Analysis

max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 23:25

Behavioral task: behavioral1
Sample: 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General

Target: 0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe
Size: 664KB
MD5: 0a8fd725bd1e7040b7b6bc052e9563c0
SHA1: 9cfc70f24a8dcb1cde4aef9b9c26bc355be5a4dd
SHA256: 545d61dc12958b73b16958e11c20d1baa0d395ade13c7c73b958e22f002527f6
SHA512: 53884d8c1bcccd8eb910d52dc4dcee1a4554bafd33457161ba589d8a3ac7487d5f41b7417bcb38e5bc75081828d5fa3bf95887ef3c2dc62fdc52b5dcdaf1c0b1
SSDEEP: 12288:78pV6yYPv058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmR54F:wWceKWNUir2MhNl6zX3w9As/xO23WM67
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: WerFault.exe

pid   pid_target  process       target process
2456  3288        WerFault.exe  Lbjofi32.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0a8fd725bd1e7040b7b6bc052e9563c0_NeikiAnalytics.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
[level 2] C:\Windows\SysWOW64\Cemjae32.exe (command line: C:\Windows\system32\Cemjae32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2068 -
[level 3] C:\Windows\SysWOW64\Ckahkk32.exe (command line: C:\Windows\system32\Ckahkk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
[level 4] C:\Windows\SysWOW64\Diibag32.exe (command line: C:\Windows\system32\Diibag32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
[level 5] C:\Windows\SysWOW64\Dkadjn32.exe (command line: C:\Windows\system32\Dkadjn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
[level 6] C:\Windows\SysWOW64\Enbnkigh.exe (command line: C:\Windows\system32\Enbnkigh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
[level 7] C:\Windows\SysWOW64\Egahen32.exe (command line: C:\Windows\system32\Egahen32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
[level 8] C:\Windows\SysWOW64\Fmcjhdbc.exe (command line: C:\Windows\system32\Fmcjhdbc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:572 -
[level 9] C:\Windows\SysWOW64\Fdnolfon.exe (command line: C:\Windows\system32\Fdnolfon.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
[level 10] C:\Windows\SysWOW64\Gcjbna32.exe (command line: C:\Windows\system32\Gcjbna32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
[level 11] C:\Windows\SysWOW64\Gghkdp32.exe (command line: C:\Windows\system32\Gghkdp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
[level 12] C:\Windows\SysWOW64\Hfbaql32.exe (command line: C:\Windows\system32\Hfbaql32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:812 -
[level 13] C:\Windows\SysWOW64\Halbai32.exe (command line: C:\Windows\system32\Halbai32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1592 -
[level 14] C:\Windows\SysWOW64\Ijmipn32.exe (command line: C:\Windows\system32\Ijmipn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
[level 15] C:\Windows\SysWOW64\Jniefm32.exe (command line: C:\Windows\system32\Jniefm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
[level 16] C:\Windows\SysWOW64\Jjbbpmgo.exe (command line: C:\Windows\system32\Jjbbpmgo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
[level 17] C:\Windows\SysWOW64\Kgkleabc.exe (command line: C:\Windows\system32\Kgkleabc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:680 -
[level 18] C:\Windows\SysWOW64\Kbigpn32.exe (command line: C:\Windows\system32\Kbigpn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
[level 19] C:\Windows\SysWOW64\Lkdhoc32.exe (command line: C:\Windows\system32\Lkdhoc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:440 -
[level 20] C:\Windows\SysWOW64\Lneaqn32.exe (command line: C:\Windows\system32\Lneaqn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:848 -
[level 21] C:\Windows\SysWOW64\Lqejbiim.exe (command line: C:\Windows\system32\Lqejbiim.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1252 -
[level 22] C:\Windows\SysWOW64\Lfbbjpgd.exe (command line: C:\Windows\system32\Lfbbjpgd.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
