Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 23:13
Behavioral task: behavioral1
Sample: 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
Size: 161KB
MD5: 08a8bb86eb04fbe319c1991fa80768b0
SHA1: da61ae0b807c4b6ae1ffb8a5ac5cb52e177641b5
SHA256: fc66d1ee7eae9136764b0164f42c4722728513bd2b8e1a7903b631305e1948cc
SHA512: dbea72e331176374bb5aac7cae2bf38148aeeda1a6735b0bbdab2c661a5275326b7fbbc0a0278b85e2979e0c5dbe1fc39cb6beab06994480699f94304b4dd921
SSDEEP: 3072:jVJK+9BDKJt6pOVpy4lkuVwtCJXeex7rrIRZK8K8/kv:jVEgBmJtimyWkuVwtmeetrIyR
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes:
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
Executes dropped EXE (64 IoCs)
Processes:
Loads dropped DLL (64 IoCs)
Processes:
Drops file in System32 directory (64 IoCs)
Processes:
Program crash (1 IoC)
Processes:
pid 3484 (WerFault.exe), target pid 3284 (Iagfoe32.exe)
Modifies registry class (64 IoCs)
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
depth | image path | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe" | 2880 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Jgenhp32.exe | C:\Windows\system32\Jgenhp32.exe | 2384 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Jmbgpg32.exe | C:\Windows\system32\Jmbgpg32.exe | 1720 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Jpqclb32.exe | C:\Windows\system32\Jpqclb32.exe | 2692 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Jfkkimlh.exe | C:\Windows\system32\Jfkkimlh.exe | 2620 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Jmdcfg32.exe | C:\Windows\system32\Jmdcfg32.exe | 2736 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Kpcpbb32.exe | C:\Windows\system32\Kpcpbb32.exe | 2724 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Kbalnnam.exe | C:\Windows\system32\Kbalnnam.exe | 2796 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Kljqgc32.exe | C:\Windows\system32\Kljqgc32.exe | 2344 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Kfoedl32.exe | C:\Windows\system32\Kfoedl32.exe | 2168 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Kllmmc32.exe | C:\Windows\system32\Kllmmc32.exe | 1168 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Kipnfged.exe | C:\Windows\system32\Kipnfged.exe | 1780 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Komfnnck.exe | C:\Windows\system32\Komfnnck.exe | 1696 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Klqfhbbe.exe | C:\Windows\system32\Klqfhbbe.exe | 1484 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Lhggmchi.exe | C:\Windows\system32\Lhggmchi.exe | 2276 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Loapim32.exe | C:\Windows\system32\Loapim32.exe | 1916 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Lhjdbcef.exe | C:\Windows\system32\Lhjdbcef.exe | 1196 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
18 | C:\Windows\SysWOW64\Lpeifeca.exe | C:\Windows\system32\Lpeifeca.exe | 1456 | Executes dropped EXE; Loads dropped DLL
19 | C:\Windows\SysWOW64\Lgoacojo.exe | C:\Windows\system32\Lgoacojo.exe | 1976 | Executes dropped EXE; Loads dropped DLL
20 | C:\Windows\SysWOW64\Lmiipi32.exe | C:\Windows\system32\Lmiipi32.exe | 108 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
21 | C:\Windows\SysWOW64\Lpgele32.exe | C:\Windows\system32\Lpgele32.exe | 900 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Lipjejgp.exe | C:\Windows\system32\Lipjejgp.exe | 2360 | Executes dropped EXE; Loads dropped DLL
