf.exe, Jqdipqbp.exe, Jqfffqpm.exe, Jbnhng32.exe, Mhbped32.exe, Obcccl32.exe, Edkcojga.exe, 7b7fbe99cf591e6d00ef2256692e0230_NeikiAnalytics.exe, Aipddi32.exe, Jjjacf32.exe, Kmjfdejp.exe, Ecejkf32.exe, Djbiicon.exe, Cddaphkn.exe, Ombapedi.exe, Maoajf32.exe, Blbfjg32.exe, Bldcpf32.exe, Dknekeef.exe, Ebmgcohn.exe, Dmoipopd.exe, Jjojofgn.exe, Mgnfhlin.exe, Gkkemh32.exe, Nhiffc32.exe, Ngpolo32.exe, Ejkima32.exe, Mpbaebdd.exe, Hlcgeo32.exe, Jejhecaj.exe, Leonofpp.exe, Obojhlbq.exe, Bbhela32.exe, Bbjbaa32.exe, Fnpnndgp.exe, Ecqqpgli.exe, Qpgpkcpp.exe, Behnnm32.exe, Kpkofpgq.exe, Pnomcl32.exe, Pkndaa32.exe, Cnmehnan.exe, Kjqccigf.exe, Eecqjpee.exe, Qabcjgkh.exe, Chhjkl32.exe, Pjhknm32.exe, Kifpdelo.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohibdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Faagpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ihdkao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jmmfkafa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llfifq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpleef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cndbcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Claifkkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqdipqbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jqfffqpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jbnhng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhbped32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obcccl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Edkcojga.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 7b7fbe99cf591e6d00ef2256692e0230_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aipddi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jjjacf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmjfdejp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ecejkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Djbiicon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cddaphkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ombapedi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Faagpp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maoajf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Blbfjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bldcpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dknekeef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ebmgcohn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmoipopd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jjojofgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kmjfdejp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgnfhlin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkkemh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhiffc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngpolo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejkima32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpbaebdd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlcgeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jqdipqbp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jejhecaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Leonofpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obojhlbq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbhela32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbjbaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fnpnndgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ecqqpgli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpgpkcpp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Behnnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kpkofpgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pnomcl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecqqpgli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ombapedi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Llfifq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkndaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qpgpkcpp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnmehnan.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjqccigf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eecqjpee.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qabcjgkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Chhjkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pjhknm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kifpdelo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihdkao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bbhela32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan capable of downloading and installing a range of additional malicious software, such as other Trojans, ransomware and cryptominers.
resource | yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Cciemedf.exe | family_berbew
behavioral1/memory/3028-6-0x0000000001FE0000-0x0000000002021000-memory.dmp | family_berbew
\Windows\SysWOW64\Claifkkf.exe | family_berbew
behavioral1/memory/2012-20-0x0000000000250000-0x0000000000291000-memory.dmp | family_berbew
\Windows\SysWOW64\Chhjkl32.exe | family_berbew
behavioral1/memory/2616-33-0x0000000000300000-0x0000000000341000-memory.dmp | family_berbew
behavioral1/memory/2540-52-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Cndbcc32.exe | family_berbew
\Windows\SysWOW64\Dgmglh32.exe | family_berbew
behavioral1/memory/2540-60-0x0000000000320000-0x0000000000361000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Dqelenlc.exe | family_berbew
behavioral1/memory/1984-78-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Dkkpbgli.exe | family_berbew
behavioral1/memory/1836-91-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Dbehoa32.exe | family_berbew
behavioral1/memory/2448-104-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Ddcdkl32.exe | family_berbew
behavioral1/memory/2448-116-0x0000000000250000-0x0000000000291000-memory.dmp | family_berbew
behavioral1/memory/2984-130-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Dmoipopd.exe | family_berbew
\Windows\SysWOW64\Djbiicon.exe | family_berbew
C:\Windows\SysWOW64\Dmafennb.exe | family_berbew
behavioral1/memory/308-150-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2024-156-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Dgfjbgmh.exe | family_berbew
