Analysis
max time kernel: 139s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 23:24
Behavioral task: behavioral1
Sample: 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
Size: 669KB
MD5: 0a6d59bae52f7d357589713d099cef30
SHA1: 46ba5e3a1fcbf750a9cbef2b44abe36201042f68
SHA256: ff48b5ce64c6060f42f431fde4955411ef02923198a2cb6824d5b83b8fa854c2
SHA512: 1fc37c2cef273c07d7227b268d97b07dbd81a8d5476626ed9ecbdec3cd1bcb8740cb5aaefc3e501a30c9cd2d007ee47299c29ac9d013e45831b025fa6642ad80
SSDEEP: 12288:qooB+Eo+eVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:qRBjoZchMpQnqrdX72LbY6x46uR/qYgL
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes: Igakgfpn.exe, Fnpnndgp.exe, Gkgkbipp.exe, Kgnnln32.exe, Gfjhgdck.exe, Nacgdhlp.exe, Poapfn32.exe, Ldidkbpb.exe, Aemkjiem.exe, Aeenochi.exe, Dgmglh32.exe, Aefeijle.exe, Cgcmlcja.exe, Djklnnaj.exe, Ofmbnkhg.exe, Pbfpik32.exe, Cldooj32.exe, Jjlnif32.exe, Kaceodek.exe, Kifpdelo.exe, Mlkopcge.exe, Fdapak32.exe, Qmfgjh32.exe, Figlolbf.exe, Nigome32.exe, Jnkpbcjg.exe, Odlojanh.exe, Acpdko32.exe, Abbeflpf.exe, Hhmepp32.exe, Gedbdlbb.exe, Oagmmgdm.exe, Bmhideol.exe, Djhphncm.exe, Hbfbgd32.exe, Icmegf32.exe, Niebhf32.exe, Bpfeppop.exe, Eloemi32.exe, Hgdbhi32.exe, Hggomh32.exe, Llnofpcg.exe, Okfgfl32.exe, Pgpeal32.exe, Pqjfoa32.exe, Qcbllb32.exe, Fcefji32.exe, Kcakaipc.exe, Lbfdaigg.exe, Fidoim32.exe, Lghjel32.exe, Hdhbam32.exe, Jbjochdi.exe, Peiepfgg.exe, Bdeeqehb.exe, Gmgninie.exe, Iimjmbae.exe, Lmgocb32.exe, Nhaikn32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igakgfpn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnpnndgp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkgkbipp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgnnln32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfjhgdck.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nacgdhlp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Poapfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ldidkbpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aemkjiem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aeenochi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgmglh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aefeijle.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgcmlcja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djklnnaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofmbnkhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pbfpik32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cldooj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjlnif32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kaceodek.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kifpdelo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mlkopcge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdapak32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qmfgjh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Figlolbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nigome32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnkpbcjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odlojanh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acpdko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abbeflpf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhmepp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gedbdlbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oagmmgdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmhideol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgcmlcja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djhphncm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmhideol.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abbeflpf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbfpik32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbfbgd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icmegf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Niebhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nacgdhlp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpfeppop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eloemi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hgdbhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hggomh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llnofpcg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okfgfl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgpeal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqjfoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcbllb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcefji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kcakaipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbfdaigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fidoim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lghjel32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdhbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbjochdi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peiepfgg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdeeqehb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmgninie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iimjmbae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lmgocb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nhaikn32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource | yara_rule
