Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
01-06-2024 23:41
Behavioral task
behavioral1
Sample
0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe
-
Size
128KB
-
MD5
0cd8f0819d3dbccf2ab1c3649467aa10
-
SHA1
6a21cbc056fdc5e5ed37213ad39dbd1fb31031b9
-
SHA256
dbf449cc7f9c9fa85d6555eba7517d6bf690514429b051f3a650d2c52db8ee81
-
SHA512
5d928a6afc840cb98a55b2c6ee9b85eee3bc2a822477bed749b904fa532bc858f1c8290fe7bdf4d9c6a665414cf187069c4f090ce198a5ec8e4c259c363318da
-
SSDEEP
3072:wX5ajtyofL8v4cwGx2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:wpWfBe4BhHmNEcYj9nhV8NCU
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jjbpgd32.exeMlcbenjb.exeQbcpbo32.exeBioqclil.exeNkmdpm32.exeOkikfagn.exeBbjbaa32.exeCkccgane.exeFglipi32.exeNcjqhmkm.exeBehnnm32.exeCkafbbph.exeMpmapm32.exeDcadac32.exeFidoim32.exeIipgcaob.exeJfnnha32.exeKnklagmb.exeOjfaijcc.exePclfkc32.exeDnoomqbg.exeAnlfbi32.exeAmqccfed.exeGfhladfn.exeLcojjmea.exePcibkm32.exeOopnlacm.exeBecnhgmg.exeEffcma32.exeHakphqja.exeKfpgmdog.exeMbpnanch.exeAibajhdn.exeBafidiio.exeDccagcgk.exePqjfoa32.exeFenmdm32.exeGmdadnkh.exeHipkdnmf.exeNhiffc32.exeEgafleqm.exeNaimccpo.exeOcdmaj32.exeAgfgqo32.exeMmahdggc.exeMeagci32.exeFllnlg32.exeGpcmpijk.exeLcagpl32.exeJfiale32.exeOappcfmb.exePdaheq32.exeLihmjejl.exeFbamma32.exeOhendqhd.exeQflhbhgg.exeApalea32.exeCnkicn32.exeIkkjbe32.exeAigchgkh.exeBhfcpb32.exeGhcoqh32.exeMlaeonld.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlcbenjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmdpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckccgane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglipi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behnnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckafbbph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmapm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fidoim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfnnha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfaijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclfkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnoomqbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhladfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcojjmea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcibkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Becnhgmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Effcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpnanch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibajhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipkdnmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdmaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agfgqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fllnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfiale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oappcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdaheq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihmjejl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbamma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohendqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qflhbhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apalea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkjbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigchgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcoqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlaeonld.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule behavioral1/memory/1700-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew \Windows\SysWOW64\Kfbkmk32.exe family_berbew behavioral1/memory/1700-6-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew \Windows\SysWOW64\Kpkofpgq.exe family_berbew behavioral1/memory/2616-26-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew \Windows\SysWOW64\Kiccofna.exe family_berbew behavioral1/memory/2616-34-0x0000000000450000-0x0000000000491000-memory.dmp family_berbew C:\Windows\SysWOW64\Kpmlkp32.exe family_berbew behavioral1/memory/2732-41-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2860-53-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew \Windows\SysWOW64\Kifpdelo.exe family_berbew behavioral1/memory/2860-70-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/memory/2992-72-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2516-80-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew C:\Windows\SysWOW64\Lldlqakb.exe family_berbew \Windows\SysWOW64\Lihmjejl.exe