\Windows\SysWOW64\Emcbkn32.exe | family_berbew
behavioral1/memory/2752-169-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/1716-182-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Ejgcdb32.exe | family_berbew
behavioral1/memory/1716-189-0x00000000002D0000-0x0000000000311000-memory.dmp | family_berbew
\Windows\SysWOW64\Epdkli32.exe | family_berbew
behavioral1/memory/1540-208-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Eeqdep32.exe | family_berbew
behavioral1/memory/2412-226-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/836-238-0x00000000002E0000-0x0000000000321000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Enihne32.exe | family_berbew
behavioral1/memory/2412-232-0x0000000000280000-0x00000000002C1000-memory.dmp | family_berbew
behavioral1/memory/1080-240-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/836-233-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ekklaj32.exe | family_berbew
C:\Windows\SysWOW64\Eecqjpee.exe | family_berbew
behavioral1/memory/1552-250-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Eiaiqn32.exe | family_berbew
behavioral1/memory/1172-266-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/1928-271-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Egdilkbf.exe | family_berbew
C:\Windows\SysWOW64\Ejbfhfaj.exe | family_berbew
behavioral1/memory/1036-282-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Fnpnndgp.exe | family_berbew
behavioral1/memory/1036-291-0x0000000000250000-0x0000000000291000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ffkcbgek.exe | family_berbew
C:\Windows\SysWOW64\Fnbkddem.exe | family_berbew
behavioral1/memory/1712-313-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/1416-311-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2744-325-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Faagpp32.exe | family_berbew
C:\Windows\SysWOW64\Facdeo32.exe | family_berbew
behavioral1/memory/2188-339-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Fdapak32.exe | family_berbew
behavioral1/memory/2628-346-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Fjlhneio.exe | family_berbew
behavioral1/memory/2628-362-0x0000000000290000-0x00000000002D1000-memory.dmp | family_berbew
behavioral1/memory/3060-361-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
Executes dropped EXE (64 IoCs)
pid | process
2012 | Cciemedf.exe
2616 | Claifkkf.exe
2644 | Chhjkl32.exe
2540 | Cndbcc32.exe
2468 | Dgmglh32.exe
1984 | Dqelenlc.exe
1836 | Dkkpbgli.exe
2448 | Dbehoa32.exe
2924 | Ddcdkl32.exe
2984 | Dmoipopd.exe
308 | Djbiicon.exe
2024 | Dmafennb.exe
2752 | Dgfjbgmh.exe
1716 | Emcbkn32.exe
880 | Ejgcdb32.exe
1540 | Epdkli32.exe
2412 | Eeqdep32.exe
836 | Ekklaj32.exe
1080 | Enihne32.exe
1552 | Eecqjpee.exe
1172 | Eiaiqn32.exe
1928 | Egdilkbf.exe
1036 | Ejbfhfaj.exe
3044 | Fnpnndgp.exe
1416 | Ffkcbgek.exe
1712 | Fnbkddem.exe
2744 | Faagpp32.exe
2188 | Facdeo32.exe
2628 | Fdapak32.exe
3060 | Fjlhneio.exe
2732 | Flmefm32.exe
2480 | Fiaeoang.exe
2488 | Gpmjak32.exe
1596 | Gldkfl32.exe
2828 | Gdopkn32.exe
2952 | Gkihhhnm.exe
3000 | Gkkemh32.exe
2696 | Gmjaic32.exe
2532 | Hahjpbad.exe
1684 | Hkpnhgge.exe
1780 | Hnojdcfi.exe
600 | Hiekid32.exe
696 | Hlcgeo32.exe
488 | Hgilchkf.exe
564 | Hpapln32.exe
1152 | Hlhaqogk.exe
2892 | Hogmmjfo.exe
3024 | Iaeiieeb.exe
2120 | Idceea32.exe
904 | Iknnbklc.exe
1608 | Ifcbodli.exe
1764 | Ihankokm.exe
2584 | Ikpjgkjq.exe
2132 | Iqmcpahh.exe
2724 | Ihdkao32.exe
2460 | Inqcif32.exe
2608 | Iqopea32.exe
2804 | Icmlam32.exe
2796 | Ikddbj32.exe
2520 | Iqalka32.exe
888 | Icpigm32.exe
2172 | Ifnechbj.exe
2768 | Jjjacf32.exe
648 | Jqdipqbp.exe
Loads dropped DLL (64 IoCs)
pid | process (each pid/process pair appears twice in the report's table)
3028 | 7b7fbe99cf591e6d00ef2256692e0230_NeikiAnalytics.exe
2012 | Cciemedf.exe
2616 | Claifkkf.exe
2644 | Chhjkl32.exe
2540 | Cndbcc32.exe
2468 | Dgmglh32.exe
1984 | Dqelenlc.exe
1836 | Dkkpbgli.exe
2448 | Dbehoa32.exe
2924 | Ddcdkl32.exe
2984 | Dmoipopd.exe
308 | Djbiicon.exe
2024 | Dmafennb.exe
2752 | Dgfjbgmh.exe
1716 | Emcbkn32.exe
880 | Ejgcdb32.exe
1540 | Epdkli32.exe
2412 | Eeqdep32.exe
836 | Ekklaj32.exe
1080 | Enihne32.exe
1552 | Eecqjpee.exe
1172 | Eiaiqn32.exe
1928 | Egdilkbf.exe
1036 | Ejbfhfaj.exe
3044 | Fnpnndgp.exe
1416 | Ffkcbgek.exe
1712 | Fnbkddem.exe
2744 | Faagpp32.exe
2188 | Facdeo32.exe
2628 | Fdapak32.exe
3060 | Fjlhneio.exe
2732 | Flmefm32.exe
Drops file in System32 directory (64 IoCs)
Processes: Jmmfkafa.exe, Loeebl32.exe, Pqhpdhcc.exe, Aadloj32.exe, Ohibdf32.exe, Ihankokm.exe, Kneicieh.exe, Cgcmlcja.exe, Idceea32.exe, Clilkfnb.exe, Kjnfniii.exe, Nialog32.exe, Noqamn32.exe, Pimkpfeh.exe, Ahgnke32.exe, Emcbkn32.exe, Lfjqnjkh.exe, Leajdfnm.exe, Dbehoa32.exe, Pciifc32.exe, Qbcpbo32.exe, Cojema32.exe, Pggbla32.exe, Dggcffhg.exe, Edkcojga.exe, Ejkima32.exe, Fdapak32.exe, Lpdbloof.exe, Anlmmp32.exe, Aplifb32.exe, Enihne32.exe, Flmefm32.exe, Dgmglh32.exe, Ikddbj32.exe, Aipddi32.exe, Ebjglbml.exe, Gdopkn32.exe, Ajejgp32.exe, Dnoomqbg.exe, Dfamcogo.exe, Obcccl32.exe, Biicik32.exe, Eeqdep32.exe, Keoapb32.exe, Ncgdbmmp.exe, Nnennj32.exe, Faagpp32.exe, Hahjpbad.exe, Kmjfdejp.exe, Ahdaee32.exe, Ffkcbgek.exe, Aehboi32.exe, Hlhaqogk.exe, Pjhknm32.exe, Qabcjgkh.exe, Bemgilhh.exe, Cnobnmpl.exe, Dfoqmo32.exe, Egdilkbf.exe, Cddaphkn.exe, Dbfabp32.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Jcgogk32.exe | Jmmfkafa.exe
File created | C:\Windows\SysWOW64\Bhhognbb.dll | Loeebl32.exe
File opened for modification | C:\Windows\SysWOW64\Pkndaa32.exe | Pqhpdhcc.exe
File opened for modification | C:\Windows\SysWOW64\Bhndldcn.exe | Aadloj32.exe
File created | C:\Windows\SysWOW64\Oobjaqaj.exe | Ohibdf32.exe
File opened for modification | C:\Windows\SysWOW64\Ikpjgkjq.exe | Ihankokm.exe
File opened for modification | C:\Windows\SysWOW64\Keoapb32.exe | Kneicieh.exe
File opened for modification | C:\Windows\SysWOW64\Cojema32.exe | Cgcmlcja.exe
File created | C:\Windows\SysWOW64\Eqpofkjo.dll | Idceea32.exe
File created | C:\Windows\SysWOW64\Cnkicn32.exe | Clilkfnb.exe
File opened for modification | C:\Windows\SysWOW64\Kmmcjehm.exe | Kjnfniii.exe