\Windows\SysWOW64\Dflkdp32.exe | family_berbew
\Windows\SysWOW64\Dgmglh32.exe | family_berbew
behavioral1/memory/2216-28-0x0000000000440000-0x0000000000474000-memory.dmp | family_berbew
\Windows\SysWOW64\Dqjepm32.exe | family_berbew
C:\Windows\SysWOW64\Djbiicon.exe | family_berbew
\Windows\SysWOW64\Ekholjqg.exe | family_berbew
\Windows\SysWOW64\Epfhbign.exe | family_berbew
\Windows\SysWOW64\Eloemi32.exe | family_berbew
\Windows\SysWOW64\Fnpnndgp.exe | family_berbew
\Windows\SysWOW64\Faagpp32.exe | family_berbew
C:\Windows\SysWOW64\Fhkpmjln.exe | family_berbew
C:\Windows\SysWOW64\Filldb32.exe | family_berbew
\Windows\SysWOW64\Fmjejphb.exe | family_berbew
C:\Windows\SysWOW64\Fbgmbg32.exe | family_berbew
C:\Windows\SysWOW64\Gkihhhnm.exe | family_berbew
C:\Windows\SysWOW64\Iajcde32.exe | family_berbew
C:\Windows\SysWOW64\Igkdgk32.exe | family_berbew
C:\Windows\SysWOW64\Jicgpb32.exe | family_berbew
C:\Windows\SysWOW64\Jfghif32.exe | family_berbew
C:\Windows\SysWOW64\Kkijmm32.exe | family_berbew
C:\Windows\SysWOW64\Keanebkb.exe | family_berbew
C:\Windows\SysWOW64\Kmmcjehm.exe | family_berbew
C:\Windows\SysWOW64\Kjqccigf.exe | family_berbew
C:\Windows\SysWOW64\Llnofpcg.exe | family_berbew
C:\Windows\SysWOW64\Lajhofao.exe | family_berbew
C:\Windows\SysWOW64\Ldidkbpb.exe | family_berbew
C:\Windows\SysWOW64\Mpdnkb32.exe | family_berbew
C:\Windows\SysWOW64\Mgqcmlgl.exe | family_berbew
C:\Windows\SysWOW64\Mhbped32.exe | family_berbew
C:\Windows\SysWOW64\Ncgdbmmp.exe | family_berbew
C:\Windows\SysWOW64\Nlphkb32.exe | family_berbew
C:\Windows\SysWOW64\Mlkopcge.exe | family_berbew
C:\Windows\SysWOW64\Nocnbmoo.exe | family_berbew
C:\Windows\SysWOW64\Nejiih32.exe | family_berbew
C:\Windows\SysWOW64\Ndpfkdmf.exe | family_berbew
C:\Windows\SysWOW64\Meagci32.exe | family_berbew
C:\Windows\SysWOW64\Nacgdhlp.exe | family_berbew
C:\Windows\SysWOW64\Oklkmnbp.exe | family_berbew
C:\Windows\SysWOW64\Olmhdf32.exe | family_berbew
C:\Windows\SysWOW64\Mmfbogcn.exe | family_berbew
C:\Windows\SysWOW64\Mkgfckcj.exe | family_berbew
C:\Windows\SysWOW64\Mpbaebdd.exe | family_berbew
C:\Windows\SysWOW64\Mkeimlfm.exe | family_berbew
C:\Windows\SysWOW64\Mamddf32.exe | family_berbew
C:\Windows\SysWOW64\Lecgje32.exe | family_berbew
C:\Windows\SysWOW64\Llkbap32.exe | family_berbew
C:\Windows\SysWOW64\Leajdfnm.exe | family_berbew
C:\Windows\SysWOW64\Lpdbloof.exe | family_berbew
C:\Windows\SysWOW64\Leonofpp.exe | family_berbew
C:\Windows\SysWOW64\Lpbefoai.exe | family_berbew
C:\Windows\SysWOW64\Lihmjejl.exe | family_berbew
C:\Windows\SysWOW64\Lfjqnjkh.exe | family_berbew
C:\Windows\SysWOW64\Lpphap32.exe | family_berbew
C:\Windows\SysWOW64\Kifpdelo.exe | family_berbew
C:\Windows\SysWOW64\Kpmlkp32.exe | family_berbew
C:\Windows\SysWOW64\Kcfkfo32.exe | family_berbew
C:\Windows\SysWOW64\Kfbkmk32.exe | family_berbew
C:\Windows\SysWOW64\Kmjfdejp.exe | family_berbew
C:\Windows\SysWOW64\Kgnnln32.exe | family_berbew
C:\Windows\SysWOW64\Kneicieh.exe | family_berbew
C:\Windows\SysWOW64\Kaceodek.exe | family_berbew
C:\Windows\SysWOW64\Kihqkagp.exe | family_berbew
C:\Windows\SysWOW64\Kaaijdgn.exe | family_berbew
C:\Windows\SysWOW64\Jifdebic.exe | family_berbew
Executes dropped EXE 64 IoCs
Processes:
Dflkdp32.exe, Dgmglh32.exe, Dqjepm32.exe, Djbiicon.exe, Ekholjqg.exe, Epfhbign.exe, Eloemi32.exe, Fnpnndgp.exe, Faagpp32.exe, Fhkpmjln.exe, Filldb32.exe, Fdapak32.exe, Fmjejphb.exe, Fbgmbg32.exe, Fiaeoang.exe, Gonnhhln.exe, Gicbeald.exe, Gopkmhjk.exe, Gieojq32.exe, Gkgkbipp.exe, Gbnccfpb.exe, Gdopkn32.exe, Gkihhhnm.exe, Geolea32.exe, Gkkemh32.exe, Gphmeo32.exe, Hgbebiao.exe, Hahjpbad.exe, Hgdbhi32.exe, Hnojdcfi.exe, Hdhbam32.exe, Hggomh32.exe, Hnagjbdf.exe, Hlcgeo32.exe, Hgilchkf.exe, Hlfdkoin.exe, Hacmcfge.exe, Hhmepp32.exe, Hogmmjfo.exe, Ieqeidnl.exe, Ilknfn32.exe, Ioijbj32.exe, Idfbkq32.exe, Iokfhi32.exe, Iajcde32.exe, Idhopq32.exe, Ijeghgoh.exe, Icmlam32.exe, Ijgdngmf.exe, Iqalka32.exe, Igkdgk32.exe, Jmhmpb32.exe, Jcbellac.exe, Jjlnif32.exe, Joifam32.exe, Jfcnngnd.exe, Jkpgfn32.exe, Jbjochdi.exe, Jicgpb32.exe, Jonplmcb.exe, Jfghif32.exe, Jifdebic.exe, Joplbl32.exe, Kaaijdgn.exe
pid | process
2216 | Dflkdp32.exe
2616 | Dgmglh32.exe
2820 | Dqjepm32.exe
2812 | Djbiicon.exe
2700 | Ekholjqg.exe
3004 | Epfhbign.exe
2848 | Eloemi32.exe
2976 | Fnpnndgp.exe
1576 | Faagpp32.exe
2012 | Fhkpmjln.exe
1408 | Filldb32.exe
536 | Fdapak32.exe