family_berbew behavioral1/memory/2516-92-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/memory/2572-96-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2516-94-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew \Windows\SysWOW64\Llfifq32.exe family_berbew behavioral1/memory/2204-108-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew C:\Windows\SysWOW64\Lijjoe32.exe family_berbew behavioral1/memory/2804-121-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew \Windows\SysWOW64\Lliflp32.exe family_berbew behavioral1/memory/2224-134-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew \Windows\SysWOW64\Lafndg32.exe family_berbew behavioral1/memory/2224-146-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew \Windows\SysWOW64\Llkbap32.exe family_berbew behavioral1/memory/2236-164-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew \Windows\SysWOW64\Lojomkdn.exe family_berbew behavioral1/memory/2236-169-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew \Windows\SysWOW64\Ldfgebbe.exe family_berbew behavioral1/memory/2232-186-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew \Windows\SysWOW64\Lollckbk.exe family_berbew behavioral1/memory/2232-194-0x0000000000310000-0x0000000000351000-memory.dmp family_berbew behavioral1/memory/848-205-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2232-204-0x0000000000310000-0x0000000000351000-memory.dmp family_berbew behavioral1/memory/2292-214-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew C:\Windows\SysWOW64\Lefdpe32.exe family_berbew C:\Windows\SysWOW64\Mmahdggc.exe family_berbew behavioral1/memory/2292-228-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew C:\Windows\SysWOW64\Mamddf32.exe family_berbew behavioral1/memory/2888-230-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1120-234-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew C:\Windows\SysWOW64\Mhgmapfi.exe family_berbew behavioral1/memory/1820-244-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew C:\Windows\SysWOW64\Mihiih32.exe family_berbew behavioral1/memory/2100-255-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew C:\Windows\SysWOW64\Mdmmfa32.exe family_berbew behavioral1/memory/1840-277-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew C:\Windows\SysWOW64\Mbpnanch.exe family_berbew behavioral1/memory/1760-266-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew C:\Windows\SysWOW64\Mcbjgn32.exe family_berbew behavioral1/memory/1824-288-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1824-293-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew C:\Windows\SysWOW64\Meagci32.exe family_berbew behavioral1/memory/1880-299-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1824-298-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/memory/1880-305-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew C:\Windows\SysWOW64\Miooigfo.exe family_berbew behavioral1/memory/2492-310-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2492-317-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew C:\Windows\SysWOW64\Mpigfa32.exe family_berbew behavioral1/memory/2148-320-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Kfbkmk32.exeKpkofpgq.exeKiccofna.exeKpmlkp32.exeKifpdelo.exeLldlqakb.exeLihmjejl.exeLlfifq32.exeLijjoe32.exeLliflp32.exeLafndg32.exeLlkbap32.exeLojomkdn.exeLdfgebbe.exeLollckbk.exeLefdpe32.exeMmahdggc.exeMamddf32.exeMhgmapfi.exeMihiih32.exeMdmmfa32.exeMbpnanch.exeMcbjgn32.exeMeagci32.exeMiooigfo.exeMpigfa32.exeNefpnhlc.exeNcjqhmkm.exeNhfipcid.exeNkeelohh.exeNncahjgl.exeNhiffc32.exeNpdjje32.exeNhkbkc32.exeNgnbgplj.exeOjolhk32.exeOnjgiiad.exeOddpfc32.exeOfelmloo.exeOlpdjf32.exeOcimgp32.exeOopnlacm.exeOjfaijcc.exeOmdneebf.exeOkgnab32.exeOfmbnkhg.exeOmfkke32.exeOkikfagn.exeOnhgbmfb.exePfoocjfd.exePdaoog32.exePgplkb32.exePogclp32.exePqhpdhcc.exePgbhabjp.exePjadmnic.exePbhmnkjf.exePgeefbhm.exePnomcl32.exePamiog32.exePclfkc32.exePnajilng.exePapfegmk.exePcnbablo.exepid process 2028 Kfbkmk32.exe 2616 Kpkofpgq.exe 2732 Kiccofna.exe 2860 Kpmlkp32.exe 2992 Kifpdelo.exe 2516 Lldlqakb.exe 2572 Lihmjejl.exe 2204 Llfifq32.exe 2804 Lijjoe32.exe 2224 Lliflp32.exe 2196 Lafndg32.exe 2236 Llkbap32.exe 536 Lojomkdn.exe 2232 Ldfgebbe.exe 848 Lollckbk.exe 2292 Lefdpe32.exe 2888 Mmahdggc.exe 1120 Mamddf32.exe 1820 Mhgmapfi.exe 2100 Mihiih32.exe 1760 Mdmmfa32.exe 1840 Mbpnanch.exe 1824 Mcbjgn32.exe 1880 Meagci32.exe 2492 Miooigfo.exe 2148 Mpigfa32.exe 2068 Nefpnhlc.exe 3020 Ncjqhmkm.exe 2724 Nhfipcid.exe 2760 Nkeelohh.exe 2756 Nncahjgl.exe 2552 Nhiffc32.exe 1252 Npdjje32.exe 2496 Nhkbkc32.exe 1500 Ngnbgplj.exe 2816 Ojolhk32.exe 316 Onjgiiad.exe 1040 Oddpfc32.exe 604 Ofelmloo.exe 1168 Olpdjf32.exe 1772 Ocimgp32.exe 2276 Oopnlacm.exe 2716 Ojfaijcc.exe 3028 Omdneebf.exe 1780 Okgnab32.exe 1004 Ofmbnkhg.exe 1612 Omfkke32.exe 944 Okikfagn.exe 2976 Onhgbmfb.exe 1564 Pfoocjfd.exe 1644 Pdaoog32.exe 2864 Pgplkb32.exe 2680 Pogclp32.exe 2788 Pqhpdhcc.exe 2636 Pgbhabjp.exe 2948 Pjadmnic.exe 776 Pbhmnkjf.exe 1632 Pgeefbhm.exe 2432 Pnomcl32.exe 1816 Pamiog32.exe 1624 Pclfkc32.exe 1444 Pnajilng.exe 1212 Papfegmk.exe 2936 Pcnbablo.exe -