File opened for modification | C:\Windows\SysWOW64\Nlphkb32.exe | Nialog32.exe
File created | C:\Windows\SysWOW64\Nhiffc32.exe | Noqamn32.exe
File opened for modification | C:\Windows\SysWOW64\Pogclp32.exe | Pimkpfeh.exe
File opened for modification | C:\Windows\SysWOW64\Ajejgp32.exe | Ahgnke32.exe
File created | C:\Windows\SysWOW64\Ejgcdb32.exe | Emcbkn32.exe
File opened for modification | C:\Windows\SysWOW64\Lihmjejl.exe | Lfjqnjkh.exe
File created | C:\Windows\SysWOW64\Bibkki32.dll | Leajdfnm.exe
File created | C:\Windows\SysWOW64\Anapbp32.dll | Dbehoa32.exe
File created | C:\Windows\SysWOW64\Pnomcl32.exe | Pciifc32.exe
File opened for modification | C:\Windows\SysWOW64\Qimhoi32.exe | Qbcpbo32.exe
File created | C:\Windows\SysWOW64\Opiehf32.dll | Cojema32.exe
File created | C:\Windows\SysWOW64\Pnajilng.exe | Pggbla32.exe
File created | C:\Windows\SysWOW64\Enakbp32.exe | Dggcffhg.exe
File created | C:\Windows\SysWOW64\Olfeho32.dll | Edkcojga.exe
File opened for modification | C:\Windows\SysWOW64\Edpmjj32.exe | Ejkima32.exe
File opened for modification | C:\Windows\SysWOW64\Fjlhneio.exe | Fdapak32.exe
File created | C:\Windows\SysWOW64\Lhpfqama.exe | Leajdfnm.exe
File created | C:\Windows\SysWOW64\Gqncakcq.dll | Lpdbloof.exe
File created | C:\Windows\SysWOW64\Befkmkob.dll | Anlmmp32.exe
File created | C:\Windows\SysWOW64\Abjebn32.exe | Aplifb32.exe
File created | C:\Windows\SysWOW64\Lopekk32.dll | Enihne32.exe
File created | C:\Windows\SysWOW64\Cmbmkg32.dll | Flmefm32.exe
File created | C:\Windows\SysWOW64\Bhndldcn.exe | Aadloj32.exe
File opened for modification | C:\Windows\SysWOW64\Dqelenlc.exe | Dgmglh32.exe
File opened for modification | C:\Windows\SysWOW64\Iqalka32.exe | Ikddbj32.exe
File opened for modification | C:\Windows\SysWOW64\Apimacnn.exe | Aipddi32.exe
File created | C:\Windows\SysWOW64\Hoogfn32.dll | Ebjglbml.exe
File opened for modification | C:\Windows\SysWOW64\Gkihhhnm.exe | Gdopkn32.exe
File opened for modification | C:\Windows\SysWOW64\Abmbhn32.exe | Ajejgp32.exe
File created | C:\Windows\SysWOW64\Dbkknojp.exe | Dnoomqbg.exe
File created | C:\Windows\SysWOW64\Egqdeaqb.dll | Dfamcogo.exe
File created | C:\Windows\SysWOW64\Pimkpfeh.exe | Obcccl32.exe
File opened for modification | C:\Windows\SysWOW64\Ckjpacfp.exe | Biicik32.exe
File created | C:\Windows\SysWOW64\Maphhihi.dll | Eeqdep32.exe
File created | C:\Windows\SysWOW64\Baoohhdn.dll | Keoapb32.exe
File created | C:\Windows\SysWOW64\Mdqmicng.dll | Ncgdbmmp.exe
File created | C:\Windows\SysWOW64\Nhkbkc32.exe | Nnennj32.exe
File created | C:\Windows\SysWOW64\Jkamkfgh.dll | Faagpp32.exe
File created | C:\Windows\SysWOW64\Pffgja32.dll | Hahjpbad.exe
File created | C:\Windows\SysWOW64\Cddfocpb.dll | Kmjfdejp.exe
File created | C:\Windows\SysWOW64\Hojgbclk.dll | Ahdaee32.exe
File created | C:\Windows\SysWOW64\Iaeldika.dll | Ffkcbgek.exe
File created | C:\Windows\SysWOW64\Kckmmp32.dll | Aehboi32.exe
File opened for modification | C:\Windows\SysWOW64\Hogmmjfo.exe | Hlhaqogk.exe
File created | C:\Windows\SysWOW64\Qabcjgkh.exe | Pjhknm32.exe
File created | C:\Windows\SysWOW64\Nglknl32.dll | Qabcjgkh.exe
File opened for modification | C:\Windows\SysWOW64\Biicik32.exe | Bemgilhh.exe
File opened for modification | C:\Windows\SysWOW64\Cdikkg32.exe | Cnobnmpl.exe
File created | C:\Windows\SysWOW64\Fileil32.dll | Dfoqmo32.exe
File opened for modification | C:\Windows\SysWOW64\Ddcdkl32.exe | Dbehoa32.exe
File created | C:\Windows\SysWOW64\Ejbfhfaj.exe | Egdilkbf.exe
File created | C:\Windows\SysWOW64\Cgcmlcja.exe | Cddaphkn.exe
File created | C:\Windows\SysWOW64\Blopagpd.dll | Dbfabp32.exe
Program crash (1 IoC)
pid | pid_target | process | target process
3792 | 3720 | WerFault.exe | Fkckeh32.exe
Modifies registry class (64 IoCs)
Processes: Nialog32.exe, Dfoqmo32.exe, Dhbfdjdp.exe, Emcbkn32.exe, Lhbcfa32.exe, Maoajf32.exe, Bpleef32.exe, Lollckbk.exe, Onjgiiad.exe, Dggcffhg.exe, Nnhkcj32.exe, Enihne32.exe, Dfdjhndl.exe, Ecqqpgli.exe, Eplkpgnh.exe, Hogmmjfo.exe, Mmfbogcn.exe, Aadloj32.exe, Bafidiio.exe, Biicik32.exe, Hpapln32.exe, Kmjfdejp.exe, Ncgdbmmp.exe, Nhkbkc32.exe, Ahikqd32.exe, Ekelld32.exe, Claifkkf.exe, Joplbl32.exe, Meccii32.exe, Dcenlceh.exe, Fiaeoang.exe, Mkclhl32.exe, Dhdcji32.exe, Ejmebq32.exe, Iqmcpahh.exe, Cdikkg32.exe, Ccngld32.exe, Ihankokm.exe, Ahdaee32.exe, Aehboi32.exe, Bbhela32.exe, Ikddbj32.exe, Nlphkb32.exe, Ocimgp32.exe, Pnomcl32.exe, Cndbcc32.exe, Llfifq32.exe, Cddaphkn.exe, Aplifb32.exe, Abjebn32.exe, Hkpnhgge.exe, Hnojdcfi.exe, Onmdoioa.exe, Noqamn32.exe, Iknnbklc.exe, Kifpdelo.exe, Dgfjbgmh.exe, Ffkcbgek.exe, Lfjqnjkh.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaleqmc.dll" | Nialog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfoqmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dhbfdjdp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Emcbkn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lhbcfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkophk32.dll" | Maoajf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bpleef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lollckbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Onjgiiad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dggcffhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll" | Nnhkcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Enihne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll" | Dfdjhndl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll" | Ecqqpgli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eplkpgnh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hogmmjfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" | Mmfbogcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aadloj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmdobgi.dll" | Bafidiio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Biicik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hpapln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kmjfdejp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ncgdbmmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nhkbkc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ahikqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" | Ekelld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keledb32.dll" | Claifkkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Emcbkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Joplbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Meccii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dcenlceh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" | Fiaeoang.