1252 | Fmjejphb.exe
2076 | Fbgmbg32.exe
2864 | Fiaeoang.exe
2104 | Gonnhhln.exe
1984 | Gicbeald.exe
1792 | Gopkmhjk.exe
2368 | Gieojq32.exe
324 | Gkgkbipp.exe
1620 | Gbnccfpb.exe
2944 | Gdopkn32.exe
2036 | Gkihhhnm.exe
1700 | Geolea32.exe
2412 | Gkkemh32.exe
1044 | Gphmeo32.exe
1624 | Hgbebiao.exe
1564 | Hahjpbad.exe
2004 | Hgdbhi32.exe
2920 | Hnojdcfi.exe
2656 | Hdhbam32.exe
2552 | Hggomh32.exe
2996 | Hnagjbdf.exe
2352 | Hlcgeo32.exe
2852 | Hgilchkf.exe
1764 | Hlfdkoin.exe
2580 | Hacmcfge.exe
2780 | Hhmepp32.exe
1296 | Hogmmjfo.exe
2052 | Ieqeidnl.exe
2772 | Ilknfn32.exe
1096 | Ioijbj32.exe
856 | Idfbkq32.exe
796 | Iokfhi32.exe
624 | Iajcde32.exe
1040 | Idhopq32.exe
2316 | Ijeghgoh.exe
564 | Icmlam32.exe
2604 | Ijgdngmf.exe
2728 | Iqalka32.exe
2648 | Igkdgk32.exe
2576 | Jmhmpb32.exe
2612 | Jcbellac.exe
2284 | Jjlnif32.exe
2752 | Joifam32.exe
1960 | Jfcnngnd.exe
2060 | Jkpgfn32.exe
2312 | Jbjochdi.exe
1264 | Jicgpb32.exe
860 | Jonplmcb.exe
2972 | Jfghif32.exe
2500 | Jifdebic.exe
1760 | Joplbl32.exe
2188 | Kaaijdgn.exe
Loads dropped DLL 64 IoCs
Processes:
0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe, Dflkdp32.exe, Dgmglh32.exe, Dqjepm32.exe, Djbiicon.exe, Ekholjqg.exe, Epfhbign.exe, Eloemi32.exe, Fnpnndgp.exe, Faagpp32.exe, Fhkpmjln.exe, Filldb32.exe, Fdapak32.exe, Fmjejphb.exe, Fbgmbg32.exe, Fiaeoang.exe, Gonnhhln.exe, Gicbeald.exe, Gopkmhjk.exe, Gieojq32.exe, Gkgkbipp.exe, Gbnccfpb.exe, Gdopkn32.exe, Gkihhhnm.exe, Geolea32.exe, Gkkemh32.exe, Gphmeo32.exe, Hgbebiao.exe, Hahjpbad.exe, Hgdbhi32.exe, Hnojdcfi.exe, Hdhbam32.exe
pid | process
2480 | 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
2480 | 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
2216 | Dflkdp32.exe
2216 | Dflkdp32.exe
2616 | Dgmglh32.exe
2616 | Dgmglh32.exe
2820 | Dqjepm32.exe
2820 | Dqjepm32.exe
2812 | Djbiicon.exe
2812 | Djbiicon.exe
2700 | Ekholjqg.exe
2700 | Ekholjqg.exe
3004 | Epfhbign.exe
3004 | Epfhbign.exe
2848 | Eloemi32.exe
2848 | Eloemi32.exe
2976 | Fnpnndgp.exe
2976 | Fnpnndgp.exe
1576 | Faagpp32.exe
1576 | Faagpp32.exe
2012 | Fhkpmjln.exe
2012 | Fhkpmjln.exe
1408 | Filldb32.exe
1408 | Filldb32.exe
536 | Fdapak32.exe
536 | Fdapak32.exe
1252 | Fmjejphb.exe
1252 | Fmjejphb.exe
2076 | Fbgmbg32.exe
2076 | Fbgmbg32.exe
2864 | Fiaeoang.exe
2864 | Fiaeoang.exe
2104 | Gonnhhln.exe
2104 | Gonnhhln.exe
1984 | Gicbeald.exe
1984 | Gicbeald.exe
1792 | Gopkmhjk.exe
1792 | Gopkmhjk.exe
2368 | Gieojq32.exe
2368 | Gieojq32.exe
324 | Gkgkbipp.exe
324 | Gkgkbipp.exe
1620 | Gbnccfpb.exe
1620 | Gbnccfpb.exe
2944 | Gdopkn32.exe
2944 | Gdopkn32.exe
2036 | Gkihhhnm.exe
2036 | Gkihhhnm.exe
1700 | Geolea32.exe
1700 | Geolea32.exe
2412 | Gkkemh32.exe
2412 | Gkkemh32.exe
1044 | Gphmeo32.exe
1044 | Gphmeo32.exe
1624 | Hgbebiao.exe
1624 | Hgbebiao.exe
1564 | Hahjpbad.exe
1564 | Hahjpbad.exe
2004 | Hgdbhi32.exe
2004 | Hgdbhi32.exe
2920 | Hnojdcfi.exe
2920 | Hnojdcfi.exe
2656 | Hdhbam32.exe
2656 | Hdhbam32.exe
Drops file in System32 directory 64 IoCs
Processes:
Fdapak32.exe, Hnagjbdf.exe, Amhpnkch.exe, Jgagfi32.exe, Aecaidjl.exe, Ojfaijcc.exe, Pedleg32.exe, Cgejac32.exe, Djhphncm.exe, Gjdhbc32.exe, Jfghif32.exe, Leajdfnm.exe, Mlkopcge.exe, Aajbne32.exe, Aeenochi.exe, Baohhgnf.exe, Fiaeoang.exe, Ilknfn32.exe, Ofelmloo.exe, Hanlnp32.exe, Kaldcb32.exe, Hggomh32.exe, Jjlnif32.exe, Omfkke32.exe, Hnojdcfi.exe, Jkpgfn32.exe, Aekodi32.exe, Gonnhhln.exe, Pflomnkb.exe, Pfikmh32.exe, Hahjpbad.exe, Iqalka32.exe, Lpbefoai.exe, Mkeimlfm.exe, Gpcmpijk.exe, 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe, Gphmeo32.exe, Lpdbloof.exe, Bidjnkdg.exe, Gbnccfpb.exe, Qpecfc32.exe, Dccagcgk.exe, Dfamcogo.exe, Bhajdblk.exe, Npccpo32.exe, Djbiicon.exe, Hhmepp32.exe, Mpdnkb32.exe, Hbfbgd32.exe, Acpdko32.exe, Fhkpmjln.exe, Bmhideol.exe, Hedocp32.exe, Cilibi32.exe, Olmhdf32.exe, Anojbobe.exe, Aidnohbk.exe, Nhaikn32.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Cakqnc32.dll | Fdapak32.exe
File created | C:\Windows\SysWOW64\Hlcgeo32.exe | Hnagjbdf.exe
File created | C:\Windows\SysWOW64\Bdbhke32.exe | Amhpnkch.exe
File created | C:\Windows\SysWOW64\Jnkpbcjg.exe | Jgagfi32.exe
File created | C:\Windows\SysWOW64\Ccfcekqe.dll | Jgagfi32.exe
File created | C:\Windows\SysWOW64\Akmjfn32.exe | Aecaidjl.exe
File opened for modification | C:\Windows\SysWOW64\Oobjaqaj.exe | Ojfaijcc.exe
File opened for modification | C:\Windows\SysWOW64\Pkndaa32.exe | Pedleg32.exe
File opened for modification | C:\Windows\SysWOW64\Cghggc32.exe | Cgejac32.exe
File created | C:\Windows\SysWOW64\Plnoej32.dll | Djhphncm.exe
File opened for modification | C:\Windows\SysWOW64\Gdllkhdg.exe | Gjdhbc32.exe
File created | C:\Windows\SysWOW64\Klaoplan.dll | Jfghif32.exe
File opened for modification | C:\Windows\SysWOW64\Llkbap32.exe | Leajdfnm.exe
File created | C:\Windows\SysWOW64\Mgqcmlgl.exe | Mlkopcge.exe
File created | C:\Windows\SysWOW64\Aeenochi.exe | Aajbne32.exe