Loads dropped DLL 64 IoCs
Processes:
0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exeKfbkmk32.exeKpkofpgq.exeKiccofna.exeKpmlkp32.exeKifpdelo.exeLldlqakb.exeLihmjejl.exeLlfifq32.exeLijjoe32.exeLliflp32.exeLafndg32.exeLlkbap32.exeLojomkdn.exeLdfgebbe.exeLollckbk.exeLefdpe32.exeMmahdggc.exeMamddf32.exeMhgmapfi.exeMihiih32.exeMdmmfa32.exeMbpnanch.exeMcbjgn32.exeMeagci32.exeMiooigfo.exeMpigfa32.exeNefpnhlc.exeNcjqhmkm.exeNhfipcid.exeNkeelohh.exeNncahjgl.exepid process 1700 0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe 1700 0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe 2028 Kfbkmk32.exe 2028 Kfbkmk32.exe 2616 Kpkofpgq.exe 2616 Kpkofpgq.exe 2732 Kiccofna.exe 2732 Kiccofna.exe 2860 Kpmlkp32.exe 2860 Kpmlkp32.exe 2992 Kifpdelo.exe 2992 Kifpdelo.exe 2516 Lldlqakb.exe 2516 Lldlqakb.exe 2572 Lihmjejl.exe 2572 Lihmjejl.exe 2204 Llfifq32.exe 2204 Llfifq32.exe 2804 Lijjoe32.exe 2804 Lijjoe32.exe 2224 Lliflp32.exe 2224 Lliflp32.exe 2196 Lafndg32.exe 2196 Lafndg32.exe 2236 Llkbap32.exe 2236 Llkbap32.exe 536 Lojomkdn.exe 536 Lojomkdn.exe 2232 Ldfgebbe.exe 2232 Ldfgebbe.exe 848 Lollckbk.exe 848 Lollckbk.exe 2292 Lefdpe32.exe 2292 Lefdpe32.exe 2888 Mmahdggc.exe 2888 Mmahdggc.exe 1120 Mamddf32.exe 1120 Mamddf32.exe 1820 Mhgmapfi.exe 1820 Mhgmapfi.exe 2100 Mihiih32.exe 2100 Mihiih32.exe 1760 Mdmmfa32.exe 1760 Mdmmfa32.exe 1840 Mbpnanch.exe 1840 Mbpnanch.exe 1824 Mcbjgn32.exe 1824 Mcbjgn32.exe 1880 Meagci32.exe 1880 Meagci32.exe 2492 Miooigfo.exe 2492 Miooigfo.exe 2148 Mpigfa32.exe 2148 Mpigfa32.exe 2068 Nefpnhlc.exe 2068 Nefpnhlc.exe 3020 Ncjqhmkm.exe 3020 Ncjqhmkm.exe 2724 Nhfipcid.exe 2724 Nhfipcid.exe 2760 Nkeelohh.exe 2760 Nkeelohh.exe 2756 Nncahjgl.exe 2756 Nncahjgl.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ahikqd32.exeDnoomqbg.exeLcagpl32.exePqhpdhcc.exeAibajhdn.exeBbhela32.exeEqbddk32.exeApalea32.exeAjgpbj32.exePgeefbhm.exeNofdklgl.exeMiooigfo.exeEfaibbij.exeGffoldhp.exeGiieco32.exeHbfbgd32.exeIgakgfpn.exeLapnnafn.exeOhendqhd.exePamiog32.exeAbphal32.exeJgcdki32.exePokieo32.exeQeaedd32.exeGmgninie.exeIccbqh32.exeKbbngf32.exeNdhipoob.exeNmbknddp.exeQkkmqnck.exeGmbdnn32.exeOkgnab32.exeHoopae32.exeHdlhjl32.exeQmicohqm.exeLbiqfied.exeBehgcf32.exePjadmnic.exeIlqpdm32.exeKjifhc32.exeNadpgggp.exeOdoloalf.exeKfbkmk32.exeHbhomd32.exeKfpgmdog.exeHkaglf32.exeDggcffhg.exeEojnkg32.exeMpigfa32.exeCdgneh32.exeKbidgeci.exeLndohedg.exePnajilng.exeEqpgol32.exeFmmkcoap.exeNhiffc32.exeAaaoij32.exeFbopgb32.exeJnkpbcjg.exeJqlhdo32.exeNkpegi32.exeOdlojanh.exeMamddf32.exeIeidmbcc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ajhgmpfg.exe Ahikqd32.exe File created C:\Windows\SysWOW64\Dfffnn32.exe Dnoomqbg.exe File created C:\Windows\SysWOW64\Ljkomfjl.exe Lcagpl32.exe File created C:\Windows\SysWOW64\Pgbhabjp.exe Pqhpdhcc.exe File created C:\Windows\SysWOW64\Alpmfdcb.exe Aibajhdn.exe File created C:\Windows\SysWOW64\Bkommo32.exe Bbhela32.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Eqbddk32.exe File created C:\Windows\SysWOW64\Lfobiqka.dll Apalea32.exe File opened for modification C:\Windows\SysWOW64\Amelne32.exe Ajgpbj32.exe File opened for modification C:\Windows\SysWOW64\Pnomcl32.exe Pgeefbhm.exe File opened for modification C:\Windows\SysWOW64\Nadpgggp.exe Nofdklgl.exe File opened for modification C:\Windows\SysWOW64\Mpigfa32.exe Miooigfo.exe File created C:\Windows\SysWOW64\Ampehe32.dll Efaibbij.exe File created C:\Windows\SysWOW64\Gmpgio32.exe Gffoldhp.exe File opened for modification C:\Windows\SysWOW64\Gmdadnkh.exe Giieco32.exe File opened for modification C:\Windows\SysWOW64\Hedocp32.exe Hbfbgd32.exe File created C:\Windows\SysWOW64\Mpjmjp32.dll Igakgfpn.exe File created C:\Windows\SysWOW64\Nffjeaid.dll Lapnnafn.exe File created C:\Windows\SysWOW64\Oqacic32.exe Ohendqhd.exe File created C:\Windows\SysWOW64\Kfommp32.dll Pamiog32.exe File