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" | Mkclhl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dhdcji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ejmebq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Iqmcpahh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cdikkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ccngld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgecelp.dll" | Ihankokm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" | Ahdaee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckmmp32.dll" | Aehboi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bafidiio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" | Bbhela32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ikddbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nlphkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgefik32.dll" | Ocimgp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pnomcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cndbcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Llfifq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cddaphkn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aplifb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjeknjd.dll" | Abjebn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hkpnhgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" | Hnojdcfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakmkaok.dll" | Onmdoioa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Abjebn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Noqamn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Iknnbklc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpgbgpe.dll" | Kifpdelo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lhbcfa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ahdaee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dgfjbgmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" | Ffkcbgek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfeoma.dll" | Lfjqnjkh.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\7b7fbe99cf591e6d00ef2256692e0230_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\7b7fbe99cf591e6d00ef2256692e0230_NeikiAnalytics.exe") 1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
C:\Windows\SysWOW64\Cciemedf.exe (command line: C:\Windows\system32\Cciemedf.exe) 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
C:\Windows\SysWOW64\Claifkkf.exe (command line: C:\Windows\system32\Claifkkf.exe) 3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616
C:\Windows\SysWOW64\Chhjkl32.exe (command line: C:\Windows\system32\Chhjkl32.exe) 4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644
C:\Windows\SysWOW64\Cndbcc32.exe (command line: C:\Windows\system32\Cndbcc32.exe) 5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540
C:\Windows\SysWOW64\Dgmglh32.exe (command line: C:\Windows\system32\Dgmglh32.exe) 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2468
C:\Windows\SysWOW64\Dqelenlc.exe (command line: C:\Windows\system32\Dqelenlc.exe) 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
C:\Windows\SysWOW64\Dkkpbgli.exe (command line: C:\Windows\system32\Dkkpbgli.exe) 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836
C:\Windows\SysWOW64\Dbehoa32.exe (command line: C:\Windows\system32\Dbehoa32.exe) 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2448
C:\Windows\SysWOW64\Ddcdkl32.exe (command line: C:\Windows\system32\Ddcdkl32.exe) 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
C:\Windows\SysWOW64\Dmoipopd.exe (command line: C:\Windows\system32\Dmoipopd.exe) 11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984
C:\Windows\SysWOW64\Djbiicon.exe (command line: C:\Windows\system32\Djbiicon.exe) 12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308
C:\Windows\SysWOW64\Dmafennb.exe (command line: C:\Windows\system32\Dmafennb.exe) 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
C:\Windows\SysWOW64\Dgfjbgmh.exe (command line: C:\Windows\system32\Dgfjbgmh.exe) 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752
C:\Windows\SysWOW64\Emcbkn32.exe (command line: C:\Windows\system32\Emcbkn32.exe) 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716
C:\Windows\SysWOW64\Ejgcdb32.exe (command line: C:\Windows\system32\Ejgcdb32.exe) 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880
C:\Windows\SysWOW64\Epdkli32.exe (command line: C:\Windows\system32\Epdkli32.exe) 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540
C:\Windows\SysWOW64\Eeqdep32.exe (command line: C:\Windows\system32\Eeqdep32.exe) 18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2412
C:\Windows\SysWOW64\Ekklaj32.exe (command line: C:\Windows\system32\Ekklaj32.exe) 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836
C:\Windows\SysWOW64\Enihne32.exe (command line: C:\Windows\system32\Enihne32.exe) 20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1080
C:\Windows\SysWOW64\Eecqjpee.exe (command line: C:\Windows\system32\Eecqjpee.exe) 21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1552
C:\Windows\SysWOW64\Eiaiqn32.exe (command line: C:\Windows\system32\Eiaiqn32.exe) 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172
C:\Windows\SysWOW64\Egdilkbf.exe (command line: C:\Windows\system32\Egdilkbf.exe) 23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1928
C:\Windows\SysWOW64\Ejbfhfaj.exe (command line: C:\Windows\system32\Ejbfhfaj.exe) 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036
C:\Windows\SysWOW64\Fnpnndgp.exe (command line: C:\Windows\system32\Fnpnndgp.exe) 25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3044
C:\Windows\SysWOW64\Ffkcbgek.exe (command line: C:\Windows\system32\Ffkcbgek.exe) 26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1416
C:\Windows\SysWOW64\Fnbkddem.exe (command line: C:\Windows\system32\Fnbkddem.exe) 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712