23 | C:\Windows\SysWOW64\Llnfaffc.exe | C:\Windows\system32\Llnfaffc.exe | 2180 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
24 | C:\Windows\SysWOW64\Lmnbkinf.exe | C:\Windows\system32\Lmnbkinf.exe | 872 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
25 | C:\Windows\SysWOW64\Lplogdmj.exe | C:\Windows\system32\Lplogdmj.exe | 2956 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
26 | C:\Windows\SysWOW64\Mcjkcplm.exe | C:\Windows\system32\Mcjkcplm.exe | 2768 | Executes dropped EXE; Loads dropped DLL
27 | C:\Windows\SysWOW64\Mhgclfje.exe | C:\Windows\system32\Mhgclfje.exe | 2604 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
28 | C:\Windows\SysWOW64\Mekdekin.exe | C:\Windows\system32\Mekdekin.exe | 2152 | Executes dropped EXE; Loads dropped DLL
29 | C:\Windows\SysWOW64\Mochnppo.exe | C:\Windows\system32\Mochnppo.exe | 2776 | Executes dropped EXE; Loads dropped DLL
30 | C:\Windows\SysWOW64\Mabejlob.exe | C:\Windows\system32\Mabejlob.exe | 2752 | Executes dropped EXE; Loads dropped DLL
31 | C:\Windows\SysWOW64\Mofecpnl.exe | C:\Windows\system32\Mofecpnl.exe | 1644 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
32 | C:\Windows\SysWOW64\Mdcnlglc.exe | C:\Windows\system32\Mdcnlglc.exe | 1060 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
33 | C:\Windows\SysWOW64\Mgajhbkg.exe | C:\Windows\system32\Mgajhbkg.exe | 2920 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
34 | C:\Windows\SysWOW64\Mohbip32.exe | C:\Windows\system32\Mohbip32.exe | 800 | Executes dropped EXE
35 | C:\Windows\SysWOW64\Mpjoqhah.exe | C:\Windows\system32\Mpjoqhah.exe | 1736 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Mkobnqan.exe | C:\Windows\system32\Mkobnqan.exe | 1332 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
37 | C:\Windows\SysWOW64\Nnnojlpa.exe | C:\Windows\system32\Nnnojlpa.exe | 2892 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38 | C:\Windows\SysWOW64\Naikkk32.exe | C:\Windows\system32\Naikkk32.exe | 2572 | Executes dropped EXE; Modifies registry class
39 | C:\Windows\SysWOW64\Nplkfgoe.exe | C:\Windows\system32\Nplkfgoe.exe | 1256 | Executes dropped EXE
40 | C:\Windows\SysWOW64\Ncjgbcoi.exe | C:\Windows\system32\Ncjgbcoi.exe | 2184 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Nkaocp32.exe | C:\Windows\system32\Nkaocp32.exe | 348 | Executes dropped EXE
42 | C:\Windows\SysWOW64\Nlblkhei.exe | C:\Windows\system32\Nlblkhei.exe | 2440 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Ndjdlffl.exe | C:\Windows\system32\Ndjdlffl.exe | 2668 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Nghphaeo.exe | C:\Windows\system32\Nghphaeo.exe | 612 | Executes dropped EXE
45 | C:\Windows\SysWOW64\Njgldmdc.exe | C:\Windows\system32\Njgldmdc.exe | 400 | Executes dropped EXE
46 | C:\Windows\SysWOW64\Nnbhek32.exe | C:\Windows\system32\Nnbhek32.exe | 1156 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
47 | C:\Windows\SysWOW64\Nocemcbj.exe | C:\Windows\system32\Nocemcbj.exe | 2316 | Executes dropped EXE
48 | C:\Windows\SysWOW64\Ncoamb32.exe | C:\Windows\system32\Ncoamb32.exe | 884 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
49 | C:\Windows\SysWOW64\Nfmmin32.exe | C:\Windows\system32\Nfmmin32.exe | 1612 | Executes dropped EXE