File created | C:\Windows\SysWOW64\Annbhi32.exe | Aeenochi.exe
File opened for modification | C:\Windows\SysWOW64\Bfkpqn32.exe | Baohhgnf.exe
File opened for modification | C:\Windows\SysWOW64\Gonnhhln.exe | Fiaeoang.exe
File opened for modification | C:\Windows\SysWOW64\Ioijbj32.exe | Ilknfn32.exe
File created | C:\Windows\SysWOW64\Oqmmpd32.exe | Ofelmloo.exe
File created | C:\Windows\SysWOW64\Hdlhjl32.exe | Hanlnp32.exe
File created | C:\Windows\SysWOW64\Kgemplap.exe | Kaldcb32.exe
File created | C:\Windows\SysWOW64\Hnagjbdf.exe | Hggomh32.exe
File created | C:\Windows\SysWOW64\Ollfnfje.dll | Jjlnif32.exe
File created | C:\Windows\SysWOW64\Fjkhohik.dll | Omfkke32.exe
File opened for modification | C:\Windows\SysWOW64\Hdhbam32.exe | Hnojdcfi.exe
File created | C:\Windows\SysWOW64\Jbjochdi.exe | Jkpgfn32.exe
File created | C:\Windows\SysWOW64\Alegac32.exe | Aekodi32.exe
File created | C:\Windows\SysWOW64\Elmnchif.dll | Aecaidjl.exe
File opened for modification | C:\Windows\SysWOW64\Fmjejphb.exe | Fdapak32.exe
File created | C:\Windows\SysWOW64\Gicbeald.exe | Gonnhhln.exe
File created | C:\Windows\SysWOW64\Qmfgjh32.exe | Pflomnkb.exe
File created | C:\Windows\SysWOW64\Lbbjgn32.dll | Pfikmh32.exe
File opened for modification | C:\Windows\SysWOW64\Hgdbhi32.exe | Hahjpbad.exe
File opened for modification | C:\Windows\SysWOW64\Igkdgk32.exe | Iqalka32.exe
File created | C:\Windows\SysWOW64\Leonofpp.exe | Lpbefoai.exe
File created | C:\Windows\SysWOW64\Mpbaebdd.exe | Mkeimlfm.exe
File created | C:\Windows\SysWOW64\Gmgninie.exe | Gpcmpijk.exe
File opened for modification | C:\Windows\SysWOW64\Gmgninie.exe | Gpcmpijk.exe
File opened for modification | C:\Windows\SysWOW64\Dflkdp32.exe | 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Hgbebiao.exe | Gphmeo32.exe
File opened for modification | C:\Windows\SysWOW64\Leajdfnm.exe | Lpdbloof.exe
File created | C:\Windows\SysWOW64\Boqbfb32.exe | Bidjnkdg.exe
File created | C:\Windows\SysWOW64\Blnhfb32.dll | Gbnccfpb.exe
File created | C:\Windows\SysWOW64\Qjjgclai.exe | Qpecfc32.exe
File created | C:\Windows\SysWOW64\Dfamcogo.exe | Dccagcgk.exe
File created | C:\Windows\SysWOW64\Dcenlceh.exe | Dfamcogo.exe
File opened for modification | C:\Windows\SysWOW64\Beejng32.exe | Bhajdblk.exe
File created | C:\Windows\SysWOW64\Nilhhdga.exe | Npccpo32.exe
File created | C:\Windows\SysWOW64\Ekholjqg.exe | Djbiicon.exe
File created | C:\Windows\SysWOW64\Ojhcelga.dll | Hhmepp32.exe
File opened for modification | C:\Windows\SysWOW64\Meagci32.exe | Mpdnkb32.exe
File created | C:\Windows\SysWOW64\Hedocp32.exe | Hbfbgd32.exe
File opened for modification | C:\Windows\SysWOW64\Abbeflpf.exe | Acpdko32.exe
File created | C:\Windows\SysWOW64\Filldb32.exe | Fhkpmjln.exe
File opened for modification | C:\Windows\SysWOW64\Bpfeppop.exe | Bmhideol.exe
File created | C:\Windows\SysWOW64\Hbhomd32.exe | Hedocp32.exe
File opened for modification | C:\Windows\SysWOW64\Cacacg32.exe | Cilibi32.exe
File created | C:\Windows\SysWOW64\Ioijbj32.exe | Ilknfn32.exe
File opened for modification | C:\Windows\SysWOW64\Ofelmloo.exe | Olmhdf32.exe
File opened for modification | C:\Windows\SysWOW64\Qjjgclai.exe | Qpecfc32.exe
File created | C:\Windows\SysWOW64\Aidnohbk.exe | Anojbobe.exe
File opened for modification | C:\Windows\SysWOW64\Anafhopc.exe | Aidnohbk.exe
File created | C:\Windows\SysWOW64\Fibkpd32.dll | Nhaikn32.exe
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
3084 | 4072 | WerFault.exe | Cacacg32.exe
Modifies registry class 64 IoCs
Processes:
Amhpnkch.exe, Mholen32.exe, Oeeecekc.exe, Pqjfoa32.exe, Bhajdblk.exe, Epfhbign.exe, Aefeijle.exe, Kiijnq32.exe, Lmgocb32.exe, Oagmmgdm.exe, Beejng32.exe, Mhbped32.exe, Dcenlceh.exe, Kmmcjehm.exe, Gicbeald.exe, Kmjfdejp.exe, Lbfdaigg.exe, Ghelfg32.exe, Jnpinc32.exe, Pckoam32.exe, Qkhpkoen.exe, Abeemhkh.exe, Boqbfb32.exe, Iipgcaob.exe, Nlphkb32.exe, Gjakmc32.exe, Cddaphkn.exe, Nilhhdga.exe, Alpmfdcb.exe, Bdbhke32.exe, Aecaidjl.exe, Jfcnngnd.exe, Mmfbogcn.exe, Habfipdj.exe, Jcjdpj32.exe, Kcakaipc.exe, Hnagjbdf.exe, Hoamgd32.exe, Jonplmcb.exe, Nacgdhlp.exe, Peiepfgg.exe, Ekholjqg.exe, Idhopq32.exe, Fbmcbbki.exe, Lihmjejl.exe, Dfoqmo32.exe, Oobjaqaj.exe, Cklmgb32.exe, 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe, Hhmepp32.exe, Gebbnpfp.exe, Ljffag32.exe, Cadhnmnm.exe, Cgejac32.exe, Jifdebic.exe, Kneicieh.exe, Mffimglk.exe, Pqhijbog.exe, Akmjfn32.exe, Blaopqpo.exe, Eloemi32.exe, Jmhmpb32.exe, Oklkmnbp.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Amhpnkch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mholen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll" | Oeeecekc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll" | Pqjfoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bhajdblk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" | Epfhbign.