C:\Windows\SysWOW64\Faagpp32.exe (command line: C:\Windows\system32\Faagpp32.exe) 28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2744
C:\Windows\SysWOW64\Facdeo32.exe (command line: C:\Windows\system32\Facdeo32.exe) 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188
C:\Windows\SysWOW64\Fdapak32.exe (command line: C:\Windows\system32\Fdapak32.exe) 30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2628
C:\Windows\SysWOW64\Fjlhneio.exe (command line: C:\Windows\system32\Fjlhneio.exe) 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060
C:\Windows\SysWOW64\Flmefm32.exe (command line: C:\Windows\system32\Flmefm32.exe) 32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2732
C:\Windows\SysWOW64\Fiaeoang.exe (command line: C:\Windows\system32\Fiaeoang.exe) 33⤵
- Executes dropped EXE
- Modifies registry class
PID:2480
C:\Windows\SysWOW64\Gpmjak32.exe (command line: C:\Windows\system32\Gpmjak32.exe) 34⤵
- Executes dropped EXE
PID:2488
C:\Windows\SysWOW64\Gldkfl32.exe (command line: C:\Windows\system32\Gldkfl32.exe) 35⤵
- Executes dropped EXE
PID:1596
C:\Windows\SysWOW64\Gdopkn32.exe (command line: C:\Windows\system32\Gdopkn32.exe) 36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828
C:\Windows\SysWOW64\Gkihhhnm.exe (command line: C:\Windows\system32\Gkihhhnm.exe) 37⤵
- Executes dropped EXE
PID:2952
C:\Windows\SysWOW64\Gkkemh32.exe (command line: C:\Windows\system32\Gkkemh32.exe) 38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000
C:\Windows\SysWOW64\Gmjaic32.exe (command line: C:\Windows\system32\Gmjaic32.exe) 39⤵
- Executes dropped EXE
PID:2696
C:\Windows\SysWOW64\Hahjpbad.exe (command line: C:\Windows\system32\Hahjpbad.exe) 40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2532
C:\Windows\SysWOW64\Hkpnhgge.exe (command line: C:\Windows\system32\Hkpnhgge.exe) 41⤵
- Executes dropped EXE
- Modifies registry class
PID:1684
C:\Windows\SysWOW64\Hnojdcfi.exe (command line: C:\Windows\system32\Hnojdcfi.exe) 42⤵
- Executes dropped EXE
- Modifies registry class
PID:1780
C:\Windows\SysWOW64\Hiekid32.exe (command line: C:\Windows\system32\Hiekid32.exe) 43⤵
- Executes dropped EXE
PID:600
C:\Windows\SysWOW64\Hlcgeo32.exe (command line: C:\Windows\system32\Hlcgeo32.exe) 44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:696
C:\Windows\SysWOW64\Hgilchkf.exe (command line: C:\Windows\system32\Hgilchkf.exe) 45⤵
- Executes dropped EXE
PID:488
C:\Windows\SysWOW64\Hpapln32.exe (command line: C:\Windows\system32\Hpapln32.exe) 46⤵
- Executes dropped EXE
- Modifies registry class
PID:564
C:\Windows\SysWOW64\Hlhaqogk.exe (command line: C:\Windows\system32\Hlhaqogk.exe) 47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152
C:\Windows\SysWOW64\Hogmmjfo.exe (command line: C:\Windows\system32\Hogmmjfo.exe) 48⤵
- Executes dropped EXE
- Modifies registry class
PID:2892
C:\Windows\SysWOW64\Iaeiieeb.exe (command line: C:\Windows\system32\Iaeiieeb.exe) 49⤵
- Executes dropped EXE
PID:3024
C:\Windows\SysWOW64\Idceea32.exe (command line: C:\Windows\system32\Idceea32.exe) 50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2120
C:\Windows\SysWOW64\Iknnbklc.exe (command line: C:\Windows\system32\Iknnbklc.exe) 51⤵
- Executes dropped EXE
- Modifies registry class
PID:904
C:\Windows\SysWOW64\Ifcbodli.exe (command line: C:\Windows\system32\Ifcbodli.exe) 52⤵
- Executes dropped EXE
PID:1608
C:\Windows\SysWOW64\Ihankokm.exe (command line: C:\Windows\system32\Ihankokm.exe) 53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1764
C:\Windows\SysWOW64\Ikpjgkjq.exe (command line: C:\Windows\system32\Ikpjgkjq.exe) 54⤵
- Executes dropped EXE
PID:2584
C:\Windows\SysWOW64\Iqmcpahh.exe (command line: C:\Windows\system32\Iqmcpahh.exe) 55⤵
- Executes dropped EXE
- Modifies registry class
PID:2132
C:\Windows\SysWOW64\Ihdkao32.exe (command line: C:\Windows\system32\Ihdkao32.exe) 56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724
C:\Windows\SysWOW64\Inqcif32.exe (command line: C:\Windows\system32\Inqcif32.exe) 57⤵
- Executes dropped EXE
PID:2460
C:\Windows\SysWOW64\Iqopea32.exe (command line: C:\Windows\system32\Iqopea32.exe) 58⤵
- Executes dropped EXE
PID:2608
C:\Windows\SysWOW64\Icmlam32.exe (command line: C:\Windows\system32\Icmlam32.exe) 59⤵
- Executes dropped EXE
PID:2804
C:\Windows\SysWOW64\Ikddbj32.exe (command line: C:\Windows\system32\Ikddbj32.exe) 60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2796
C:\Windows\SysWOW64\Iqalka32.exe (command line: C:\Windows\system32\Iqalka32.exe) 61⤵
- Executes dropped EXE
PID:2520
C:\Windows\SysWOW64\Icpigm32.exe (command line: C:\Windows\system32\Icpigm32.exe) 62⤵
- Executes dropped EXE
PID:888
C:\Windows\SysWOW64\Ifnechbj.exe (command line: C:\Windows\system32\Ifnechbj.exe) 63⤵
- Executes dropped EXE
PID:2172
C:\Windows\SysWOW64\Jjjacf32.exe (command line: C:\Windows\system32\Jjjacf32.exe) 64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2768
C:\Windows\SysWOW64\Jqdipqbp.exe (command line: C:\Windows\system32\Jqdipqbp.exe) 65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:648
C:\Windows\SysWOW64\Jcbellac.exe (command line: C:\Windows\system32\Jcbellac.exe) 66⤵
PID:1240
C:\Windows\SysWOW64\Jiondcpk.exe (command line: C:\Windows\system32\Jiondcpk.exe) 67⤵
PID:1260
C:\Windows\SysWOW64\Jqfffqpm.exe (command line: C:\Windows\system32\Jqfffqpm.exe) 68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044
C:\Windows\SysWOW64\Jbgbni32.exe (command line: C:\Windows\system32\Jbgbni32.exe) 69⤵
PID:1944
C:\Windows\SysWOW64\Jjojofgn.exe (command line: C:\Windows\system32\Jjojofgn.exe) 70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056
C:\Windows\SysWOW64\Jmmfkafa.exe (command line: C:\Windows\system32\Jmmfkafa.exe) 71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:920
C:\Windows\SysWOW64\Jcgogk32.exe (command line: C:\Windows\system32\Jcgogk32.exe) 72⤵
PID:2916
C:\Windows\SysWOW64\Jehkodcm.exe (command line: C:\Windows\system32\Jehkodcm.exe) 73⤵
PID:1800
C:\Windows\SysWOW64\Jkbcln32.exe (command line: C:\Windows\system32\Jkbcln32.exe) 74⤵
PID:2856
C:\Windows\SysWOW64\Jejhecaj.exe (command line: C:\Windows\system32\Jejhecaj.exe) 75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788