[level 23] C:\Windows\SysWOW64\Lcfbdd32.exe (command line: C:\Windows\system32\Lcfbdd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
[level 24] C:\Windows\SysWOW64\Mmadbjkk.exe (command line: C:\Windows\system32\Mmadbjkk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:616 -
[level 25] C:\Windows\SysWOW64\Mpamde32.exe (command line: C:\Windows\system32\Mpamde32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1396 -
[level 26] C:\Windows\SysWOW64\Meoell32.exe (command line: C:\Windows\system32\Meoell32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:312 -
[level 27] C:\Windows\SysWOW64\Mlhnifmq.exe (command line: C:\Windows\system32\Mlhnifmq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
[level 28] C:\Windows\SysWOW64\Ncfoch32.exe (command line: C:\Windows\system32\Ncfoch32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2064 -
[level 29] C:\Windows\SysWOW64\Npmphinm.exe (command line: C:\Windows\system32\Npmphinm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1520 -
[level 30] C:\Windows\SysWOW64\Nmqpam32.exe (command line: C:\Windows\system32\Nmqpam32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2504 -
[level 31] C:\Windows\SysWOW64\Nbbbdcgi.exe (command line: C:\Windows\system32\Nbbbdcgi.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
[level 32] C:\Windows\SysWOW64\Olkfmi32.exe (command line: C:\Windows\system32\Olkfmi32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
[level 33] C:\Windows\SysWOW64\Okpcoe32.exe (command line: C:\Windows\system32\Okpcoe32.exe)
- Executes dropped EXE
PID:2512 -
[level 34] C:\Windows\SysWOW64\Odhhgkib.exe (command line: C:\Windows\system32\Odhhgkib.exe)
- Executes dropped EXE
PID:2416 -
[level 35] C:\Windows\SysWOW64\Ogknoe32.exe (command line: C:\Windows\system32\Ogknoe32.exe)
- Executes dropped EXE
PID:344 -
[level 36] C:\Windows\SysWOW64\Ppcbgkka.exe (command line: C:\Windows\system32\Ppcbgkka.exe)
- Executes dropped EXE
PID:908 -
[level 37] C:\Windows\SysWOW64\Pmgbao32.exe (command line: C:\Windows\system32\Pmgbao32.exe)
- Executes dropped EXE
PID:1452 -
[level 38] C:\Windows\SysWOW64\Poklngnf.exe (command line: C:\Windows\system32\Poklngnf.exe)
- Executes dropped EXE
PID:828 -
[level 39] C:\Windows\SysWOW64\Pgbdodnh.exe (command line: C:\Windows\system32\Pgbdodnh.exe)
- Executes dropped EXE
- Modifies registry class
PID:2168 -
[level 40] C:\Windows\SysWOW64\Pkdihhag.exe (command line: C:\Windows\system32\Pkdihhag.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
[level 41] C:\Windows\SysWOW64\Qkffng32.exe (command line: C:\Windows\system32\Qkffng32.exe)
- Executes dropped EXE
PID:1608 -
[level 42] C:\Windows\SysWOW64\Qqfkln32.exe (command line: C:\Windows\system32\Qqfkln32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
[level 43] C:\Windows\SysWOW64\Abegfa32.exe (command line: C:\Windows\system32\Abegfa32.exe)
- Executes dropped EXE
PID:2112 -
[level 44] C:\Windows\SysWOW64\Amohfo32.exe (command line: C:\Windows\system32\Amohfo32.exe)
- Executes dropped EXE
PID:2676 -
[level 45] C:\Windows\SysWOW64\Anneqafn.exe (command line: C:\Windows\system32\Anneqafn.exe)
- Executes dropped EXE
PID:2568 -
[level 46] C:\Windows\SysWOW64\Aggiigmn.exe (command line: C:\Windows\system32\Aggiigmn.exe)
- Executes dropped EXE
- Modifies registry class
PID:2212 -
[level 47] C:\Windows\SysWOW64\Aobnniji.exe (command line: C:\Windows\system32\Aobnniji.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2916 -
[level 48] C:\Windows\SysWOW64\Akiobk32.exe (command line: C:\Windows\system32\Akiobk32.exe)
- Executes dropped EXE
PID:1268 -
[level 49] C:\Windows\SysWOW64\Beackp32.exe (command line: C:\Windows\system32\Beackp32.exe)
- Executes dropped EXE
- Modifies registry class
PID:1140 -
[level 50] C:\Windows\SysWOW64\Bbeded32.exe (command line: C:\Windows\system32\Bbeded32.exe)
- Executes dropped EXE
PID:1248 -