created C:\Windows\SysWOW64\Ajgpbj32.exe Abphal32.exe File created C:\Windows\SysWOW64\Qkhgoi32.dll Jgcdki32.exe File opened for modification C:\Windows\SysWOW64\Pcfefmnk.exe Pokieo32.exe File created C:\Windows\SysWOW64\Qgoapp32.exe Qeaedd32.exe File created C:\Windows\SysWOW64\Gpejeihi.exe Gmgninie.exe File created C:\Windows\SysWOW64\Ikkjbe32.exe Iccbqh32.exe File opened for modification C:\Windows\SysWOW64\Kjifhc32.exe Kbbngf32.exe File created C:\Windows\SysWOW64\Ngfflj32.exe Ndhipoob.exe File created C:\Windows\SysWOW64\Cnjgia32.dll Nmbknddp.exe File created C:\Windows\SysWOW64\Aaheie32.exe Qkkmqnck.exe File created C:\Windows\SysWOW64\Qmaqpohl.dll Gmbdnn32.exe File opened for modification C:\Windows\SysWOW64\Ofmbnkhg.exe Okgnab32.exe File created C:\Windows\SysWOW64\Nmmhnm32.dll Hoopae32.exe File created C:\Windows\SysWOW64\Hhgdkjol.exe Hdlhjl32.exe File created C:\Windows\SysWOW64\Qpgpkcpp.exe Qmicohqm.exe File opened for modification C:\Windows\SysWOW64\Lfdmggnm.exe Lbiqfied.exe File created C:\Windows\SysWOW64\Mlcpdacl.dll Behgcf32.exe File created C:\Windows\SysWOW64\Jejinjob.dll Pjadmnic.exe File created C:\Windows\SysWOW64\Ipllekdl.exe Ilqpdm32.exe File created C:\Windows\SysWOW64\Kmcipd32.dll Kjifhc32.exe File created C:\Windows\SysWOW64\Bfenfipk.dll Nadpgggp.exe File created C:\Windows\SysWOW64\Ihlfga32.dll Odoloalf.exe File created C:\Windows\SysWOW64\Kpkofpgq.exe Kfbkmk32.exe File created C:\Windows\SysWOW64\Hakphqja.exe Hbhomd32.exe File created C:\Windows\SysWOW64\Kincipnk.exe Kfpgmdog.exe File created C:\Windows\SysWOW64\Hbhomd32.exe Hkaglf32.exe File created C:\Windows\SysWOW64\Dookgcij.exe Dggcffhg.exe File created C:\Windows\SysWOW64\Pgicjg32.dll Eojnkg32.exe File created C:\Windows\SysWOW64\Nefpnhlc.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Cgejac32.exe Cdgneh32.exe File created C:\Windows\SysWOW64\Kegqdqbl.exe Kbidgeci.exe File created C:\Windows\SysWOW64\Aepjgc32.dll Lndohedg.exe File created C:\Windows\SysWOW64\Oimpgolj.dll Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Ehgppi32.exe Eqpgol32.exe File created C:\Windows\SysWOW64\Ebpopmpp.dll Fmmkcoap.exe File created C:\Windows\SysWOW64\Iigpciig.dll Nhiffc32.exe File opened for modification C:\Windows\SysWOW64\Aemkjiem.exe Aaaoij32.exe File opened for modification C:\Windows\SysWOW64\Fenmdm32.exe Fbopgb32.exe File created C:\Windows\SysWOW64\Jbgkcb32.exe Jnkpbcjg.exe File opened for modification C:\Windows\SysWOW64\Jdgdempa.exe Jqlhdo32.exe File opened for modification C:\Windows\SysWOW64\Naimccpo.exe Nkpegi32.exe File created C:\Windows\SysWOW64\Aohjlnjk.dll Odlojanh.exe File created C:\Windows\SysWOW64\Dqehhb32.dll Mamddf32.exe File created C:\Windows\SysWOW64\Ihgainbg.exe Ieidmbcc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4140 4924 WerFault.exe Cacacg32.exe -
Modifies registry class 64 IoCs
Processes:
Papfegmk.exeBbokmqie.exeChnqkg32.exeGffoldhp.exeGpqpjj32.exeGepehphc.exeQkkmqnck.exeEbmgcohn.exeHhgdkjol.exeOokmfk32.exeLbfdaigg.exeMamddf32.exePqhpdhcc.exeQabcjgkh.exeBjlqhoba.exeDhpiojfb.exeIhjnom32.exeQgoapp32.exeAganeoip.exePfoocjfd.exeNekbmgcn.exePogclp32.exeAjhgmpfg.exeBlbfjg32.exeAmelne32.exeBaohhgnf.exeChkmkacq.exeLdfgebbe.exeOjfaijcc.exeDlkepi32.exeFekpnn32.exeMlcbenjb.exeLafndg32.exeAlpmfdcb.exeDccagcgk.exeKfpgmdog.exeKbkameaf.exeNenobfak.exeFbopgb32.exeBfkpqn32.exeKbbngf32.exeMlfojn32.exeKgcpjmcb.exe0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exeLlfifq32.exeMeagci32.exeQbcpbo32.exeDggcffhg.exeGfhladfn.exePfikmh32.exeKiccofna.exeKegqdqbl.exeOkfgfl32.exeBekkcljk.exeHdildlie.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnilfo32.dll" Papfegmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbokmqie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqapllgh.dll" Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnfen32.dll" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmfgh32.dll" Hhgdkjol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdqqjhl.dll" Ookmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfdaigg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqhpdhcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qabcjgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpiojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lbfdaigg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgoapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aganeoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkhohik.dll" Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll" Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglegn32.dll" Ajhgmpfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blbfjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amelne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhklfnh.dll" Ldfgebbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fekpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll" Aganeoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfcml32.dll" Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjfoqkg.dll" Alpmfdcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malllmgi.dll" Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimfgo32.