Analysis
max time kernel: 143s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 23:49

Behavioral task: behavioral1
Sample: 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe
Size: 768KB
MD5: 0dd87d8aee8b37dc0d1bd09d7605f990
SHA1: 90cc63d53118872c73bef171e16531826be95a6c
SHA256: 0e3908e225c65c98f968633275f36f27d80bfa506d1240c199577d2b8c6537a8
SHA512: 848ad6638c640444e7e39d01f86d7f074bb94d3200c3f7da39ed77283383c61bbec19387073f186b9eb6f779f3a867dcf4da1aa82a817726944bea96cdfa9f86
SSDEEP: 12288:PWmv46IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGJ:PWZq5h3q5htaSHFaZRBEYyqmaf2qwiHP
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Jejhecaj.exe, Ngnbgplj.exe, Aaobdjof.exe, Doehqead.exe, Enhacojl.exe, Dbpodagk.exe, Dchali32.exe, Ebpkce32.exe, Kngfih32.exe, Oqmmpd32.exe, Adnopfoj.exe, Dcadac32.exe, Chcqpmep.exe, Djnpnc32.exe, Ihankokm.exe, Bblogakg.exe, Kmmcjehm.exe, Pjadmnic.exe, Qlkdkd32.exe, Hkpnhgge.exe, Idfbkq32.exe, Kgbggnhc.exe, Miooigfo.exe, Onmdoioa.exe, Emhlfmgj.exe, Fjgoce32.exe, Ghoegl32.exe, Amfcikek.exe, Blbfjg32.exe, Dcenlceh.exe, Ebjglbml.exe, Jbjochdi.exe, Lafndg32.exe, Pkpagq32.exe, Icpigm32.exe, Kaceodek.exe, Nefpnhlc.exe, Obafnlpn.exe, Bfadgq32.exe, Pijbfj32.exe, Dgmglh32.exe, Fdapak32.exe, Cnobnmpl.exe, Efaibbij.exe, Aplifb32.exe, Anafhopc.exe, Eqijej32.exe, Eihfjo32.exe, Lkncmmle.exe, Qimhoi32.exe, Oddpfc32.exe, Aoepcn32.exe, Cklmgb32.exe, Ebgacddo.exe, Mihiih32.exe, Ghfbqn32.exe, Kaklpcoc.exe, Lhpfqama.exe, Maoajf32.exe, Mmfbogcn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jejhecaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngnbgplj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aaobdjof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doehqead.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enhacojl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbpodagk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dchali32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebpkce32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kngfih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqmmpd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adnopfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcadac32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chcqpmep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djnpnc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihankokm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bblogakg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmmcjehm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjadmnic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlkdkd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkpnhgge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idfbkq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgbggnhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Miooigfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onmdoioa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emhlfmgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjgoce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghoegl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amfcikek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blbfjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adnopfoj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcenlceh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcenlceh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebjglbml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbjochdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lafndg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkpagq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icpigm