[level 51] C:\Windows\SysWOW64\Boidnh32.exe (command line: C:\Windows\system32\Boidnh32.exe)
- Executes dropped EXE
PID:924 -
[level 52] C:\Windows\SysWOW64\Biaign32.exe (command line: C:\Windows\system32\Biaign32.exe)
- Executes dropped EXE
PID:2072 -
[level 53] C:\Windows\SysWOW64\Bjbeofpp.exe (command line: C:\Windows\system32\Bjbeofpp.exe)
- Executes dropped EXE
PID:2036 -
[level 54] C:\Windows\SysWOW64\Bnqned32.exe (command line: C:\Windows\system32\Bnqned32.exe)
- Executes dropped EXE
PID:644 -
[level 55] C:\Windows\SysWOW64\Bejfao32.exe (command line: C:\Windows\system32\Bejfao32.exe)
- Executes dropped EXE
PID:1524 -
[level 56] C:\Windows\SysWOW64\Cmfkfa32.exe (command line: C:\Windows\system32\Cmfkfa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
[level 57] C:\Windows\SysWOW64\Cmmagpef.exe (command line: C:\Windows\system32\Cmmagpef.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2492 -
[level 58] C:\Windows\SysWOW64\Djgkii32.exe (command line: C:\Windows\system32\Djgkii32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2860 -
[level 59] C:\Windows\SysWOW64\Dmjqpdje.exe (command line: C:\Windows\system32\Dmjqpdje.exe)
- Executes dropped EXE
- Modifies registry class
PID:2428 -
[level 60] C:\Windows\SysWOW64\Dgbeiiqe.exe (command line: C:\Windows\system32\Dgbeiiqe.exe)
- Executes dropped EXE
PID:2820 -
[level 61] C:\Windows\SysWOW64\Dmmmfc32.exe (command line: C:\Windows\system32\Dmmmfc32.exe)
- Executes dropped EXE
PID:2100 -
[level 62] C:\Windows\SysWOW64\Elajgpmj.exe (command line: C:\Windows\system32\Elajgpmj.exe)
- Executes dropped EXE
- Modifies registry class
PID:1660 -
[level 63] C:\Windows\SysWOW64\Eiekpd32.exe (command line: C:\Windows\system32\Eiekpd32.exe)
- Executes dropped EXE
PID:1472 -
[level 64] C:\Windows\SysWOW64\Eppcmncq.exe (command line: C:\Windows\system32\Eppcmncq.exe)
- Executes dropped EXE
PID:2188 -
[level 65] C:\Windows\SysWOW64\Ehkhaqpk.exe (command line: C:\Windows\system32\Ehkhaqpk.exe)
- Executes dropped EXE
PID:1640 -
[level 66] C:\Windows\SysWOW64\Eacljf32.exe (command line: C:\Windows\system32\Eacljf32.exe)
- Modifies registry class
PID:2292 -
[level 67] C:\Windows\SysWOW64\Eklqcl32.exe (command line: C:\Windows\system32\Eklqcl32.exe)
- Drops file in System32 directory
PID:2336 -
[level 68] C:\Windows\SysWOW64\Eoiiijcc.exe (command line: C:\Windows\system32\Eoiiijcc.exe)
- Drops file in System32 directory
PID:2208 -
[level 69] C:\Windows\SysWOW64\Eecafd32.exe (command line: C:\Windows\system32\Eecafd32.exe)
PID:2780 -
[level 70] C:\Windows\SysWOW64\Fajbke32.exe (command line: C:\Windows\system32\Fajbke32.exe)
PID:1460 -
[level 71] C:\Windows\SysWOW64\Fkbgckgd.exe (command line: C:\Windows\system32\Fkbgckgd.exe)
- Modifies registry class
PID:1032 -
[level 72] C:\Windows\SysWOW64\Fkecij32.exe (command line: C:\Windows\system32\Fkecij32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
[level 73] C:\Windows\SysWOW64\Fdmhbplb.exe (command line: C:\Windows\system32\Fdmhbplb.exe)
PID:1464 -
[level 74] C:\Windows\SysWOW64\Fqdiga32.exe (command line: C:\Windows\system32\Fqdiga32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
[level 75] C:\Windows\SysWOW64\Fmkilb32.exe (command line: C:\Windows\system32\Fmkilb32.exe)
- Drops file in System32 directory
PID:1920 -
[level 76] C:\Windows\SysWOW64\Gceailog.exe (command line: C:\Windows\system32\Gceailog.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2884 -
[level 77] C:\Windows\SysWOW64\Gkpfmnlb.exe (command line: C:\Windows\system32\Gkpfmnlb.exe)
PID:2712 -
[level 78] C:\Windows\SysWOW64\Gifclb32.exe (command line: C:\Windows\system32\Gifclb32.exe)
PID:2612 -
[level 79] C:\Windows\SysWOW64\Ggkqmoma.exe (command line: C:\Windows\system32\Ggkqmoma.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2448 -
[level 80] C:\Windows\SysWOW64\Gneijien.exe (command line: C:\Windows\system32\Gneijien.exe)
PID:1420 -