C:\Windows\SysWOW64\Jgidao32.exe (command line: C:\Windows\system32\Jgidao32.exe) 76⤵
PID:2428
C:\Windows\SysWOW64\Joplbl32.exe (command line: C:\Windows\system32\Joplbl32.exe) 77⤵
- Modifies registry class
PID:2296
C:\Windows\SysWOW64\Jbnhng32.exe (command line: C:\Windows\system32\Jbnhng32.exe) 78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980
C:\Windows\SysWOW64\Kemejc32.exe (command line: C:\Windows\system32\Kemejc32.exe) 79⤵
PID:1672
C:\Windows\SysWOW64\Kkgmgmfd.exe (command line: C:\Windows\system32\Kkgmgmfd.exe) 80⤵
PID:2680
C:\Windows\SysWOW64\Kneicieh.exe (command line: C:\Windows\system32\Kneicieh.exe) 81⤵
- Drops file in System32 directory
PID:400
C:\Windows\SysWOW64\Keoapb32.exe (command line: C:\Windows\system32\Keoapb32.exe) 82⤵
- Drops file in System32 directory
PID:2304
C:\Windows\SysWOW64\Kjljhjkl.exe (command line: C:\Windows\system32\Kjljhjkl.exe) 83⤵
PID:1292
C:\Windows\SysWOW64\Kmjfdejp.exe (command line: C:\Windows\system32\Kmjfdejp.exe) 84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2064
C:\Windows\SysWOW64\Kgpjanje.exe (command line: C:\Windows\system32\Kgpjanje.exe) 85⤵
PID:1332
C:\Windows\SysWOW64\Kjnfniii.exe (command line: C:\Windows\system32\Kjnfniii.exe) 86⤵
- Drops file in System32 directory
PID:3016
C:\Windows\SysWOW64\Kmmcjehm.exe (command line: C:\Windows\system32\Kmmcjehm.exe) 87⤵
PID:2244
C:\Windows\SysWOW64\Kpkofpgq.exe (command line: C:\Windows\system32\Kpkofpgq.exe) 88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584
C:\Windows\SysWOW64\Kjqccigf.exe (command line: C:\Windows\system32\Kjqccigf.exe) 89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204
C:\Windows\SysWOW64\Kaklpcoc.exe (command line: C:\Windows\system32\Kaklpcoc.exe) 90⤵
PID:2720
C:\Windows\SysWOW64\Kblhgk32.exe (command line: C:\Windows\system32\Kblhgk32.exe) 91⤵
PID:2668
C:\Windows\SysWOW64\Kfgdhjmk.exe (command line: C:\Windows\system32\Kfgdhjmk.exe) 92⤵
PID:1768
C:\Windows\SysWOW64\Kifpdelo.exe (command line: C:\Windows\system32\Kifpdelo.exe) 93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2032
C:\Windows\SysWOW64\Lldlqakb.exe (command line: C:\Windows\system32\Lldlqakb.exe) 94⤵
PID:2944
C:\Windows\SysWOW64\Lfjqnjkh.exe (command line: C:\Windows\system32\Lfjqnjkh.exe) 95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2684
C:\Windows\SysWOW64\Lihmjejl.exe (command line: C:\Windows\system32\Lihmjejl.exe) 96⤵
PID:1920
C:\Windows\SysWOW64\Llfifq32.exe (command line: C:\Windows\system32\Llfifq32.exe) 97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2880
C:\Windows\SysWOW64\Loeebl32.exe (command line: C:\Windows\system32\Loeebl32.exe) 98⤵
- Drops file in System32 directory
PID:1996
C:\Windows\SysWOW64\Leonofpp.exe (command line: C:\Windows\system32\Leonofpp.exe) 99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1564
C:\Windows\SysWOW64\Lijjoe32.exe (command line: C:\Windows\system32\Lijjoe32.exe) 100⤵
PID:284
C:\Windows\SysWOW64\Lpdbloof.exe (command line: C:\Windows\system32\Lpdbloof.exe) 101⤵
- Drops file in System32 directory
PID:1872
C:\Windows\SysWOW64\Lbcnhjnj.exe (command line: C:\Windows\system32\Lbcnhjnj.exe) 102⤵
PID:972
C:\Windows\SysWOW64\Leajdfnm.exe (command line: C:\Windows\system32\Leajdfnm.exe) 103⤵
- Drops file in System32 directory
PID:2208
C:\Windows\SysWOW64\Lhpfqama.exe (command line: C:\Windows\system32\Lhpfqama.exe) 104⤵
PID:2636
C:\Windows\SysWOW64\Lojomkdn.exe (command line: C:\Windows\system32\Lojomkdn.exe) 105⤵
PID:2592
C:\Windows\SysWOW64\Lbeknj32.exe (command line: C:\Windows\system32\Lbeknj32.exe) 106⤵
PID:2572
C:\Windows\SysWOW64\Ldfgebbe.exe (command line: C:\Windows\system32\Ldfgebbe.exe) 107⤵
PID:2556
C:\Windows\SysWOW64\Lhbcfa32.exe (command line: C:\Windows\system32\Lhbcfa32.exe) 108⤵
- Modifies registry class
PID:2712
C:\Windows\SysWOW64\Lollckbk.exe (command line: C:\Windows\system32\Lollckbk.exe) 109⤵
- Modifies registry class
PID:344
C:\Windows\SysWOW64\Lajhofao.exe (command line: C:\Windows\system32\Lajhofao.exe) 110⤵
PID:1092
C:\Windows\SysWOW64\Mkclhl32.exe (command line: C:\Windows\system32\Mkclhl32.exe) 111⤵
- Modifies registry class
PID:2284
C:\Windows\SysWOW64\Monhhk32.exe (command line: C:\Windows\system32\Monhhk32.exe) 112⤵
PID:1708
C:\Windows\SysWOW64\Mppepcfg.exe (command line: C:\Windows\system32\Mppepcfg.exe) 113⤵
PID:1788
C:\Windows\SysWOW64\Mgimmm32.exe (command line: C:\Windows\system32\Mgimmm32.exe) 114⤵
PID:1956
C:\Windows\SysWOW64\Maoajf32.exe (command line: C:\Windows\system32\Maoajf32.exe) 115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2028
C:\Windows\SysWOW64\Mpbaebdd.exe (command line: C:\Windows\system32\Mpbaebdd.exe) 116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728
C:\Windows\SysWOW64\Mbpnanch.exe (command line: C:\Windows\system32\Mbpnanch.exe) 117⤵
PID:3064
C:\Windows\SysWOW64\Mkgfckcj.exe (command line: C:\Windows\system32\Mkgfckcj.exe) 118⤵
PID:2632
C:\Windows\SysWOW64\Mmfbogcn.exe (command line: C:\Windows\system32\Mmfbogcn.exe) 119⤵
- Modifies registry class
PID:2956
C:\Windows\SysWOW64\Mdpjlajk.exe (command line: C:\Windows\system32\Mdpjlajk.exe) 120⤵
PID:2936
C:\Windows\SysWOW64\Mgnfhlin.exe (command line: C:\Windows\system32\Mgnfhlin.exe) 121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796
C:\Windows\SysWOW64\Meagci32.exe (command line: C:\Windows\system32\Meagci32.exe) 122⤵
PID:2016
C:\Windows\SysWOW64\Mpfkqb32.exe (command line: C:\Windows\system32\Mpfkqb32.exe) 123⤵
PID:2268
C:\Windows\SysWOW64\Mcegmm32.exe (command line: C:\Windows\system32\Mcegmm32.exe) 124⤵
PID:2864
C:\Windows\SysWOW64\Meccii32.exe (command line: C:\Windows\system32\Meccii32.exe) 125⤵
- Modifies registry class
PID:1100
C:\Windows\SysWOW64\Mhbped32.exe (command line: C:\Windows\system32\Mhbped32.exe) 126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812
C:\Windows\SysWOW64\Mpigfa32.exe (command line: C:\Windows\system32\Mpigfa32.exe) 127⤵
PID:2512
C:\Windows\SysWOW64\Ncgdbmmp.exe (command line: C:\Windows\system32\Ncgdbmmp.exe) 128⤵
- Drops file in System32 directory
- Modifies registry class
PID:2184
C:\Windows\SysWOW64\Nialog32.exe (command line: C:\Windows\system32\Nialog32.exe) 129⤵
- Drops file in System32 directory
- Modifies registry class
PID:2548