50 | C:\Windows\SysWOW64\Nhlifi32.exe | C:\Windows\system32\Nhlifi32.exe | 1616 | Executes dropped EXE
51 | C:\Windows\SysWOW64\Nqcagfim.exe | C:\Windows\system32\Nqcagfim.exe | 2148 | Executes dropped EXE; Modifies registry class
52 | C:\Windows\SysWOW64\Ncancbha.exe | C:\Windows\system32\Ncancbha.exe | 3000 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
53 | C:\Windows\SysWOW64\Nbdnoo32.exe | C:\Windows\system32\Nbdnoo32.exe | 2636 | Executes dropped EXE
54 | C:\Windows\SysWOW64\Njkfpl32.exe | C:\Windows\system32\Njkfpl32.exe | 2644 | Executes dropped EXE
55 | C:\Windows\SysWOW64\Nkmbgdfl.exe | C:\Windows\system32\Nkmbgdfl.exe | 2552 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Nccjhafn.exe | C:\Windows\system32\Nccjhafn.exe | 2164 | Executes dropped EXE
57 | C:\Windows\SysWOW64\Ofbfdmeb.exe | C:\Windows\system32\Ofbfdmeb.exe | 2448 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58 | C:\Windows\SysWOW64\Odegpj32.exe | C:\Windows\system32\Odegpj32.exe | 1844 | Executes dropped EXE
59 | C:\Windows\SysWOW64\Ohqbqhde.exe | C:\Windows\system32\Ohqbqhde.exe | 2676 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
60 | C:\Windows\SysWOW64\Oojknblb.exe | C:\Windows\system32\Oojknblb.exe | 1772 | Executes dropped EXE; Modifies registry class
61 | C:\Windows\SysWOW64\Onmkio32.exe | C:\Windows\system32\Onmkio32.exe | 2052 | Executes dropped EXE; Drops file in System32 directory
62 | C:\Windows\SysWOW64\Odgcfijj.exe | C:\Windows\system32\Odgcfijj.exe | 2304 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
63 | C:\Windows\SysWOW64\Ogfpbeim.exe | C:\Windows\system32\Ogfpbeim.exe | 2252 | Executes dropped EXE; Modifies registry class
64 | C:\Windows\SysWOW64\Oomhcbjp.exe | C:\Windows\system32\Oomhcbjp.exe | 832 | Executes dropped EXE; Modifies registry class
65 | C:\Windows\SysWOW64\Onphoo32.exe | C:\Windows\system32\Onphoo32.exe | 1800 | Executes dropped EXE; Drops file in System32 directory
66 | C:\Windows\SysWOW64\Odjpkihg.exe | C:\Windows\system32\Odjpkihg.exe | 1164 |
67 | C:\Windows\SysWOW64\Oiellh32.exe | C:\Windows\system32\Oiellh32.exe | 2264 |
68 | C:\Windows\SysWOW64\Oghlgdgk.exe | C:\Windows\system32\Oghlgdgk.exe | 1872 |
69 | C:\Windows\SysWOW64\Ojficpfn.exe | C:\Windows\system32\Ojficpfn.exe | 2972 | Drops file in System32 directory
70 | C:\Windows\SysWOW64\Oqqapjnk.exe | C:\Windows\system32\Oqqapjnk.exe | 2320 | Modifies registry class
71 | C:\Windows\SysWOW64\Ocomlemo.exe | C:\Windows\system32\Ocomlemo.exe | 1724 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
72 | C:\Windows\SysWOW64\Ocomlemo.exe | C:\Windows\system32\Ocomlemo.exe | 2624 |
73 | C:\Windows\SysWOW64\Ondajnme.exe | C:\Windows\system32\Ondajnme.exe | 2716 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
74 | C:\Windows\SysWOW64\Ondajnme.exe | C:\Windows\system32\Ondajnme.exe | 2732 | Modifies registry class
75 | C:\Windows\SysWOW64\Omgaek32.exe | C:\Windows\system32\Omgaek32.exe | 2520 | Modifies registry class
76 | C:\Windows\SysWOW64\Oenifh32.exe | C:\Windows\system32\Oenifh32.exe | 2388 | Drops file in System32 directory
77 | C:\Windows\SysWOW64\Ofpfnqjp.exe | C:\Windows\system32\Ofpfnqjp.exe | 2504 |
78 | C:\Windows\SysWOW64\Ongnonkb.exe | C:\Windows\system32\Ongnonkb.exe | 2936 |
79 | C:\Windows\SysWOW64\Pminkk32.exe | C:\Windows\system32\Pminkk32.exe | 2512 |