[level 81] C:\Windows\SysWOW64\Gepafc32.exe (command line: C:\Windows\system32\Gepafc32.exe)
PID:2320 -
[level 82] C:\Windows\SysWOW64\Hqfaldbo.exe (command line: C:\Windows\system32\Hqfaldbo.exe)
PID:1768 -
[level 83] C:\Windows\SysWOW64\Hjofdi32.exe (command line: C:\Windows\system32\Hjofdi32.exe)
PID:288 -
[level 84] C:\Windows\SysWOW64\Hcgjmo32.exe (command line: C:\Windows\system32\Hcgjmo32.exe)
PID:2184 -
[level 85] C:\Windows\SysWOW64\Hjacjifm.exe (command line: C:\Windows\system32\Hjacjifm.exe)
- Modifies registry class
PID:1300 -
[level 86] C:\Windows\SysWOW64\Hjcppidk.exe (command line: C:\Windows\system32\Hjcppidk.exe)
- Drops file in System32 directory
PID:868 -
[level 87] C:\Windows\SysWOW64\Hmdhad32.exe (command line: C:\Windows\system32\Hmdhad32.exe)
PID:2724 -
[level 88] C:\Windows\SysWOW64\Iflmjihl.exe (command line: C:\Windows\system32\Iflmjihl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
[level 89] C:\Windows\SysWOW64\Iimfld32.exe (command line: C:\Windows\system32\Iimfld32.exe)
PID:1440 -
[level 90] C:\Windows\SysWOW64\Injndk32.exe (command line: C:\Windows\system32\Injndk32.exe)
PID:2760 -
[level 91] C:\Windows\SysWOW64\Ijqoilii.exe (command line: C:\Windows\system32\Ijqoilii.exe)
- Drops file in System32 directory
PID:800 -
[level 92] C:\Windows\SysWOW64\Iefcfe32.exe (command line: C:\Windows\system32\Iefcfe32.exe)
PID:1976 -
[level 93] C:\Windows\SysWOW64\Ijclol32.exe (command line: C:\Windows\system32\Ijclol32.exe)
- Modifies registry class
PID:2120 -
[level 94] C:\Windows\SysWOW64\Ijehdl32.exe (command line: C:\Windows\system32\Ijehdl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:892 -
[level 95] C:\Windows\SysWOW64\Jmfafgbd.exe (command line: C:\Windows\system32\Jmfafgbd.exe)
- Drops file in System32 directory
PID:2260 -
[level 96] C:\Windows\SysWOW64\Jmhnkfpa.exe (command line: C:\Windows\system32\Jmhnkfpa.exe)
PID:2940 -
[level 97] C:\Windows\SysWOW64\Jgabdlfb.exe (command line: C:\Windows\system32\Jgabdlfb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2380 -
[level 98] C:\Windows\SysWOW64\Jbhcim32.exe (command line: C:\Windows\system32\Jbhcim32.exe)
PID:1564 -
[level 99] C:\Windows\SysWOW64\Jlphbbbg.exe (command line: C:\Windows\system32\Jlphbbbg.exe)
PID:1744 -
[level 100] C:\Windows\SysWOW64\Kaompi32.exe (command line: C:\Windows\system32\Kaompi32.exe)
- Modifies registry class
PID:880 -
[level 101] C:\Windows\SysWOW64\Kpdjaecc.exe (command line: C:\Windows\system32\Kpdjaecc.exe)
- Drops file in System32 directory
PID:1540 -
[level 102] C:\Windows\SysWOW64\Kkjnnn32.exe (command line: C:\Windows\system32\Kkjnnn32.exe)
PID:1740 -
[level 103] C:\Windows\SysWOW64\Kgqocoin.exe (command line: C:\Windows\system32\Kgqocoin.exe)
PID:952 -
[level 104] C:\Windows\SysWOW64\Kddomchg.exe (command line: C:\Windows\system32\Kddomchg.exe)
PID:324 -
[level 105] C:\Windows\SysWOW64\Kjahej32.exe (command line: C:\Windows\system32\Kjahej32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:280 -
[level 106] C:\Windows\SysWOW64\Lpnmgdli.exe (command line: C:\Windows\system32\Lpnmgdli.exe)
PID:1028 -
[level 107] C:\Windows\SysWOW64\Ljfapjbi.exe (command line: C:\Windows\system32\Ljfapjbi.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1112 -
[level 108] C:\Windows\SysWOW64\Lfmbek32.exe (command line: C:\Windows\system32\Lfmbek32.exe)
PID:884 -
[level 109] C:\Windows\SysWOW64\Lhnkffeo.exe (command line: C:\Windows\system32\Lhnkffeo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1512 -
[level 110] C:\Windows\SysWOW64\Nplimbka.exe (command line: C:\Windows\system32\Nplimbka.exe)
PID:2736 -
[level 111] C:\Windows\SysWOW64\Njjcip32.exe (command line: C:\Windows\system32\Njjcip32.exe)
- Drops file in System32 directory
PID:2692 -
[level 112] C:\Windows\SysWOW64\Ofcqcp32.exe (command line: C:\Windows\system32\Ofcqcp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:776 -
