Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 31-05-2024 06:57
Behavioral task behavioral1
Sample: 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe
Size: 1024KB
MD5: 7bd907430f7c2044924fbf7b41c74cd0
SHA1: 5fc9407d3955b2ea56a4bfedf0c078e2d4e3cd03
SHA256: b4d8eb2ced45ca0689534ce646f9740eacd97acf6dc1ee778377a98f6ca4c7f0
SHA512: ec6a4f67fb9783e7d7d24afb73f5a3cdf7fd7ade59d7266d2d6b112049cac966cb4597df8f49e12b76d8f2886ff4a4ed1f20f18c13f303bd58516e174c2ec6bf
SSDEEP: 24576:/taSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARe:1aSHFaZRBEYyqmS2DiHPKQgmN
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
2552  1504        WerFault.exe  Lbjofi32.exe
Modifies registry class (64 IoCs)
Processes:
Agpeaa32.exeEjehgkdp.exeIpehmebh.exeFamope32.exeMkfclo32.exeCjonncab.exeKcginj32.exeObjjnkie.exeIdknoi32.exeDpkibo32.exeEaeipfei.exeGgicgopd.exeLpgajgeg.exeIpokcdjn.exeElkmmodo.exeFgdgcfmb.exeFofbhgde.exeGiaidnkf.exeIdcacc32.exeMicklk32.exeNpdfhhhe.exeAfdiondb.exeLdahkaij.exeKdbepm32.exePadeldeo.exeFnflke32.exeGqaafn32.exeKmegjdad.exeAkeijlfq.exeAdifpk32.exeBqeqqk32.exeFpbnjjkm.exeCfhiplmp.exeEejopecj.exeFjlmpfhg.exeQppkfhlc.exeGgdcbi32.exeHqnapb32.exeBbjpil32.exeCcpeld32.exeBaigca32.exeLqejbiim.exeEnlidg32.exeDokfme32.exeEinjdb32.exeDeakjjbk.exeJjpdmi32.exeMmakmp32.exeOpkccm32.exeLgkhdddo.exeJoidhh32.exeIjclol32.exeImodkadq.exeOjglhm32.exeEjaphpnp.exeCiqcmiei.exeDaipqhdg.exeJepmgj32.exeNnkcpq32.exeKofaicon.exeNjgpij32.exeBjoofhgc.exeGpelnb32.exeHbiaemkk.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agpeaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejehgkdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipehmebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikijafg.dll" Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjonncab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Objjnkie.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mljgjbmc.dll" Idknoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaeipfei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpgajgeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipokcdjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgdgcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfmiaej.dll" Idcacc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Micklk32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdfhhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhibfpo.dll" Ldahkaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Padeldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiolmdc.dll" Fnflke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqaafn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akeijlfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll" Adifpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhiplmp.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejopecj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjlmpfhg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qppkfhlc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfnje32.dll" Ggdcbi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemln32.dll" Hqnapb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjpil32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjgpkif.dll" Ccpeld32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkllaj32.dll" Baigca32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqejbiim.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enlidg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokfme32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Einjdb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deakjjbk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dghccddl.dll" Jjpdmi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkijnbae.dll" Mmakmp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkojbh32.dll" Opkccm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgkhdddo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joidhh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijclol32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imodkadq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkiehdc.dll" Ojglhm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejaphpnp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciqcmiei.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daipqhdg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jepmgj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnkcpq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofaicon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njgpij32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgckfd32.dll" Bjoofhgc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpelnb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbiaemkk.exe
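The entries above show the persistence mechanism in one piece: every stage re-creates the same CLSID under the Wow6432Node Classes hive, points its InProcServer32 default value at a DLL in C:\Windows\SysWow64 whose name changes from stage to stage (Nlfnje32.dll, Gmemln32.dll, Mmjgpkif.dll, ...), and sets ThreadingModel to Apartment so the object can be loaded as an in-process COM server. Because Explorer instantiates every CLSID listed under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad at logon, the DLL runs inside explorer.exe without any Run key. The practical consequence for a hunt is that the filename is not a stable indicator; the SSODL value and the CLSID are. The audit below is an added example, not code from the sandbox or the sample: it reads the SSODL list and resolves each CLSID's InProcServer32 in the 32-bit and 64-bit registry views separately (a 32-bit writer lands in Wow6432Node), and flags entries that are missing from an operator-supplied baseline, match the CLSID in this report, or point at a SysWow64 DLL named like the ones registered here. The baseline, the "Constructed Entry" value name, and the benign CLSID in the sample snapshot are constructed for the example.

```python
"""Audit Explorer's ShellServiceObjectDelayLoad (SSODL) list for hijacked CLSIDs.

Added example; not code from the sandbox report or from the sample.
Explorer loads every CLSID listed under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad
at logon, resolving it through HKLM\\SOFTWARE\\Classes\\CLSID\\{clsid}\\InProcServer32.
A 32-bit writer on x64 lands in the Wow6432Node view, so both views are audited.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SSODL_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# CLSID written by every stage in this report.
REPORT_CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
# Naming shape of the SysWow64 DLLs this report registers (Nlfnje32.dll, Mmjgpkif.dll, ...):
# six letters plus "32", or eight letters. A heuristic derived from this report, not a family rule.
DROPPED_DLL_RE = re.compile(r"\\SysWow64\\[a-z]{6}32\.dll$|\\SysWow64\\[a-z]{8}\.dll$", re.I)


@dataclass
class Finding:
    view: str                      # "32" (Wow6432Node) or "64" (native)
    value_name: str                # SSODL value name
    clsid: str
    server_dll: Optional[str]      # InProcServer32 default value, if any
    threading_model: Optional[str]
    reasons: List[str] = field(default_factory=list)


def audit_ssodl(ssodl: Dict[str, str],
                clsid_servers: Dict[str, Tuple[str, Optional[str]]],
                view: str,
                baseline: Dict[str, str]) -> List[Finding]:
    """ssodl: value name -> CLSID. clsid_servers: CLSID -> (InProcServer32 default, ThreadingModel).
    baseline: value name -> CLSID expected on this build (assumption: the operator maintains it per image).
    Returns one Finding per SSODL entry that deviates from the baseline or matches this report's IoCs."""
    findings: List[Finding] = []
    for name, clsid in ssodl.items():
        key = clsid.upper()
        dll, tm = clsid_servers.get(key, (None, None))
        f = Finding(view, name, clsid, dll, tm)
        if not CLSID_RE.match(clsid):
            f.reasons.append("SSODL value is not a CLSID")
        if baseline.get(name, "").upper() != key:
            f.reasons.append("not in baseline")
        if key == REPORT_CLSID.upper():
            f.reasons.append("CLSID matches the IoC in this report")
        if dll is None:
            f.reasons.append("no InProcServer32 registered in this view")
        elif DROPPED_DLL_RE.search(dll):
            f.reasons.append("InProcServer32 is a SysWow64 DLL named like the ones dropped in this report")
        if f.reasons:
            findings.append(f)
    return findings


def collect_view(view: str):
    """Read SSODL and the InProcServer32 of each listed CLSID from the live registry (Windows only).
    view "32" opens the Wow6432Node redirection, "64" the native view."""
    import winreg  # standard library, available on Windows only
    access = winreg.KEY_READ | (winreg.KEY_WOW64_32KEY if view == "32" else winreg.KEY_WOW64_64KEY)
    ssodl: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_PATH, 0, access) as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:            # raised once the index runs past the last value
                break
            ssodl[name] = str(data)
            i += 1
    servers: Dict[str, Tuple[str, Optional[str]]] = {}
    for clsid in ssodl.values():
        path = "SOFTWARE\\Classes\\CLSID\\" + clsid + "\\InProcServer32"
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as k:
                dll = str(winreg.QueryValueEx(k, "")[0])      # the (Default) value
                try:
                    tm: Optional[str] = str(winreg.QueryValueEx(k, "ThreadingModel")[0])
                except OSError:
                    tm = None
        except OSError:
            continue                   # listed CLSID with no in-process server in this view
        servers[clsid.upper()] = (dll, tm)
    return ssodl, servers


# Constructed snapshot mirroring the shape of this report's writes; not taken from a real host.
SAMPLE_SSODL = {
    "Constructed Entry": "{79FEACFF-FFCE-815E-A900-316290B5B738}",
    "Baseline Entry": "{00000000-0000-0000-0000-000000000001}",
}
SAMPLE_SERVERS = {
    "{79FEACFF-FFCE-815E-A900-316290B5B738}": (r"C:\Windows\SysWow64\Nlfnje32.dll", "Apartment"),
    "{00000000-0000-0000-0000-000000000001}": (r"C:\Windows\System32\constructed.dll", "Apartment"),
}
SAMPLE_BASELINE = {"Baseline Entry": "{00000000-0000-0000-0000-000000000001}"}  # replace with a real one

if __name__ == "__main__":
    if sys.platform == "win32":
        for view in ("32", "64"):
            ssodl, servers = collect_view(view)
            for finding in audit_ssodl(ssodl, servers, view, SAMPLE_BASELINE):
                print(finding)
    else:
        for finding in audit_ssodl(SAMPLE_SSODL, SAMPLE_SERVERS, "32", SAMPLE_BASELINE):
            print(finding)
```

On a live host, replace SAMPLE_BASELINE with the SSODL contents captured from a clean image of the same build; with an empty or foreign baseline every entry is reported as "not in baseline", which is noisy but safe. Run it elevated only if you also want to read HKCU views for other users; HKLM is readable as a standard user.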
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe, Amqccfed.exe, Bilmcf32.exe, Becnhgmg.exe, Cbdnko32.exe, Ciqcmiei.exe, Dgbcpq32.exe, Ejehgkdp.exe, Eodnebpd.exe, Fjeefofk.exe, Gaafhloq.exe, Gjijqa32.exe, Gngcgp32.exe, Hicqmmfc.exe, Hpbbdfik.exe, Ilnmdgkj.exe
description | pid | process | target process (each parent/child pair below is recorded four times in the report: 16 pairs x 4 events = 64 IoCs)
PID 3012 wrote to memory of 2152 | 3012 | 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe | Amqccfed.exe
PID 2152 wrote to memory of 2608 | 2152 | Amqccfed.exe | Bilmcf32.exe
PID 2608 wrote to memory of 2652 | 2608 | Bilmcf32.exe | Becnhgmg.exe
PID 2652 wrote to memory of 1712 | 2652 | Becnhgmg.exe | Cbdnko32.exe
PID 1712 wrote to memory of 2456 | 1712 | Cbdnko32.exe | Ciqcmiei.exe
PID 2456 wrote to memory of 1804 | 2456 | Ciqcmiei.exe | Dgbcpq32.exe
PID 1804 wrote to memory of 576 | 1804 | Dgbcpq32.exe | Ejehgkdp.exe
PID 576 wrote to memory of 1584 | 576 | Ejehgkdp.exe | Eodnebpd.exe
PID 1584 wrote to memory of 2812 | 1584 | Eodnebpd.exe | Fjeefofk.exe
PID 2812 wrote to memory of 2104 | 2812 | Fjeefofk.exe | Gaafhloq.exe
PID 2104 wrote to memory of 1404 | 2104 | Gaafhloq.exe | Gjijqa32.exe
PID 1404 wrote to memory of 1868 | 1404 | Gjijqa32.exe | Gngcgp32.exe
PID 1868 wrote to memory of 2664 | 1868 | Gngcgp32.exe | Hicqmmfc.exe
PID 2664 wrote to memory of 1108 | 2664 | Hicqmmfc.exe | Hpbbdfik.exe
PID 1108 wrote to memory of 2276 | 1108 | Hpbbdfik.exe | Ilnmdgkj.exe
PID 2276 wrote to memory of 2112 | 2276 | Ilnmdgkj.exe | Idknoi32.exe
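The WriteProcessMemory entries are the quickest way to recover the execution chain from a report like this, because each entry names both the writing and the written-to process and every parent here writes to exactly one child before handing over. The parser below is an added example, not part of the report or the sandbox's tooling: it scans the report's own text form ("PID <src> wrote to memory of <dst> <src> <src image> <dst image>") with finditer, so it copes with entries run together on a single line or split across a line break as they are above, rebuilds the parent-to-child tree with the number of write events per edge, walks it as a chain, and lists the stages whose names follow the pattern of every dropped executable in this report (one capital letter, lowercase letters, optional trailing "32"). That name pattern is a heuristic taken from this report, not a rule about the family; the sample text is constructed from the first entries above and the PID reuse guard is an assumption about how the walk should fail rather than loop.

```python
"""Rebuild the parent->child spawn chain from Triage "wrote to memory of" entries.

Added example; not part of the report. Input is the report's own text form,
    PID <src> wrote to memory of <dst> <src> <src image> <dst image>
which the page runs together on a few long lines, so the scanner uses
finditer over the whole text rather than splitting on newlines.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List

# \1 re-checks that the repeated source PID matches; \s+ tolerates entries broken across lines.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\1\s+(\S+)\s+(\S+)")
# Naming shape of every dropped stage in this report (Amqccfed.exe, Bilmcf32.exe, ...).
# Heuristic derived from this report, not a family rule.
STAGE_NAME_RE = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")


@dataclass
class WpmEvent:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


@dataclass
class Node:
    pid: int
    image: str
    writes: int   # WriteProcessMemory events this process received from its parent


def parse_wpm(text: str) -> List[WpmEvent]:
    return [WpmEvent(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            for m in WPM_RE.finditer(text)]


def spawn_tree(events: List[WpmEvent]):
    """Return (roots, children, images); children[pid] maps child pid -> Node with the write count."""
    images: Dict[int, str] = {}
    children: Dict[int, OrderedDict] = {}
    targets = set()
    for e in events:
        images[e.src_pid] = e.src_image
        images[e.dst_pid] = e.dst_image
        targets.add(e.dst_pid)
        kids = children.setdefault(e.src_pid, OrderedDict())
        if e.dst_pid in kids:
            kids[e.dst_pid].writes += 1
        else:
            kids[e.dst_pid] = Node(e.dst_pid, e.dst_image, 1)
    roots = [p for p in children if p not in targets]   # writers nobody wrote to
    return roots, children, images


def linear_chain(events: List[WpmEvent]) -> List[Node]:
    """Walk from the single root while each process wrote to exactly one child."""
    roots, children, images = spawn_tree(events)
    if len(roots) != 1:
        raise ValueError("expected one root process, found %r" % (roots,))
    chain = [Node(roots[0], images[roots[0]], 0)]
    seen = {roots[0]}
    while chain[-1].pid in children:
        kids = list(children[chain[-1].pid].values())
        if len(kids) != 1:
            raise ValueError("PID %d wrote to %d processes; not a linear chain"
                             % (chain[-1].pid, len(kids)))
        if kids[0].pid in seen:      # assumption: a reused PID ends the walk instead of looping
            break
        seen.add(kids[0].pid)
        chain.append(kids[0])
    return chain


def stage_like_names(chain: List[Node]) -> List[str]:
    """Images in the chain whose names follow this report's dropped-stage pattern."""
    return [n.image for n in chain if STAGE_NAME_RE.match(n.image)]


# Constructed from the first entries of this report, with one entry split across a
# line break the way the page's extraction splits them.
SAMPLE_TEXT = (
    "PID 3012 wrote to memory of 2152 3012 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe Amqccfed.exe "
    "PID 3012 wrote to memory of 2152 3012 7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe Amqccfed.exe "
    "PID 2152 wrote to memory of 2608 2152 Amqccfed.exe Bilmcf32.exe "
    "PID 2608 wrote to memory of 2652 2608 \n"
    "Bilmcf32.exe Becnhgmg.exe"
)

if __name__ == "__main__":
    for node in linear_chain(parse_wpm(SAMPLE_TEXT)):
        print(node.pid, node.image, "writes from parent:", node.writes)
    print("stage-like names:", stage_like_names(linear_chain(parse_wpm(SAMPLE_TEXT))))
```

Fed the full WriteProcessMemory section of this report, the chain is 17 processes long with four writes on every edge; the page's process tree continues the same one-child-per-parent shape far beyond the 64-IoC cap of this signature, so the tree rather than this section is the source for the later stages.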
Processes
Process tree (each entry is a child of the entry above it; the bracketed depth is the nesting level):
- C:\Users\Admin\AppData\Local\Temp\7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\7bd907430f7c2044924fbf7b41c74cd0_NeikiAnalytics.exe") [depth 1, PID 3012]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Amqccfed.exe (cmdline: C:\Windows\system32\Amqccfed.exe) [depth 2, PID 2152]
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bilmcf32.exe (cmdline: C:\Windows\system32\Bilmcf32.exe) [depth 3, PID 2608]
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Becnhgmg.exe (cmdline: C:\Windows\system32\Becnhgmg.exe) [depth 4, PID 2652]
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Cbdnko32.exe (cmdline: C:\Windows\system32\Cbdnko32.exe) [depth 5, PID 1712]
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ciqcmiei.exe (cmdline: C:\Windows\system32\Ciqcmiei.exe) [depth 6, PID 2456]
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Dgbcpq32.exe (cmdline: C:\Windows\system32\Dgbcpq32.exe) [depth 7, PID 1804]
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ejehgkdp.exe (cmdline: C:\Windows\system32\Ejehgkdp.exe) [depth 8, PID 576]
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Eodnebpd.exe (cmdline: C:\Windows\system32\Eodnebpd.exe) [depth 9, PID 1584]
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Fjeefofk.exe (cmdline: C:\Windows\system32\Fjeefofk.exe) [depth 10, PID 2812]
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gaafhloq.exe (cmdline: C:\Windows\system32\Gaafhloq.exe) [depth 11, PID 2104]
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gjijqa32.exe (cmdline: C:\Windows\system32\Gjijqa32.exe) [depth 12, PID 1404]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gngcgp32.exe (cmdline: C:\Windows\system32\Gngcgp32.exe) [depth 13, PID 1868]
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hicqmmfc.exe (cmdline: C:\Windows\system32\Hicqmmfc.exe) [depth 14, PID 2664]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hpbbdfik.exe (cmdline: C:\Windows\system32\Hpbbdfik.exe) [depth 15, PID 1108]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ilnmdgkj.exe (cmdline: C:\Windows\system32\Ilnmdgkj.exe) [depth 16, PID 2276]
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Idknoi32.exe (cmdline: C:\Windows\system32\Idknoi32.exe) [depth 17, PID 2112]
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Jpfhoi32.exe (cmdline: C:\Windows\system32\Jpfhoi32.exe) [depth 18, PID 2776]
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Jhamckel.exe (cmdline: C:\Windows\system32\Jhamckel.exe) [depth 19, PID 1072]
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Kgnpeg32.exe (cmdline: C:\Windows\system32\Kgnpeg32.exe) [depth 20, PID 1700]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Kdbpnk32.exe (cmdline: C:\Windows\system32\Kdbpnk32.exe) [depth 21, PID 1672]
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Kmmebm32.exe (cmdline: C:\Windows\system32\Kmmebm32.exe) [depth 22, PID 940]
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Kqknil32.exe (cmdline: C:\Windows\system32\Kqknil32.exe) [depth 23, PID 2748]
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Lifbmn32.exe (cmdline: C:\Windows\system32\Lifbmn32.exe) [depth 24, PID 900]
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Lbogfcjc.exe (cmdline: C:\Windows\system32\Lbogfcjc.exe) [depth 25, PID 2308]
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Lcncpfaf.exe (cmdline: C:\Windows\system32\Lcncpfaf.exe) [depth 26, PID 1648]
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Lpgajgeg.exe (cmdline: C:\Windows\system32\Lpgajgeg.exe) [depth 27, PID 1604]
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Ledibnco.exe (cmdline: C:\Windows\system32\Ledibnco.exe) [depth 28, PID 2240]
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mmakmp32.exe (cmdline: C:\Windows\system32\Mmakmp32.exe) [depth 29, PID 1616]
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Mmdgbp32.exe (cmdline: C:\Windows\system32\Mmdgbp32.exe) [depth 30, PID 2640]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mhilph32.exe (cmdline: C:\Windows\system32\Mhilph32.exe) [depth 31, PID 2656]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mbcmpfhi.exe (cmdline: C:\Windows\system32\Mbcmpfhi.exe) [depth 32, PID 2576]
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Mimemp32.exe (cmdline: C:\Windows\system32\Mimemp32.exe) [depth 33, PID 2828]
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Nlnnnk32.exe (cmdline: C:\Windows\system32\Nlnnnk32.exe) [depth 34, PID 2108]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nefbga32.exe (cmdline: C:\Windows\system32\Nefbga32.exe) [depth 35, PID 1652]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nbjcqe32.exe (cmdline: C:\Windows\system32\Nbjcqe32.exe) [depth 36, PID 1424]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nkegeg32.exe (cmdline: C:\Windows\system32\Nkegeg32.exe) [depth 37, PID 3060]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ndpicm32.exe (cmdline: C:\Windows\system32\Ndpicm32.exe) [depth 38, PID 2824]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Odbeilbg.exe (cmdline: C:\Windows\system32\Odbeilbg.exe) [depth 39, PID 1940]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Opkccm32.exe (cmdline: C:\Windows\system32\Opkccm32.exe) [depth 40, PID 2868]
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Onocmadb.exe (cmdline: C:\Windows\system32\Onocmadb.exe) [depth 41, PID 836]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Oifdbb32.exe (cmdline: C:\Windows\system32\Oifdbb32.exe) [depth 42, PID 2312]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Padeldeo.exe (cmdline: C:\Windows\system32\Padeldeo.exe) [depth 43, PID 1688]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Phpjnnki.exe (cmdline: C:\Windows\system32\Phpjnnki.exe) [depth 44, PID 2708]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pqkobqhd.exe (cmdline: C:\Windows\system32\Pqkobqhd.exe) [depth 45, PID 2764]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pjcckf32.exe (cmdline: C:\Windows\system32\Pjcckf32.exe) [depth 46, PID 1920]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pqnlhpfb.exe (cmdline: C:\Windows\system32\Pqnlhpfb.exe) [depth 47, PID 2272]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pggdejno.exe (cmdline: C:\Windows\system32\Pggdejno.exe) [depth 48, PID 1300]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pqphnp32.exe (cmdline: C:\Windows\system32\Pqphnp32.exe) [depth 49, PID 2116]
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Qfmafg32.exe (cmdline: C:\Windows\system32\Qfmafg32.exe) [depth 50, PID 300]
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Qglmpi32.exe (cmdline: C:\Windows\system32\Qglmpi32.exe) [depth 51, PID 1756]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Akncimmh.exe (cmdline: C:\Windows\system32\Akncimmh.exe) [depth 52, PID 1944]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Aollokco.exe (cmdline: C:\Windows\system32\Aollokco.exe) [depth 53, PID 2156]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Akeijlfq.exe (cmdline: C:\Windows\system32\Akeijlfq.exe) [depth 54, PID 2512]
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Bpjkiogm.exe (cmdline: C:\Windows\system32\Bpjkiogm.exe) [depth 55, PID 2580]
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Bjoofhgc.exe (cmdline: C:\Windows\system32\Bjoofhgc.exe) [depth 56, PID 2424]
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Baigca32.exe (cmdline: C:\Windows\system32\Baigca32.exe) [depth 57, PID 2000]
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Bbmapj32.exe (cmdline: C:\Windows\system32\Bbmapj32.exe) [depth 58, PID 676]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bncaekhp.exe (cmdline: C:\Windows\system32\Bncaekhp.exe) [depth 59, PID 276]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Chlfnp32.exe (cmdline: C:\Windows\system32\Chlfnp32.exe) [depth 60, PID 468]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cbajkiof.exe (cmdline: C:\Windows\system32\Cbajkiof.exe) [depth 61, PID 2416]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cllkin32.exe (cmdline: C:\Windows\system32\Cllkin32.exe) [depth 62, PID 1344]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Caidaeak.exe (cmdline: C:\Windows\system32\Caidaeak.exe) [depth 63, PID 1816]
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ckahkk32.exe (cmdline: C:\Windows\system32\Ckahkk32.exe) [depth 64, PID 1992]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cfhiplmp.exe (cmdline: C:\Windows\system32\Cfhiplmp.exe) [depth 65, PID 1112]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Ddliip32.exe (cmdline: C:\Windows\system32\Ddliip32.exe) [depth 66, PID 2936]
- C:\Windows\SysWOW64\Depbfhpe.exe (cmdline: C:\Windows\system32\Depbfhpe.exe) [depth 67, PID 2344]
- C:\Windows\SysWOW64\Dgoopkgh.exe (cmdline: C:\Windows\system32\Dgoopkgh.exe) [depth 68, PID 1836]
- C:\Windows\SysWOW64\Dllhhaep.exe (cmdline: C:\Windows\system32\Dllhhaep.exe) [depth 69, PID 1680]
- C:\Windows\SysWOW64\Daipqhdg.exe (cmdline: C:\Windows\system32\Daipqhdg.exe) [depth 70, PID 2960]
  - Modifies registry class
- C:\Windows\SysWOW64\Enbnkigh.exe (cmdline: C:\Windows\system32\Enbnkigh.exe) [depth 71, PID 2124]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Egjbdo32.exe (cmdline: C:\Windows\system32\Egjbdo32.exe) [depth 72, PID 2796]
- C:\Windows\SysWOW64\Ednbncmb.exe (cmdline: C:\Windows\system32\Ednbncmb.exe) [depth 73, PID 1788]
- C:\Windows\SysWOW64\Ejmhkiig.exe (cmdline: C:\Windows\system32\Ejmhkiig.exe) [depth 74, PID 1728]
- C:\Windows\SysWOW64\Elnqmd32.exe (cmdline: C:\Windows\system32\Elnqmd32.exe) [depth 75, PID 2948]
- C:\Windows\SysWOW64\Fgcejm32.exe (cmdline: C:\Windows\system32\Fgcejm32.exe) [depth 76, PID 2740]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Fdnolfon.exe (cmdline: C:\Windows\system32\Fdnolfon.exe) [depth 77, PID 2380]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Foccjood.exe (cmdline: C:\Windows\system32\Foccjood.exe) [depth 78, PID 1040]
- C:\Windows\SysWOW64\Fbdlkj32.exe (cmdline: C:\Windows\system32\Fbdlkj32.exe) [depth 79, PID 1660]
- C:\Windows\SysWOW64\Gbfiaj32.exe (cmdline: C:\Windows\system32\Gbfiaj32.exe) [depth 80, PID 1952]
- C:\Windows\SysWOW64\Gegabegc.exe (cmdline: C:\Windows\system32\Gegabegc.exe) [depth 81, PID 1972]
- C:\Windows\SysWOW64\Gjdjklek.exe (cmdline: C:\Windows\system32\Gjdjklek.exe) [depth 82, PID 2880]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Gghkdp32.exe (cmdline: C:\Windows\system32\Gghkdp32.exe) [depth 83, PID 1412]
- C:\Windows\SysWOW64\Gbaken32.exe (cmdline: C:\Windows\system32\Gbaken32.exe) [depth 84, PID 1820]
- C:\Windows\SysWOW64\Gpelnb32.exe (cmdline: C:\Windows\system32\Gpelnb32.exe) [depth 85, PID 1708]
  - Modifies registry class
- C:\Windows\SysWOW64\Hbiaemkk.exe (cmdline: C:\Windows\system32\Hbiaemkk.exe) [depth 86, PID 320]
  - Modifies registry class
- C:\Windows\SysWOW64\Hhejnc32.exe (cmdline: C:\Windows\system32\Hhejnc32.exe) [depth 87, PID 1324]
- C:\Windows\SysWOW64\Heikgh32.exe (cmdline: C:\Windows\system32\Heikgh32.exe) [depth 88, PID 3052]
- C:\Windows\SysWOW64\Ipehmebh.exe (cmdline: C:\Windows\system32\Ipehmebh.exe) [depth 89, PID 1964]
  - Modifies registry class
- C:\Windows\SysWOW64\Ijklknbn.exe (cmdline: C:\Windows\system32\Ijklknbn.exe) [depth 90, PID 2820]
- C:\Windows\SysWOW64\Idcacc32.exe (cmdline: C:\Windows\system32\Idcacc32.exe) [depth 91, PID 1620]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- C:\Windows\SysWOW64\Iipiljgf.exe (cmdline: C:\Windows\system32\Iipiljgf.exe) [depth 92, PID 1408]
- C:\Windows\SysWOW64\Ipokcdjn.exe (cmdline: C:\Windows\system32\Ipokcdjn.exe) [depth 93, PID 2552]
  - Modifies registry class
- C:\Windows\SysWOW64\Ielclkhe.exe (cmdline: C:\Windows\system32\Ielclkhe.exe) [depth 94, PID 2636]
- C:\Windows\SysWOW64\Jdaqmg32.exe (cmdline: C:\Windows\system32\Jdaqmg32.exe) [depth 95, PID 1360]
- C:\Windows\SysWOW64\Jepmgj32.exe (cmdline: C:\Windows\system32\Jepmgj32.exe) [depth 96, PID 1180]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Kjihalag.exe (cmdline: C:\Windows\system32\Kjihalag.exe) [depth 97, PID 2524]
- C:\Windows\SysWOW64\Kofaicon.exe (cmdline: C:\Windows\system32\Kofaicon.exe) [depth 98, PID 1960]
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Khabghdl.exe (cmdline: C:\Windows\system32\Khabghdl.exe) [depth 99, PID 2452]
- C:\Windows\SysWOW64\Kdhcli32.exe (cmdline: C:\Windows\system32\Kdhcli32.exe) [depth 100, PID 2296]
- C:\Windows\SysWOW64\Lgkhdddo.exe (cmdline: C:\Windows\system32\Lgkhdddo.exe) [depth 101, PID 656]
  - Modifies registry class
- C:\Windows\SysWOW64\Lcaiiejc.exe (cmdline: C:\Windows\system32\Lcaiiejc.exe) [depth 102, PID 2772]
- C:\Windows\SysWOW64\Lqejbiim.exe (cmdline: C:\Windows\system32\Lqejbiim.exe) [depth 103, PID 2128]
  - Modifies registry class
- C:\Windows\SysWOW64\Micklk32.exe (cmdline: C:\Windows\system32\Micklk32.exe) [depth 104, PID 1036]
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Mchoid32.exe (cmdline: C:\Windows\system32\Mchoid32.exe) [depth 105, PID 2036]
- C:\Windows\SysWOW64\Mgjebg32.exe (cmdline: C:\Windows\system32\Mgjebg32.exe) [depth 106, PID 1256]
- C:\Windows\SysWOW64\Meoell32.exe (cmdline: C:\Windows\system32\Meoell32.exe) [depth 107, PID 1076]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Meabakda.exe (cmdline: C:\Windows\system32\Meabakda.exe) [depth 108, PID 2292]
- C:\Windows\SysWOW64\Nagbgl32.exe (cmdline: C:\Windows\system32\Nagbgl32.exe) [depth 109, PID 2536]
- C:\Windows\SysWOW64\Nnkcpq32.exe (cmdline: C:\Windows\system32\Nnkcpq32.exe) [depth 110, PID 2920]
  - Modifies registry class
- C:\Windows\SysWOW64\Ndkhngdd.exe (cmdline: C:\Windows\system32\Ndkhngdd.exe) [depth 111, PID 632]
- C:\Windows\SysWOW64\Nigafnck.exe (cmdline: C:\Windows\system32\Nigafnck.exe) [depth 112, PID 1432]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Npdfhhhe.exe (cmdline: C:\Windows\system32\Npdfhhhe.exe) [depth 113, PID 1684]
  - Modifies registry class
- C:\Windows\SysWOW64\Neqnqofm.exe (cmdline: C:\Windows\system32\Neqnqofm.exe) [depth 114, PID 852]
- C:\Windows\SysWOW64\Oioggmmc.exe (cmdline: C:\Windows\system32\Oioggmmc.exe) [depth 115, PID 2864]
- C:\Windows\SysWOW64\Oajlkojn.exe (cmdline: C:\Windows\system32\Oajlkojn.exe) [depth 116, PID 1084]
- C:\Windows\SysWOW64\Odjdmjgo.exe (cmdline: C:\Windows\system32\Odjdmjgo.exe) [depth 117, PID 1096]
- C:\Windows\SysWOW64\Opaebkmc.exe (cmdline: C:\Windows\system32\Opaebkmc.exe) [depth 118, PID 392]
- C:\Windows\SysWOW64\Pgnjde32.exe (cmdline: C:\Windows\system32\Pgnjde32.exe) [depth 119, PID 2792]
- C:\Windows\SysWOW64\Pecgea32.exe (cmdline: C:\Windows\system32\Pecgea32.exe) [depth 120, PID 1740]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Pcghof32.exe (cmdline: C:\Windows\system32\Pcghof32.exe) [depth 121, PID 2660]
- C:\Windows\SysWOW64\Pegqpacp.exe (cmdline: C:\Windows\system32\Pegqpacp.exe) [depth 122, PID 3016]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Popeif32.exe (cmdline: C:\Windows\system32\Popeif32.exe) [depth 123, PID 2836]
- C:\Windows\SysWOW64\Pldebkhj.exe (cmdline: C:\Windows\system32\Pldebkhj.exe) [depth 124, PID 2712]
- C:\Windows\SysWOW64\Abegfa32.exe (cmdline: C:\Windows\system32\Abegfa32.exe) [depth 125, PID 1860]
- C:\Windows\SysWOW64\Ajqljc32.exe (cmdline: C:\Windows\system32\Ajqljc32.exe) [depth 126, PID 2244]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Aqmamm32.exe (cmdline: C:\Windows\system32\Aqmamm32.exe) [depth 127, PID 2984]
- C:\Windows\SysWOW64\Aobnniji.exe (cmdline: C:\Windows\system32\Aobnniji.exe) [depth 128, PID 1668]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ajgbkbjp.exe (cmdline: C:\Windows\system32\Ajgbkbjp.exe) [depth 129, PID 2132]
- C:\Windows\SysWOW64\Aodkci32.exe (cmdline: C:\Windows\system32\Aodkci32.exe) [depth 130, PID 1996]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Bofgii32.exe (cmdline: C:\Windows\system32\Bofgii32.exe) [depth 131, PID 1104]
- C:\Windows\SysWOW64\Bkmhnjlh.exe (cmdline: C:\Windows\system32\Bkmhnjlh.exe) [depth 132, PID 808]
- C:\Windows\SysWOW64\Befmfpbi.exe (cmdline: C:\Windows\system32\Befmfpbi.exe) [depth 133, PID 572]
- C:\Windows\SysWOW64\Bnnaoe32.exe (cmdline: C:\Windows\system32\Bnnaoe32.exe) [depth 134, PID 2888]
- C:\Windows\SysWOW64\Cillkbac.exe (cmdline: C:\Windows\system32\Cillkbac.exe) [depth 135, PID 2724]
- C:\Windows\SysWOW64\Ccdmnj32.exe (cmdline: C:\Windows\system32\Ccdmnj32.exe) [depth 136, PID 2492]
- C:\Windows\SysWOW64\Cfeepelg.exe (cmdline: C:\Windows\system32\Cfeepelg.exe) [depth 137, PID 2412]
- C:\Windows\SysWOW64\Dhiomn32.exe (cmdline: C:\Windows\system32\Dhiomn32.exe) [depth 138, PID 1316]
- C:\Windows\SysWOW64\Dkigoimd.exe (cmdline: C:\Windows\system32\Dkigoimd.exe) [depth 139, PID 1116]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Dfphcj32.exe (cmdline: C:\Windows\system32\Dfphcj32.exe) [depth 140, PID 1916]
- C:\Windows\SysWOW64\Dpkibo32.exe (cmdline: C:\Windows\system32\Dpkibo32.exe) [depth 141, PID 2016]
  - Modifies registry class
- C:\Windows\SysWOW64\Dkqnoh32.exe (cmdline: C:\Windows\system32\Dkqnoh32.exe) [depth 142, PID 2372]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Edibhmml.exe (cmdline: C:\Windows\system32\Edibhmml.exe) [depth 143, PID 1004]
- C:\Windows\SysWOW64\Eejopecj.exe (cmdline: C:\Windows\system32\Eejopecj.exe) [depth 144, PID 588]
  - Modifies registry class
- C:\Windows\SysWOW64\Eobchk32.exe (cmdline: C:\Windows\system32\Eobchk32.exe) [depth 145, PID 2540]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ehmdgp32.exe (cmdline: C:\Windows\system32\Ehmdgp32.exe) [depth 146, PID 2508]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Eaeipfei.exe (cmdline: C:\Windows\system32\Eaeipfei.exe) [depth 147, PID 2280]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- C:\Windows\SysWOW64\Elkmmodo.exe (cmdline: C:\Windows\system32\Elkmmodo.exe) [depth 148, PID 896]
  - Modifies registry class
- C:\Windows\SysWOW64\Enlidg32.exe (cmdline: C:\Windows\system32\Enlidg32.exe) [depth 149, PID 2052]
  - Modifies registry class
- C:\Windows\SysWOW64\Fhbnbpjc.exe (cmdline: C:\Windows\system32\Fhbnbpjc.exe) [depth 150, PID 1548]
- C:\Windows\SysWOW64\Famope32.exe (cmdline: C:\Windows\system32\Famope32.exe) [depth 151, PID 2336]
  - Modifies registry class
- C:\Windows\SysWOW64\Flfpabkp.exe (cmdline: C:\Windows\system32\Flfpabkp.exe) [depth 152, PID 2696]
- C:\Windows\SysWOW64\Fqalaa32.exe (cmdline: C:\Windows\system32\Fqalaa32.exe) [depth 153, PID 1784]
- C:\Windows\SysWOW64\Fnflke32.exe (cmdline: C:\Windows\system32\Fnflke32.exe) [depth 154, PID 2832]
  - Modifies registry class
- C:\Windows\SysWOW64\Fjlmpfhg.exe (cmdline: C:\Windows\system32\Fjlmpfhg.exe) [depth 155, PID 2316]
  - Modifies registry class
- C:\Windows\SysWOW64\Ghajacmo.exe (cmdline: C:\Windows\system32\Ghajacmo.exe) [depth 156, PID 1824]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ggicgopd.exe (cmdline: C:\Windows\system32\Ggicgopd.exe) [depth 157, PID 1476]
  - Modifies registry class
- C:\Windows\SysWOW64\Gncldi32.exe (cmdline: C:\Windows\system32\Gncldi32.exe) [depth 158, PID 2620]
- C:\Windows\SysWOW64\Giipab32.exe (cmdline: C:\Windows\system32\Giipab32.exe) [depth 159, PID 2844]
- C:\Windows\SysWOW64\Gkglnm32.exe (cmdline: C:\Windows\system32\Gkglnm32.exe) [depth 160, PID 2252]
- C:\Windows\SysWOW64\Gbadjg32.exe (cmdline: C:\Windows\system32\Gbadjg32.exe) [depth 161, PID 1852]
- C:\Windows\SysWOW64\Hmkeke32.exe (cmdline: C:\Windows\system32\Hmkeke32.exe) [depth 162, PID 2160]
- C:\Windows\SysWOW64\Hjofdi32.exe (cmdline: C:\Windows\system32\Hjofdi32.exe) [depth 163, PID 2940]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Hpkompgg.exe (cmdline: C:\Windows\system32\Hpkompgg.exe) [depth 164, PID 2736]
- C:\Windows\SysWOW64\Hpnkbpdd.exe (cmdline: C:\Windows\system32\Hpnkbpdd.exe) [depth 165, PID 2956]
- C:\Windows\SysWOW64\Hjcppidk.exe (cmdline: C:\Windows\system32\Hjcppidk.exe) [depth 166, PID 516]
- C:\Windows\SysWOW64\Hcldhnkk.exe (cmdline: C:\Windows\system32\Hcldhnkk.exe) [depth 167, PID 2564]
- C:\Windows\SysWOW64\Hihlqeib.exe (cmdline: C:\Windows\system32\Hihlqeib.exe) [depth 168, PID 2440]
- C:\Windows\SysWOW64\Ieomef32.exe (cmdline: C:\Windows\system32\Ieomef32.exe) [depth 169, PID 776]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ilnomp32.exe (cmdline: C:\Windows\system32\Ilnomp32.exe) [depth 170, PID 2348]
- C:\Windows\SysWOW64\Imokehhl.exe (cmdline: C:\Windows\system32\Imokehhl.exe) [depth 171, PID 2556]
- C:\Windows\SysWOW64\Ijclol32.exe (cmdline: C:\Windows\system32\Ijclol32.exe) [depth 172, PID 2100]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- C:\Windows\SysWOW64\Iamdkfnc.exe (cmdline: C:\Windows\system32\Iamdkfnc.exe) [depth 173, PID 2648]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Jaoqqflp.exe (cmdline: C:\Windows\system32\Jaoqqflp.exe) [depth 174, PID 2516]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Jfliim32.exe (cmdline: C:\Windows\system32\Jfliim32.exe) [depth 175, PID 932]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Jmhnkfpa.exe (cmdline: C:\Windows\system32\Jmhnkfpa.exe) [depth 176, PID 1184]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Jojkco32.exe (cmdline: C:\Windows\system32\Jojkco32.exe) [depth 177, PID 708]
- C:\Windows\SysWOW64\Jhbold32.exe (cmdline: C:\Windows\system32\Jhbold32.exe) [depth 178, PID 324]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Jbjpom32.exe (cmdline: C:\Windows\system32\Jbjpom32.exe) [depth 179, PID 1340]
- C:\Windows\SysWOW64\Kncaojfb.exe (cmdline: C:\Windows\system32\Kncaojfb.exe) [depth 180, PID 1976]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Kekiphge.exe (cmdline: C:\Windows\system32\Kekiphge.exe) [depth 181, PID 548]
- C:\Windows\SysWOW64\Knfndjdp.exe (cmdline: C:\Windows\system32\Knfndjdp.exe) [depth 182, PID 2852]
- C:\Windows\SysWOW64\Kjmnjkjd.exe (cmdline: C:\Windows\system32\Kjmnjkjd.exe) [depth 183, PID 2816]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Kgqocoin.exe (cmdline: C:\Windows\system32\Kgqocoin.exe) [depth 184, PID 616]
- C:\Windows\SysWOW64\Lpnmgdli.exe (cmdline: C:\Windows\system32\Lpnmgdli.exe) [depth 185, PID 1792]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Lfkeokjp.exe (cmdline: C:\Windows\system32\Lfkeokjp.exe) [depth 186, PID 2604]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Locjhqpa.exe (cmdline: C:\Windows\system32\Locjhqpa.exe) [depth 187, PID 956]
- C:\Windows\SysWOW64\Loefnpnn.exe (cmdline: C:\Windows\system32\Loefnpnn.exe) [depth 188, PID 2788]
- C:\Windows\SysWOW64\Lfoojj32.exe (cmdline: C:\Windows\system32\Lfoojj32.exe) [depth 189, PID 2388]
- C:\Windows\SysWOW64\Lohccp32.exe (cmdline: C:\Windows\system32\Lohccp32.exe) [depth 190, PID 1724]
- C:\Windows\SysWOW64\Mdghaf32.exe (cmdline: C:\Windows\system32\Mdghaf32.exe) [depth 191, PID 972]
- C:\Windows\SysWOW64\Mmbmeifk.exe (cmdline: C:\Windows\system32\Mmbmeifk.exe) [depth 192, PID 2012]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Mjfnomde.exe (cmdline: C:\Windows\system32\Mjfnomde.exe) [depth 193, PID 3024]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Mqpflg32.exe (cmdline: C:\Windows\system32\Mqpflg32.exe) [depth 194, PID 3064]
- C:\Windows\SysWOW64\Mimgeigj.exe (cmdline: C:\Windows\system32\Mimgeigj.exe) [depth 195, PID 2768]
- C:\Windows\SysWOW64\Nbflno32.exe (cmdline: C:\Windows\system32\Nbflno32.exe) [depth 196, PID 1744]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Nmkplgnq.exe (cmdline: C:\Windows\system32\Nmkplgnq.exe) [depth 197, PID 3104]
- C:\Windows\SysWOW64\Nbhhdnlh.exe (cmdline: C:\Windows\system32\Nbhhdnlh.exe) [depth 198, PID 3176]
- C:\Windows\SysWOW64\Nlqmmd32.exe (cmdline: C:\Windows\system32\Nlqmmd32.exe) [depth 199, PID 3220]
- C:\Windows\SysWOW64\Nbjeinje.exe (cmdline: C:\Windows\system32\Nbjeinje.exe) [depth 200, PID 3260]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Neknki32.exe (cmdline: C:\Windows\system32\Neknki32.exe) [depth 201, PID 3304]
- C:\Windows\SysWOW64\Njjcip32.exe (cmdline: C:\Windows\system32\Njjcip32.exe) [depth 202, PID 3344]
- C:\Windows\SysWOW64\Odchbe32.exe (cmdline: C:\Windows\system32\Odchbe32.exe) [depth 203, PID 3384]
- C:\Windows\SysWOW64\Ojmpooah.exe (cmdline: C:\Windows\system32\Ojmpooah.exe) [depth 204, PID 3424]
- C:\Windows\SysWOW64\Ofcqcp32.exe (cmdline: C:\Windows\system32\Ofcqcp32.exe) [depth 205, PID 3464]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Objaha32.exe (cmdline: C:\Windows\system32\Objaha32.exe) [depth 206, PID 3504]
- C:\Windows\SysWOW64\Ompefj32.exe (cmdline: C:\Windows\system32\Ompefj32.exe) [depth 207, PID 3544]
- C:\Windows\SysWOW64\Obmnna32.exe (cmdline: C:\Windows\system32\Obmnna32.exe) [depth 208, PID 3584]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Oabkom32.exe (cmdline: C:\Windows\system32\Oabkom32.exe) [depth 209, PID 3624]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Pepcelel.exe (cmdline: C:\Windows\system32\Pepcelel.exe) [depth 210, PID 3664]
- C:\Windows\SysWOW64\Pohhna32.exe (cmdline: C:\Windows\system32\Pohhna32.exe) [depth 211, PID 3704]
- C:\Windows\SysWOW64\Pebpkk32.exe (cmdline: C:\Windows\system32\Pebpkk32.exe) [depth 212, PID 3744]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ppnnai32.exe (cmdline: C:\Windows\system32\Ppnnai32.exe) [depth 213, PID 3788]
- C:\Windows\SysWOW64\Pghfnc32.exe (cmdline: C:\Windows\system32\Pghfnc32.exe) [depth 214, PID 3828]
- C:\Windows\SysWOW64\Qppkfhlc.exe (cmdline: C:\Windows\system32\Qppkfhlc.exe) [depth 215, PID 3868]
  - Modifies registry class
- C:\Windows\SysWOW64\Qgjccb32.exe (cmdline: C:\Windows\system32\Qgjccb32.exe) [depth 216, PID 3908]
- C:\Windows\SysWOW64\Accqnc32.exe (cmdline: C:\Windows\system32\Accqnc32.exe) [depth 217, PID 3948]
- C:\Windows\SysWOW64\Ajmijmnn.exe (cmdline: C:\Windows\system32\Ajmijmnn.exe) [depth 218, PID 3988]
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Afdiondb.exe (cmdline: C:\Windows\system32\Afdiondb.exe) [depth 219, PID 4028]
  - Modifies registry class
- C:\Windows\SysWOW64\Ahbekjcf.exe (cmdline: C:\Windows\system32\Ahbekjcf.exe) [depth 220, PID 4068]
- C:\Windows\SysWOW64\Achjibcl.exe (cmdline: C:\Windows\system32\Achjibcl.exe) [depth 221, PID 2672]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Adifpk32.exe (cmdline: C:\Windows\system32\Adifpk32.exe) [depth 222, PID 3148]
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Anbkipok.exe (cmdline: C:\Windows\system32\Anbkipok.exe) [depth 223, PID 1216]
- C:\Windows\SysWOW64\Adlcfjgh.exe (cmdline: C:\Windows\system32\Adlcfjgh.exe) [depth 224, PID 3196]
- C:\Windows\SysWOW64\Bqeqqk32.exe (cmdline: C:\Windows\system32\Bqeqqk32.exe) [depth 225, PID 3276]
  - Modifies registry class
- C:\Windows\SysWOW64\Bkjdndjo.exe (cmdline: C:\Windows\system32\Bkjdndjo.exe) [depth 226, PID 3320]
- C:\Windows\SysWOW64\Bceibfgj.exe (cmdline: C:\Windows\system32\Bceibfgj.exe) [depth 227, PID 3380]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Bnknoogp.exe (cmdline: C:\Windows\system32\Bnknoogp.exe) [depth 228, PID 2476]
- C:\Windows\SysWOW64\Bffbdadk.exe (cmdline: C:\Windows\system32\Bffbdadk.exe) [depth 229, PID 3472]
- C:\Windows\SysWOW64\Bbmcibjp.exe (cmdline: C:\Windows\system32\Bbmcibjp.exe) [depth 230, PID 3520]
- C:\Windows\SysWOW64\Bmbgfkje.exe (cmdline: C:\Windows\system32\Bmbgfkje.exe) [depth 231, PID 3576]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Cbppnbhm.exe (cmdline: C:\Windows\system32\Cbppnbhm.exe) [depth 232, PID 3620]
- C:\Windows\SysWOW64\Cebeem32.exe (cmdline: C:\Windows\system32\Cebeem32.exe) [depth 233, PID 3672]
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Cjonncab.exe (cmdline: C:\Windows\system32\Cjonncab.exe) [depth 234, PID 3728]
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- C:\Windows\SysWOW64\Clojhf32.exe (cmdline: C:\Windows\system32\Clojhf32.exe) [depth 235, PID 3516]
- C:\Windows\SysWOW64\Dhhhbg32.exe (cmdline: C:\Windows\system32\Dhhhbg32.exe) [depth 236, PID 3876]
- C:\Windows\SysWOW64\Dmepkn32.exe (cmdline: C:\Windows\system32\Dmepkn32.exe) [depth 237, PID 3564]
- C:\Windows\SysWOW64\Dfpaic32.exe (cmdline: C:\Windows\system32\Dfpaic32.exe) [depth 238, PID 4012]
- C:\Windows\SysWOW64\Dokfme32.exe (cmdline: C:\Windows\system32\Dokfme32.exe) [depth 239, PID 4092]
  - Modifies registry class
- C:\Windows\SysWOW64\Dlofgj32.exe (cmdline: C:\Windows\system32\Dlofgj32.exe) [depth 240, PID 3848]
- C:\Windows\SysWOW64\Eegkpo32.exe (cmdline: C:\Windows\system32\Eegkpo32.exe) [depth 241, PID 3092]
- C:\Windows\SysWOW64\Eanldqgf.exe (cmdline: C:\Windows\system32\Eanldqgf.exe) [depth 242, PID 3216]
  - Adds autorun key to be loaded by Explorer.exe on startup