80 | C:\Windows\SysWOW64\Pphjgfqq.exe | C:\Windows\system32\Pphjgfqq.exe | 940 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
81 | C:\Windows\SysWOW64\Pccfge32.exe | C:\Windows\system32\Pccfge32.exe | 1596 | Adds autorun key to be loaded by Explorer.exe on startup
82 | C:\Windows\SysWOW64\Pjmodopf.exe | C:\Windows\system32\Pjmodopf.exe | 3020 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
83 | C:\Windows\SysWOW64\Pipopl32.exe | C:\Windows\system32\Pipopl32.exe | 1752 | Drops file in System32 directory
84 | C:\Windows\SysWOW64\Paggai32.exe | C:\Windows\system32\Paggai32.exe | 1292 | Modifies registry class
85 | C:\Windows\SysWOW64\Pcfcmd32.exe | C:\Windows\system32\Pcfcmd32.exe | 1056 |
86 | C:\Windows\SysWOW64\Pbiciana.exe | C:\Windows\system32\Pbiciana.exe | 972 |
87 | C:\Windows\SysWOW64\Pjpkjond.exe | C:\Windows\system32\Pjpkjond.exe | 2024 |
88 | C:\Windows\SysWOW64\Pmnhfjmg.exe | C:\Windows\system32\Pmnhfjmg.exe | 1008 |
89 | C:\Windows\SysWOW64\Ppmdbe32.exe | C:\Windows\system32\Ppmdbe32.exe | 1768 | Drops file in System32 directory
90 | C:\Windows\SysWOW64\Pbkpna32.exe | C:\Windows\system32\Pbkpna32.exe | 1836 |
91 | C:\Windows\SysWOW64\Pfflopdh.exe | C:\Windows\system32\Pfflopdh.exe | 1728 |
92 | C:\Windows\SysWOW64\Piehkkcl.exe | C:\Windows\system32\Piehkkcl.exe | 2704 | Adds autorun key to be loaded by Explorer.exe on startup
93 | C:\Windows\SysWOW64\Plcdgfbo.exe | C:\Windows\system32\Plcdgfbo.exe | 2568 |
94 | C:\Windows\SysWOW64\Pnbacbac.exe | C:\Windows\system32\Pnbacbac.exe | 2488 |
95 | C:\Windows\SysWOW64\Pbmmcq32.exe | C:\Windows\system32\Pbmmcq32.exe | 2392 | Modifies registry class
96 | C:\Windows\SysWOW64\Pfiidobe.exe | C:\Windows\system32\Pfiidobe.exe | 1068 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
97 | C:\Windows\SysWOW64\Plfamfpm.exe | C:\Windows\system32\Plfamfpm.exe | 2420 | Drops file in System32 directory
98 | C:\Windows\SysWOW64\Ppamme32.exe | C:\Windows\system32\Ppamme32.exe | 1712 |
99 | C:\Windows\SysWOW64\Pndniaop.exe | C:\Windows\system32\Pndniaop.exe | 1308 | Adds autorun key to be loaded by Explorer.exe on startup
100 | C:\Windows\SysWOW64\Penfelgm.exe | C:\Windows\system32\Penfelgm.exe | 828 |
101 | C:\Windows\SysWOW64\Qhmbagfa.exe | C:\Windows\system32\Qhmbagfa.exe | 1028 |
102 | C:\Windows\SysWOW64\Qlhnbf32.exe | C:\Windows\system32\Qlhnbf32.exe | 496 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
103 | C:\Windows\SysWOW64\Qnfjna32.exe | C:\Windows\system32\Qnfjna32.exe | 1856 |
104 | C:\Windows\SysWOW64\Qaefjm32.exe | C:\Windows\system32\Qaefjm32.exe | 1604 | Drops file in System32 directory; Modifies registry class
105 | C:\Windows\SysWOW64\Qdccfh32.exe | C:\Windows\system32\Qdccfh32.exe | 2852 |
106 | C:\Windows\SysWOW64\Qljkhe32.exe | C:\Windows\system32\Qljkhe32.exe | 2948 |
107 | C:\Windows\SysWOW64\Qnigda32.exe | C:\Windows\system32\Qnigda32.exe | 2628 | Drops file in System32 directory
108 | C:\Windows\SysWOW64\Qagcpljo.exe | C:\Windows\system32\Qagcpljo.exe | 2712 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
109 | C:\Windows\SysWOW64\Qecoqk32.exe | C:\Windows\system32\Qecoqk32.exe | 2612 | Drops file in System32 directory
110 | C:\Windows\SysWOW64\Adeplhib.exe | C:\Windows\system32\Adeplhib.exe | 2808 |