[level 113] C:\Windows\SysWOW64\Ompefj32.exe (command line: C:\Windows\system32\Ompefj32.exe)
PID:2832 -
[level 114] C:\Windows\SysWOW64\Obmnna32.exe (command line: C:\Windows\system32\Obmnna32.exe)
PID:1164 -
[level 115] C:\Windows\SysWOW64\Ohiffh32.exe (command line: C:\Windows\system32\Ohiffh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948 -
[level 116] C:\Windows\SysWOW64\Pkjphcff.exe (command line: C:\Windows\system32\Pkjphcff.exe)
- Drops file in System32 directory
PID:2132 -
[level 117] C:\Windows\SysWOW64\Padhdm32.exe (command line: C:\Windows\system32\Padhdm32.exe)
PID:980 -
[level 118] C:\Windows\SysWOW64\Pmkhjncg.exe (command line: C:\Windows\system32\Pmkhjncg.exe)
- Drops file in System32 directory
PID:584 -
[level 119] C:\Windows\SysWOW64\Pgcmbcih.exe (command line: C:\Windows\system32\Pgcmbcih.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
[level 120] C:\Windows\SysWOW64\Pkaehb32.exe (command line: C:\Windows\system32\Pkaehb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:564 -
[level 121] C:\Windows\SysWOW64\Pkcbnanl.exe (command line: C:\Windows\system32\Pkcbnanl.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1536 -
[level 122] C:\Windows\SysWOW64\Qdlggg32.exe (command line: C:\Windows\system32\Qdlggg32.exe)
- Modifies registry class
PID:704 -
[level 123] C:\Windows\SysWOW64\Qlgkki32.exe (command line: C:\Windows\system32\Qlgkki32.exe)
- Drops file in System32 directory
PID:872 -
[level 124] C:\Windows\SysWOW64\Qjklenpa.exe (command line: C:\Windows\system32\Qjklenpa.exe)
- Modifies registry class
PID:2688 -
[level 125] C:\Windows\SysWOW64\Accqnc32.exe (command line: C:\Windows\system32\Accqnc32.exe)
- Drops file in System32 directory
PID:2464 -
[level 126] C:\Windows\SysWOW64\Aojabdlf.exe (command line: C:\Windows\system32\Aojabdlf.exe)
PID:1720 -
[level 127] C:\Windows\SysWOW64\Alnalh32.exe (command line: C:\Windows\system32\Alnalh32.exe)
PID:1664 -
[level 128] C:\Windows\SysWOW64\Adifpk32.exe (command line: C:\Windows\system32\Adifpk32.exe)
- Modifies registry class
PID:544 -
[level 129] C:\Windows\SysWOW64\Anbkipok.exe (command line: C:\Windows\system32\Anbkipok.exe)
PID:944 -
[level 130] C:\Windows\SysWOW64\Aoagccfn.exe (command line: C:\Windows\system32\Aoagccfn.exe)
- Drops file in System32 directory
PID:2652 -
[level 131] C:\Windows\SysWOW64\Bjkhdacm.exe (command line: C:\Windows\system32\Bjkhdacm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
[level 132] C:\Windows\SysWOW64\Bmlael32.exe (command line: C:\Windows\system32\Bmlael32.exe)
PID:1676 -
[level 133] C:\Windows\SysWOW64\Bfdenafn.exe (command line: C:\Windows\system32\Bfdenafn.exe)
- Modifies registry class
PID:1532 -
[level 134] C:\Windows\SysWOW64\Boljgg32.exe (command line: C:\Windows\system32\Boljgg32.exe)
- Modifies registry class
PID:1584 -
[level 135] C:\Windows\SysWOW64\Bkegah32.exe (command line: C:\Windows\system32\Bkegah32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
[level 136] C:\Windows\SysWOW64\Cenljmgq.exe (command line: C:\Windows\system32\Cenljmgq.exe)
PID:2528 -
[level 137] C:\Windows\SysWOW64\Cepipm32.exe (command line: C:\Windows\system32\Cepipm32.exe)
PID:2532 -
[level 138] C:\Windows\SysWOW64\Cnimiblo.exe (command line: C:\Windows\system32\Cnimiblo.exe)
PID:1656 -
[level 139] C:\Windows\SysWOW64\Cbffoabe.exe (command line: C:\Windows\system32\Cbffoabe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
[level 140] C:\Windows\SysWOW64\Cnmfdb32.exe (command line: C:\Windows\system32\Cnmfdb32.exe)
PID:2004 -
[level 141] C:\Windows\SysWOW64\Cegoqlof.exe (command line: C:\Windows\system32\Cegoqlof.exe)
PID:2508 -
[level 142] C:\Windows\SysWOW64\Djdgic32.exe (command line: C:\Windows\system32\Djdgic32.exe)
PID:2228 -
[level 143] C:\Windows\SysWOW64\Dcllbhdn.exe (command line: C:\Windows\system32\Dcllbhdn.exe)
- Drops file in System32 directory
PID:2588 -
[level 144] C:\Windows\SysWOW64\Ddaemh32.exe (command line: C:\Windows\system32\Ddaemh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