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmmle32.dll" | Aefeijle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnbi32.dll" | Kiijnq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lmgocb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oagmmgdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Beejng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhbped32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dcenlceh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kmmcjehm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gicbeald.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pogjpc32.dll" | Kmjfdejp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll" | Lbfdaigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnlkifo.dll" | Ghelfg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jnpinc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oeeecekc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pckoam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" | Qkhpkoen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Abeemhkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Boqbfb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iipgcaob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" | Nlphkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algdlcdm.dll" | Gjakmc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cddaphkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nilhhdga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Alpmfdcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligkin32.dll" | Bdbhke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll" | Aecaidjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfcnngnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdkcckg.dll" | Mmfbogcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Habfipdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jcjdpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kcakaipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hnagjbdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hoamgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biapcobb.dll" | Jonplmcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocindg32.dll" | Nacgdhlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Peiepfgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" | Ekholjqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idhopq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fbmcbbki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aagancdj.dll" | Lihmjejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dfoqmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmccegik.dll" | Oobjaqaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cklmgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hhmepp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gebbnpfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll" | Ljffag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cadhnmnm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cgejac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jifdebic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kneicieh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mffimglk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pqhijbog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll" | Akmjfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Blaopqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eloemi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jmhmpb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oklkmnbp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe, Dflkdp32.exe, Dgmglh32.exe, Dqjepm32.exe, Djbiicon.exe, Ekholjqg.exe, Epfhbign.exe, Eloemi32.exe, Fnpnndgp.exe, Faagpp32.exe, Fhkpmjln.exe, Filldb32.exe, Fdapak32.exe, Fmjejphb.exe, Fbgmbg32.exe, Fiaeoang.exe
description pid process target process
PID 2480 wrote to memory of 2216 2480 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe Dflkdp32.exe
PID 2480 wrote to memory of 2216 2480 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe Dflkdp32.exe
PID 2480 wrote to memory of 2216 2480 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe Dflkdp32.exe
PID 2480 wrote to memory of 2216 2480 0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe Dflkdp32.exe
PID 2216 wrote to memory of 2616 2216 Dflkdp32.exe Dgmglh32.exe
PID 2216 wrote to memory of 2616 2216 Dflkdp32.exe Dgmglh32.exe
PID 2216 wrote to memory of 2616 2216 Dflkdp32.exe Dgmglh32.exe
PID 2216 wrote to memory of 2616 2216 Dflkdp32.exe Dgmglh32.exe
PID 2616 wrote to memory of 2820 2616 Dgmglh32.exe Dqjepm32.exe
PID 2616 wrote to memory of 2820 2616 Dgmglh32.exe Dqjepm32.exe
PID 2616 wrote to memory of 2820 2616 Dgmglh32.exe Dqjepm32.exe
PID 2616 wrote to memory of 2820 2616 Dgmglh32.exe Dqjepm32.exe
PID 2820 wrote to memory of 2812 2820 Dqjepm32.exe Djbiicon.exe