C:\Windows\SysWOW64\Nlphkb32.exe (command line: C:\Windows\system32\Nlphkb32.exe) 130⤵
- Modifies registry class
PID:2232
C:\Windows\SysWOW64\Nondgn32.exe (command line: C:\Windows\system32\Nondgn32.exe) 131⤵
PID:2020
C:\Windows\SysWOW64\Namqci32.exe (command line: C:\Windows\system32\Namqci32.exe) 132⤵
PID:1592
C:\Windows\SysWOW64\Nhfipcid.exe (command line: C:\Windows\system32\Nhfipcid.exe) 133⤵
PID:2792
C:\Windows\SysWOW64\Noqamn32.exe (command line: C:\Windows\system32\Noqamn32.exe) 134⤵
- Drops file in System32 directory
- Modifies registry class
PID:2036
C:\Windows\SysWOW64\Nhiffc32.exe (command line: C:\Windows\system32\Nhiffc32.exe) 135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824
C:\Windows\SysWOW64\Nnennj32.exe (command line: C:\Windows\system32\Nnennj32.exe) 136⤵
- Drops file in System32 directory
PID:2224
C:\Windows\SysWOW64\Nhkbkc32.exe (command line: C:\Windows\system32\Nhkbkc32.exe) 137⤵
- Modifies registry class
PID:2440
C:\Windows\SysWOW64\Nnhkcj32.exe (command line: C:\Windows\system32\Nnhkcj32.exe) 138⤵
- Modifies registry class
PID:2236
C:\Windows\SysWOW64\Ngpolo32.exe (command line: C:\Windows\system32\Ngpolo32.exe) 139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960
C:\Windows\SysWOW64\Onjgiiad.exe (command line: C:\Windows\system32\Onjgiiad.exe) 140⤵
- Modifies registry class
PID:2992
C:\Windows\SysWOW64\Ogblbo32.exe (command line: C:\Windows\system32\Ogblbo32.exe) 141⤵
PID:1636
C:\Windows\SysWOW64\Onmdoioa.exe (command line: C:\Windows\system32\Onmdoioa.exe) 142⤵
- Modifies registry class
PID:1376
C:\Windows\SysWOW64\Oqkqkdne.exe (command line: C:\Windows\system32\Oqkqkdne.exe) 143⤵
PID:636
C:\Windows\SysWOW64\Ocimgp32.exe (command line: C:\Windows\system32\Ocimgp32.exe) 144⤵
- Modifies registry class
PID:2808
C:\Windows\SysWOW64\Ombapedi.exe (command line: C:\Windows\system32\Ombapedi.exe) 145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160
C:\Windows\SysWOW64\Obojhlbq.exe (command line: C:\Windows\system32\Obojhlbq.exe) 146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656
C:\Windows\SysWOW64\Ohibdf32.exe (command line: C:\Windows\system32\Ohibdf32.exe) 147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1604
C:\Windows\SysWOW64\Oobjaqaj.exe (command line: C:\Windows\system32\Oobjaqaj.exe) 148⤵
PID:1532
C:\Windows\SysWOW64\Obafnlpn.exe (command line: C:\Windows\system32\Obafnlpn.exe) 149⤵
PID:2648
C:\Windows\SysWOW64\Okikfagn.exe (command line: C:\Windows\system32\Okikfagn.exe) 150⤵
PID:3036
C:\Windows\SysWOW64\Onhgbmfb.exe (command line: C:\Windows\system32\Onhgbmfb.exe) 151⤵
PID:1084
C:\Windows\SysWOW64\Obcccl32.exe (command line: C:\Windows\system32\Obcccl32.exe) 152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1776
C:\Windows\SysWOW64\Pimkpfeh.exe (command line: C:\Windows\system32\Pimkpfeh.exe) 153⤵
- Drops file in System32 directory
PID:2276
C:\Windows\SysWOW64\Pogclp32.exe (command line: C:\Windows\system32\Pogclp32.exe) 154⤵
PID:684
C:\Windows\SysWOW64\Pqhpdhcc.exe (command line: C:\Windows\system32\Pqhpdhcc.exe) 155⤵
- Drops file in System32 directory
PID:2860
C:\Windows\SysWOW64\Pkndaa32.exe (command line: C:\Windows\system32\Pkndaa32.exe) 156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544
C:\Windows\SysWOW64\Pnlqnl32.exe (command line: C:\Windows\system32\Pnlqnl32.exe) 157⤵
PID:2596
C:\Windows\SysWOW64\Pciifc32.exe (command line: C:\Windows\system32\Pciifc32.exe) 158⤵
- Drops file in System32 directory
PID:2756
C:\Windows\SysWOW64\Pnomcl32.exe (command line: C:\Windows\system32\Pnomcl32.exe) 159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1480
C:\Windows\SysWOW64\Peiepfgg.exe (command line: C:\Windows\system32\Peiepfgg.exe) 160⤵
PID:784
C:\Windows\SysWOW64\Pggbla32.exe (command line: C:\Windows\system32\Pggbla32.exe) 161⤵
- Drops file in System32 directory
PID:1392
C:\Windows\SysWOW64\Pnajilng.exe (command line: C:\Windows\system32\Pnajilng.exe) 162⤵
PID:728
C:\Windows\SysWOW64\Papfegmk.exe (command line: C:\Windows\system32\Papfegmk.exe) 163⤵
PID:1008
C:\Windows\SysWOW64\Pcnbablo.exe (command line: C:\Windows\system32\Pcnbablo.exe) 164⤵
PID:2432
C:\Windows\SysWOW64\Pgioaa32.exe (command line: C:\Windows\system32\Pgioaa32.exe) 165⤵
PID:3004
C:\Windows\SysWOW64\Pjhknm32.exe (command line: C:\Windows\system32\Pjhknm32.exe) 166⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2704
C:\Windows\SysWOW64\Qabcjgkh.exe (command line: C:\Windows\system32\Qabcjgkh.exe) 167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2876
C:\Windows\SysWOW64\Qbcpbo32.exe (command line: C:\Windows\system32\Qbcpbo32.exe) 168⤵
- Drops file in System32 directory
PID:2280
C:\Windows\SysWOW64\Qimhoi32.exe (command line: C:\Windows\system32\Qimhoi32.exe) 169⤵
PID:1752
C:\Windows\SysWOW64\Qlkdkd32.exe (command line: C:\Windows\system32\Qlkdkd32.exe) 170⤵
PID:336
C:\Windows\SysWOW64\Qpgpkcpp.exe (command line: C:\Windows\system32\Qpgpkcpp.exe) 171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708
C:\Windows\SysWOW64\Qfahhm32.exe (command line: C:\Windows\system32\Qfahhm32.exe) 172⤵
PID:1936
C:\Windows\SysWOW64\Aipddi32.exe (command line: C:\Windows\system32\Aipddi32.exe) 173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2904
C:\Windows\SysWOW64\Apimacnn.exe (command line: C:\Windows\system32\Apimacnn.exe) 174⤵
PID:2560
C:\Windows\SysWOW64\Anlmmp32.exe (command line: C:\Windows\system32\Anlmmp32.exe) 175⤵
- Drops file in System32 directory
PID:2312
C:\Windows\SysWOW64\Aefeijle.exe (command line: C:\Windows\system32\Aefeijle.exe) 176⤵
PID:976
C:\Windows\SysWOW64\Ahdaee32.exe (command line: C:\Windows\system32\Ahdaee32.exe) 177⤵
- Drops file in System32 directory
- Modifies registry class
PID:796
C:\Windows\SysWOW64\Aplifb32.exe (command line: C:\Windows\system32\Aplifb32.exe) 178⤵
- Drops file in System32 directory
- Modifies registry class
PID:2672
C:\Windows\SysWOW64\Abjebn32.exe (command line: C:\Windows\system32\Abjebn32.exe) 179⤵
- Modifies registry class
PID:832
C:\Windows\SysWOW64\Aehboi32.exe (command line: C:\Windows\system32\Aehboi32.exe) 180⤵
- Drops file in System32 directory
- Modifies registry class
PID:1272
C:\Windows\SysWOW64\Ahgnke32.exe (command line: C:\Windows\system32\Ahgnke32.exe) 181⤵
- Drops file in System32 directory