111 | C:\Windows\SysWOW64\Ajphib32.exe | C:\Windows\system32\Ajphib32.exe | 1980 | Drops file in System32 directory; Modifies registry class
112 | C:\Windows\SysWOW64\Ankdiqih.exe | C:\Windows\system32\Ankdiqih.exe | 1756 | Drops file in System32 directory
113 | C:\Windows\SysWOW64\Aplpai32.exe | C:\Windows\system32\Aplpai32.exe | 1968 |
114 | C:\Windows\SysWOW64\Adhlaggp.exe | C:\Windows\system32\Adhlaggp.exe | 1548 | Drops file in System32 directory
115 | C:\Windows\SysWOW64\Affhncfc.exe | C:\Windows\system32\Affhncfc.exe | 3052 | Drops file in System32 directory
116 | C:\Windows\SysWOW64\Aiedjneg.exe | C:\Windows\system32\Aiedjneg.exe | 616 |
117 | C:\Windows\SysWOW64\Aalmklfi.exe | C:\Windows\system32\Aalmklfi.exe | 1144 | Adds autorun key to be loaded by Explorer.exe on startup
118 | C:\Windows\SysWOW64\Adjigg32.exe | C:\Windows\system32\Adjigg32.exe | 1648 | Drops file in System32 directory
119 | C:\Windows\SysWOW64\Abmibdlh.exe | C:\Windows\system32\Abmibdlh.exe | 2868 |
120 | C:\Windows\SysWOW64\Ajdadamj.exe | C:\Windows\system32\Ajdadamj.exe | 2764 |
121 | C:\Windows\SysWOW64\Aigaon32.exe | C:\Windows\system32\Aigaon32.exe | 2516 |
122 | C:\Windows\SysWOW64\Apajlhka.exe | C:\Windows\system32\Apajlhka.exe | 1928 | Drops file in System32 directory; Modifies registry class
123 | C:\Windows\SysWOW64\Abpfhcje.exe | C:\Windows\system32\Abpfhcje.exe | 2804 | Drops file in System32 directory; Modifies registry class
124 | C:\Windows\SysWOW64\Afkbib32.exe | C:\Windows\system32\Afkbib32.exe | 2688 | Adds autorun key to be loaded by Explorer.exe on startup
125 | C:\Windows\SysWOW64\Aiinen32.exe | C:\Windows\system32\Aiinen32.exe | 2916 |
126 | C:\Windows\SysWOW64\Alhjai32.exe | C:\Windows\system32\Alhjai32.exe | 1764 |
127 | C:\Windows\SysWOW64\Apcfahio.exe | C:\Windows\system32\Apcfahio.exe | 1888 |
128 | C:\Windows\SysWOW64\Abbbnchb.exe | C:\Windows\system32\Abbbnchb.exe | 2356 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
129 | C:\Windows\SysWOW64\Abbbnchb.exe | C:\Windows\system32\Abbbnchb.exe | 308 |
130 | C:\Windows\SysWOW64\Ailkjmpo.exe | C:\Windows\system32\Ailkjmpo.exe | 2896 | Drops file in System32 directory
131 | C:\Windows\SysWOW64\Aljgfioc.exe | C:\Windows\system32\Aljgfioc.exe | 2508 | Adds autorun key to be loaded by Explorer.exe on startup
132 | C:\Windows\SysWOW64\Boiccdnf.exe | C:\Windows\system32\Boiccdnf.exe | 2492 | Drops file in System32 directory; Modifies registry class
133 | C:\Windows\SysWOW64\Boiccdnf.exe | C:\Windows\system32\Boiccdnf.exe | 2528 |
134 | C:\Windows\SysWOW64\Bebkpn32.exe | C:\Windows\system32\Bebkpn32.exe | 1984 | Drops file in System32 directory
135 | C:\Windows\SysWOW64\Bhahlj32.exe | C:\Windows\system32\Bhahlj32.exe | 2428 |
136 | C:\Windows\SysWOW64\Bokphdld.exe | C:\Windows\system32\Bokphdld.exe | 1640 | Adds autorun key to be loaded by Explorer.exe on startup
137 | C:\Windows\SysWOW64\Beehencq.exe | C:\Windows\system32\Beehencq.exe | 2368 | Drops file in System32 directory
138 | C:\Windows\SysWOW64\Bdhhqk32.exe | C:\Windows\system32\Bdhhqk32.exe | 3064 |
139 | C:\Windows\SysWOW64\Bkaqmeah.exe | C:\Windows\system32\Bkaqmeah.exe | 2332 | Modifies registry class
140 | C:\Windows\SysWOW64\Bnpmipql.exe | C:\Windows\system32\Bnpmipql.exe | 2960 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