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjppa32.dll" Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll" Bfkpqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbbngf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amelne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgcpjmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbcpbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggcffhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhladfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcijc32.dll" Kiccofna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kegqdqbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okfgfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdildlie.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exeKfbkmk32.exeKpkofpgq.exeKiccofna.exeKpmlkp32.exeKifpdelo.exeLldlqakb.exeLihmjejl.exeLlfifq32.exeLijjoe32.exeLliflp32.exeLafndg32.exeLlkbap32.exeLojomkdn.exeLdfgebbe.exeLollckbk.exedescription pid process target process PID 1700 wrote to memory of 2028 1700 0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe Kfbkmk32.exe PID 1700 wrote to memory of 2028 1700 0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe Kfbkmk32.exe PID 1700 wrote to memory of 2028 1700 0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe Kfbkmk32.exe PID 1700 wrote to memory of 2028 1700 0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe Kfbkmk32.exe PID 2028 wrote to memory of 2616 2028 Kfbkmk32.exe Kpkofpgq.exe PID 2028 wrote to memory of 2616 2028 Kfbkmk32.exe Kpkofpgq.exe PID 2028 wrote to memory of 2616 2028 Kfbkmk32.exe Kpkofpgq.exe PID 2028 wrote to memory of 2616 2028 Kfbkmk32.exe Kpkofpgq.exe PID 2616 wrote to memory of 2732 2616 Kpkofpgq.exe Kiccofna.exe PID 2616 wrote to memory of 2732 2616 Kpkofpgq.exe Kiccofna.exe PID 2616 wrote to memory of 2732 2616 Kpkofpgq.exe Kiccofna.exe PID 2616 wrote to memory of 2732 2616 Kpkofpgq.exe Kiccofna.exe PID 2732 wrote to memory of 2860 2732 Kiccofna.exe Kpmlkp32.exe PID 2732 wrote to memory of 2860 2732 Kiccofna.exe Kpmlkp32.exe PID 2732 wrote to memory of 2860 2732 Kiccofna.exe Kpmlkp32.exe PID 2732 wrote to memory of 2860 2732 Kiccofna.exe Kpmlkp32.exe PID 2860 wrote to memory of 2992 2860 Kpmlkp32.exe Kifpdelo.exe PID 2860 wrote to memory of 2992 2860 Kpmlkp32.exe Kifpdelo.exe PID 2860 wrote to memory of 2992 2860 Kpmlkp32.exe Kifpdelo.exe PID 2860 wrote to memory of 2992 2860 Kpmlkp32.exe Kifpdelo.exe PID 2992 wrote to memory of 2516 2992 Kifpdelo.exe Lldlqakb.exe PID 2992 wrote to memory of 2516 2992 Kifpdelo.exe Lldlqakb.exe PID 2992 wrote to memory of 2516 2992 Kifpdelo.exe Lldlqakb.exe PID 2992 wrote to memory of 2516 2992 Kifpdelo.exe Lldlqakb.exe PID 2516 wrote to memory of 2572 2516 Lldlqakb.exe Lihmjejl.exe PID 2516 wrote to memory of 2572 2516 Lldlqakb.exe Lihmjejl.exe PID 2516 wrote to memory of 2572 2516 Lldlqakb.exe Lihmjejl.exe PID 2516 wrote to memory of 2572 2516 Lldlqakb.exe Lihmjejl.exe PID 2572 wrote to memory of 2204 2572 Lihmjejl.exe Llfifq32.exe PID 2572 wrote to memory of 2204 2572 Lihmjejl.exe Llfifq32.exe PID 2572 wrote to memory of 2204 2572 Lihmjejl.exe Llfifq32.exe PID 2572 wrote to memory of 2204 2572 Lihmjejl.exe Llfifq32.exe PID 2204 wrote to memory of 2804 2204 Llfifq32.exe Lijjoe32.exe PID 2204 wrote to memory of 2804 2204 Llfifq32.exe Lijjoe32.exe PID 2204 wrote to memory of 2804 2204 Llfifq32.exe Lijjoe32.exe PID 2204 wrote to memory of 2804 2204 Llfifq32.exe Lijjoe32.exe PID 2804 wrote to memory of 2224 2804 Lijjoe32.exe Lliflp32.exe PID 2804 wrote to memory of 2224 2804 Lijjoe32.exe Lliflp32.exe PID 2804 wrote to memory of 2224 2804 Lijjoe32.exe Lliflp32.exe PID 2804 wrote to memory of 2224 2804 Lijjoe32.exe Lliflp32.exe PID 2224 wrote to memory of 2196 2224 Lliflp32.exe Lafndg32.exe PID 2224 wrote