PID 2820 wrote to memory of 2812 2820 Dqjepm32.exe Djbiicon.exe
PID 2820 wrote to memory of 2812 2820 Dqjepm32.exe Djbiicon.exe
PID 2820 wrote to memory of 2812 2820 Dqjepm32.exe Djbiicon.exe
PID 2812 wrote to memory of 2700 2812 Djbiicon.exe Ekholjqg.exe
PID 2812 wrote to memory of 2700 2812 Djbiicon.exe Ekholjqg.exe
PID 2812 wrote to memory of 2700 2812 Djbiicon.exe Ekholjqg.exe
PID 2812 wrote to memory of 2700 2812 Djbiicon.exe Ekholjqg.exe
PID 2700 wrote to memory of 3004 2700 Ekholjqg.exe Epfhbign.exe
PID 2700 wrote to memory of 3004 2700 Ekholjqg.exe Epfhbign.exe
PID 2700 wrote to memory of 3004 2700 Ekholjqg.exe Epfhbign.exe
PID 2700 wrote to memory of 3004 2700 Ekholjqg.exe Epfhbign.exe
PID 3004 wrote to memory of 2848 3004 Epfhbign.exe Eloemi32.exe
PID 3004 wrote to memory of 2848 3004 Epfhbign.exe Eloemi32.exe
PID 3004 wrote to memory of 2848 3004 Epfhbign.exe Eloemi32.exe
PID 3004 wrote to memory of 2848 3004 Epfhbign.exe Eloemi32.exe
PID 2848 wrote to memory of 2976 2848 Eloemi32.exe Fnpnndgp.exe
PID 2848 wrote to memory of 2976 2848 Eloemi32.exe Fnpnndgp.exe
PID 2848 wrote to memory of 2976 2848 Eloemi32.exe Fnpnndgp.exe
PID 2848 wrote to memory of 2976 2848 Eloemi32.exe Fnpnndgp.exe
PID 2976 wrote to memory of 1576 2976 Fnpnndgp.exe Faagpp32.exe
PID 2976 wrote to memory of 1576 2976 Fnpnndgp.exe Faagpp32.exe
PID 2976 wrote to memory of 1576 2976 Fnpnndgp.exe Faagpp32.exe
PID 2976 wrote to memory of 1576 2976 Fnpnndgp.exe Faagpp32.exe
PID 1576 wrote to memory of 2012 1576 Faagpp32.exe Fhkpmjln.exe
PID 1576 wrote to memory of 2012 1576 Faagpp32.exe Fhkpmjln.exe
PID 1576 wrote to memory of 2012 1576 Faagpp32.exe Fhkpmjln.exe
PID 1576 wrote to memory of 2012 1576 Faagpp32.exe Fhkpmjln.exe
PID 2012 wrote to memory of 1408 2012 Fhkpmjln.exe Filldb32.exe
PID 2012 wrote to memory of 1408 2012 Fhkpmjln.exe Filldb32.exe
PID 2012 wrote to memory of 1408 2012 Fhkpmjln.exe Filldb32.exe
PID 2012 wrote to memory of 1408 2012 Fhkpmjln.exe Filldb32.exe
PID 1408 wrote to memory of 536 1408 Filldb32.exe Fdapak32.exe
PID 1408 wrote to memory of 536 1408 Filldb32.exe Fdapak32.exe
PID 1408 wrote to memory of 536 1408 Filldb32.exe Fdapak32.exe
PID 1408 wrote to memory of 536 1408 Filldb32.exe Fdapak32.exe
PID 536 wrote to memory of 1252 536 Fdapak32.exe Fmjejphb.exe
PID 536 wrote to memory of 1252 536 Fdapak32.exe Fmjejphb.exe
PID 536 wrote to memory of 1252 536 Fdapak32.exe Fmjejphb.exe
PID 536 wrote to memory of 1252 536 Fdapak32.exe Fmjejphb.exe
PID 1252 wrote to memory of 2076 1252 Fmjejphb.exe Fbgmbg32.exe
PID 1252 wrote to memory of 2076 1252 Fmjejphb.exe Fbgmbg32.exe
PID 1252 wrote to memory of 2076 1252 Fmjejphb.exe Fbgmbg32.exe
PID 1252 wrote to memory of 2076 1252 Fmjejphb.exe Fbgmbg32.exe
PID 2076 wrote to memory of 2864 2076 Fbgmbg32.exe Fiaeoang.exe
PID 2076 wrote to memory of 2864 2076 Fbgmbg32.exe Fiaeoang.exe
PID 2076 wrote to memory of 2864 2076 Fbgmbg32.exe Fiaeoang.exe
PID 2076 wrote to memory of 2864 2076 Fbgmbg32.exe Fiaeoang.exe
PID 2864 wrote to memory of 2104 2864 Fiaeoang.exe Gonnhhln.exe
PID 2864 wrote to memory of 2104 2864 Fiaeoang.exe Gonnhhln.exe
PID 2864 wrote to memory of 2104 2864 Fiaeoang.exe Gonnhhln.exe
PID 2864 wrote to memory of 2104 2864 Fiaeoang.exe Gonnhhln.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0a6d59bae52f7d357589713d099cef30_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe35⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe36⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe37⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe38⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe40⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe41⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe43⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe44⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe45⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe46⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe48⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe49⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe50⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe52⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe54⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe56⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe60⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe64⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe65⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe66⤵PID:1688
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe67⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe70⤵PID:2844
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe71⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe72⤵PID:1324
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe73⤵PID:484
-