141 | C:\Windows\SysWOW64\Bdjefj32.exe | C:\Windows\system32\Bdjefj32.exe | 2104 | Adds autorun key to be loaded by Explorer.exe on startup
142 | C:\Windows\SysWOW64\Bghabf32.exe | C:\Windows\system32\Bghabf32.exe | 2140 |
143 | C:\Windows\SysWOW64\Bopicc32.exe | C:\Windows\system32\Bopicc32.exe | 2176 |
144 | C:\Windows\SysWOW64\Banepo32.exe | C:\Windows\system32\Banepo32.exe | 936 |
145 | C:\Windows\SysWOW64\Bpafkknm.exe | C:\Windows\system32\Bpafkknm.exe | 608 | Adds autorun key to be loaded by Explorer.exe on startup
146 | C:\Windows\SysWOW64\Bgknheej.exe | C:\Windows\system32\Bgknheej.exe | 1636 |
147 | C:\Windows\SysWOW64\Bjijdadm.exe | C:\Windows\system32\Bjijdadm.exe | 1880 |
148 | C:\Windows\SysWOW64\Bnefdp32.exe | C:\Windows\system32\Bnefdp32.exe | 2016 | Adds autorun key to be loaded by Explorer.exe on startup
149 | C:\Windows\SysWOW64\Baqbenep.exe | C:\Windows\system32\Baqbenep.exe | 868 | Modifies registry class
150 | C:\Windows\SysWOW64\Bdooajdc.exe | C:\Windows\system32\Bdooajdc.exe | 2772 | Modifies registry class
151 | C:\Windows\SysWOW64\Cgmkmecg.exe | C:\Windows\system32\Cgmkmecg.exe | 3056 |
152 | C:\Windows\SysWOW64\Ckignd32.exe | C:\Windows\system32\Ckignd32.exe | 2992 | Modifies registry class
153 | C:\Windows\SysWOW64\Cjlgiqbk.exe | C:\Windows\system32\Cjlgiqbk.exe | 1480 | Drops file in System32 directory; Modifies registry class
154 | C:\Windows\SysWOW64\Cljcelan.exe | C:\Windows\system32\Cljcelan.exe | 2912 |
155 | C:\Windows\SysWOW64\Cpeofk32.exe | C:\Windows\system32\Cpeofk32.exe | 1216 |
156 | C:\Windows\SysWOW64\Ccdlbf32.exe | C:\Windows\system32\Ccdlbf32.exe | 1840 | Modifies registry class
157 | C:\Windows\SysWOW64\Cgpgce32.exe | C:\Windows\system32\Cgpgce32.exe | 752 | Modifies registry class
158 | C:\Windows\SysWOW64\Cnippoha.exe | C:\Windows\system32\Cnippoha.exe | 2200 |
159 | C:\Windows\SysWOW64\Cllpkl32.exe | C:\Windows\system32\Cllpkl32.exe | 1832 | Adds autorun key to be loaded by Explorer.exe on startup
160 | C:\Windows\SysWOW64\Coklgg32.exe | C:\Windows\system32\Coklgg32.exe | 2012 | Drops file in System32 directory
161 | C:\Windows\SysWOW64\Ccfhhffh.exe | C:\Windows\system32\Ccfhhffh.exe | 1140 |
162 | C:\Windows\SysWOW64\Cfeddafl.exe | C:\Windows\system32\Cfeddafl.exe | 2112 |
163 | C:\Windows\SysWOW64\Cjpqdp32.exe | C:\Windows\system32\Cjpqdp32.exe | 2884 | Drops file in System32 directory
164 | C:\Windows\SysWOW64\Clomqk32.exe | C:\Windows\system32\Clomqk32.exe | 1172 |
165 | C:\Windows\SysWOW64\Comimg32.exe | C:\Windows\system32\Comimg32.exe | 2672 | Adds autorun key to be loaded by Explorer.exe on startup
166 | C:\Windows\SysWOW64\Cbkeib32.exe | C:\Windows\system32\Cbkeib32.exe | 2536 |
167 | C:\Windows\SysWOW64\Cfgaiaci.exe | C:\Windows\system32\Cfgaiaci.exe | 764 | Drops file in System32 directory
168 | C:\Windows\SysWOW64\Chemfl32.exe | C:\Windows\system32\Chemfl32.exe | 2292 |
169 | C:\Windows\SysWOW64\Ckdjbh32.exe | C:\Windows\system32\Ckdjbh32.exe | 2556 |
170 | C:\Windows\SysWOW64\Cckace32.exe | C:\Windows\system32\Cckace32.exe | 2824 |
171 | C:\Windows\SysWOW64\Cbnbobin.exe | C:\Windows\system32\Cbnbobin.exe | 2788 | Modifies registry class
172 | C:\Windows\SysWOW64\Chhjkl32.exe | C:\Windows\system32\Chhjkl32.exe | 2932 |
173 | C:\Windows\SysWOW64\Clcflkic.exe | C:\Windows\system32\Clcflkic.exe | 2032 | Drops file in System32 directory