to memory of 2196 2224 Lliflp32.exe Lafndg32.exe PID 2224 wrote to memory of 2196 2224 Lliflp32.exe Lafndg32.exe PID 2224 wrote to memory of 2196 2224 Lliflp32.exe Lafndg32.exe PID 2196 wrote to memory of 2236 2196 Lafndg32.exe Llkbap32.exe PID 2196 wrote to memory of 2236 2196 Lafndg32.exe Llkbap32.exe PID 2196 wrote to memory of 2236 2196 Lafndg32.exe Llkbap32.exe PID 2196 wrote to memory of 2236 2196 Lafndg32.exe Llkbap32.exe PID 2236 wrote to memory of 536 2236 Llkbap32.exe Lojomkdn.exe PID 2236 wrote to memory of 536 2236 Llkbap32.exe Lojomkdn.exe PID 2236 wrote to memory of 536 2236 Llkbap32.exe Lojomkdn.exe PID 2236 wrote to memory of 536 2236 Llkbap32.exe Lojomkdn.exe PID 536 wrote to memory of 2232 536 Lojomkdn.exe Ldfgebbe.exe PID 536 wrote to memory of 2232 536 Lojomkdn.exe Ldfgebbe.exe PID 536 wrote to memory of 2232 536 Lojomkdn.exe Ldfgebbe.exe PID 536 wrote to memory of 2232 536 Lojomkdn.exe Ldfgebbe.exe PID 2232 wrote to memory of 848 2232 Ldfgebbe.exe Lollckbk.exe PID 2232 wrote to memory of 848 2232 Ldfgebbe.exe Lollckbk.exe PID 2232 wrote to memory of 848 2232 Ldfgebbe.exe Lollckbk.exe PID 2232 wrote to memory of 848 2232 Ldfgebbe.exe Lollckbk.exe PID 848 wrote to memory of 2292 848 Lollckbk.exe Lefdpe32.exe PID 848 wrote to memory of 2292 848 Lollckbk.exe Lefdpe32.exe PID 848 wrote to memory of 2292 848 Lollckbk.exe Lefdpe32.exe PID 848 wrote to memory of 2292 848 Lollckbk.exe Lefdpe32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0cd8f0819d3dbccf2ab1c3649467aa10_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe34⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe35⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe36⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe37⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe38⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe39⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe40⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe41⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe42⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe45⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe47⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe48⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe50⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe52⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe53⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe58⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe60⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe65⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe66⤵PID:1684
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe67⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe69⤵PID:1076
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe70⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe71⤵PID:2056
-
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe72⤵PID:2672
-
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe73⤵PID:2640
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe74⤵PID:2208
-
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe75⤵PID:2968
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe76⤵PID:1920
-
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe78⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe79⤵PID:600
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe80⤵PID:3052
-
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe81⤵PID:2364
-
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe82⤵PID:2624
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe83⤵PID:1384
-
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe84⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe85⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe86⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe87⤵PID:2396
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe88⤵PID:2776
-
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe89⤵PID:2644
-
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe90⤵PID:2420
-
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe91⤵PID:1972
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe92⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe95⤵
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe96⤵PID:2328
-
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe97⤵PID:1320
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe98⤵PID:1868
-
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1856 -
