Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 23:14
Behavioral tasks

behavioral1
  Sample: 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe
  Resource: win7-20240221-en

behavioral2
  Sample: 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General

Target: 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe
Size: 94KB
MD5: 08e2e70ae21108e472ece279b3e66160
SHA1: 09fff4ba2fcb0cb8d39017a37508670c315fe7b6
SHA256: cb3399cb4488778d196d04fd6ba23871d5b64350696789ded42129cf3158033b
SHA512: fcf745bfb13408454f0dd7ff62bdd8c4800b2111ee94a8a4918f1ce67323c04daa77024dd3f753cfe2de666df0aa06f49c46a0531d7e3c3de7710ede163a3c64
SSDEEP: 1536:krcsXWJ66zHylRiWew751itxaRQD0RfRa9HprmRfRZ:xxM3lRuw7fitxaeD05wkpv
Malware Config
Signatures (the rows below come from behavioral1, the win7-20240221-en run)

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every event targets the same ShellServiceObjectDelayLoad (SSODL) entry: the value "Web Event Logger" is set to CLSID {79ECA078-17FF-726B-E811-213280E5C831}, and the COM registration for that CLSID appears under "Modifies registry class" below. All writes land in the Wow6432Node (32-bit) view of HKLM\SOFTWARE, as expected for a 32-bit sample on an x64 host.

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpiedieo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hbiaemkk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldbofgme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Elhnof32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgnadkic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gblkoham.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiqoeplo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpfhoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mchoid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjmlhbbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kkileele.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ichmgl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plolgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dkqnoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Inbnhihl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dgiaefgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cmmhaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fhgnge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lngpog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Demaoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dkkbkp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfgegnbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Noogpfjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cpnaca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Odmabj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fmnopp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpcoeb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeenochi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mgbaml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iajemnia.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifgpnmom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lkjjma32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhnkffeo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jijokbfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dnjoco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Glklejoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kekkiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oonldcih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbogfcjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gpjkeoha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cfnmfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eelkeeah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fggkcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ofadnq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olebgfao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekhmcelc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gfnjne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bkknac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ekfndmfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cafgle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ipokcdjn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgldnkkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inhanl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkojbf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmmebm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ioohokoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lpcoeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pdmnam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ieajkfmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Afliclij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bknjfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mnojacgm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gncnmane.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fblmglgm.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware and cryptominers.

resource | yara_rule
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Pmagdbci.exe | family_berbew
behavioral1/memory/2200-19-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2544-32-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Pfikmh32.exe | family_berbew
\Windows\SysWOW64\Pmccjbaf.exe | family_berbew
behavioral1/memory/2528-40-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2208-11-0x00000000002B0000-0x00000000002F1000-memory.dmp | family_berbew
\Windows\SysWOW64\Qbbhgi32.exe | family_berbew
\Windows\SysWOW64\Qjnmlk32.exe | family_berbew
behavioral1/memory/2600-54-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2528-52-0x0000000000270000-0x00000000002B1000-memory.dmp | family_berbew
behavioral1/memory/2588-68-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Ajpjakhc.exe | family_berbew
behavioral1/memory/2432-80-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Aeenochi.exe | family_berbew
behavioral1/memory/2324-93-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Apoooa32.exe | family_berbew
behavioral1/memory/888-119-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ajecmj32.exe | family_berbew
behavioral1/memory/792-111-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Afnagk32.exe | family_berbew
behavioral1/memory/888-131-0x0000000000260000-0x00000000002A1000-memory.dmp | family_berbew
behavioral1/memory/2756-133-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Bnielm32.exe | family_berbew
behavioral1/memory/1948-147-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Bhdgjb32.exe | family_berbew
C:\Windows\SysWOW64\Behgcf32.exe | family_berbew
behavioral1/memory/1576-175-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2468-174-0x00000000003B0000-0x00000000003F1000-memory.dmp | family_berbew
behavioral1/memory/2468-168-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Baadng32.exe | family_berbew
\Windows\SysWOW64\Cfnmfn32.exe | family_berbew
behavioral1/memory/1696-196-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
behavioral1/memory/1696-194-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/3004-205-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
\Windows\SysWOW64\Cklfll32.exe | family_berbew
behavioral1/memory/2300-219-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Cbgjqo32.exe | family_berbew
behavioral1/memory/620-229-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Cpkkjc32.exe | family_berbew
behavioral1/memory/2076-238-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Cegcbjkn.exe | family_berbew
behavioral1/memory/2692-245-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2076-243-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Cielhh32.exe | family_berbew
behavioral1/memory/2084-260-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Dcnqanhd.exe | family_berbew
behavioral1/memory/2084-265-0x00000000001B0000-0x00000000001F1000-memory.dmp | family_berbew
behavioral1/memory/2124-266-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2124-273-0x00000000002A0000-0x00000000002E1000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Dhkiid32.exe | family_berbew
C:\Windows\SysWOW64\Dkkbkp32.exe | family_berbew
behavioral1/memory/2956-287-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/864-286-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Daejhjkj.exe | family_berbew
behavioral1/memory/2956-298-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Dciceaoe.exe | family_berbew
behavioral1/memory/2372-310-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ejehgkdp.exe | family_berbew
behavioral1/memory/1988-320-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Epoqde32.exe | family_berbew
behavioral1/memory/1704-335-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Eqamje32.exe | family_berbew
Executes dropped EXE (64 IoCs)

pid | process
2200 | Pmagdbci.exe
2544 | Pfikmh32.exe
2528 | Pmccjbaf.exe
2600 | Qbbhgi32.exe
2588 | Qjnmlk32.exe
2432 | Ajpjakhc.exe
2324 | Aeenochi.exe
792 | Apoooa32.exe
888 | Ajecmj32.exe
2756 | Afnagk32.exe
1948 | Bnielm32.exe
2468 | Bhdgjb32.exe
1576 | Behgcf32.exe
1696 | Baadng32.exe
3004 | Cfnmfn32.exe
2300 | Cklfll32.exe
620 | Cbgjqo32.exe
2076 | Cpkkjc32.exe
2692 | Cegcbjkn.exe
2084 | Cielhh32.exe
2124 | Dcnqanhd.exe
864 | Dhkiid32.exe
2956 | Dkkbkp32.exe
1728 | Daejhjkj.exe
2372 | Dciceaoe.exe
1988 | Ejehgkdp.exe
1704 | Epoqde32.exe
2632 | Eqamje32.exe
2936 | Elhnof32.exe
2596 | Ecbfkpfk.exe
2708 | Ehakigbo.exe
2448 | Fnndan32.exe
1276 | Fblmglgm.exe
2016 | Fkdaqa32.exe
1192 | Ffnbaojm.exe
2648 | Fiokbjgn.exe
2760 | Fcdopc32.exe
1952 | Giahhj32.exe
1844 | Gfgegnbb.exe
1664 | Ghiaof32.exe
1624 | Glgjednf.exe
1336 | Hfedqagp.exe
1552 | Hfgafadm.exe
1976 | Hppfog32.exe
1832 | Hmcfhkjg.exe
1184 | Hoebpc32.exe
1856 | Hijgml32.exe
2988 | Iogoec32.exe
564 | Ilkpogmm.exe
2184 | Ibehla32.exe
2140 | Ilnmdgkj.exe
1736 | Iajemnia.exe
3040 | Iggned32.exe
2504 | Ikbifcpb.exe
2604 | Idknoi32.exe
1916 | Iihfgp32.exe
2384 | Jglgpdcc.exe
580 | Jdpgjhbm.exe
552 | Jnhlbn32.exe
2216 | Jpfhoi32.exe
1656 | Jfcqgpfi.exe
1964 | Jpiedieo.exe
1860 | Jajala32.exe
1168 | Jonbee32.exe
Loads dropped DLL (64 IoCs)

Each process is listed twice in the report, once per dropped DLL it loaded.

pid | process
2208 | 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe
2208 | 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe
2200 | Pmagdbci.exe
2200 | Pmagdbci.exe
2544 | Pfikmh32.exe
2544 | Pfikmh32.exe
2528 | Pmccjbaf.exe
2528 | Pmccjbaf.exe
2600 | Qbbhgi32.exe
2600 | Qbbhgi32.exe
2588 | Qjnmlk32.exe
2588 | Qjnmlk32.exe
2432 | Ajpjakhc.exe
2432 | Ajpjakhc.exe
2324 | Aeenochi.exe
2324 | Aeenochi.exe
792 | Apoooa32.exe
792 | Apoooa32.exe
888 | Ajecmj32.exe
888 | Ajecmj32.exe
2756 | Afnagk32.exe
2756 | Afnagk32.exe
1948 | Bnielm32.exe
1948 | Bnielm32.exe
2468 | Bhdgjb32.exe
2468 | Bhdgjb32.exe
1576 | Behgcf32.exe
1576 | Behgcf32.exe
1696 | Baadng32.exe
1696 | Baadng32.exe
3004 | Cfnmfn32.exe
3004 | Cfnmfn32.exe
2300 | Cklfll32.exe
2300 | Cklfll32.exe
620 | Cbgjqo32.exe
620 | Cbgjqo32.exe
2076 | Cpkkjc32.exe
2076 | Cpkkjc32.exe
2692 | Cegcbjkn.exe
2692 | Cegcbjkn.exe
2084 | Cielhh32.exe
2084 | Cielhh32.exe
2124 | Dcnqanhd.exe
2124 | Dcnqanhd.exe
864 | Dhkiid32.exe
864 | Dhkiid32.exe
2956 | Dkkbkp32.exe
2956 | Dkkbkp32.exe
1728 | Daejhjkj.exe
1728 | Daejhjkj.exe
2372 | Dciceaoe.exe
2372 | Dciceaoe.exe
1988 | Ejehgkdp.exe
1988 | Ejehgkdp.exe
1704 | Epoqde32.exe
1704 | Epoqde32.exe
2632 | Eqamje32.exe
2632 | Eqamje32.exe
2936 | Elhnof32.exe
2936 | Elhnof32.exe
2596 | Ecbfkpfk.exe
2596 | Ecbfkpfk.exe
2708 | Ehakigbo.exe
2708 | Ehakigbo.exe
Drops file in System32 directory (64 IoCs)

Every drop lands in C:\Windows\SysWOW64 (the 32-bit system directory on the x64 sandbox): each stage writes the next randomly named .exe and a .dll of the same naming scheme.

description | ioc | process
File created | C:\Windows\SysWOW64\Glffke32.dll | Eheglk32.exe
File created | C:\Windows\SysWOW64\Llomfpag.exe | Kokmmkcm.exe
File created | C:\Windows\SysWOW64\Acqnnndl.exe | Aollokco.exe
File opened for modification | C:\Windows\SysWOW64\Bcjqdmla.exe | Bjallg32.exe
File created | C:\Windows\SysWOW64\Nabkgh32.dll | Gqiimfam.exe
File opened for modification | C:\Windows\SysWOW64\Gfcnegnk.exe | Fqfemqod.exe
File created | C:\Windows\SysWOW64\Dgdfdnfj.dll | Goplilpf.exe
File created | C:\Windows\SysWOW64\Ojbbmnhc.exe | Opialpld.exe
File created | C:\Windows\SysWOW64\Aekabb32.dll | Igceej32.exe
File created | C:\Windows\SysWOW64\Mhlpem32.dll | Nbhfke32.exe
File created | C:\Windows\SysWOW64\Lkknbejg.dll | Bdqlajbb.exe
File opened for modification | C:\Windows\SysWOW64\Lkggmldl.exe | Ldmopa32.exe
File created | C:\Windows\SysWOW64\Njfaognh.dll | Fefqdl32.exe
File created | C:\Windows\SysWOW64\Cklfll32.exe | Cfnmfn32.exe
File opened for modification | C:\Windows\SysWOW64\Jpbalb32.exe | Iihiphln.exe
File created | C:\Windows\SysWOW64\Accqnc32.exe | Qnghel32.exe
File created | C:\Windows\SysWOW64\Mljgjbmc.dll | Jnhlbn32.exe
File created | C:\Windows\SysWOW64\Jieaofmp.exe | Jokqnhpa.exe
File created | C:\Windows\SysWOW64\Lgljaj32.dll | Anjnnk32.exe
File created | C:\Windows\SysWOW64\Hifbdnbi.exe | Hmpaom32.exe
File created | C:\Windows\SysWOW64\Dcnqanhd.exe | Cielhh32.exe
File created | C:\Windows\SysWOW64\Palepb32.exe | Plolgk32.exe
File opened for modification | C:\Windows\SysWOW64\Hcdnhoac.exe | Hjlioj32.exe
File created | C:\Windows\SysWOW64\Nncojg32.dll | Icafgmbe.exe
File created | C:\Windows\SysWOW64\Mbeiefff.exe | Mjjdacik.exe
File created | C:\Windows\SysWOW64\Flclam32.exe | Fmnopp32.exe
File created | C:\Windows\SysWOW64\Glchpp32.exe | Gdhdkn32.exe
File created | C:\Windows\SysWOW64\Pacajg32.exe | Piliii32.exe
File created | C:\Windows\SysWOW64\Icjgpj32.dll | Bacihmoo.exe
File opened for modification | C:\Windows\SysWOW64\Llpfjomf.exe | Kkojbf32.exe
File created | C:\Windows\SysWOW64\Kbbobkol.exe | Kijkje32.exe
File created | C:\Windows\SysWOW64\Cdmepgce.exe | Cmfmojcb.exe
File created | C:\Windows\SysWOW64\Eqjmncna.exe | Ejpdai32.exe
File created | C:\Windows\SysWOW64\Lcghbo32.dll | Ibejdjln.exe
File created | C:\Windows\SysWOW64\Einjdb32.exe | Edaalk32.exe
File created | C:\Windows\SysWOW64\Ekdledbi.dll | Jokqnhpa.exe
File created | C:\Windows\SysWOW64\Hkojbh32.dll | Odgodl32.exe
File opened for modification | C:\Windows\SysWOW64\Pdmnam32.exe | Popeif32.exe
File opened for modification | C:\Windows\SysWOW64\Cehfkb32.exe | Cpkmcldj.exe
File created | C:\Windows\SysWOW64\Mcbniafn.dll | Lifcib32.exe
File created | C:\Windows\SysWOW64\Dmlqdp32.dll | Mkipao32.exe
File opened for modification | C:\Windows\SysWOW64\Glgjednf.exe | Ghiaof32.exe
File created | C:\Windows\SysWOW64\Jolghndm.exe | Jhbold32.exe
File created | C:\Windows\SysWOW64\Fdakoaln.dll | Pmmeon32.exe
File opened for modification | C:\Windows\SysWOW64\Bgcbhd32.exe | Boljgg32.exe
File opened for modification | C:\Windows\SysWOW64\Gfejjgli.exe | Gcgnnlle.exe
File created | C:\Windows\SysWOW64\Hiqoeplo.exe | Hmjoqo32.exe
File created | C:\Windows\SysWOW64\Kocpbfei.exe | Kekkiq32.exe
File created | C:\Windows\SysWOW64\Bmcfln32.dll | Jpiedieo.exe
File created | C:\Windows\SysWOW64\Ffphgohm.dll | Findhdcb.exe
File created | C:\Windows\SysWOW64\Pmkhjncg.exe | Phlclgfc.exe
File created | C:\Windows\SysWOW64\Kgnbnpkp.exe | Kaajei32.exe
File created | C:\Windows\SysWOW64\Cegfepjn.dll | Kgkonj32.exe
File created | C:\Windows\SysWOW64\Fcdopc32.exe | Fiokbjgn.exe
File opened for modification | C:\Windows\SysWOW64\Ghiaof32.exe | Gfgegnbb.exe
File created | C:\Windows\SysWOW64\Knpkmqgb.dll | Clgbno32.exe
File created | C:\Windows\SysWOW64\Hcdnhoac.exe | Hjlioj32.exe
File created | C:\Windows\SysWOW64\Ebfkilbo.dll | Fkhbgbkc.exe
File opened for modification | C:\Windows\SysWOW64\Lbogfcjc.exe | Ljcbaamh.exe
File created | C:\Windows\SysWOW64\Pnjofo32.exe | Pecgea32.exe
File created | C:\Windows\SysWOW64\Fnacpffh.exe | Fggkcl32.exe
File opened for modification | C:\Windows\SysWOW64\Nggggoda.exe | Nfgjml32.exe
File created | C:\Windows\SysWOW64\Ffnbaojm.exe | Fkdaqa32.exe
File opened for modification | C:\Windows\SysWOW64\Lmjnak32.exe | Ldoimh32.exe
Program crash (1 IoC)

pid | pid_target | process | target process
2460 | 3012 | WerFault.exe | Lepaccmo.exe
Modifies registry class 64 IoCs
Processes:
Ejehgkdp.exeBhjlli32.exeKklikejc.exeGnpflj32.exeHahnac32.exeJbpfnh32.exeGnfkba32.exeGbaken32.exePkaehb32.exeNmcopebh.exeCmfmojcb.exeCkpckece.exeFggkcl32.exeDgiaefgg.exeHfedqagp.exeGfgegnbb.exeBgnfdm32.exeKkgahoel.exeDciceaoe.exeJehlkhig.exeIkqnlh32.exeIihfgp32.exeNallalep.exePecgea32.exeBqmpdioa.exeLifcib32.exeJfmkbebl.exeQbbhgi32.exeLlnaoh32.exeHhhgcc32.exeDmmmfc32.exeFgdnnl32.exeJfliim32.exeMnaiol32.exePfikmh32.exeCbgjqo32.exeBcjqdmla.exeBigkel32.exeNgbmlo32.exeElhnof32.exeKbdmeoob.exeLmjnak32.exeNeiaeiii.exeKcdjoaee.exePpfomk32.exeDldkmlhl.exeFolfoj32.exeIoohokoo.exeQldhkc32.exeEhakigbo.exeLjcbaamh.exeMclcijfd.exeBnhoag32.exeGlchpp32.exeIeponofk.exeDmdnbecj.exe08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exeOmcifpnp.exeNjdqka32.exeAllefimb.exeDnqlmq32.exeIedfqeka.exeCklfll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejehgkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpjflkfg.dll" Kklikejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfiaojk.dll" Gnpflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clffbc32.dll" Gnfkba32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbaken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmcopebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgiaefgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfedqagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfgegnbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgnfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hphmnfda.dll" Dciceaoe.exe Set value (str) 
- \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jehlkhig.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikqnlh32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iihfgp32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoolamp.dll" Nallalep.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pecgea32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqmpdioa.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lifcib32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfmkbebl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qbbhgi32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgcb32.dll" Llnaoh32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhhgcc32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmmmfc32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfalipj.dll" Fgdnnl32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfliim32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" Mnaiol32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" Pfikmh32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbgjqo32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcjqdmla.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bigkel32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngbmlo32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elhnof32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbdmeoob.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloiniaa.dll" Lmjnak32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neiaeiii.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejehgkdp.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcdjoaee.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbnfqia.dll" Ppfomk32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimeai32.dll" Dldkmlhl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Folfoj32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ioohokoo.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qldhkc32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehakigbo.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakemm32.dll" Ljcbaamh.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mclcijfd.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgkmbho.dll" Bnhoag32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmobfna.dll" Glchpp32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ieponofk.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecomg32.dll" Dmdnbecj.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omcifpnp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njdqka32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Allefimb.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnqlmq32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iedfqeka.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll" Cklfll32.exe
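Every "Modifies registry class" row above touches the InProcServer32 key of the same CLSID, and the default value written there is the DLL that COM loads whenever that class is instantiated; the writing process and the DLL file name change from row to row while the CLSID stays fixed. The script below is an added example and not part of the sandbox report: it parses rows in the format rendered on this page (a constructed ten-row subset of the table, copied verbatim) and groups the writes by CLSID so that the rotating DLL names and the number of distinct writers are visible at a glance. The regular expressions assume the exact "Set value (type) key\name = "data" process" and "Key created key process" layout shown here, including the doubled backslashes the sandbox uses when printing string data.

```python
"""Parse sandbox registry IoC rows and summarise the COM InProcServer32
hijack: CLSID -> DLL paths registered as its in-process server -> writers."""
import re
from collections import defaultdict

# Constructed sample: ten rows copied from the "Modifies registry class"
# table above (the full table has 64 rows).
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jehlkhig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoolamp.dll" Nallalep.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lifcib32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgcb32.dll" Llnaoh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfalipj.dll" Fgdnnl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" Pfikmh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbgjqo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejehgkdp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll" Cklfll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe
"""

# "Set value (str) <key>\<name> = "<data>" <process>"; <name> is empty for the
# key's default value, which is exactly the InProcServer32 DLL path.
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\ ]*)'
    r' = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_ioc(line):
    """Turn one report row into a dict, or None if it is not an IoC row."""
    m = SET_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["op"] = "set"
        # The sandbox prints string data with doubled backslashes; undo that.
        rec["data"] = rec["data"].replace("\\\\", "\\")
        return rec
    m = KEY_RE.match(line)
    if m:
        return {"op": "create", "key": m["key"], "name": None,
                "data": None, "proc": m["proc"], "type": None}
    return None


def com_hijack_summary(text):
    """Group InProcServer32 writes by CLSID: which DLLs were registered as
    the in-process server (in report order) and which processes wrote."""
    by_clsid = defaultdict(lambda: {"dlls": [], "writers": set(), "ops": 0})
    for line in text.splitlines():
        rec = parse_ioc(line.strip())
        if rec is None or "\\InProcServer32" not in rec["key"]:
            continue
        clsid = CLSID_RE.search(rec["key"])
        if not clsid:
            continue
        entry = by_clsid[clsid.group(0)]
        entry["ops"] += 1
        entry["writers"].add(rec["proc"])
        if rec["op"] == "set" and rec["name"] == "":
            entry["dlls"].append((rec["proc"], rec["data"]))
    return dict(by_clsid)


if __name__ == "__main__":
    for clsid, info in com_hijack_summary(SAMPLE_IOCS).items():
        print(clsid, "touched by", len(info["writers"]), "distinct processes")
        for proc, dll in info["dlls"]:
            print("   ", proc, "->", dll)
```

On a live host the same grouping can be driven from a registry export instead of report rows; the point of the check is that one CLSID being re-pointed at many differently named DLLs under SysWow64 by many short-lived processes is the pattern to hunt for, not any single DLL name.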
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe, Pmagdbci.exe, Pfikmh32.exe, Pmccjbaf.exe, Qbbhgi32.exe, Qjnmlk32.exe, Ajpjakhc.exe, Aeenochi.exe, Apoooa32.exe, Ajecmj32.exe, Afnagk32.exe, Bnielm32.exe, Bhdgjb32.exe, Behgcf32.exe, Baadng32.exe, Cfnmfn32.exe
description pid process target process (each row below is logged four times in the report: 16 distinct rows, 64 IoCs)
- PID 2208 wrote to memory of 2200 2208 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe Pmagdbci.exe
- PID 2200 wrote to memory of 2544 2200 Pmagdbci.exe Pfikmh32.exe
- PID 2544 wrote to memory of 2528 2544 Pfikmh32.exe Pmccjbaf.exe
- PID 2528 wrote to memory of 2600 2528 Pmccjbaf.exe Qbbhgi32.exe
- PID 2600 wrote to memory of 2588 2600 Qbbhgi32.exe Qjnmlk32.exe
- PID 2588 wrote to memory of 2432 2588 Qjnmlk32.exe Ajpjakhc.exe
- PID 2432 wrote to memory of 2324 2432 Ajpjakhc.exe Aeenochi.exe
- PID 2324 wrote to memory of 792 2324 Aeenochi.exe Apoooa32.exe
- PID 792 wrote to memory of 888 792 Apoooa32.exe Ajecmj32.exe
- PID 888 wrote to memory of 2756 888 Ajecmj32.exe Afnagk32.exe
- PID 2756 wrote to memory of 1948 2756 Afnagk32.exe Bnielm32.exe
- PID 1948 wrote to memory of 2468 1948 Bnielm32.exe Bhdgjb32.exe
- PID 2468 wrote to memory of 1576 2468 Bhdgjb32.exe Behgcf32.exe
- PID 1576 wrote to memory of 1696 1576 Behgcf32.exe Baadng32.exe
- PID 1696 wrote to memory of 3004 1696 Baadng32.exe Cfnmfn32.exe
- PID 3004 wrote to memory of 2300 3004 Cfnmfn32.exe Cklfll32.exe
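Each row in the WriteProcessMemory table pairs a parent with the process it starts next, and the rows chain end to end (2208 writes into 2200, 2200 into 2544, and so on). A parent writing into a child it has just created is what CreateProcess does to pass the process parameters, so the signature on its own does not separate process creation from injection into an unrelated process; what does separate them is the shape of the graph. The script below is an added example, not part of the report: it deduplicates rows in the format shown above (a constructed excerpt of the table, with the repeats kept so the deduplication is exercised), rebuilds the chain, and returns None as soon as any process writes into more than one target or is written by more than one source, which is the shape a cross-process injection would produce. It assumes the exact "PID a wrote to memory of b a parent.exe child.exe" wording rendered on this page.

```python
"""Rebuild the parent->child chain from sandbox "Suspicious use of
WriteProcessMemory" rows and check that it is one serial chain."""
import re
from collections import Counter

# Constructed sample: rows copied from the table above, run together on one
# line the way the page renders them. The report logs every pair four
# times; two repeats are kept here so the dedup step has something to do.
SAMPLE_ROWS = (
    "PID 2208 wrote to memory of 2200 2208 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe Pmagdbci.exe "
    "PID 2208 wrote to memory of 2200 2208 08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe Pmagdbci.exe "
    "PID 2200 wrote to memory of 2544 2200 Pmagdbci.exe Pfikmh32.exe "
    "PID 2200 wrote to memory of 2544 2200 Pmagdbci.exe Pfikmh32.exe "
    "PID 2544 wrote to memory of 2528 2544 Pfikmh32.exe Pmccjbaf.exe "
    "PID 2528 wrote to memory of 2600 2528 Pmccjbaf.exe Qbbhgi32.exe "
    "PID 2600 wrote to memory of 2588 2600 Qbbhgi32.exe Qjnmlk32.exe"
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the
# back-reference insists that the source PID is repeated, as in the report.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_edges(text):
    """Return [(edge, times_logged), ...] in first-seen order, where edge is
    (src_pid, dst_pid, src_image, dst_image). Works on flattened text too."""
    counts = Counter()
    order = []
    for m in ROW_RE.finditer(text):
        edge = (int(m[1]), int(m[2]), m[3], m[4])
        if edge not in counts:
            order.append(edge)
        counts[edge] += 1
    return [(e, counts[e]) for e in order]


def serial_chain(edges):
    """If every process writes into at most one target and every target is
    written by exactly one source, return the image names in spawn order.
    Any fan-out or double writer returns None: that is the shape to look at
    by hand, because plain process creation never produces it."""
    by_src = {}
    targets = set()
    for (src, dst, src_img, dst_img), _ in edges:
        if src in by_src or dst in targets:
            return None
        by_src[src] = (dst, src_img, dst_img)
        targets.add(dst)
    roots = [s for s in by_src if s not in targets]
    if len(roots) != 1:
        return None
    pid = roots[0]
    chain = [by_src[pid][1]]
    while pid in by_src:
        pid, _, dst_img = by_src[pid]
        chain.append(dst_img)
    return chain


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    for edge, n in edges:
        print(edge, "logged", n, "times")
    print(" -> ".join(serial_chain(edges) or ["not a serial chain"]))
```

Run against the full table the chain continues through to Cklfll32.exe; the same function is what you would point at EDR telemetry for the WriteProcessMemory/NtWriteVirtualMemory events of a suspect tree before deciding whether the writes are creation-time parameter passing or something that deserves a memory dump.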
Processes
-
C:\Users\Admin\AppData\Local\Temp\08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Cegcbjkn.exeC:\Windows\system32\Cegcbjkn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe33⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe36⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe38⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe39⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe42⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe44⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe45⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe46⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe47⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe48⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe49⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe50⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe51⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe52⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe54⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe55⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe56⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe58⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe59⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe62⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe64⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe65⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe66⤵PID:1284
-
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe67⤵PID:1248
-
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe68⤵PID:1304
-
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe69⤵PID:1780
-
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe71⤵PID:1292
-
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe72⤵
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe74⤵PID:1568
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe75⤵PID:2620
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe78⤵PID:1288
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe79⤵PID:944
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe80⤵PID:1260
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe81⤵PID:916
-
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe82⤵PID:2676
-
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe83⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe84⤵PID:2856
-
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe86⤵
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe87⤵PID:676
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe88⤵PID:1756
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe89⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe90⤵PID:1920
-
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe91⤵PID:2556
-
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe92⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe93⤵PID:2420
-
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe95⤵PID:1480
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe96⤵PID:2680
-
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe97⤵PID:2236
-
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe98⤵PID:1796
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe99⤵PID:2104
-
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe100⤵PID:1972
-
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe101⤵PID:2116
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe102⤵PID:1172
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe103⤵
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe104⤵PID:3008
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe105⤵PID:1136
-
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe106⤵PID:2904
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe107⤵PID:2864
-
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe108⤵PID:2712
-
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe109⤵PID:2896
-
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe110⤵PID:2892
-
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe111⤵PID:1036
-
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe112⤵PID:1228
-
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe113⤵PID:364
-
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe114⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe115⤵PID:1488
-
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe116⤵PID:2812
-
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe117⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe118⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe119⤵PID:1592
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe120⤵PID:2700
-
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe121⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe122⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe123⤵PID:344
-
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe124⤵PID:1904
-
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe125⤵PID:1572
-
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe126⤵
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe127⤵PID:2028
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe128⤵PID:1608
-
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe130⤵PID:1280
-
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe132⤵PID:2872
-
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe133⤵PID:2732
-
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe135⤵PID:1984
-
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe136⤵PID:836
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe137⤵
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe138⤵PID:1792
-
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe139⤵PID:1620
-
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe140⤵PID:2492
-
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe141⤵PID:2580
-
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe142⤵PID:2120
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe144⤵PID:2464
-
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe145⤵PID:788
-
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe146⤵PID:2764
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe147⤵PID:1748
-
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe148⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe149⤵PID:1352
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe150⤵PID:2352
-
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe151⤵PID:2672
-
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:876 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe153⤵PID:2576
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe154⤵PID:1500
-
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe155⤵PID:2976
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe156⤵PID:1720
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe157⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe158⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe159⤵PID:1800
-
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe160⤵PID:1108
-
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe161⤵PID:1588
-
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe162⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe163⤵PID:936
-
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe164⤵PID:2332
-
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe165⤵
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe166⤵PID:3020
-
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe167⤵PID:1668
-
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe168⤵PID:2664
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe169⤵PID:2748
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe171⤵PID:2160
-
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe172⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe173⤵PID:2108
-
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe174⤵PID:2512
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe175⤵PID:2304
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe176⤵PID:2268
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe177⤵PID:2176
-
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe178⤵PID:464
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe179⤵PID:2460
-
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe180⤵PID:1484
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe182⤵PID:2696
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe183⤵PID:2772
-
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe184⤵PID:1000
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe185⤵PID:1444
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe186⤵PID:2164
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe187⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe188⤵PID:2808
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe189⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe190⤵PID:1596
-
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe191⤵PID:1640
-
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe192⤵PID:560
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe193⤵PID:1628
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe194⤵PID:1032
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe195⤵PID:3100
-
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe196⤵PID:3140
-
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe197⤵PID:3180
-
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe198⤵
- Drops file in System32 directory
PID:3220 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe199⤵
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe200⤵PID:3300
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe201⤵PID:3340
-
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe202⤵PID:3380
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe203⤵PID:3420
-
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3460 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe205⤵PID:3500
-
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe206⤵PID:3544
-
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe207⤵PID:3584
-
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe208⤵PID:3624
-
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe209⤵PID:3664
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe210⤵PID:3704
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe211⤵PID:3744
-
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe212⤵PID:3784
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe213⤵PID:3824
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe214⤵PID:3864
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe215⤵
- Modifies registry class
PID:3904 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe216⤵
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe217⤵PID:3984
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe218⤵PID:4024
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe219⤵PID:4064
-
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe220⤵PID:3076
-
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe221⤵PID:3124
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe222⤵PID:3164
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe223⤵PID:3228
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3276 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe225⤵PID:3312
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe226⤵
- Modifies registry class
PID:3376 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3416 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe228⤵PID:3476
-
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe229⤵PID:3524
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe230⤵PID:3568
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe231⤵
- Modifies registry class
PID:3612 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe232⤵
- Drops file in System32 directory
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe233⤵PID:3716
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe234⤵PID:3768
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe236⤵PID:3884
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe237⤵PID:3928
-
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe238⤵
- Drops file in System32 directory
PID:3972 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4004 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe240⤵PID:4072
-
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe241⤵PID:3084
-
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe242⤵PID:3156
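The process tree above is rendered with the image path, the command line and the nesting depth fused into one line (for example `C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe2⤵`), the triggered signatures as "- " bullets beneath it, and the PID either on its own `PID:n` line or appended straight after the depth marker. The Python below is an added example and not report output: it parses that layout back into nodes with a parent link, indexes which processes carry which signature, and reports entries whose depth-1 parent is absent. The sample is a constructed excerpt of the entries above; depths 4 to 65 are left out on purpose so that the missing-parent case is exercised. The regular expressions assume the exact rendering on this page, including the `⤵` character after the depth number.

```python
"""Parse the flattened process-tree listing (image + command line + depth on
one line, "- " signature bullets, then "PID:n") back into a tree."""
import re
from collections import defaultdict

# Constructed sample: the first three entries of the tree above plus two
# deeper entries that carry the PID on the same line. Depths 4-65 are
# deliberately omitted, so the depth-66 entry has no parent in this excerpt.
SAMPLE_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\08e2e70ae21108e472ece279b3e66160_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe66⤵PID:1284
-
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe67⤵PID:1248
-
'''

# <image ending in .exe><quoted or bare command line><depth>⤵[PID:<n>]
ENTRY_RE = re.compile(
    r'^(?P<image>.+?\.exe)(?P<cmdline>"[^"]*"|\S+?\.exe)(?P<depth>\d+)⤵'
    r'(?:PID:(?P<pid>\d+))?\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')


def parse_tree(text):
    """Return node dicts (image, cmdline, depth, pid, signatures, parent
    index or None) in listing order. A node's parent is the most recent
    entry at depth-1; if none was seen, the link is left unresolved."""
    nodes, last_at_depth, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            depth = int(m["depth"])
            cur = {"image": m["image"], "cmdline": m["cmdline"].strip('"'),
                   "depth": depth, "pid": int(m["pid"]) if m["pid"] else None,
                   "signatures": [], "parent": last_at_depth.get(depth - 1)}
            last_at_depth[depth] = len(nodes)
            nodes.append(cur)
        elif cur is not None and line.startswith("- "):
            cur["signatures"].append(line[2:])
        elif cur is not None and PID_RE.match(line):
            cur["pid"] = int(PID_RE.match(line)["pid"])
    return nodes


def basename(path):
    return path.rsplit("\\", 1)[-1]


def chain_names(nodes):
    """Image base names in listing order (the report's spawn order)."""
    return [basename(n["image"]) for n in nodes]


def by_signature(nodes):
    """Map each signature to the base names of the processes carrying it."""
    idx = defaultdict(list)
    for n in nodes:
        for sig in n["signatures"]:
            idx[sig].append(basename(n["image"]))
    return dict(idx)


def orphans(nodes):
    """Entries below the root whose depth-1 parent never appeared."""
    return [n["image"] for n in nodes if n["depth"] > 1 and n["parent"] is None]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for n in tree:
        parent = basename(tree[n["parent"]]["image"]) if n["parent"] is not None else "?"
        print(f'{n["depth"]:>3} pid={n["pid"]} {basename(n["image"])} <- {parent}')
    print("orphans:", orphans(tree))
```

Once the listing is structured, the questions this report raises become one-liners: `by_signature(nodes)["Adds autorun key to be loaded by Explorer.exe on startup"]` gives the processes that touched the Explorer startup key, and `orphans(nodes)` on the full page should be empty, since every entry here is exactly one level deeper than the previous one.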