174 | C:\Windows\SysWOW64\Ckffgg32.exe | C:\Windows\system32\Ckffgg32.exe | 2312 | Drops file in System32 directory
175 | C:\Windows\SysWOW64\Dbpodagk.exe | C:\Windows\system32\Dbpodagk.exe | 928 | Drops file in System32 directory
176 | C:\Windows\SysWOW64\Ddokpmfo.exe | C:\Windows\system32\Ddokpmfo.exe | 2080 |
177 | C:\Windows\SysWOW64\Dhjgal32.exe | C:\Windows\system32\Dhjgal32.exe | 2584 |
178 | C:\Windows\SysWOW64\Dkhcmgnl.exe | C:\Windows\system32\Dkhcmgnl.exe | 2812 |
179 | C:\Windows\SysWOW64\Dodonf32.exe | C:\Windows\system32\Dodonf32.exe | 2372 |
180 | C:\Windows\SysWOW64\Dqelenlc.exe | C:\Windows\system32\Dqelenlc.exe | 1036 | Adds autorun key to be loaded by Explorer.exe on startup
181 | C:\Windows\SysWOW64\Dhmcfkme.exe | C:\Windows\system32\Dhmcfkme.exe | 2028 |
182 | C:\Windows\SysWOW64\Dkkpbgli.exe | C:\Windows\system32\Dkkpbgli.exe | 1652 |
183 | C:\Windows\SysWOW64\Djnpnc32.exe | C:\Windows\system32\Djnpnc32.exe | 2068 | Modifies registry class
184 | C:\Windows\SysWOW64\Dbehoa32.exe | C:\Windows\system32\Dbehoa32.exe | 1992 |
185 | C:\Windows\SysWOW64\Dqhhknjp.exe | C:\Windows\system32\Dqhhknjp.exe | 944 | Modifies registry class
186 | C:\Windows\SysWOW64\Dcfdgiid.exe | C:\Windows\system32\Dcfdgiid.exe | 3048 | Modifies registry class
187 | C:\Windows\SysWOW64\Dgaqgh32.exe | C:\Windows\system32\Dgaqgh32.exe | 2480 | Drops file in System32 directory
188 | C:\Windows\SysWOW64\Djpmccqq.exe | C:\Windows\system32\Djpmccqq.exe | 2632 |
189 | C:\Windows\SysWOW64\Dnlidb32.exe | C:\Windows\system32\Dnlidb32.exe | 3096 |
190 | C:\Windows\SysWOW64\Dqjepm32.exe | C:\Windows\system32\Dqjepm32.exe | 3136 |
191 | C:\Windows\SysWOW64\Dchali32.exe | C:\Windows\system32\Dchali32.exe | 3176 |
192 | C:\Windows\SysWOW64\Dfgmhd32.exe | C:\Windows\system32\Dfgmhd32.exe | 3216 |
193 | C:\Windows\SysWOW64\Djbiicon.exe | C:\Windows\system32\Djbiicon.exe | 3256 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
194 | C:\Windows\SysWOW64\Dqlafm32.exe | C:\Windows\system32\Dqlafm32.exe | 3296 | Adds autorun key to be loaded by Explorer.exe on startup
195 | C:\Windows\SysWOW64\Doobajme.exe | C:\Windows\system32\Doobajme.exe | 3336 | Adds autorun key to be loaded by Explorer.exe on startup
196 | C:\Windows\SysWOW64\Dfijnd32.exe | C:\Windows\system32\Dfijnd32.exe | 3376 |
197 | C:\Windows\SysWOW64\Eihfjo32.exe | C:\Windows\system32\Eihfjo32.exe | 3416 |
198 | C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\system32\Emcbkn32.exe | 3456 |
199 | C:\Windows\SysWOW64\Eqonkmdh.exe | C:\Windows\system32\Eqonkmdh.exe | 3496 |
200 | C:\Windows\SysWOW64\Ecmkghcl.exe | C:\Windows\system32\Ecmkghcl.exe | 3536 | Adds autorun key to be loaded by Explorer.exe on startup
201 | C:\Windows\SysWOW64\Ebpkce32.exe | C:\Windows\system32\Ebpkce32.exe | 3576 |
202 | C:\Windows\SysWOW64\Ejgcdb32.exe | C:\Windows\system32\Ejgcdb32.exe | 3616 | Modifies registry class
203 | C:\Windows\SysWOW64\Eijcpoac.exe | C:\Windows\system32\Eijcpoac.exe | 3656 |
204 | C:\Windows\SysWOW64\Ekholjqg.exe | C:\Windows\system32\Ekholjqg.exe | 3696 |
205 | C:\Windows\SysWOW64\Epdkli32.exe | C:\Windows\system32\Epdkli32.exe | 3736 | Drops file in System32 directory
206 | C:\Windows\SysWOW64\Ebbgid32.exe | C:\Windows\system32\Ebbgid32.exe | 3776 |
207 | C:\Windows\SysWOW64\Efncicpm.exe | C:\Windows\system32\Efncicpm.exe | 3816 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