[level 145] C:\Windows\SysWOW64\Debadpeg.exe (command line: C:\Windows\system32\Debadpeg.exe)
PID:2632 -
[level 146] C:\Windows\SysWOW64\Dphfbiem.exe (command line: C:\Windows\system32\Dphfbiem.exe)
PID:2272 -
[level 147] C:\Windows\SysWOW64\Deenjpcd.exe (command line: C:\Windows\system32\Deenjpcd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1236 -
[level 148] C:\Windows\SysWOW64\Eakooqih.exe (command line: C:\Windows\system32\Eakooqih.exe)
PID:2372 -
[level 149] C:\Windows\SysWOW64\Eopphehb.exe (command line: C:\Windows\system32\Eopphehb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1404 -
[level 150] C:\Windows\SysWOW64\Edlhqlfi.exe (command line: C:\Windows\system32\Edlhqlfi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
[level 151] C:\Windows\SysWOW64\Eeldkonl.exe (command line: C:\Windows\system32\Eeldkonl.exe)
PID:1868 -
[level 152] C:\Windows\SysWOW64\Egmabg32.exe (command line: C:\Windows\system32\Egmabg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1280 -
[level 153] C:\Windows\SysWOW64\Ekkjheja.exe (command line: C:\Windows\system32\Ekkjheja.exe)
PID:2028 -
[level 154] C:\Windows\SysWOW64\Fmlbjq32.exe (command line: C:\Windows\system32\Fmlbjq32.exe)
PID:2412 -
[level 155] C:\Windows\SysWOW64\Fdekgjno.exe (command line: C:\Windows\system32\Fdekgjno.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2404 -
[level 156] C:\Windows\SysWOW64\Flapkmlj.exe (command line: C:\Windows\system32\Flapkmlj.exe)
PID:2020 -
[level 157] C:\Windows\SysWOW64\Fgfdie32.exe (command line: C:\Windows\system32\Fgfdie32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
[level 158] C:\Windows\SysWOW64\Flclam32.exe (command line: C:\Windows\system32\Flclam32.exe)
PID:1492 -
[level 159] C:\Windows\SysWOW64\Fcmdnfad.exe (command line: C:\Windows\system32\Fcmdnfad.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
[level 160] C:\Windows\SysWOW64\Fleifl32.exe (command line: C:\Windows\system32\Fleifl32.exe)
PID:1312 -
[level 161] C:\Windows\SysWOW64\Fhljkm32.exe (command line: C:\Windows\system32\Fhljkm32.exe)
- Drops file in System32 directory
PID:1528 -
[level 162] C:\Windows\SysWOW64\Gkmbmh32.exe (command line: C:\Windows\system32\Gkmbmh32.exe)
- Drops file in System32 directory
PID:2356 -
[level 163] C:\Windows\SysWOW64\Gmeeepjp.exe (command line: C:\Windows\system32\Gmeeepjp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2988 -
[level 164] C:\Windows\SysWOW64\Gconbj32.exe (command line: C:\Windows\system32\Gconbj32.exe)
PID:1712 -
[level 165] C:\Windows\SysWOW64\Ghlfjq32.exe (command line: C:\Windows\system32\Ghlfjq32.exe)
PID:2348 -
[level 166] C:\Windows\SysWOW64\Hokhbj32.exe (command line: C:\Windows\system32\Hokhbj32.exe)
PID:1956 -
[level 167] C:\Windows\SysWOW64\Hiclkp32.exe (command line: C:\Windows\system32\Hiclkp32.exe)
PID:112 -
[level 168] C:\Windows\SysWOW64\Homdhjai.exe (command line: C:\Windows\system32\Homdhjai.exe)
PID:588 -
[level 169] C:\Windows\SysWOW64\Hbkqdepm.exe (command line: C:\Windows\system32\Hbkqdepm.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1544 -
[level 170] C:\Windows\SysWOW64\Hghillnd.exe (command line: C:\Windows\system32\Hghillnd.exe)
- Modifies registry class
PID:1324 -
[level 171] C:\Windows\SysWOW64\Hcojam32.exe (command line: C:\Windows\system32\Hcojam32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
[level 172] C:\Windows\SysWOW64\Ieofkp32.exe (command line: C:\Windows\system32\Ieofkp32.exe)
- Drops file in System32 directory
PID:888 -
[level 173] C:\Windows\SysWOW64\Ijkocg32.exe (command line: C:\Windows\system32\Ijkocg32.exe)
PID:2580 -
[level 174] C:\Windows\SysWOW64\Ijnkifgp.exe (command line: C:\Windows\system32\Ijnkifgp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
[level 175] C:\Windows\SysWOW64\Iahceq32.exe (command line: C:\Windows\system32\Iahceq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1908 -