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe74⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe75⤵PID:1272
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe76⤵PID:2388
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe77⤵PID:1972
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe79⤵PID:1704
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe80⤵PID:2408
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe81⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe82⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe83⤵PID:2384
-
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe84⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe85⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe86⤵PID:684
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe87⤵PID:1632
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe89⤵PID:2344
-
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe91⤵PID:3044
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe92⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe93⤵PID:2720
-
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe94⤵PID:2796
-
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe95⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe96⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe97⤵PID:1652
-
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe99⤵PID:2640
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe100⤵
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe101⤵PID:1980
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe102⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe103⤵PID:2924
-
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe104⤵PID:2084
-
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe105⤵PID:2708
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe107⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe108⤵
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe109⤵
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe110⤵PID:1176
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe111⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe112⤵
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe114⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe115⤵PID:980
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe116⤵PID:892
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe118⤵
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe119⤵PID:2872
-
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe120⤵PID:608
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe121⤵PID:2260
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe123⤵PID:2832
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe124⤵PID:2916
-
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe125⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1052 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe127⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe128⤵PID:2940
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe129⤵PID:916
-
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe131⤵PID:1968
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe132⤵PID:640
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe133⤵PID:2536
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe135⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe136⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe137⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe138⤵PID:2516
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe139⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe140⤵PID:1308
-
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe142⤵
- Drops file in System32 directory
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe143⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe145⤵PID:2420
-
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe146⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe147⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe148⤵PID:560
-
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe149⤵PID:1744
-
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe150⤵PID:1988
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe151⤵PID:2624
-
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe152⤵
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe153⤵PID:2300
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe154⤵
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe155⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe157⤵PID:2860
-
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe158⤵PID:2168
-
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe159⤵
- Drops file in System32 directory
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe160⤵PID:2636
-
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe163⤵PID:2956
-
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe164⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:964 -
