Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2024 22:09
Behavioral task: behavioral1
- Sample: 010a51854c5c5e719504143d00054920_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 010a51854c5c5e719504143d00054920_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 010a51854c5c5e719504143d00054920_NeikiAnalytics.exe
- Size: 384KB
- MD5: 010a51854c5c5e719504143d00054920
- SHA1: 4289b924233836284da0466c6acb0b57fa65c4f9
- SHA256: 8f8aa1dd9651847f6916df887a30cee04feaa21adabdc8db3cc2fe664b593dbd
- SHA512: aadeb261b24f75b30ce0e1a3e07a08efe260cd15035a5aabcbc3735857643cfe36873a351e07d6cc8d6451fb036825159654649af28ac184a2f2e33f5dca800a
- SSDEEP: 6144:x5n3KJTgVrNrpui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+8mkUm:G6V9pV6yYPI3cpV6yYPZ0PVdvcY9+8hn
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Dropper & Backdoor - Berbew (64 IoCs)
  Berbew is a backdoor Trojan capable of downloading and installing a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid: 3088 | pid_target: 2476 | process: WerFault.exe | target process: Lbjofi32.exe
- Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
010a51854c5c5e719504143d00054920_NeikiAnalytics.exe, Bepjha32.exe, Bmnlbcfg.exe, Cpcnonob.exe, Chcloo32.exe, Cpnaca32.exe, Dhplhc32.exe, Dlndnacm.exe, Ekhkjm32.exe, Ekjgpm32.exe, Ffibkj32.exe, Filgbdfd.exe, Gmpjagfa.exe, Gmbfggdo.exe, Hbfepmmn.exe, Hegnahjo.exe
description | pid | process | target process (each of the 16 lines below was recorded 4 times, 64 IoCs in total)
- PID 2300 wrote to memory of 1776 | 2300 | 010a51854c5c5e719504143d00054920_NeikiAnalytics.exe | Bepjha32.exe
- PID 1776 wrote to memory of 2476 | 1776 | Bepjha32.exe | Bmnlbcfg.exe
- PID 2476 wrote to memory of 2436 | 2476 | Bmnlbcfg.exe | Cpcnonob.exe
- PID 2436 wrote to memory of 2680 | 2436 | Cpcnonob.exe | Chcloo32.exe
- PID 2680 wrote to memory of 2604 | 2680 | Chcloo32.exe | Cpnaca32.exe
- PID 2604 wrote to memory of 2800 | 2604 | Cpnaca32.exe | Dhplhc32.exe
- PID 2800 wrote to memory of 816 | 2800 | Dhplhc32.exe | Dlndnacm.exe
- PID 816 wrote to memory of 1816 | 816 | Dlndnacm.exe | Ekhkjm32.exe
- PID 1816 wrote to memory of 2812 | 1816 | Ekhkjm32.exe | Ekjgpm32.exe
- PID 2812 wrote to memory of 1628 | 2812 | Ekjgpm32.exe | Ffibkj32.exe
- PID 1628 wrote to memory of 2148 | 1628 | Ffibkj32.exe | Filgbdfd.exe
- PID 2148 wrote to memory of 2320 | 2148 | Filgbdfd.exe | Gmpjagfa.exe
- PID 2320 wrote to memory of 1784 | 2320 | Gmpjagfa.exe | Gmbfggdo.exe
- PID 1784 wrote to memory of 1720 | 1784 | Gmbfggdo.exe | Hbfepmmn.exe
- PID 1720 wrote to memory of 2740 | 1720 | Hbfepmmn.exe | Hegnahjo.exe
- PID 2740 wrote to memory of 2544 | 2740 | Hegnahjo.exe | Ihmpobck.exe
Processes
-
Process tree, one process per line as "depth. image path (PID): signatures triggered". Each entry is nested one level below the previous one (depth 1 to 233). The sample was launched with the command line "C:\Users\Admin\AppData\Local\Temp\010a51854c5c5e719504143d00054920_NeikiAnalytics.exe"; every dropped executable was launched with the command line C:\Windows\system32\<name>.exe.
1. C:\Users\Admin\AppData\Local\Temp\010a51854c5c5e719504143d00054920_NeikiAnalytics.exe (PID 2300): Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bepjha32.exe (PID 1776): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bmnlbcfg.exe (PID 2476): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Cpcnonob.exe (PID 2436): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Chcloo32.exe (PID 2680): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cpnaca32.exe (PID 2604): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Dhplhc32.exe (PID 2800): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dlndnacm.exe (PID 816): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ekhkjm32.exe (PID 1816): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ekjgpm32.exe (PID 2812): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ffibkj32.exe (PID 1628): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Filgbdfd.exe (PID 2148): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gmpjagfa.exe (PID 2320): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Gmbfggdo.exe (PID 1784): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hbfepmmn.exe (PID 1720): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hegnahjo.exe (PID 2740): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ihmpobck.exe (PID 2544): Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Jbpdeogo.exe (PID 2940): Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Jdejhfig.exe (PID 2204): Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Jkbojpna.exe (PID 1152): Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Koddccaa.exe (PID 1548): Executes dropped EXE; Loads dropped DLL; Modifies registry class
22. C:\Windows\SysWOW64\Khlili32.exe (PID 1832): Executes dropped EXE; Loads dropped DLL; Modifies registry class
23. C:\Windows\SysWOW64\Kcdjoaee.exe (PID 2660): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Khabghdl.exe (PID 2112): Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Lkakicam.exe (PID 1384): Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Lhelbh32.exe (PID 2128): Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Lgkhdddo.exe (PID 2076): Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Lngnfnji.exe (PID 1708): Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Lqhfhigj.exe (PID 2516): Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Mchoid32.exe (PID 2564): Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Mfihkoal.exe (PID 2716): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Mhonngce.exe (PID 2012): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
33. C:\Windows\SysWOW64\Nnkcpq32.exe (PID 2352): Executes dropped EXE
34. C:\Windows\SysWOW64\Nhdhif32.exe (PID 2796): Executes dropped EXE
35. C:\Windows\SysWOW64\Nbniid32.exe (PID 2608): Executes dropped EXE; Drops file in System32 directory
36. C:\Windows\SysWOW64\Nbpeoc32.exe (PID 1956): Executes dropped EXE; Drops file in System32 directory
37. C:\Windows\SysWOW64\Nfnneb32.exe (PID 2692): Executes dropped EXE; Modifies registry class
38. C:\Windows\SysWOW64\Olmcchlg.exe (PID 2008): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39. C:\Windows\SysWOW64\Okbpde32.exe (PID 2000): Executes dropped EXE
40. C:\Windows\SysWOW64\Oanefo32.exe (PID 1912): Executes dropped EXE
41. C:\Windows\SysWOW64\Pljcllqe.exe (PID 2308): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
42. C:\Windows\SysWOW64\Pgpgjepk.exe (PID 1176): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43. C:\Windows\SysWOW64\Poklngnf.exe (PID 2244): Executes dropped EXE; Modifies registry class
44. C:\Windows\SysWOW64\Phcpgm32.exe (PID 2124): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
45. C:\Windows\SysWOW64\Pkdihhag.exe (PID 3000): Executes dropped EXE
46. C:\Windows\SysWOW64\Phhjblpa.exe (PID 1668): Executes dropped EXE
47. C:\Windows\SysWOW64\Qaqnkafa.exe (PID 1092): Executes dropped EXE
48. C:\Windows\SysWOW64\Qkibcg32.exe (PID 2040): Executes dropped EXE; Drops file in System32 directory
49. C:\Windows\SysWOW64\Ajnpecbj.exe (PID 888): Executes dropped EXE
50. C:\Windows\SysWOW64\Anlhkbhq.exe (PID 2748): Executes dropped EXE
51. C:\Windows\SysWOW64\Agdmdg32.exe (PID 708): Executes dropped EXE; Drops file in System32 directory
52. C:\Windows\SysWOW64\Aopahjll.exe (PID 1684): Executes dropped EXE; Drops file in System32 directory
53. C:\Windows\SysWOW64\Ajeeeblb.exe (PID 2152): Executes dropped EXE
54. C:\Windows\SysWOW64\Aqonbm32.exe (PID 2480): Executes dropped EXE
55. C:\Windows\SysWOW64\Bbbgod32.exe (PID 2168): Executes dropped EXE
56. C:\Windows\SysWOW64\Bnihdemo.exe (PID 2368): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
57. C:\Windows\SysWOW64\Bgblmk32.exe (PID 2328): Executes dropped EXE
58. C:\Windows\SysWOW64\Bbgqjdce.exe (PID 112): Executes dropped EXE; Drops file in System32 directory
59. C:\Windows\SysWOW64\Bjbeofpp.exe (PID 1240): Executes dropped EXE
60. C:\Windows\SysWOW64\Cillkbac.exe (PID 2808): Executes dropped EXE; Drops file in System32 directory
61. C:\Windows\SysWOW64\Cfpldf32.exe (PID 1636): Executes dropped EXE; Drops file in System32 directory
62. C:\Windows\SysWOW64\Cbgmigeq.exe (PID 1140): Executes dropped EXE
63. C:\Windows\SysWOW64\Cpkmcldj.exe (PID 1604): Executes dropped EXE
64. C:\Windows\SysWOW64\Cehfkb32.exe (PID 2628): Executes dropped EXE; Modifies registry class
65. C:\Windows\SysWOW64\Daofpchf.exe (PID 2268): Executes dropped EXE
66. C:\Windows\SysWOW64\Dldkmlhl.exe (PID 576): Modifies registry class
67. C:\Windows\SysWOW64\Daacecfc.exe (PID 1968)
68. C:\Windows\SysWOW64\Dlfgcl32.exe (PID 3064)
69. C:\Windows\SysWOW64\Dhmhhmlm.exe (PID 460): Modifies registry class
70. C:\Windows\SysWOW64\Dphmloih.exe (PID 1656)
71. C:\Windows\SysWOW64\Dknajh32.exe (PID 1508)
72. C:\Windows\SysWOW64\Ddfebnoo.exe (PID 2164)
73. C:\Windows\SysWOW64\Elajgpmj.exe (PID 2172): Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Eiekpd32.exe (PID 892)
75. C:\Windows\SysWOW64\Ecnoijbd.exe (PID 2524)
76. C:\Windows\SysWOW64\Ehkhaqpk.exe (PID 2380)
77. C:\Windows\SysWOW64\Eacljf32.exe (PID 2452)
78. C:\Windows\SysWOW64\Ecbhdi32.exe (PID 2092)
79. C:\Windows\SysWOW64\Ehpalp32.exe (PID 636)
80. C:\Windows\SysWOW64\Edfbaabj.exe (PID 1908): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
81. C:\Windows\SysWOW64\Fnofjfhk.exe (PID 1688): Drops file in System32 directory
82. C:\Windows\SysWOW64\Fjegog32.exe (PID 1920)
83. C:\Windows\SysWOW64\Fkecij32.exe (PID 1772)
84. C:\Windows\SysWOW64\Fdmhbplb.exe (PID 584): Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Fnflke32.exe (PID 1568)
86. C:\Windows\SysWOW64\Fjlmpfhg.exe (PID 2256)
87. C:\Windows\SysWOW64\Fqfemqod.exe (PID 1120): Drops file in System32 directory
88. C:\Windows\SysWOW64\Golbnm32.exe (PID 3016)
89. C:\Windows\SysWOW64\Gnaooi32.exe (PID 2020): Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Gifclb32.exe (PID 2044)
91. C:\Windows\SysWOW64\Gdmdacnn.exe (PID 1556): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
92. C:\Windows\SysWOW64\Gjjmijme.exe (PID 1608)
93. C:\Windows\SysWOW64\Ggnmbn32.exe (PID 2520)
94. C:\Windows\SysWOW64\Hmkeke32.exe (PID 2540)
95. C:\Windows\SysWOW64\Hgpjhn32.exe (PID 1588)
96. C:\Windows\SysWOW64\Hcgjmo32.exe (PID 876)
97. C:\Windows\SysWOW64\Hmoofdea.exe (PID 2596): Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Hblgnkdh.exe (PID 2312): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
99. C:\Windows\SysWOW64\Hpphhp32.exe (PID 1116): Modifies registry class
100. C:\Windows\SysWOW64\Hemqpf32.exe (PID 1888)
101. C:\Windows\SysWOW64\Inhanl32.exe (PID 956): Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Injndk32.exe (PID 2432): Modifies registry class
103. C:\Windows\SysWOW64\Iedfqeka.exe (PID 1996): Modifies registry class
104. C:\Windows\SysWOW64\Imokehhl.exe (PID 592): Modifies registry class
105. C:\Windows\SysWOW64\Ihdpbq32.exe (PID 1664): Modifies registry class
106. C:\Windows\SysWOW64\Ippdgc32.exe (PID 964)
107. C:\Windows\SysWOW64\Iihiphln.exe (PID 2036): Drops file in System32 directory
108. C:\Windows\SysWOW64\Jkhejkcq.exe (PID 940): Modifies registry class
109. C:\Windows\SysWOW64\Jbcjnnpl.exe (PID 3040): Modifies registry class
110. C:\Windows\SysWOW64\Jlkngc32.exe (PID 1520)
111. C:\Windows\SysWOW64\Jedcpi32.exe (PID 2492)
112. C:\Windows\SysWOW64\Jbhcim32.exe (PID 2844): Modifies registry class
113. C:\Windows\SysWOW64\Jhdlad32.exe (PID 2772): Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Jampjian.exe (PID 1928): Modifies registry class
115. C:\Windows\SysWOW64\Kncaojfb.exe (PID 1896)
116. C:\Windows\SysWOW64\Kkgahoel.exe (PID 336)
117. C:\Windows\SysWOW64\Kkjnnn32.exe (PID 2132)
118. C:\Windows\SysWOW64\Lbfook32.exe (PID 2192)
119. C:\Windows\SysWOW64\Mjaddn32.exe (PID 1724)
120. C:\Windows\SysWOW64\Mkqqnq32.exe (PID 880): Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Mggabaea.exe (PID 1936): Drops file in System32 directory
122. C:\Windows\SysWOW64\Mmdjkhdh.exe (PID 2572)
123. C:\Windows\SysWOW64\Mfmndn32.exe (PID 2496): Drops file in System32 directory
124. C:\Windows\SysWOW64\Mmgfqh32.exe (PID 2384): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
125. C:\Windows\SysWOW64\Mfokinhf.exe (PID 1284)
126. C:\Windows\SysWOW64\Mcckcbgp.exe (PID 2372)
127. C:\Windows\SysWOW64\Npjlhcmd.exe (PID 2428)
128. C:\Windows\SysWOW64\Nlqmmd32.exe (PID 764): Adds autorun key to be loaded by Explorer.exe on startup
129. C:\Windows\SysWOW64\Neiaeiii.exe (PID 1712)
130. C:\Windows\SysWOW64\Nnafnopi.exe (PID 628)
131. C:\Windows\SysWOW64\Ncnngfna.exe (PID 2024)
132. C:\Windows\SysWOW64\Njhfcp32.exe (PID 1112): Modifies registry class
133. C:\Windows\SysWOW64\Oadkej32.exe (PID 3060)
134. C:\Windows\SysWOW64\Oippjl32.exe (PID 2144): Adds autorun key to be loaded by Explorer.exe on startup
135. C:\Windows\SysWOW64\Odedge32.exe (PID 2468): Adds autorun key to be loaded by Explorer.exe on startup
136. C:\Windows\SysWOW64\Oplelf32.exe (PID 1328)
137. C:\Windows\SysWOW64\Oidiekdn.exe (PID 1960)
138. C:\Windows\SysWOW64\Oekjjl32.exe (PID 2288): Drops file in System32 directory
139. C:\Windows\SysWOW64\Opqoge32.exe (PID 2988): Modifies registry class
140. C:\Windows\SysWOW64\Oemgplgo.exe (PID 864): Drops file in System32 directory
141. C:\Windows\SysWOW64\Pbagipfi.exe (PID 2100)
142. C:\Windows\SysWOW64\Pebpkk32.exe (PID 2976): Adds autorun key to be loaded by Explorer.exe on startup
143. C:\Windows\SysWOW64\Phcilf32.exe (PID 2872)
144. C:\Windows\SysWOW64\Pdjjag32.exe (PID 2484)
145. C:\Windows\SysWOW64\Qgjccb32.exe (PID 2464): Modifies registry class
146. C:\Windows\SysWOW64\Qeppdo32.exe (PID 1884): Modifies registry class
147. C:\Windows\SysWOW64\Alihaioe.exe (PID 2584): Drops file in System32 directory
148. C:\Windows\SysWOW64\Ahpifj32.exe (PID 2276)
149. C:\Windows\SysWOW64\Ahbekjcf.exe (PID 3008): Modifies registry class
150. C:\Windows\SysWOW64\Adifpk32.exe (PID 1072)
151. C:\Windows\SysWOW64\Akcomepg.exe (PID 1716)
152. C:\Windows\SysWOW64\Aoagccfn.exe (PID 484)
153. C:\Windows\SysWOW64\Aqbdkk32.exe (PID 556): Drops file in System32 directory
154. C:\Windows\SysWOW64\Bjkhdacm.exe (PID 1340)
155. C:\Windows\SysWOW64\Bccmmf32.exe (PID 2392): Drops file in System32 directory
156. C:\Windows\SysWOW64\Bjmeiq32.exe (PID 1544)
157. C:\Windows\SysWOW64\Bfdenafn.exe (PID 2216): Modifies registry class
158. C:\Windows\SysWOW64\Boljgg32.exe (PID 2424)
159. C:\Windows\SysWOW64\Bjbndpmd.exe (PID 2176)
160. C:\Windows\SysWOW64\Bqlfaj32.exe (PID 324): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
161. C:\Windows\SysWOW64\Coacbfii.exe (PID 308): Drops file in System32 directory; Modifies registry class
162. C:\Windows\SysWOW64\Ckhdggom.exe (PID 1156): Adds autorun key to be loaded by Explorer.exe on startup
163. C:\Windows\SysWOW64\Cepipm32.exe (PID 2088): Adds autorun key to be loaded by Explorer.exe on startup
164. C:\Windows\SysWOW64\Cnimiblo.exe (PID 564)
165. C:\Windows\SysWOW64\Cgaaah32.exe (PID 2568)
166. C:\Windows\SysWOW64\Clojhf32.exe (PID 1084): Modifies registry class
167. C:\Windows\SysWOW64\Calcpm32.exe (PID 608)
168. C:\Windows\SysWOW64\Cfhkhd32.exe (PID 2548): Adds autorun key to be loaded by Explorer.exe on startup
169. C:\Windows\SysWOW64\Dfkhndca.exe (PID 2156): Modifies registry class
170. C:\Windows\SysWOW64\Dpcmgi32.exe (PID 1640): Modifies registry class
171. C:\Windows\SysWOW64\Dilapopb.exe (PID 3036)
172. C:\Windows\SysWOW64\Debadpeg.exe (PID 2684)
173. C:\Windows\SysWOW64\Dfbnoc32.exe (PID 2652)
174. C:\Windows\SysWOW64\Eoblnd32.exe (PID 2588): Drops file in System32 directory
175. C:\Windows\SysWOW64\Emgioakg.exe (PID 2140)
176. C:\Windows\SysWOW64\Ehlmljkm.exe (PID 2956): Modifies registry class
177. C:\Windows\SysWOW64\Ecfnmh32.exe (PID 1468)
178. C:\Windows\SysWOW64\Fpjofl32.exe (PID 1524): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
179. C:\Windows\SysWOW64\Foolgh32.exe (PID 2552): Drops file in System32 directory
180. C:\Windows\SysWOW64\Fiepea32.exe (PID 2636)
181. C:\Windows\SysWOW64\Foahmh32.exe (PID 2600): Modifies registry class
182. C:\Windows\SysWOW64\Fkhibino.exe (PID 2504)
183. C:\Windows\SysWOW64\Fdqnkoep.exe (PID 2296): Drops file in System32 directory
184. C:\Windows\SysWOW64\Flhflleb.exe (PID 1560): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
185. C:\Windows\SysWOW64\Gnkoid32.exe (PID 2252): Adds autorun key to be loaded by Explorer.exe on startup
186. C:\Windows\SysWOW64\Gkoobhhg.exe (PID 2456)
187. C:\Windows\SysWOW64\Gckdgjeb.exe (PID 2944): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
188. C:\Windows\SysWOW64\Gjdldd32.exe (PID 960)
189. C:\Windows\SysWOW64\Gfkmie32.exe (PID 804): Modifies registry class
190. C:\Windows\SysWOW64\Gqaafn32.exe (PID 3092)
191. C:\Windows\SysWOW64\Gqcnln32.exe (PID 3132): Adds autorun key to be loaded by Explorer.exe on startup
192. C:\Windows\SysWOW64\Hmjoqo32.exe (PID 3172): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
193. C:\Windows\SysWOW64\Hfbcidmk.exe (PID 3212)
194. C:\Windows\SysWOW64\Hmlkfo32.exe (PID 3252): Adds autorun key to be loaded by Explorer.exe on startup
195. C:\Windows\SysWOW64\Hiclkp32.exe (PID 3300): Drops file in System32 directory; Modifies registry class
196. C:\Windows\SysWOW64\Hbkqdepm.exe (PID 3340)
197. C:\Windows\SysWOW64\Hbnmienj.exe (PID 3380): Adds autorun key to be loaded by Explorer.exe on startup
198. C:\Windows\SysWOW64\Ikfbbjdj.exe (PID 3420): Modifies registry class
199. C:\Windows\SysWOW64\Ieofkp32.exe (PID 3460)
200. C:\Windows\SysWOW64\Ijkocg32.exe (PID 3500)
201. C:\Windows\SysWOW64\Ifbphh32.exe (PID 3540)
202. C:\Windows\SysWOW64\Iahceq32.exe (PID 3580)
203. C:\Windows\SysWOW64\Ijphofem.exe (PID 3620): Adds autorun key to be loaded by Explorer.exe on startup
204. C:\Windows\SysWOW64\Ipmqgmcd.exe (PID 3660): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
205. C:\Windows\SysWOW64\Imaapa32.exe (PID 3700): Modifies registry class
206. C:\Windows\SysWOW64\Jfieigio.exe (PID 3740): Drops file in System32 directory; Modifies registry class
207. C:\Windows\SysWOW64\Jenbjc32.exe (PID 3780)
208. C:\Windows\SysWOW64\Joggci32.exe (PID 3820): Modifies registry class
209. C:\Windows\SysWOW64\Jjnhhjjk.exe (PID 3864): Drops file in System32 directory
210. C:\Windows\SysWOW64\Jagpdd32.exe (PID 3904): Drops file in System32 directory
211. C:\Windows\SysWOW64\Jjpdmi32.exe (PID 3944)
212. C:\Windows\SysWOW64\Jajmjcoe.exe (PID 3984): Modifies registry class
213. C:\Windows\SysWOW64\Jkbaci32.exe (PID 4024): Modifies registry class
214. C:\Windows\SysWOW64\Kalipcmb.exe (PID 4064): Adds autorun key to be loaded by Explorer.exe on startup
215. C:\Windows\SysWOW64\Kmcjedcg.exe (PID 3076)
216. C:\Windows\SysWOW64\Kbpbmkan.exe (PID 3120): Drops file in System32 directory
217. C:\Windows\SysWOW64\Kpdcfoph.exe (PID 3168): Modifies registry class
218. C:\Windows\SysWOW64\Kgnkci32.exe (PID 3236)
219. C:\Windows\SysWOW64\Kljdkpfl.exe (PID 3276)
220. C:\Windows\SysWOW64\Kaglcgdc.exe (PID 3348): Drops file in System32 directory
221. C:\Windows\SysWOW64\Kcginj32.exe (PID 3376)
222. C:\Windows\SysWOW64\Lhcafa32.exe (PID 3392)
223. C:\Windows\SysWOW64\Laleof32.exe (PID 3480)
224. C:\Windows\SysWOW64\Lopfhk32.exe (PID 3512): Adds autorun key to be loaded by Explorer.exe on startup
225. C:\Windows\SysWOW64\Lkggmldl.exe (PID 3568): Adds autorun key to be loaded by Explorer.exe on startup
226. C:\Windows\SysWOW64\Laqojfli.exe (PID 3628)
227. C:\Windows\SysWOW64\Lkicbk32.exe (PID 3684)
228. C:\Windows\SysWOW64\Lnjldf32.exe (PID 3736)
229. C:\Windows\SysWOW64\Mjqmig32.exe (PID 3776)
230. C:\Windows\SysWOW64\Momfan32.exe (PID 3840): Drops file in System32 directory
231. C:\Windows\SysWOW64\Mkdffoij.exe (PID 3892): Modifies registry class
232. C:\Windows\SysWOW64\Mbnocipg.exe (PID 3932)
233. C:\Windows\SysWOW64\Mbqkiind.exe: Adds autorun key to be loaded by Explorer.exe on startup
PID:3956 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe234⤵PID:4044
-
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe235⤵PID:4088
-
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe236⤵
- Drops file in System32 directory
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3188 -
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\Ppkjac32.exeC:\Windows\system32\Ppkjac32.exe239⤵PID:3320
-
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe240⤵
- Modifies registry class
PID:3364 -
C:\Windows\SysWOW64\Pblcbn32.exeC:\Windows\system32\Pblcbn32.exe241⤵
- Drops file in System32 directory
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3516
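The entries above are the sandbox's flattened process tree: for each process, the image path under SysWOW64, the command line (which names system32; a 32-bit process on x64 Windows has that path redirected to SysWOW64 by WoW64 file-system redirection, so both refer to the same dropped file), the tree depth with the ⤵ marker, the behaviour tags, and the PID. The parser below is an added example, not part of this report or of the sandbox's own tooling. It takes five consecutive entries copied from the listing (constructed input, embedded inline in the page's flattened layout), recovers the structure, checks that the entries form one linear spawn chain (each entry one level deeper than the previous, consistent with every dropped copy launching the next), pulls out the processes tagged as adding an autorun key, and builds the list of image names to sweep SysWOW64 for. All function and field names are the example's own.

```python
"""Parse a flattened sandbox process tree and summarise the spawn chain.

Added example, not part of the original report: the sandbox renders each
process as image path + command line + tree depth + "⤵" fused onto one
line, followed by behaviour tags and a PID line. This parser recovers the
structure and answers the questions a responder asks of such a tree.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: five consecutive entries copied in the report's
# flattened layout (empty "-" bullets and trailing "-" kept as they appear).
SAMPLE = r"""
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe195⤵
- Drops file in System32 directory
- Modifies registry class
PID:3300 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe196⤵PID:3340
-
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3380 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe198⤵
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe199⤵PID:3460
-
"""

# image path, then the command line fused directly onto it, then the depth
# counter and the arrow glyph, then an optional PID on the same line
PROC_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.*?\.exe)"
    r"(?P<cmdline>[A-Za-z]:\\.*?\.exe)"
    r"(?P<depth>\d+)⤵"
    r"(?:PID:(?P<pid>\d+))?\s*$"
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)\s*-?\s*$")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    behaviours: list[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_tree(text: str) -> list[Proc]:
    procs: list[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue  # blank line or empty bullet left over from the layout
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(m["image"], m["cmdline"], int(m["depth"]),
                              int(m["pid"]) if m["pid"] else None))
            continue
        if not procs:
            raise ValueError(f"tag before any process line: {line!r}")
        m = PID_RE.match(line)
        if m:
            procs[-1].pid = int(m["pid"])
        elif line.startswith("- "):
            procs[-1].behaviours.append(line[2:].strip())
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return procs


def is_linear_chain(procs: list[Proc]) -> bool:
    """True when every entry sits exactly one level deeper than the previous
    one, i.e. a single parent-to-child chain rather than one parent fanning
    out many children."""
    return all(b.depth == a.depth + 1 for a, b in zip(procs, procs[1:]))


def with_behaviour(procs: list[Proc], needle: str) -> list[Proc]:
    """Processes carrying a behaviour tag that contains `needle`."""
    return [p for p in procs if any(needle in b for b in p.behaviours)]


def image_names(procs: list[Proc]) -> list[str]:
    """Sorted, de-duplicated image names: the sweep list for SysWOW64."""
    return sorted({p.name for p in procs})


def redirected(procs: list[Proc]) -> list[Proc]:
    """Entries whose command line names system32 while the image resides
    under SysWOW64 (WoW64 file-system redirection of a 32-bit process)."""
    return [p for p in procs
            if "\\system32\\" in p.cmdline.lower()
            and "\\syswow64\\" in p.image.lower()]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    print(f"{len(tree)} processes, depth {tree[0].depth}..{tree[-1].depth}, "
          f"linear chain: {is_linear_chain(tree)}")
    for p in with_behaviour(tree, "autorun"):
        print(f"persistence: {p.name} (PID {p.pid})")
    print("sweep SysWOW64 for:", ", ".join(image_names(tree)))
```

The depth check is the useful part when triaging a tree this long: a strictly increasing depth over hundreds of entries means the original sample is not the parent of most of them, so killing it does not stop the chain, and the sweep list has to cover every dropped name rather than the submitted file alone.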