[level 176] C:\Windows\SysWOW64\Ipmqgmcd.exe (command line: C:\Windows\system32\Ipmqgmcd.exe)
PID:1292 -
[level 177] C:\Windows\SysWOW64\Imaapa32.exe (command line: C:\Windows\system32\Imaapa32.exe)
- Drops file in System32 directory
PID:2032 -
[level 178] C:\Windows\SysWOW64\Ipomlm32.exe (command line: C:\Windows\system32\Ipomlm32.exe)
- Modifies registry class
PID:2728 -
[level 179] C:\Windows\SysWOW64\Jelfdc32.exe (command line: C:\Windows\system32\Jelfdc32.exe)
PID:2648 -
[level 180] C:\Windows\SysWOW64\Jacfidem.exe (command line: C:\Windows\system32\Jacfidem.exe)
PID:2644 -
[level 181] C:\Windows\SysWOW64\Jaecod32.exe (command line: C:\Windows\system32\Jaecod32.exe)
PID:600 -
[level 182] C:\Windows\SysWOW64\Jlkglm32.exe (command line: C:\Windows\system32\Jlkglm32.exe)
PID:2992 -
[level 183] C:\Windows\SysWOW64\Jokqnhpa.exe (command line: C:\Windows\system32\Jokqnhpa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2496 -
[level 184] C:\Windows\SysWOW64\Jfgebjnm.exe (command line: C:\Windows\system32\Jfgebjnm.exe)
PID:2772 -
[level 185] C:\Windows\SysWOW64\Kmqmod32.exe (command line: C:\Windows\system32\Kmqmod32.exe)
- Modifies registry class
PID:1444 -
[level 186] C:\Windows\SysWOW64\Kbmfgk32.exe (command line: C:\Windows\system32\Kbmfgk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
[level 187] C:\Windows\SysWOW64\Kigndekn.exe (command line: C:\Windows\system32\Kigndekn.exe)
PID:2432 -
[level 188] C:\Windows\SysWOW64\Kgkonj32.exe (command line: C:\Windows\system32\Kgkonj32.exe)
- Drops file in System32 directory
PID:3060 -
[level 189] C:\Windows\SysWOW64\Khohkamc.exe (command line: C:\Windows\system32\Khohkamc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
[level 190] C:\Windows\SysWOW64\Kechdf32.exe (command line: C:\Windows\system32\Kechdf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
[level 191] C:\Windows\SysWOW64\Kkpqlm32.exe (command line: C:\Windows\system32\Kkpqlm32.exe)
- Drops file in System32 directory
PID:3096 -
[level 192] C:\Windows\SysWOW64\Keeeje32.exe (command line: C:\Windows\system32\Keeeje32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:3136 -
[level 193] C:\Windows\SysWOW64\Lopfhk32.exe (command line: C:\Windows\system32\Lopfhk32.exe)
- Drops file in System32 directory
PID:3176 -
[level 194] C:\Windows\SysWOW64\Lpabpcdf.exe (command line: C:\Windows\system32\Lpabpcdf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3216 -
[level 195] C:\Windows\SysWOW64\Laqojfli.exe (command line: C:\Windows\system32\Laqojfli.exe)
- Drops file in System32 directory
PID:3256 -
[level 196] C:\Windows\SysWOW64\Ldokfakl.exe (command line: C:\Windows\system32\Ldokfakl.exe)
- Drops file in System32 directory
PID:3296 -
[level 197] C:\Windows\SysWOW64\Lfbdci32.exe (command line: C:\Windows\system32\Lfbdci32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3336 -
[level 198] C:\Windows\SysWOW64\Mphiqbon.exe (command line: C:\Windows\system32\Mphiqbon.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3376 -
[level 199] C:\Windows\SysWOW64\Mjqmig32.exe (command line: C:\Windows\system32\Mjqmig32.exe)
PID:3416 -
[level 200] C:\Windows\SysWOW64\Mloiec32.exe (command line: C:\Windows\system32\Mloiec32.exe)
PID:3456 -
[level 201] C:\Windows\SysWOW64\Mfjkdh32.exe (command line: C:\Windows\system32\Mfjkdh32.exe)
- Drops file in System32 directory
PID:3496 -
[level 202] C:\Windows\SysWOW64\Mmccqbpm.exe (command line: C:\Windows\system32\Mmccqbpm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3536 -
[level 203] C:\Windows\SysWOW64\Mbqkiind.exe (command line: C:\Windows\system32\Mbqkiind.exe)
PID:3576 -
[level 204] C:\Windows\SysWOW64\Mbchni32.exe (command line: C:\Windows\system32\Mbchni32.exe)
PID:3620 -
[level 205] C:\Windows\SysWOW64\Ndcapd32.exe (command line: C:\Windows\system32\Ndcapd32.exe)
PID:3660 -
[level 206] C:\Windows\SysWOW64\Nnleiipc.exe (command line: C:\Windows\system32\Nnleiipc.exe)