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe101⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe102⤵PID:2736
-
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe103⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe104⤵PID:2944
-
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe105⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe106⤵PID:1652
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe107⤵PID:2844
-
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe108⤵PID:1332
-
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe109⤵PID:2348
-
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe110⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe112⤵PID:1752
-
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe113⤵PID:1992
-
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe114⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe115⤵PID:2876
-
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe117⤵PID:2764
-
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe118⤵PID:1256
-
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe120⤵PID:2104
-
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe121⤵PID:1976
-
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe122⤵PID:2024
-
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe123⤵PID:1876
-
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe125⤵PID:2652
-
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe126⤵PID:1668
-
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe127⤵PID:1028
-
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe129⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe130⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe131⤵PID:1116
-
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe132⤵PID:1712
-
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe133⤵PID:2692
-
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe135⤵PID:1948
-
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe136⤵
- Drops file in System32 directory
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe137⤵PID:2252
-
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe138⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe139⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe140⤵PID:2180
-
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe141⤵PID:2088
-
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe142⤵PID:2112
-
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe143⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe144⤵PID:2520
-
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe145⤵PID:2768
-
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe146⤵PID:2448
-
C:\Windows\SysWOW64\Eccmffjf.exeC:\Windows\system32\Eccmffjf.exe147⤵PID:1536
-
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe148⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe149⤵PID:1104
-
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe150⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe152⤵PID:2144
-
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe153⤵PID:2720
-
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe154⤵PID:2592
-
C:\Windows\SysWOW64\Echfaf32.exeC:\Windows\system32\Echfaf32.exe155⤵PID:812
-
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1072 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe158⤵PID:3008
-
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe159⤵PID:2852
-
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe160⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe161⤵PID:2600
-
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe162⤵PID:2256
-
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe163⤵
- Drops file in System32 directory
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe166⤵PID:3024
-
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe168⤵PID:2488
-
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe169⤵PID:2872
-
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe170⤵PID:1588
-
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe171⤵PID:2752
-
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe172⤵PID:1792
-
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe174⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe175⤵PID:2596
-
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe177⤵
- Drops file in System32 directory
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe178⤵PID:1044
-
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe179⤵PID:1412