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kaceodek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nefpnhlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obafnlpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfadgq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pijbfj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgmglh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdapak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnobnmpl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efaibbij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aplifb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anafhopc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eqijej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eihfjo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkncmmle.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qimhoi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oddpfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aoepcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cklmgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebgacddo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjgoce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mihiih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghfbqn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kaklpcoc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhpfqama.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Maoajf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmfbogcn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngnbgplj.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
\Windows\SysWOW64\Pijbfj32.exe | family_berbew
\Windows\SysWOW64\Qaefjm32.exe | family_berbew
C:\Windows\SysWOW64\Ahakmf32.exe | family_berbew
C:\Windows\SysWOW64\Amndem32.exe | family_berbew
\Windows\SysWOW64\Aajpelhl.exe | family_berbew
C:\Windows\SysWOW64\Abpfhcje.exe | family_berbew
C:\Windows\SysWOW64\Aenbdoii.exe | family_berbew
C:\Windows\SysWOW64\Bagpopmj.exe | family_berbew
C:\Windows\SysWOW64\Bkodhe32.exe | family_berbew
C:\Windows\SysWOW64\Bhahlj32.exe | family_berbew
C:\Windows\SysWOW64\Bdooajdc.exe | family_berbew
C:\Windows\SysWOW64\Ckignd32.exe | family_berbew
\Windows\SysWOW64\Cngcjo32.exe | family_berbew
C:\Windows\SysWOW64\Chcqpmep.exe | family_berbew
C:\Windows\SysWOW64\Cfgaiaci.exe | family_berbew
C:\Windows\SysWOW64\Ckdjbh32.exe | family_berbew
C:\Windows\SysWOW64\Djnpnc32.exe | family_berbew
C:\Windows\SysWOW64\Djpmccqq.exe | family_berbew
C:\Windows\SysWOW64\Dfgmhd32.exe | family_berbew
C:\Windows\SysWOW64\Djbiicon.exe | family_berbew
C:\Windows\SysWOW64\Eihfjo32.exe | family_berbew
C:\Windows\SysWOW64\Ejgcdb32.exe | family_berbew
C:\Windows\SysWOW64\Eijcpoac.exe | family_berbew
C:\Windows\SysWOW64\Ebbgid32.exe | family_berbew
C:\Windows\SysWOW64\Ekklaj32.exe | family_berbew
C:\Windows\SysWOW64\Enihne32.exe | family_berbew
C:\Windows\SysWOW64\Eloemi32.exe | family_berbew
C:\Windows\SysWOW64\Ejbfhfaj.exe | family_berbew
C:\Windows\SysWOW64\Fmcoja32.exe | family_berbew
C:\Windows\SysWOW64\Fnbkddem.exe | family_berbew
C:\Windows\SysWOW64\Fpdhklkl.exe | family_berbew
C:\Windows\SysWOW64\Facdeo32.exe | family_berbew
C:\Windows\SysWOW64\Fbdqmghm.exe | family_berbew
C:\Windows\SysWOW64\Fjlhneio.exe | family_berbew
C:\Windows\SysWOW64\Fphafl32.exe | family_berbew
C:\Windows\SysWOW64\Fioija32.exe | family_berbew
C:\Windows\SysWOW64\Gbijhg32.exe | family_berbew
C:\Windows\SysWOW64\Glaoalkh.exe | family_berbew
C:\Windows\SysWOW64\Gopkmhjk.exe | family_berbew
C:\Windows\SysWOW64\Gejcjbah.exe | family_berbew
C:\Windows\SysWOW64\Gaqcoc32.exe | family_berbew
C:\Windows\SysWOW64\Ghkllmoi.exe | family_berbew