- Drops file in System32 directory
PID:3700 -
[level 207] C:\Windows\SysWOW64\Nnnbni32.exe (command line: C:\Windows\system32\Nnnbni32.exe)
PID:3740 -
[level 208] C:\Windows\SysWOW64\Nggggoda.exe (command line: C:\Windows\system32\Nggggoda.exe)
PID:3780 -
[level 209] C:\Windows\SysWOW64\Njgpij32.exe (command line: C:\Windows\system32\Njgpij32.exe)
- Modifies registry class
PID:3820 -
[level 210] C:\Windows\SysWOW64\Nlilqbgp.exe (command line: C:\Windows\system32\Nlilqbgp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3860 -
[level 211] C:\Windows\SysWOW64\Ofnpnkgf.exe (command line: C:\Windows\system32\Ofnpnkgf.exe)
- Drops file in System32 directory
- Modifies registry class
PID:3900 -
[level 212] C:\Windows\SysWOW64\Oniebmda.exe (command line: C:\Windows\system32\Oniebmda.exe)
PID:3940 -
[level 213] C:\Windows\SysWOW64\Onlahm32.exe (command line: C:\Windows\system32\Onlahm32.exe)
PID:3980 -
[level 214] C:\Windows\SysWOW64\Oiafee32.exe (command line: C:\Windows\system32\Oiafee32.exe)
PID:4020 -
[level 215] C:\Windows\SysWOW64\Olbogqoe.exe (command line: C:\Windows\system32\Olbogqoe.exe)
PID:4060 -
[level 216] C:\Windows\SysWOW64\Oejcpf32.exe (command line: C:\Windows\system32\Oejcpf32.exe)
PID:3092 -
[level 217] C:\Windows\SysWOW64\Ppddpd32.exe (command line: C:\Windows\system32\Ppddpd32.exe)
PID:3128 -
[level 218] C:\Windows\SysWOW64\Pjihmmbk.exe (command line: C:\Windows\system32\Pjihmmbk.exe)
PID:3184 -
[level 219] C:\Windows\SysWOW64\Pmjaohol.exe (command line: C:\Windows\system32\Pmjaohol.exe)
- Modifies registry class
PID:3232 -
[level 220] C:\Windows\SysWOW64\Pfbfhm32.exe (command line: C:\Windows\system32\Pfbfhm32.exe)
PID:3280 -
[level 221] C:\Windows\SysWOW64\Picojhcm.exe (command line: C:\Windows\system32\Picojhcm.exe)
PID:3324 -
[level 222] C:\Windows\SysWOW64\Popgboae.exe (command line: C:\Windows\system32\Popgboae.exe)
PID:3368 -
[level 223] C:\Windows\SysWOW64\Qbnphngk.exe (command line: C:\Windows\system32\Qbnphngk.exe)
PID:3428 -
[level 224] C:\Windows\SysWOW64\Qkielpdf.exe (command line: C:\Windows\system32\Qkielpdf.exe)
- Modifies registry class
PID:3396 -
[level 225] C:\Windows\SysWOW64\Aklabp32.exe (command line: C:\Windows\system32\Aklabp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3512 -
[level 226] C:\Windows\SysWOW64\Aaejojjq.exe (command line: C:\Windows\system32\Aaejojjq.exe)
- Modifies registry class
PID:3568 -
[level 227] C:\Windows\SysWOW64\Aahfdihn.exe (command line: C:\Windows\system32\Aahfdihn.exe)
- Drops file in System32 directory
- Modifies registry class
PID:3632 -
[level 228] C:\Windows\SysWOW64\Anogijnb.exe (command line: C:\Windows\system32\Anogijnb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3672 -
C:\Windows\SysWOW64\Alddjg32.exeC:\Windows\system32\Alddjg32.exe229⤵PID:3724
-
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe230⤵
- Drops file in System32 directory
PID:3764 -
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe231⤵PID:3792
-
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe232⤵PID:3880
-
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe233⤵PID:3924
-
C:\Windows\SysWOW64\Bbjpil32.exeC:\Windows\system32\Bbjpil32.exe234⤵PID:3968
-
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4016 -
C:\Windows\SysWOW64\Cqaiph32.exeC:\Windows\system32\Cqaiph32.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4068 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe237⤵
- Drops file in System32 directory
PID:3120 -
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3160 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe239⤵
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Ckpckece.exeC:\Windows\system32\Ckpckece.exe240⤵
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Ckbpqe32.exeC:\Windows\system32\Ckbpqe32.exe241⤵PID:3316
-
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe242⤵
- Drops file in System32 directory
PID:3408