PID:1568
C:\Windows\SysWOW64\Ajejgp32.exe (command line: C:\Windows\system32\Ajejgp32.exe) 182⤵
- Drops file in System32 directory
PID:2164
C:\Windows\SysWOW64\Abmbhn32.exe (command line: C:\Windows\system32\Abmbhn32.exe) 183⤵
PID:2852
C:\Windows\SysWOW64\Aekodi32.exe (command line: C:\Windows\system32\Aekodi32.exe) 184⤵
PID:2844
C:\Windows\SysWOW64\Ahikqd32.exe (command line: C:\Windows\system32\Ahikqd32.exe) 185⤵
- Modifies registry class
PID:2416
C:\Windows\SysWOW64\Ajhgmpfg.exe (command line: C:\Windows\system32\Ajhgmpfg.exe) 186⤵
PID:2264
C:\Windows\SysWOW64\Amfcikek.exe (command line: C:\Windows\system32\Amfcikek.exe) 187⤵
PID:2008
C:\Windows\SysWOW64\Aaaoij32.exe (command line: C:\Windows\system32\Aaaoij32.exe) 188⤵
PID:2588
C:\Windows\SysWOW64\Ahlgfdeq.exe (command line: C:\Windows\system32\Ahlgfdeq.exe) 189⤵
PID:2776
C:\Windows\SysWOW64\Ajjcbpdd.exe (command line: C:\Windows\system32\Ajjcbpdd.exe) 190⤵
PID:2948
C:\Windows\SysWOW64\Aadloj32.exe (command line: C:\Windows\system32\Aadloj32.exe) 191⤵
- Drops file in System32 directory
- Modifies registry class
PID:3096
C:\Windows\SysWOW64\Bhndldcn.exe (command line: C:\Windows\system32\Bhndldcn.exe) 192⤵
PID:3136
C:\Windows\SysWOW64\Bjlqhoba.exe (command line: C:\Windows\system32\Bjlqhoba.exe) 193⤵
PID:3176
C:\Windows\SysWOW64\Bafidiio.exe (command line: C:\Windows\system32\Bafidiio.exe) 194⤵
- Modifies registry class
PID:3216
C:\Windows\SysWOW64\Bbhela32.exe (command line: C:\Windows\system32\Bbhela32.exe) 195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3256
C:\Windows\SysWOW64\Biamilfj.exe (command line: C:\Windows\system32\Biamilfj.exe) 196⤵
PID:3296
C:\Windows\SysWOW64\Bpleef32.exe (command line: C:\Windows\system32\Bpleef32.exe) 197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3336
C:\Windows\SysWOW64\Bbjbaa32.exe (command line: C:\Windows\system32\Bbjbaa32.exe) 198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3376
C:\Windows\SysWOW64\Behnnm32.exe (command line: C:\Windows\system32\Behnnm32.exe) 199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3416
C:\Windows\SysWOW64\Blbfjg32.exe (command line: C:\Windows\system32\Blbfjg32.exe) 200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3456
C:\Windows\SysWOW64\Bpnbkeld.exe (command line: C:\Windows\system32\Bpnbkeld.exe) 201⤵
PID:3496
C:\Windows\SysWOW64\Bghjhp32.exe (command line: C:\Windows\system32\Bghjhp32.exe) 202⤵
PID:3536
C:\Windows\SysWOW64\Bifgdk32.exe (command line: C:\Windows\system32\Bifgdk32.exe) 203⤵
PID:3576
C:\Windows\SysWOW64\Bldcpf32.exe (command line: C:\Windows\system32\Bldcpf32.exe) 204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3616
C:\Windows\SysWOW64\Bocolb32.exe (command line: C:\Windows\system32\Bocolb32.exe) 205⤵
PID:3656
C:\Windows\SysWOW64\Bemgilhh.exe (command line: C:\Windows\system32\Bemgilhh.exe) 206⤵
- Drops file in System32 directory
PID:3700
C:\Windows\SysWOW64\Biicik32.exe (command line: C:\Windows\system32\Biicik32.exe) 207⤵
- Drops file in System32 directory
- Modifies registry class
PID:3740
C:\Windows\SysWOW64\Ckjpacfp.exe (command line: C:\Windows\system32\Ckjpacfp.exe) 208⤵
PID:3780
C:\Windows\SysWOW64\Ccahbp32.exe (command line: C:\Windows\system32\Ccahbp32.exe) 209⤵
PID:3820
C:\Windows\SysWOW64\Cdbdjhmp.exe (command line: C:\Windows\system32\Cdbdjhmp.exe) 210⤵
PID:3860
C:\Windows\SysWOW64\Clilkfnb.exe (command line: C:\Windows\system32\Clilkfnb.exe) 211⤵
- Drops file in System32 directory
PID:3900
C:\Windows\SysWOW64\Cnkicn32.exe (command line: C:\Windows\system32\Cnkicn32.exe) 212⤵
PID:3940
C:\Windows\SysWOW64\Cddaphkn.exe (command line: C:\Windows\system32\Cddaphkn.exe) 213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3980
C:\Windows\SysWOW64\Cgcmlcja.exe (command line: C:\Windows\system32\Cgcmlcja.exe) 214⤵
- Drops file in System32 directory
PID:4020
C:\Windows\SysWOW64\Cojema32.exe (command line: C:\Windows\system32\Cojema32.exe) 215⤵
- Drops file in System32 directory
PID:4060
C:\Windows\SysWOW64\Cnmehnan.exe (command line: C:\Windows\system32\Cnmehnan.exe) 216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816
C:\Windows\SysWOW64\Cahail32.exe (command line: C:\Windows\system32\Cahail32.exe) 217⤵
PID:3120
C:\Windows\SysWOW64\Cgejac32.exe (command line: C:\Windows\system32\Cgejac32.exe) 218⤵
PID:3168
C:\Windows\SysWOW64\Cnobnmpl.exe (command line: C:\Windows\system32\Cnobnmpl.exe) 219⤵
- Drops file in System32 directory
PID:3224
C:\Windows\SysWOW64\Cdikkg32.exe (command line: C:\Windows\system32\Cdikkg32.exe) 220⤵
- Modifies registry class
PID:3268
C:\Windows\SysWOW64\Cghggc32.exe (command line: C:\Windows\system32\Cghggc32.exe) 221⤵
PID:3324
-
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe222⤵PID:3368
-
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe223⤵PID:3436
-
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe224⤵
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe225⤵PID:3524
-
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe226⤵PID:3572
-
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe227⤵PID:3624
-
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe228⤵PID:3636
-
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe229⤵
- Drops file in System32 directory
- Modifies registry class
PID:3728 -
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe230⤵PID:3776
-
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe231⤵PID:3828
-
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe232⤵
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe233⤵
- Drops file in System32 directory
PID:3936 -
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3968 -
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe235⤵
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe236⤵
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe237⤵
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe238⤵
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe239⤵PID:3236
-
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe240⤵
- Modifies registry class
PID:3272 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe241⤵
- Drops file in System32 directory
- Modifies registry class
PID:3360 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe242⤵PID:3396