C:\Windows\SysWOW64\Goddhg32.exe | family_berbew
C:\Windows\SysWOW64\Geolea32.exe | family_berbew
C:\Windows\SysWOW64\Ggpimica.exe | family_berbew
C:\Windows\SysWOW64\Gphmeo32.exe | family_berbew
C:\Windows\SysWOW64\Hgbebiao.exe | family_berbew
C:\Windows\SysWOW64\Ghoegl32.exe | family_berbew
C:\Windows\SysWOW64\Hmlnoc32.exe | family_berbew
C:\Windows\SysWOW64\Hpkjko32.exe | family_berbew
C:\Windows\SysWOW64\Hcifgjgc.exe | family_berbew
C:\Windows\SysWOW64\Hkpnhgge.exe | family_berbew
C:\Windows\SysWOW64\Hnagjbdf.exe | family_berbew
C:\Windows\SysWOW64\Hpocfncj.exe | family_berbew
C:\Windows\SysWOW64\Hgilchkf.exe | family_berbew
C:\Windows\SysWOW64\Hcplhi32.exe | family_berbew
C:\Windows\SysWOW64\Hjjddchg.exe | family_berbew
C:\Windows\SysWOW64\Henidd32.exe | family_berbew
C:\Windows\SysWOW64\Ihoafpmp.exe | family_berbew
C:\Windows\SysWOW64\Ioijbj32.exe | family_berbew
C:\Windows\SysWOW64\Inljnfkg.exe | family_berbew
C:\Windows\SysWOW64\Idfbkq32.exe | family_berbew
C:\Windows\SysWOW64\Ihankokm.exe | family_berbew
C:\Windows\SysWOW64\Igdogl32.exe | family_berbew
Executes dropped EXE (64 IoCs)
pid | process
2944 | Pijbfj32.exe
2476 | Qaefjm32.exe
2452 | Ahakmf32.exe
2640 | Amndem32.exe
2380 | Aajpelhl.exe
2840 | Apajlhka.exe
2628 | Abpfhcje.exe
2728 | Aenbdoii.exe
2880 | Bagpopmj.exe
320 | Bhahlj32.exe
2516 | Bkodhe32.exe
2892 | Bkfjhd32.exe
1920 | Bpcbqk32.exe
480 | Bdooajdc.exe
1404 | Ckignd32.exe
2276 | Cngcjo32.exe
684 | Ccfhhffh.exe
2508 | Cfeddafl.exe
1460 | Cjpqdp32.exe
1832 | Chcqpmep.exe
912 | Clomqk32.exe
2292 | Comimg32.exe
2084 | Cciemedf.exe
1940 | Cfgaiaci.exe
2824 | Chemfl32.exe
2764 | Ckdjbh32.exe
2072 | Dbpodagk.exe
2556 | Dhjgal32.exe
3040 | Dgmglh32.exe
2384 | Dngoibmo.exe
2768 | Ddagfm32.exe
3064 | Dgodbh32.exe
2336 | Djnpnc32.exe
2692 | Dgaqgh32.exe
1768 | Djpmccqq.exe
2388 | Dmoipopd.exe
2652 | Dqjepm32.exe
1600 | Dchali32.exe
2024 | Dfgmhd32.exe
360 | Djbiicon.exe
1568 | Dmafennb.exe
916 | Eihfjo32.exe
2100 | Eqonkmdh.exe
1692 | Ecmkghcl.exe
1660 | Ebpkce32.exe
1956 | Ejgcdb32.exe
1952 | Eijcpoac.exe
2156 | Epdkli32.exe
2984 | Ecpgmhai.exe
1524 | Ebbgid32.exe
1564 | Emhlfmgj.exe
2464 | Ekklaj32.exe
2548 | Enihne32.exe
2428 | Eecqjpee.exe
2372 | Egamfkdh.exe
2852 | Enkece32.exe
2448 | Ebgacddo.exe
288 | Eeempocb.exe
2008 | Eiaiqn32.exe
908 | Eloemi32.exe
2280 | Ejbfhfaj.exe
448 | Fhffaj32.exe
2952 | Fjdbnf32.exe
1540 | Fnpnndgp.exe
Loads dropped DLL (64 IoCs)
pid | process (each pid/process pair is listed twice in the original report)
2896 | 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe
2944 | Pijbfj32.exe
2476 | Qaefjm32.exe
2452 | Ahakmf32.exe
2640 | Amndem32.exe
2380 | Aajpelhl.exe
2840 | Apajlhka.exe
2628 | Abpfhcje.exe
2728 | Aenbdoii.exe
2880 | Bagpopmj.exe
320 | Bhahlj32.exe
2516 | Bkodhe32.exe
2892 | Bkfjhd32.exe
1920 | Bpcbqk32.exe
480 | Bdooajdc.exe
1404 | Ckignd32.exe
2276 | Cngcjo32.exe
684 | Ccfhhffh.exe
2508 | Cfeddafl.exe
1460 | Cjpqdp32.exe
1832 | Chcqpmep.exe
912 | Clomqk32.exe
2292 | Comimg32.exe
2084 | Cciemedf.exe
1940 | Cfgaiaci.exe
2824 | Chemfl32.exe
2764 | Ckdjbh32.exe
2072 | Dbpodagk.exe
2556 | Dhjgal32.exe
3040 | Dgmglh32.exe
2384 | Dngoibmo.exe
2768 | Ddagfm32.exe
Drops file in System32 directory (64 IoCs)
Processes: Dgmglh32.exe, Mmfbogcn.exe, Dknekeef.exe, 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe, Jfekcg32.exe, Kmmcjehm.exe, Lbeknj32.exe, Dpeekh32.exe, Eeempocb.exe, Hpkjko32.exe, Hnagjbdf.exe, Igkdgk32.exe, Anccmo32.exe, Hmlnoc32.exe, Fjlhneio.exe, Idhopq32.exe, Mgimmm32.exe, Pklhlael.exe, Faagpp32.exe, Oopnlacm.exe, Obojhlbq.exe, Dfoqmo32.exe, Ilknfn32.exe, Glaoalkh.exe, Gaqcoc32.exe, Ihankokm.exe, Jjjacf32.exe, Miooigfo.exe, Aipddi32.exe, Dogefd32.exe, Gbijhg32.exe, Egjpkffe.exe, Fhkpmjln.exe, Icpigm32.exe, Jcgogk32.exe, Onmdoioa.exe, Inngcfid.exe, Kaaijdgn.exe, Lafndg32.exe, Mpigfa32.exe, Pmdjdh32.exe, Bkodhe32.exe, Dgaqgh32.exe, Bemgilhh.exe, Ahakmf32.exe, Globlmmj.exe, Cpkbdiqb.exe, Fjilieka.exe, Iqalka32.exe, Namqci32.exe, Echfaf32.exe, Ihdkao32.exe, Fnbkddem.exe, Fdapak32.exe, Jbjochdi.exe, Mkeimlfm.exe, Pfjbgnme.exe, Cfeddafl.exe, Fpdhklkl.exe, Bhndldcn.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Dngoibmo.exe | Dgmglh32.exe
