Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 22:53
Behavioral task: behavioral1
Sample: 065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe
Size: 229KB
MD5: 065758121befb57fbf4d8fbd9e601f50
SHA1: db734605cc8c4889314e8a8ca64c0fee68f6dfd8
SHA256: 9468171447556018ceca1a15e810a8291574cbcee7afafdfd06bf26b22d7cc1b
SHA512: 27506c68c6660038e0ff4caa04a22f62be72b5718028beeb1a4d8eec8ffdb1c04c761eac8935edb0045d905a6b3df3566a361e5f352d8446a51294b314a8a369
SSDEEP: 6144:4Qh1PjaEEPu+271+HZ/pvkym/89bYEwPhCKvav:4QCEf7AIfFfvav
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
pid 4268, pid_target 4244, process WerFault.exe, target process Fkckeh32.exe
Modifies registry class 64 IoCs
Processes:
Fjgoce32.exeFdapak32.exeApimacnn.exePimkpfeh.exeEgoife32.exeHlfdkoin.exeMppepcfg.exeMlkopcge.exeBpnbkeld.exeCafecmlj.exeKahojc32.exeLpdbloof.exeLahkigca.exeHjjddchg.exeOnhgbmfb.exeNdpfkdmf.exeEnnaieib.exeIqopea32.exeMkeimlfm.exeKaceodek.exeKmopod32.exeMgqcmlgl.exeCkafbbph.exeEcmkghcl.exeHicodd32.exeHlakpp32.exeGogangdc.exeKjljhjkl.exePqhpdhcc.exePmdjdh32.exeAplifb32.exeEpieghdk.exeFfnphf32.exeGbkgnfbd.exeAmhpnkch.exeDcfdgiid.exeIdceea32.exeChcqpmep.exeJgnamk32.exeEqdajkkb.exeMdpjlajk.exeCnmehnan.exeKgkafo32.exePkndaa32.exeChnqkg32.exeNkbhgojk.exeOnmdoioa.exeOclilp32.exeCphlljge.exeFnpnndgp.exeFlmefm32.exeObcccl32.exeDdagfm32.exeIfcbodli.exeAaobdjof.exeDpbheh32.exeDlnbeh32.exeDhdcji32.exeEkhhadmk.exeMpigfa32.exeBlpjegfm.exeBmpfojmp.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apimacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egoife32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlkopcge.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kahojc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpdbloof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmefakc.dll" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndpfkdmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkeimlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 
Kmopod32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mgqcmlgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" | Ckafbbph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ecmkghcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" | Hicodd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hlakpp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gogangdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kjljhjkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpkof32.dll" | Pqhpdhcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmdjdh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aplifb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Epieghdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ffnphf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" | Gbkgnfbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Amhpnkch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dcfdgiid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Idceea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chcqpmep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgnamk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpncj32.dll" | Eqdajkkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" | Ennaieib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mdpjlajk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnmehnan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqljpedj.dll" | Kgkafo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pkndaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chnqkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" | Gogangdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakbapml.dll" | Nkbhgojk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlepd32.dll" | Onmdoioa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oclilp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cphlljge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fnpnndgp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Flmefm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Obcccl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ddagfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlpli32.dll" | Ifcbodli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelpgepb.dll" | Aaobdjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll" | Dpbheh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dlnbeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dhdcji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ekhhadmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mpigfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giaekk32.dll" | Blpjegfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bmpfojmp.exe
-
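The InProcServer32 records above are one half of the persistence mechanism. The other half is the ShellServiceObjectDelayLoad (SSODL) value recorded under the "Adds autorun key to be loaded by Explorer.exe on startup" signature: it hands the same CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, to Explorer, and Explorer then loads whatever DLL that CLSID's InProcServer32 default value names, in-process, at logon. Each generation of the chain re-points that default value at a freshly dropped DLL in SysWow64 (Lnfhlh32.dll, Anllbdkl.dll, Ddpkof32.dll, Mncnkh32.dll and so on), so the CLSID, not any one DLL name, is the stable indicator. The Python below is an added example, not part of the sandbox report or of the sample: it splits the run-together "description ioc process" text as copied from the report into records, ties the SSODL value to the CLSID's InProcServer32 entries, and lists every DLL that CLSID has been pointed at. The sample input embeds four InProcServer32 records from the report plus one SSODL record constructed in the same shape as the autorun signature; the record regex is an assumption about the report's layout, not a published format.

```python
import re
from collections import defaultdict

# Constructed sample in the report's run-together "description ioc process" form.
# The four InProcServer32 records mirror entries from the report; the SSODL record
# is constructed here, in the shape of the autorun signature, to show the full chain.
SAMPLE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
    r'\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdopkn32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}'
    r'\InProcServer32\ThreadingModel = "Apartment" Mgqcmlgl.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}'
    r'\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Ckafbbph.exe '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}'
    r'\InProcServer32 Ecmkghcl.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}'
    r'\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" Hicodd32.exe'
)

# One record = description, registry IoC, writing process. The IoC may contain spaces
# (value names, "= data"), so a record ends only at the next description or end of text.
RECORD_RE = re.compile(
    r"(?P<desc>Key created|Set value \(\w+\))\s+"
    r"(?P<ioc>\\REGISTRY\\.*?)\s+"
    r"(?P<proc>\S+\.exe)"
    r"(?=\s+(?:Key created|Set value \()|\s*$)",
    re.DOTALL,
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SSODL = "\\ShellServiceObjectDelayLoad\\"


def parse_records(text):
    """Split a run-together IoC dump into (description, ioc, process) triples."""
    return [(m["desc"], m["ioc"], m["proc"]) for m in RECORD_RE.finditer(text)]


def analyse(records):
    """Group registry writes by CLSID: which SSODL name hands it to Explorer, which DLLs
    its InProcServer32 default value has pointed at, and which processes wrote them."""
    servers = defaultdict(lambda: {"ssodl_names": set(), "dlls": set(), "threading": set(), "writers": set()})
    for desc, ioc, proc in records:
        key, _, value = ioc.partition(" = ")
        value = value.strip('"')
        if SSODL in key and desc.startswith("Set value"):
            # The SSODL value data is the CLSID Explorer will instantiate at logon.
            entry = servers[value]
            entry["ssodl_names"].add(key.rsplit("\\", 1)[1])
            entry["writers"].add(proc)
            continue
        clsid = CLSID_RE.search(key)
        if not clsid or "\\InProcServer32" not in key:
            continue
        entry = servers[clsid.group(0)]
        entry["writers"].add(proc)
        if key.endswith("\\InProcServer32\\"):
            # Default value of InProcServer32: the DLL COM loads in-process for this CLSID.
            # The report escapes backslashes in value data; undo that for a usable path.
            entry["dlls"].add(value.replace("\\\\", "\\"))
        elif key.endswith("\\ThreadingModel"):
            entry["threading"].add(value)
    return servers


def explorer_loaded_servers(servers):
    """CLSIDs that an SSODL entry hands to Explorer, with the DLLs they resolve to."""
    return [
        (clsid, sorted(info["ssodl_names"]), sorted(info["dlls"]))
        for clsid, info in sorted(servers.items())
        if info["ssodl_names"]
    ]


if __name__ == "__main__":
    for clsid, names, dlls in explorer_loaded_servers(analyse(parse_records(SAMPLE))):
        print(f"{clsid} via SSODL {names} -> {dlls}")
```

Because the sample is 32-bit, every one of these writes lands in a Wow6432Node view, and a 64-bit explorer.exe cannot load a 32-bit in-process server; confirm the entry on the architecture you are actually triaging rather than assuming it fires on x64. On a suspect host the same chain is checked the other way round: enumerate the SSODL values, resolve each CLSID's InProcServer32 default under both HKLM\SOFTWARE\Classes\CLSID and the Wow6432Node view, and compare the DLL path against a known-good list.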
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe, Bjijdadm.exe, Bdooajdc.exe, Cdakgibq.exe, Cllpkl32.exe, Cphlljge.exe, Chcqpmep.exe, Cfgaiaci.exe, Cckace32.exe, Chhjkl32.exe, Dbpodagk.exe, Dflkdp32.exe, Ddagfm32.exe, Dnilobkm.exe, Dcfdgiid.exe, Dqjepm32.exe
description | pid | process | target process | events logged
PID 2100 wrote to memory of 2124 | 2100 | 065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe | Bjijdadm.exe | 4
PID 2124 wrote to memory of 2080 | 2124 | Bjijdadm.exe | Bdooajdc.exe | 4
PID 2080 wrote to memory of 2732 | 2080 | Bdooajdc.exe | Cdakgibq.exe | 4
PID 2732 wrote to memory of 1152 | 2732 | Cdakgibq.exe | Cllpkl32.exe | 4
PID 1152 wrote to memory of 2796 | 1152 | Cllpkl32.exe | Cphlljge.exe | 4
PID 2796 wrote to memory of 2508 | 2796 | Cphlljge.exe | Chcqpmep.exe | 4
PID 2508 wrote to memory of 2200 | 2508 | Chcqpmep.exe | Cfgaiaci.exe | 4
PID 2200 wrote to memory of 1236 | 2200 | Cfgaiaci.exe | Cckace32.exe | 4
PID 1236 wrote to memory of 2924 | 1236 | Cckace32.exe | Chhjkl32.exe | 4
PID 2924 wrote to memory of 1852 | 2924 | Chhjkl32.exe | Dbpodagk.exe | 4
PID 1852 wrote to memory of 1628 | 1852 | Dbpodagk.exe | Dflkdp32.exe | 4
PID 1628 wrote to memory of 2152 | 1628 | Dflkdp32.exe | Ddagfm32.exe | 4
PID 2152 wrote to memory of 1912 | 2152 | Ddagfm32.exe | Dnilobkm.exe | 4
PID 1912 wrote to memory of 1388 | 1912 | Dnilobkm.exe | Dcfdgiid.exe | 4
PID 1388 wrote to memory of 1596 | 1388 | Dcfdgiid.exe | Dqjepm32.exe | 4
PID 1596 wrote to memory of 1776 | 1596 | Dqjepm32.exe | Dgdmmgpj.exe | 4
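The 64 events in this section are sixteen writer/target pairs, each recorded four times, and the target of every pair is the writer of the next: the sample is a linear chain in which each stage starts exactly one successor under a new name in SysWOW64. Four writes from a parent into a process it has just created are consistent with what the Windows process-creation path itself does to set up the child, which sandbox hooks record as WriteProcessMemory; that is a different signal from writes into a process the writer did not start, which is the shape of code injection. The Python below is an added example, not part of the report: it parses the records, counts writes per pair, follows the chain from the root PID, and, given the parent relationships the process tree further down shows, reports any write whose target is not the writer's own child. The sample input is the first three pairs from the report repeated four times as logged, plus one constructed event (PID 1111, hypothetical.exe, neither of which appears in the report) to exercise the foreign-target branch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first three writer/target pairs from the report, each
# repeated four times exactly as the sandbox logged them, run together as extracted.
_PAIRS = [
    "PID 2100 wrote to memory of 2124 2100 065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe Bjijdadm.exe",
    "PID 2124 wrote to memory of 2080 2124 Bjijdadm.exe Bdooajdc.exe",
    "PID 2080 wrote to memory of 2732 2080 Bdooajdc.exe Cdakgibq.exe",
]
SAMPLE_WPM = " ".join(line for line in _PAIRS for _ in range(4))

# Parent PIDs as the report's process tree shows them for these stages.
PARENT_OF = {2124: 2100, 2080: 2124, 2732: 2080}

# Hypothetical extra event, not from the report: a write into a PID the writer did not start.
INJECT_EVENT = ("PID 2100 wrote to memory of 1111 2100 "
                "065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe hypothetical.exe")

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the writer PID repeats.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P=src)\s+"
    r"(?P<src_img>\S+\.exe)\s+(?P<dst_img>\S+\.exe)"
)


def parse_wpm(text):
    """One tuple per logged event: (writer_pid, writer_image, target_pid, target_image)."""
    return [(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]) for m in WPM_RE.finditer(text)]


def writes_per_pair(events):
    """Number of WriteProcessMemory events per (writer_pid, target_pid)."""
    return Counter((src, dst) for src, _, dst, _ in events)


def spawn_chain(events, root_pid):
    """Follow writer -> target hops from root_pid while each writer has exactly one target,
    which is the shape of a sample that starts one successor per stage."""
    targets, images = defaultdict(set), {}
    for src, src_img, dst, dst_img in events:
        targets[src].add(dst)
        images[src], images[dst] = src_img, dst_img
    chain, seen, pid = [(root_pid, images.get(root_pid))], {root_pid}, root_pid
    while len(targets.get(pid, ())) == 1:
        nxt = next(iter(targets[pid]))
        if nxt in seen:  # a cycle would mean these records are not a spawn chain
            break
        chain.append((nxt, images[nxt]))
        seen.add(nxt)
        pid = nxt
    return chain


def foreign_writes(events, parent_of):
    """Events whose target is not the writer's own child: the injection-shaped ones."""
    return sorted({e for e in events if parent_of.get(e[2]) != e[0]})


if __name__ == "__main__":
    events = parse_wpm(SAMPLE_WPM + " " + INJECT_EVENT)
    print(writes_per_pair(events))
    print(spawn_chain(parse_wpm(SAMPLE_WPM), 2100))
    print(foreign_writes(events, PARENT_OF))
```

With the report's own records, foreign_writes returns nothing and the chain runs root, Bjijdadm.exe, Bdooajdc.exe, Cdakgibq.exe; only the constructed event is flagged, and its presence also stops spawn_chain at the root because PID 2100 then has two targets. When the parent map comes from the sandbox's process tree rather than from the writes themselves, the check cannot be fooled by a writer that happens to target its own later descendant.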
Processes
-
Tag key: A = Adds autorun key to be loaded by Explorer.exe on startup; X = Executes dropped EXE; L = Loads dropped DLL; D = Drops file in System32 directory; R = Modifies registry class; W = Suspicious use of WriteProcessMemory.
The tree is a single chain: each process starts the next, so the level number is also the generation. The logged command line for level 1 is "C:\Users\Admin\AppData\Local\Temp\065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe"; for every later level it is C:\Windows\system32\<image>, which WOW64 file system redirection resolves to the C:\Windows\SysWOW64\ path shown, since the sample is 32-bit.
level | image | PID | tags
1 | C:\Users\Admin\AppData\Local\Temp\065758121befb57fbf4d8fbd9e601f50_NeikiAnalytics.exe | 2100 | L D W
2 | C:\Windows\SysWOW64\Bjijdadm.exe | 2124 | A X L W
3 | C:\Windows\SysWOW64\Bdooajdc.exe | 2080 | A X L W
4 | C:\Windows\SysWOW64\Cdakgibq.exe | 2732 | X L W
5 | C:\Windows\SysWOW64\Cllpkl32.exe | 1152 | X L W
6 | C:\Windows\SysWOW64\Cphlljge.exe | 2796 | X L R W
7 | C:\Windows\SysWOW64\Chcqpmep.exe | 2508 | X L R W
8 | C:\Windows\SysWOW64\Cfgaiaci.exe | 2200 | X L W
9 | C:\Windows\SysWOW64\Cckace32.exe | 1236 | X L D W
10 | C:\Windows\SysWOW64\Chhjkl32.exe | 2924 | X L W
11 | C:\Windows\SysWOW64\Dbpodagk.exe | 1852 | X L W
12 | C:\Windows\SysWOW64\Dflkdp32.exe | 1628 | A X L W
13 | C:\Windows\SysWOW64\Ddagfm32.exe | 2152 | X L D R W
14 | C:\Windows\SysWOW64\Dnilobkm.exe | 1912 | X L W
15 | C:\Windows\SysWOW64\Dcfdgiid.exe | 1388 | X L R W
16 | C:\Windows\SysWOW64\Dqjepm32.exe | 1596 | X L W
17 | C:\Windows\SysWOW64\Dgdmmgpj.exe | 1776 | X L
18 | C:\Windows\SysWOW64\Doobajme.exe | 380 | A X L
19 | C:\Windows\SysWOW64\Dfijnd32.exe | 1040 | X L
20 | C:\Windows\SysWOW64\Epaogi32.exe | 2448 | X L
21 | C:\Windows\SysWOW64\Ecmkghcl.exe | 2456 | X L R
22 | C:\Windows\SysWOW64\Ekholjqg.exe | 1432 | X L
23 | C:\Windows\SysWOW64\Efncicpm.exe | 1516 | X L
24 | C:\Windows\SysWOW64\Eeqdep32.exe | 1800 | A X L
25 | C:\Windows\SysWOW64\Enihne32.exe | 2368 | X L
26 | C:\Windows\SysWOW64\Epieghdk.exe | 1620 | X L D R
27 | C:\Windows\SysWOW64\Ebgacddo.exe | 2084 | X L
28 | C:\Windows\SysWOW64\Eloemi32.exe | 2312 | A X L D
29 | C:\Windows\SysWOW64\Ennaieib.exe | 2728 | X L D R
30 | C:\Windows\SysWOW64\Flabbihl.exe | 2860 | X L
31 | C:\Windows\SysWOW64\Fnpnndgp.exe | 2768 | X L D R
32 | C:\Windows\SysWOW64\Fmcoja32.exe | 2212 | X L
33 | C:\Windows\SysWOW64\Fjgoce32.exe | 2528 | X D R
34 | C:\Windows\SysWOW64\Fdoclk32.exe | 2320 | A X
35 | C:\Windows\SysWOW64\Ffnphf32.exe | 2776 | X R
36 | C:\Windows\SysWOW64\Fdapak32.exe | 2920 | X R
37 | C:\Windows\SysWOW64\Ffpmnf32.exe | 2432 | X D
38 | C:\Windows\SysWOW64\Flmefm32.exe | 1588 | A X R
39 | C:\Windows\SysWOW64\Fbgmbg32.exe | 1768 | X
40 | C:\Windows\SysWOW64\Gbijhg32.exe | 276 | X
41 | C:\Windows\SysWOW64\Gegfdb32.exe | 308 | X D
42 | C:\Windows\SysWOW64\Gpmjak32.exe | 1504 | A X
43 | C:\Windows\SysWOW64\Gbkgnfbd.exe | 1600 | X R
44 | C:\Windows\SysWOW64\Gangic32.exe | 1780 | X
45 | C:\Windows\SysWOW64\Gaqcoc32.exe | 764 | X
46 | C:\Windows\SysWOW64\Gdopkn32.exe | 1656 | A X
47 | C:\Windows\SysWOW64\Glfhll32.exe | 1784 | X
48 | C:\Windows\SysWOW64\Gmgdddmq.exe | 2196 | X
49 | C:\Windows\SysWOW64\Geolea32.exe | 1592 | X
50 | C:\Windows\SysWOW64\Ggpimica.exe | 848 | X D
51 | C:\Windows\SysWOW64\Gogangdc.exe | 3000 | X R
52 | C:\Windows\SysWOW64\Gphmeo32.exe | 1572 | A X
53 | C:\Windows\SysWOW64\Hknach32.exe | 2624 | X
54 | C:\Windows\SysWOW64\Hiqbndpb.exe | 2712 | X
55 | C:\Windows\SysWOW64\Hdfflm32.exe | 2812 | X
56 | C:\Windows\SysWOW64\Hgdbhi32.exe | 2492 | X D
57 | C:\Windows\SysWOW64\Hicodd32.exe | 2204 | X R
58 | C:\Windows\SysWOW64\Hlakpp32.exe | 1220 | X R
59 | C:\Windows\SysWOW64\Hckcmjep.exe | 2828 | X
60 | C:\Windows\SysWOW64\Hejoiedd.exe | 2412 | X D
61 | C:\Windows\SysWOW64\Hiekid32.exe | 1976 | X
62 | C:\Windows\SysWOW64\Hpocfncj.exe | 1812 | A X
63 | C:\Windows\SysWOW64\Hcnpbi32.exe | 1056 | X D
64 | C:\Windows\SysWOW64\Hellne32.exe | 2284 | X
65 | C:\Windows\SysWOW64\Hhjhkq32.exe | 2864 | X
66 | C:\Windows\SysWOW64\Hlfdkoin.exe | 792 | R
67 | C:\Windows\SysWOW64\Hodpgjha.exe | 2452 |
68 | C:\Windows\SysWOW64\Hacmcfge.exe | 3064 |
69 | C:\Windows\SysWOW64\Hjjddchg.exe | 1364 | D R
70 | C:\Windows\SysWOW64\Hlhaqogk.exe | 2404 |
71 | C:\Windows\SysWOW64\Icbimi32.exe | 2008 |
72 | C:\Windows\SysWOW64\Idceea32.exe | 3032 | R
73 | C:\Windows\SysWOW64\Ioijbj32.exe | 2744 | A D
74 | C:\Windows\SysWOW64\Inljnfkg.exe | 2816 |
75 | C:\Windows\SysWOW64\Ifcbodli.exe | 2572 | A R
76 | C:\Windows\SysWOW64\Ihankokm.exe | 2672 |
77 | C:\Windows\SysWOW64\Iokfhi32.exe | 2952 |
78 | C:\Windows\SysWOW64\Iajcde32.exe | 1964 |
79 | C:\Windows\SysWOW64\Iqmcpahh.exe | 1772 | A
80 | C:\Windows\SysWOW64\Iggkllpe.exe | 108 |
81 | C:\Windows\SysWOW64\Inqcif32.exe | 2688 | A
82 | C:\Windows\SysWOW64\Iqopea32.exe | 2108 | R
83 | C:\Windows\SysWOW64\Idklfpon.exe | 1276 |
84 | C:\Windows\SysWOW64\Ikddbj32.exe | 1564 |
85 | C:\Windows\SysWOW64\Incpoe32.exe | 2900 |
86 | C:\Windows\SysWOW64\Iqalka32.exe | 2884 |
87 | C:\Windows\SysWOW64\Icpigm32.exe | 2332 | A
88 | C:\Windows\SysWOW64\Jjjacf32.exe | 2844 |
89 | C:\Windows\SysWOW64\Jofiln32.exe | 2752 |
90 | C:\Windows\SysWOW64\Jgnamk32.exe | 2944 | D R
91 | C:\Windows\SysWOW64\Jiondcpk.exe | 2824 |
92 | C:\Windows\SysWOW64\Jmjjea32.exe | 1320 | A D
93 | C:\Windows\SysWOW64\Jcdbbloa.exe | 2160 | A
94 | C:\Windows\SysWOW64\Jbgbni32.exe | 236 | D
95 | C:\Windows\SysWOW64\Jjojofgn.exe | 2268 |
96 | C:\Windows\SysWOW64\Jiakjb32.exe | 2676 |
97 | C:\Windows\SysWOW64\Jmmfkafa.exe | 816 | D
98 | C:\Windows\SysWOW64\Jokcgmee.exe | 1672 |
99 | C:\Windows\SysWOW64\Jcgogk32.exe | 952 | A D
100 | C:\Windows\SysWOW64\Jfekcg32.exe | 880 |
101 | C:\Windows\SysWOW64\Jkbcln32.exe | 1548 |
102 | C:\Windows\SysWOW64\Jnqphi32.exe | 2588 |
103 | C:\Windows\SysWOW64\Jfghif32.exe | 2832 |
104 | C:\Windows\SysWOW64\Jgidao32.exe | 2632 |
105 | C:\Windows\SysWOW64\Jbnhng32.exe | 2780 | A
106 | C:\Windows\SysWOW64\Kgkafo32.exe | 2820 | R
107 | C:\Windows\SysWOW64\Kneicieh.exe | 1128 | D
108 | C:\Windows\SysWOW64\Kaceodek.exe | 316 | R
109 | C:\Windows\SysWOW64\Kgnnln32.exe | 1904 | A
110 | C:\Windows\SysWOW64\Kjljhjkl.exe | 2444 | R
111 | C:\Windows\SysWOW64\Kafbec32.exe | 2132 |
112 | C:\Windows\SysWOW64\Kgpjanje.exe | 2836 |
113 | C:\Windows\SysWOW64\Knjbnh32.exe | 1740 |
114 | C:\Windows\SysWOW64\Kahojc32.exe | 3068 | R
115 | C:\Windows\SysWOW64\Kpkofpgq.exe | 2524 |
116 | C:\Windows\SysWOW64\Kgbggnhc.exe | 856 |
117 | C:\Windows\SysWOW64\Kiccofna.exe | 2936 | D
118 | C:\Windows\SysWOW64\Kmopod32.exe | 1244 | A D R
119 | C:\Windows\SysWOW64\Kcihlong.exe | 2480 | D
120 | C:\Windows\SysWOW64\Kfgdhjmk.exe | 2172 |
121 | C:\Windows\SysWOW64\Kmaled32.exe | 844 | A
122 | C:\Windows\SysWOW64\Lpphap32.exe | 2156 |
123 | C:\Windows\SysWOW64\Lfjqnjkh.exe | 2364 |
124 | C:\Windows\SysWOW64\Lemaif32.exe | 2600 |
125 | C:\Windows\SysWOW64\Lpbefoai.exe | 1836 |
126 | C:\Windows\SysWOW64\Lijjoe32.exe | 2976 | D
127 | C:\Windows\SysWOW64\Lhmjkaoc.exe | 2308 | A
128 | C:\Windows\SysWOW64\Lpdbloof.exe | 1092 | R
129 | C:\Windows\SysWOW64\Leajdfnm.exe | 672 | A
130 | C:\Windows\SysWOW64\Limfed32.exe | 988 |
131 | C:\Windows\SysWOW64\Lhpfqama.exe | 2168 |
132 | C:\Windows\SysWOW64\Lojomkdn.exe | 840 |
133 | C:\Windows\SysWOW64\Lahkigca.exe | 2680 | R
134 | C:\Windows\SysWOW64\Ldfgebbe.exe | 2496 |
135 | C:\Windows\SysWOW64\Lhbcfa32.exe | 2568 | D
136 | C:\Windows\SysWOW64\Lollckbk.exe | 2772 |
137 | C:\Windows\SysWOW64\Lmolnh32.exe | 2556 |
138 | C:\Windows\SysWOW64\Ldidkbpb.exe | 768 |
139 | C:\Windows\SysWOW64\Mhdplq32.exe | 2424 |
140 | C:\Windows\SysWOW64\Mkclhl32.exe | 2856 |
141 | C:\Windows\SysWOW64\Mmahdggc.exe | 376 | A
142 | C:\Windows\SysWOW64\Mppepcfg.exe | 1764 | R
143 | C:\Windows\SysWOW64\Mdkqqa32.exe | 3040 |
144 | C:\Windows\SysWOW64\Mkeimlfm.exe | 1680 | R
145 | C:\Windows\SysWOW64\Mihiih32.exe | 2612 |
146 | C:\Windows\SysWOW64\Maoajf32.exe | 772 |
147 | C:\Windows\SysWOW64\Mbpnanch.exe | 2664 |
148 | C:\Windows\SysWOW64\Mkgfckcj.exe | 1396 | D
149 | C:\Windows\SysWOW64\Mijfnh32.exe | 2028 |
150 | C:\Windows\SysWOW64\Mpdnkb32.exe | 1988 |
151 | C:\Windows\SysWOW64\Mdpjlajk.exe | 1252 | R
152 | C:\Windows\SysWOW64\Mgnfhlin.exe | 2580 |
153 | C:\Windows\SysWOW64\Mimbdhhb.exe | 1576 |
154 | C:\Windows\SysWOW64\Mlkopcge.exe | 2604 | R
155 | C:\Windows\SysWOW64\Moiklogi.exe | 2660 | D
156 | C:\Windows\SysWOW64\Mgqcmlgl.exe | 1748 | R
157 | C:\Windows\SysWOW64\Miooigfo.exe | 1416 |
158 | C:\Windows\SysWOW64\Mlmlecec.exe | 1480 |
159 | C:\Windows\SysWOW64\Mpigfa32.exe | 1932 | R
160 | C:\Windows\SysWOW64\Najdnj32.exe | 372 |
161 | C:\Windows\SysWOW64\Nefpnhlc.exe | 2700 |
162 | C:\Windows\SysWOW64\Nlphkb32.exe | 2532 |
163 | C:\Windows\SysWOW64\Nkbhgojk.exe | 2040 | R
164 | C:\Windows\SysWOW64\Namqci32.exe | 2244 |
165 | C:\Windows\SysWOW64\Nehmdhja.exe | 304 |
166 | C:\Windows\SysWOW64\Nhfipcid.exe | 2888 |
167 | C:\Windows\SysWOW64\Nkeelohh.exe | 2756 |
168 | C:\Windows\SysWOW64\Nncahjgl.exe | 2788 | A
169 | C:\Windows\SysWOW64\Nejiih32.exe | 1984 |
170 | C:\Windows\SysWOW64\Nhiffc32.exe | 1616 |
171 | C:\Windows\SysWOW64\Nglfapnl.exe | 2504 |
172 | C:\Windows\SysWOW64\Nnennj32.exe | 2940 |
173 | C:\Windows\SysWOW64\Naajoinb.exe | 628 |
174 | C:\Windows\SysWOW64\Ndpfkdmf.exe | 1708 | R
175 | C:\Windows\SysWOW64\Nhkbkc32.exe | 2692 |
176 | C:\Windows\SysWOW64\Njlockkm.exe | 1652 |
177 | C:\Windows\SysWOW64\Nacgdhlp.exe | 580 | A
178 | C:\Windows\SysWOW64\Ndbcpd32.exe | 2652 | D
179 | C:\Windows\SysWOW64\Ngpolo32.exe | 2416 |
180 | C:\Windows\SysWOW64\Ojolhk32.exe | 2644 |
181 | C:\Windows\SysWOW64\Onjgiiad.exe | 2260 | A
182 | C:\Windows\SysWOW64\Oddpfc32.exe | 2060 | D
183 | C:\Windows\SysWOW64\Ocgpappk.exe | 2180 |
184 | C:\Windows\SysWOW64\Ojahnj32.exe | 2036 |
185 | C:\Windows\SysWOW64\Onmdoioa.exe | 2740 | R
186 | C:\Windows\SysWOW64\Oonafa32.exe | 3004 |
187 | C:\Windows\SysWOW64\Ocimgp32.exe | 1860 |
188 | C:\Windows\SysWOW64\Ofhick32.exe | 1732 | D
189 | C:\Windows\SysWOW64\Ohfeog32.exe | 3096 |
190 | C:\Windows\SysWOW64\Oopnlacm.exe | 3136 | D
191 | C:\Windows\SysWOW64\Oclilp32.exe | 3176 | R
192 | C:\Windows\SysWOW64\Ojfaijcc.exe | 3216 |
193 | C:\Windows\SysWOW64\Ohibdf32.exe | 3256 |
194 | C:\Windows\SysWOW64\Oobjaqaj.exe | 3296 |
195 | C:\Windows\SysWOW64\Ocnfbo32.exe | 3336 | D
196 | C:\Windows\SysWOW64\Odobjg32.exe | 3376 | A
197 | C:\Windows\SysWOW64\Omfkke32.exe | 3416 | A
198 | C:\Windows\SysWOW64\Onhgbmfb.exe | 3456 | R
199 | C:\Windows\SysWOW64\Obcccl32.exe | 3496 | A R
200 | C:\Windows\SysWOW64\Pimkpfeh.exe | 3536 | R
201 | C:\Windows\SysWOW64\Pgplkb32.exe | 3576 | A D
202 | C:\Windows\SysWOW64\Pnjdhmdo.exe | 3616 |
203 | C:\Windows\SysWOW64\Pqhpdhcc.exe | 3656 | R
204 | C:\Windows\SysWOW64\Pgbhabjp.exe | 3696 |
205 | C:\Windows\SysWOW64\Pkndaa32.exe | 3736 | R
206 | C:\Windows\SysWOW64\Pbhmnkjf.exe | 3776 | A
207 | C:\Windows\SysWOW64\Pqkmjh32.exe | 3816 | D
208 | C:\Windows\SysWOW64\Pgeefbhm.exe | 3864 |
209 | C:\Windows\SysWOW64\Pkpagq32.exe | 3904 |
210 | C:\Windows\SysWOW64\Pnomcl32.exe | 3944 |
211 | C:\Windows\SysWOW64\Pamiog32.exe | 3984 | A
212 | C:\Windows\SysWOW64\Pggbla32.exe | 4024 |
213 | C:\Windows\SysWOW64\Pjenhm32.exe | 4064 |
214 | C:\Windows\SysWOW64\Pmdjdh32.exe | 2544 | R
215 | C:\Windows\SysWOW64\Ppbfpd32.exe | 3124 |
216 | C:\Windows\SysWOW64\Pcnbablo.exe | 3148 |
217 | C:\Windows\SysWOW64\Pjhknm32.exe | 3228 |
218 | C:\Windows\SysWOW64\Pikkiijf.exe | 3268 |
219 | C:\Windows\SysWOW64\Qmfgjh32.exe | 3332 |
220 | C:\Windows\SysWOW64\Qabcjgkh.exe | 3372 | A
221 | C:\Windows\SysWOW64\Qjjgclai.exe | 3432 | A D
222 | C:\Windows\SysWOW64\Qmicohqm.exe | 3472 |
223 | C:\Windows\SysWOW64\Qpgpkcpp.exe | 3520 |
224 | C:\Windows\SysWOW64\Qbelgood.exe | 3572 | A
225 | C:\Windows\SysWOW64\Qedhdjnh.exe | 3624 |
226 | C:\Windows\SysWOW64\Amkpegnj.exe | 3636 |
227 | C:\Windows\SysWOW64\Apimacnn.exe | 3716 | D R
228 | C:\Windows\SysWOW64\Abhimnma.exe | 3760 |
229 | C:\Windows\SysWOW64\Aefeijle.exe | 3824 |
230 | C:\Windows\SysWOW64\Ahdaee32.exe | 3884 |
231 | C:\Windows\SysWOW64\Aplifb32.exe | 3916 | A D R
232 | C:\Windows\SysWOW64\Abjebn32.exe | 3976 |
233 | C:\Windows\SysWOW64\Aehboi32.exe | 4020 |
234 | C:\Windows\SysWOW64\Ahgnke32.exe | 4080 |
235 | C:\Windows\SysWOW64\Ajejgp32.exe | 3104 | D
236 | C:\Windows\SysWOW64\Abmbhn32.exe | 3164 |
237 | C:\Windows\SysWOW64\Aaobdjof.exe | (cut off in source) |
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe238⤵PID:3288
-
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3348 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe240⤵PID:3396
-
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe241⤵PID:3468
-
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe242⤵PID:3532
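The tree above is a long chain in which every stage launches the next under a different eight-letter name, and only some stages carry the "Adds autorun key to be loaded by Explorer.exe on startup" tag. The Python below is an added example, not part of the sandbox report or of the sample: it parses the raw export form of this tree (image path and command line run together, then the tree position, then behaviour bullets and the PID on its own line or fused onto the process line), checks that the positions form a contiguous spawn chain, collects the binary names for a host sweep, and flags the persistence stages. The embedded text is a constructed copy of the first five entries; `ProcessEntry`, `parse_tree` and `summarise` are names chosen here. The image/command-line mismatch (SysWOW64 on disk, system32 on the command line) is the WoW64 file-system redirection a 32-bit process gets on 64-bit Windows, so it is exposed as a flag rather than treated as noise.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the first five entries of the tree above, in the raw
# form the sandbox export produces (paths run together, tree position with
# the ⤵ glyph, behaviour bullets, "PID:n -" separator lines).
SAMPLE = r"""
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe198⤵
- Modifies registry class
PID:3456 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe200⤵
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe202⤵PID:3616
-
"""

PERSISTENCE = "Adds autorun key to be loaded by Explorer.exe on startup"

# Process line: image path, optional command line glued to it, tree position,
# optional ⤵ (U+2935), and optionally the PID fused onto the same line.
PROC_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\\S*?\.exe)"
    r"(?P<cmdline>[A-Za-z]:\\\S*?\.exe)?"
    r"(?P<pos>\d+)\u2935?"
    r"\s*(?:PID:(?P<pid>\d+))?\s*$"
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")


@dataclass
class ProcessEntry:
    image: str
    cmdline: str
    position: int
    pid: Optional[int] = None
    behaviours: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]

    @property
    def wow64_redirected(self) -> bool:
        # 32-bit image launched via a system32 path lands in SysWOW64.
        return (self.image.lower().startswith("c:\\windows\\syswow64\\")
                and self.cmdline.lower().startswith("c:\\windows\\system32\\"))


def parse_tree(text: str) -> List[ProcessEntry]:
    """Turn the raw export text into ordered ProcessEntry records."""
    entries: List[ProcessEntry] = []
    current: Optional[ProcessEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank or separator line
            continue
        m = PROC_RE.match(line)
        if m:
            current = ProcessEntry(
                image=m["image"],
                cmdline=m["cmdline"] or m["image"],
                position=int(m["pos"]),
                pid=int(m["pid"]) if m["pid"] else None,
            )
            entries.append(current)
            continue
        if current is None:                  # text before the first process
            continue
        pm = PID_RE.match(line)
        if pm:
            current.pid = int(pm["pid"])
        elif line.startswith("- "):
            current.behaviours.append(line[2:].strip())
    return entries


def summarise(entries: List[ProcessEntry]) -> dict:
    """Triage view: chain contiguity, behaviour tallies, persistence stages, IOC names."""
    positions = [e.position for e in entries]
    contiguous = all(b == a + 1 for a, b in zip(positions, positions[1:]))
    counts = Counter(b for e in entries for b in e.behaviours)
    return {
        "processes": len(entries),
        "contiguous_chain": contiguous,
        "all_wow64": all(e.wow64_redirected for e in entries),
        "behaviour_counts": dict(counts),
        "persistence_stages": [e.name for e in entries if PERSISTENCE in e.behaviours],
        "dropped_binaries": sorted({e.name for e in entries}),
    }


if __name__ == "__main__":
    for k, v in summarise(parse_tree(SAMPLE)).items():
        print(f"{k}: {v}")
```

Feed it the full tree instead of the excerpt and `dropped_binaries` becomes the list of filenames to sweep `C:\Windows\SysWOW64` for on suspect hosts, while `persistence_stages` names the binaries whose registry writes need to be cleaned up alongside the files; a broken `contiguous_chain` would mean the export was truncated or the tree has a branch the parser did not see.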