Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 14:15

Behavioral task: behavioral1
Sample: f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General

Target: f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe
Size: 384KB
MD5: f00291fcb561b5bbccda65ac996f0fb0
SHA1: 48ba9bd0e6728decf8b6d639285840210340d7f4
SHA256: 67dd4c4f806d3723a20ed5b13c8072cd79b404adb0fb60fbdee5c9a38d9b2ee3
SHA512: 30430ee615fff0548063f278bc4a736debb5b38a09373de3b35df014eb2892274fca0dcce6e0586a2cde42af3252313771ff213992e3d91cc2a731c066cbbc12
SSDEEP: 6144:0S4PthEP2pui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+8mkUr1G/:F4PLE+pV6yYPI3cpV6yYPZ0PVdvcY9+y
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)

WerFault.exe (PID 4580) handled the crash of target process Fkckeh32.exe (PID 4596).
Modifies registry class (64 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiehf32.dll" Ckoilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmlpbdc.dll" Pogclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnemdecl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\f00291fcb561b5bbccda65ac996f0fb0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:716 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1244 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe33⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe34⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe35⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe36⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe37⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe38⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe39⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe40⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe41⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe43⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe44⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe45⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe46⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe47⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe48⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe49⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe50⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe51⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe52⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe53⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe55⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe56⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe59⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe60⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe62⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe64⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe65⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe66⤵
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe67⤵PID:2040
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe68⤵PID:1480
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe69⤵PID:2260
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe70⤵PID:1688
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe71⤵PID:2384
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe72⤵PID:3056
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe73⤵PID:2664
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe74⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe76⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe78⤵PID:2752
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe79⤵
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe80⤵PID:1888
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe81⤵PID:848
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe83⤵PID:1692
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe84⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe85⤵PID:1792
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe86⤵PID:3060
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe87⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe88⤵PID:2448
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe89⤵PID:2568
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe91⤵PID:1196
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe92⤵PID:1932
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe93⤵
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe94⤵
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe95⤵PID:824
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe96⤵
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe97⤵
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe98⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe99⤵PID:2128
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe100⤵PID:3000
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe101⤵PID:2552
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe102⤵PID:2696
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe103⤵PID:2820
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe104⤵PID:2616
-
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe105⤵PID:2756
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe106⤵
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe107⤵PID:1812
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe108⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe109⤵PID:1376
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe110⤵
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe111⤵PID:2900
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe112⤵PID:2252
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe113⤵PID:2704
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe115⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe116⤵PID:1448
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe117⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe118⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe119⤵PID:1464
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe120⤵PID:1612
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe121⤵PID:2868
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe122⤵
- Drops file in System32 directory
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe123⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe124⤵PID:1268
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe125⤵PID:1572
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe126⤵PID:2964
-
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe127⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe128⤵PID:2884
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe129⤵PID:1628
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe130⤵
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe131⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe132⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe133⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe134⤵PID:1100
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe136⤵PID:1800
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe137⤵PID:1904
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe138⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe139⤵PID:3020
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe140⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe141⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe142⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe143⤵PID:772
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe144⤵PID:1744
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe145⤵PID:2264
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe147⤵PID:2336
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe148⤵PID:2956
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe150⤵PID:2300
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe151⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe152⤵PID:1696
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe153⤵PID:2648
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe154⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe155⤵PID:1748
-
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe156⤵PID:1876
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe157⤵PID:2412
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe158⤵PID:2016
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe159⤵PID:2768
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe160⤵PID:108
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe161⤵PID:1536
-
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe163⤵PID:2832
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe164⤵PID:1072
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe165⤵PID:2744
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe166⤵PID:1680
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe169⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe170⤵PID:2420
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe171⤵PID:2176
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe173⤵PID:2800
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe174⤵PID:412
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe175⤵PID:2556
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe177⤵PID:2496
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe179⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe180⤵
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe181⤵PID:2292
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe182⤵PID:2720
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe183⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe184⤵PID:3100
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe185⤵PID:3140
-
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe186⤵PID:3180
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe187⤵PID:3220
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe188⤵
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3300 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe190⤵PID:3340
-
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe192⤵
- Drops file in System32 directory
PID:3420 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe193⤵PID:3460
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe194⤵PID:3500
-
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe195⤵
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe196⤵PID:3580
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe197⤵PID:3620
-
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe198⤵PID:3660
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3700 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe200⤵PID:3740
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe201⤵PID:3780
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3820 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe203⤵
- Drops file in System32 directory
PID:3860 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe204⤵PID:3900
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe205⤵
- Drops file in System32 directory
PID:3940 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe206⤵PID:3980
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe207⤵
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe208⤵
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe210⤵
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3120 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe212⤵PID:3208
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe213⤵PID:3256
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3316 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3352 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe216⤵PID:3412
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe217⤵PID:3456
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe218⤵PID:3508
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe219⤵
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe220⤵
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe221⤵PID:3652
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe222⤵PID:3708
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe223⤵PID:3756
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3804 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe225⤵PID:3844
-
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe226⤵PID:3908
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe227⤵PID:3960
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe228⤵PID:4004
-
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe229⤵
- Drops file in System32 directory
PID:4052 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe230⤵PID:2880
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe231⤵PID:3128
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe232⤵PID:3192
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe233⤵PID:3248
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe234⤵PID:3280
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe235⤵PID:3364
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe236⤵PID:3440
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe237⤵PID:3492
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3568 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe239⤵
- Drops file in System32 directory
PID:3640 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe240⤵PID:3684
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe241⤵PID:3748
-
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3812