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe166⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe167⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe168⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe169⤵PID:2928
-
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe170⤵PID:2160
-
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe171⤵PID:2244
-
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe172⤵PID:2496
-
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe173⤵PID:2884
-
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe174⤵PID:2680
-
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe175⤵PID:1820
-
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe176⤵PID:2628
-
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe177⤵PID:448
-
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe178⤵PID:1512
-
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe179⤵PID:1876
-
C:\Windows\SysWOW64\Echfaf32.exeC:\Windows\system32\Echfaf32.exe180⤵PID:3040
-
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe182⤵
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1752 -
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe184⤵PID:2948
-
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe185⤵PID:2044
-
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe186⤵PID:2056
-
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:648 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe188⤵PID:1812
-
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe190⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe191⤵PID:1840
-
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe192⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe193⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe194⤵PID:1940
-
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe196⤵
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe198⤵PID:2288
-
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe199⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe201⤵
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe202⤵PID:3192
-
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe203⤵PID:3340
-
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe204⤵
- Drops file in System32 directory
PID:3380 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe205⤵PID:3420
-
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe206⤵
- Modifies registry class
PID:3460 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe207⤵PID:3500
-
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe208⤵PID:3540
-
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe209⤵
- Modifies registry class
PID:3580 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe210⤵PID:3620
-
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3660 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3700 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe213⤵
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe214⤵PID:3780
-
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe215⤵PID:3820
-
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe216⤵PID:3864
-
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe217⤵PID:3904
-
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3944 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe219⤵PID:3984
-
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe220⤵PID:4024
-
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe221⤵PID:4064
-
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe222⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3108 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe224⤵PID:3160
-
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe225⤵PID:3236
-
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe226⤵PID:3348
-
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe227⤵
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe228⤵
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe229⤵PID:3372
-
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe230⤵
- Modifies registry class
PID:3436 -
C:\Windows\SysWOW64\Kbbngf32.exeC:\Windows\system32\Kbbngf32.exe231⤵PID:3480
-
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe232⤵PID:3512
-
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3572 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe234⤵PID:3604
-
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe235⤵PID:3680
-
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe236⤵PID:3724
-
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe237⤵
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe238⤵PID:3828
-
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe239⤵PID:3880
-
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3928 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe241⤵
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe242⤵PID:4032