File created | C:\Windows\SysWOW64\Mimbdhhb.exe | Mmfbogcn.exe
File created | C:\Windows\SysWOW64\Dojald32.exe | Dknekeef.exe
File created | C:\Windows\SysWOW64\Pijbfj32.exe | 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Jehkodcm.exe | Jfekcg32.exe
File opened for modification | C:\Windows\SysWOW64\Kpkofpgq.exe | Kmmcjehm.exe
File created | C:\Windows\SysWOW64\Lahkigca.exe | Lbeknj32.exe
File created | C:\Windows\SysWOW64\Jchafg32.dll | Dpeekh32.exe
File created | C:\Windows\SysWOW64\Eiaiqn32.exe | Eeempocb.exe
File opened for modification | C:\Windows\SysWOW64\Hcifgjgc.exe | Hpkjko32.exe
File created | C:\Windows\SysWOW64\Hciofb32.dll | Hnagjbdf.exe
File created | C:\Windows\SysWOW64\Jjjacf32.exe | Igkdgk32.exe
File created | C:\Windows\SysWOW64\Jneohcll.dll | Anccmo32.exe
File created | C:\Windows\SysWOW64\Codpklfq.dll | Hmlnoc32.exe
File created | C:\Windows\SysWOW64\Ghqknigk.dll | Fjlhneio.exe
File created | C:\Windows\SysWOW64\Iknqdmpf.dll | Idhopq32.exe
File created | C:\Windows\SysWOW64\Mkeimlfm.exe | Mgimmm32.exe
File created | C:\Windows\SysWOW64\Pbqpqcoj.dll | Pklhlael.exe
File created | C:\Windows\SysWOW64\Bccnbmal.dll | Faagpp32.exe
File opened for modification | C:\Windows\SysWOW64\Obojhlbq.exe | Oopnlacm.exe
File opened for modification | C:\Windows\SysWOW64\Ofjfhk32.exe | Obojhlbq.exe
File created | C:\Windows\SysWOW64\Amfcikek.exe | Anccmo32.exe
File opened for modification | C:\Windows\SysWOW64\Dpeekh32.exe | Dfoqmo32.exe
File created | C:\Windows\SysWOW64\Dgnijonn.dll | Ilknfn32.exe
File opened for modification | C:\Windows\SysWOW64\Gopkmhjk.exe | Glaoalkh.exe
File created | C:\Windows\SysWOW64\Ghkllmoi.exe | Gaqcoc32.exe
File opened for modification | C:\Windows\SysWOW64\Igdogl32.exe | Ihankokm.exe
File opened for modification | C:\Windows\SysWOW64\Jgnamk32.exe | Jjjacf32.exe
File opened for modification | C:\Windows\SysWOW64\Mhbped32.exe | Miooigfo.exe
File created | C:\Windows\SysWOW64\Alnqqd32.exe | Aipddi32.exe
File created | C:\Windows\SysWOW64\Iifjjk32.dll | Dogefd32.exe
File created | C:\Windows\SysWOW64\Hghmjpap.dll | Gbijhg32.exe
File created | C:\Windows\SysWOW64\Olfeho32.dll | Egjpkffe.exe
File opened for modification | C:\Windows\SysWOW64\Fjilieka.exe | Fhkpmjln.exe
File created | C:\Windows\SysWOW64\Djmccf32.dll | Icpigm32.exe
File created | C:\Windows\SysWOW64\Abqjpn32.dll | Jcgogk32.exe
File opened for modification | C:\Windows\SysWOW64\Olpdjf32.exe | Onmdoioa.exe
File opened for modification | C:\Windows\SysWOW64\Alnqqd32.exe | Aipddi32.exe
File created | C:\Windows\SysWOW64\Cbolpc32.dll | Dgmglh32.exe
File opened for modification | C:\Windows\SysWOW64\Idhopq32.exe | Inngcfid.exe
File created | C:\Windows\SysWOW64\Nqphdm32.dll | Kaaijdgn.exe
File opened for modification | C:\Windows\SysWOW64\Leajdfnm.exe | Lafndg32.exe
File created | C:\Windows\SysWOW64\Fkeemhpn.dll | Mpigfa32.exe
File created | C:\Windows\SysWOW64\Eeoffcnl.dll | Pmdjdh32.exe
File opened for modification | C:\Windows\SysWOW64\Bkfjhd32.exe | Bkodhe32.exe
File created | C:\Windows\SysWOW64\Djpmccqq.exe | Dgaqgh32.exe
File opened for modification | C:\Windows\SysWOW64\Biicik32.exe | Bemgilhh.exe
File opened for modification | C:\Windows\SysWOW64\Amndem32.exe | Ahakmf32.exe