208 | C:\Windows\SysWOW64\Eilpeooq.exe | C:\Windows\system32\Eilpeooq.exe | 3856 | Adds autorun key to be loaded by Explorer.exe on startup
209 | C:\Windows\SysWOW64\Emhlfmgj.exe | C:\Windows\system32\Emhlfmgj.exe | 3896 |
210 | C:\Windows\SysWOW64\Epfhbign.exe | C:\Windows\system32\Epfhbign.exe | 3936 |
211 | C:\Windows\SysWOW64\Ebedndfa.exe | C:\Windows\system32\Ebedndfa.exe | 3976 | Modifies registry class
212 | C:\Windows\SysWOW64\Eecqjpee.exe | C:\Windows\system32\Eecqjpee.exe | 4016 | Modifies registry class
213 | C:\Windows\SysWOW64\Egamfkdh.exe | C:\Windows\system32\Egamfkdh.exe | 4056 | Adds autorun key to be loaded by Explorer.exe on startup
214 | C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\system32\Elmigj32.exe | 2396 | Adds autorun key to be loaded by Explorer.exe on startup
215 | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\system32\Epieghdk.exe | 3076 |
216 | C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\system32\Eajaoq32.exe | 3164 | Adds autorun key to be loaded by Explorer.exe on startup
217 | C:\Windows\SysWOW64\Eeempocb.exe | C:\Windows\system32\Eeempocb.exe | 3212 |
218 | C:\Windows\SysWOW64\Egdilkbf.exe | C:\Windows\system32\Egdilkbf.exe | 3272 | Drops file in System32 directory
219 | C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\system32\Ejbfhfaj.exe | 3312 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
220 | C:\Windows\SysWOW64\Ebinic32.exe | C:\Windows\system32\Ebinic32.exe | 3364 |
221 | C:\Windows\SysWOW64\Fehjeo32.exe | C:\Windows\system32\Fehjeo32.exe | 3424 | Drops file in System32 directory
222 | C:\Windows\SysWOW64\Fhffaj32.exe | C:\Windows\system32\Fhffaj32.exe | 3428 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
223 | C:\Windows\SysWOW64\Fjdbnf32.exe | C:\Windows\system32\Fjdbnf32.exe | 3520 |
224 | C:\Windows\SysWOW64\Fmcoja32.exe | C:\Windows\system32\Fmcoja32.exe | 3572 | Modifies registry class
225 | C:\Windows\SysWOW64\Fcmgfkeg.exe | C:\Windows\system32\Fcmgfkeg.exe | 3624 | Drops file in System32 directory; Modifies registry class
226 | C:\Windows\SysWOW64\Ffkcbgek.exe | C:\Windows\system32\Ffkcbgek.exe | 3676 |
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3724 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe228⤵PID:3768
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe229⤵PID:3824
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe230⤵PID:3864
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe231⤵
- Drops file in System32 directory
PID:3876 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe232⤵
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4012 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe234⤵
- Drops file in System32 directory
PID:4072 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe235⤵PID:3080
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe236⤵
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe237⤵
- Modifies registry class
PID:3200 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe238⤵PID:3232
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe239⤵PID:3288
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe240⤵PID:3404
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe241⤵
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe242⤵PID:3544