-
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe180⤵PID:2536
-
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe182⤵PID:704
-
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe183⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe184⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe185⤵PID:2928
-
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe186⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:640 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe188⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3108 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe189⤵PID:3148
-
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe190⤵
- Modifies registry class
PID:3188 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe191⤵
- Drops file in System32 directory
PID:3228 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe192⤵PID:3268
-
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe193⤵PID:3308
-
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe194⤵PID:3348
-
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe195⤵PID:3388
-
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe196⤵PID:3428
-
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe197⤵
- Drops file in System32 directory
PID:3468 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe198⤵PID:3508
-
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3548 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe200⤵
- Drops file in System32 directory
PID:3588 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe201⤵
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3668 -
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe203⤵
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe204⤵PID:3748
-
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe205⤵
- Drops file in System32 directory
PID:3788 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe206⤵PID:3828
-
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe207⤵
- Drops file in System32 directory
PID:3868 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe208⤵
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe209⤵PID:3948
-
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe210⤵PID:3988
-
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe211⤵PID:4032
-
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe212⤵PID:4072
-
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe213⤵PID:3084
-
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe214⤵PID:3120
-
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe215⤵PID:3176
-
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe216⤵PID:3212
-
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe217⤵
- Drops file in System32 directory
PID:3288 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3320 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe219⤵PID:3396
-
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe220⤵
- Drops file in System32 directory
PID:3424 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3480 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe222⤵PID:3520
-
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe223⤵PID:3572
-
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe224⤵PID:3604
-
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe225⤵PID:3676
-
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe226⤵
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe227⤵PID:3772
-
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe228⤵PID:3820
-
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe229⤵
- Drops file in System32 directory
PID:3876 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe230⤵PID:3924
-
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe231⤵PID:3972
-
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe232⤵PID:4016
-
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe233⤵PID:4080
-
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe234⤵
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe235⤵PID:3164
-
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe236⤵PID:3220
-
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3304 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe238⤵PID:3340
-
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe239⤵PID:3400
-
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe240⤵PID:3476
-
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe241⤵PID:3536
-
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe242⤵PID:3584