File opened for modification | C:\Windows\SysWOW64\Gpknlk32.exe | Globlmmj.exe
File opened for modification | C:\Windows\SysWOW64\Cgejac32.exe | Cpkbdiqb.exe
File created | C:\Windows\SysWOW64\Jkamkfgh.dll | Fjilieka.exe
File created | C:\Windows\SysWOW64\Icpigm32.exe | Iqalka32.exe
File opened for modification | C:\Windows\SysWOW64\Mimbdhhb.exe | Mmfbogcn.exe
File created | C:\Windows\SysWOW64\Aonghnnp.dll | Namqci32.exe
File opened for modification | C:\Windows\SysWOW64\Ebjglbml.exe | Echfaf32.exe
File created | C:\Windows\SysWOW64\Nhnijp32.dll | Ihdkao32.exe
File created | C:\Windows\SysWOW64\Lgahch32.dll | Fnbkddem.exe
File created | C:\Windows\SysWOW64\Clphjpmh.dll | Fdapak32.exe
File created | C:\Windows\SysWOW64\Jfekcg32.exe | Jbjochdi.exe
File created | C:\Windows\SysWOW64\Mbcjffka.dll | Mkeimlfm.exe
File created | C:\Windows\SysWOW64\Pjenhm32.exe | Pfjbgnme.exe
File opened for modification | C:\Windows\SysWOW64\Cjpqdp32.exe | Cfeddafl.exe
File opened for modification | C:\Windows\SysWOW64\Fhkpmjln.exe | Fpdhklkl.exe
File created | C:\Windows\SysWOW64\Ilcbjpbn.dll | Bhndldcn.exe
Program crash (1 IoC)
pid | pid_target | process | target process
4816 | 4780 | WerFault.exe | Fkckeh32.exe
Modifies registry class (64 IoCs)
Processes: Aenbdoii.exe, Mimbdhhb.exe, Ndkmpe32.exe, Ooeggp32.exe, Bkodhe32.exe, Gobgcg32.exe, Henidd32.exe, Jjjacf32.exe, Blgpef32.exe, Dpeekh32.exe, Bagpopmj.exe, Eloemi32.exe, Hgbebiao.exe, Ofmbnkhg.exe, Okikfagn.exe, Cnobnmpl.exe, Ejgcdb32.exe, Jcgogk32.exe, Mbpnanch.exe, Nnhkcj32.exe, Ocnfbo32.exe, Qfahhm32.exe, Djhphncm.exe, Nkgbbo32.exe, Ngnbgplj.exe, Afohaa32.exe, Bpgljfbl.exe, Clilkfnb.exe, Cpkbdiqb.exe, Ejobhppq.exe, Eplkpgnh.exe, Dgaqgh32.exe, Inngcfid.exe, Oddpfc32.exe, Qlkdkd32.exe, Edkcojga.exe, Hpocfncj.exe, Ihoafpmp.exe, Lbcnhjnj.exe, Cafecmlj.exe, Ajjcbpdd.exe, Mkclhl32.exe, Dfgmhd32.exe, Ioijbj32.exe, Ncgdbmmp.exe, Cfgaiaci.exe, Mgljbm32.exe, Obojhlbq.exe, Pjadmnic.exe, Apajlhka.exe, Cngcjo32.exe, Ejbfhfaj.exe, Fhkpmjln.exe, Hpapln32.exe, Ofjfhk32.exe, Ckafbbph.exe, Clomqk32.exe, Eihfjo32.exe, Ebbgid32.exe, Kjcpii32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdalhhc.dll" | Aenbdoii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mimbdhhb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndkmpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ooeggp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bkodhe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gobgcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Henidd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgiaak32.dll" | Jjjacf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blgpef32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpeekh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bagpopmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" | Eloemi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hgbebiao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofmbnkhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Okikfagn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll" | Cnobnmpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" | Ejgcdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqjpn32.dll" | Jcgogk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbpnanch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnbefhd.dll" | Nnhkcj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocnfbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qfahhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djhphncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkgbbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" | Ngnbgplj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ofmbnkhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afohaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgkoe32.dll" | Bpgljfbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Clilkfnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjlnm32.dll" | Cpkbdiqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll" | Ejobhppq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eplkpgnh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgaqgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Inngcfid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oddpfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qlkdkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll" | Edkcojga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" | Hpocfncj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ihoafpmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepgqikf.dll" | Inngcfid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbcnhjnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll" | Cafecmlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajjcbpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkclhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll" | Mimbdhhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfgmhd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ioijbj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncgdbmmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cfgaiaci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfgmhd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mgljbm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obojhlbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjadmnic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknmbn32.dll" | Apajlhka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cngcjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejbfhfaj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fhkpmjln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpapln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofjfhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckafbbph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Clomqk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eihfjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebbgid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kjcpii32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe, Pijbfj32.exe, Qaefjm32.exe, Ahakmf32.exe, Amndem32.exe, Aajpelhl.exe, Apajlhka.exe, Abpfhcje.exe, Aenbdoii.exe, Bagpopmj.exe, Bhahlj32.exe, Bkodhe32.exe, Bkfjhd32.exe, Bpcbqk32.exe, Bdooajdc.exe, Ckignd32.exe
description | pid | process | target process
PID 2896 wrote to memory of 2944 | 2896 | 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe | Pijbfj32.exe
PID 2896 wrote to memory of 2944 | 2896 | 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe | Pijbfj32.exe
PID 2896 wrote to memory of 2944 | 2896 | 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe | Pijbfj32.exe
PID 2896 wrote to memory of 2944 | 2896 | 0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe | Pijbfj32.exe
PID 2944 wrote to memory of 2476 | 2944 | Pijbfj32.exe | Qaefjm32.exe
PID 2944 wrote to memory of 2476 | 2944 | Pijbfj32.exe | Qaefjm32.exe
PID 2944 wrote to memory of 2476 | 2944 | Pijbfj32.exe | Qaefjm32.exe
PID 2944 wrote to memory of 2476 | 2944 | Pijbfj32.exe | Qaefjm32.exe
PID 2476 wrote to memory of 2452 | 2476 | Qaefjm32.exe | Ahakmf32.exe
PID 2476 wrote to memory of 2452 | 2476 | Qaefjm32.exe | Ahakmf32.exe
PID 2476 wrote to memory of 2452 | 2476 | Qaefjm32.exe | Ahakmf32.exe
PID 2476 wrote to memory of 2452 | 2476 | Qaefjm32.exe | Ahakmf32.exe
PID 2452 wrote to memory of 2640 | 2452 | Ahakmf32.exe | Amndem32.exe
PID 2452 wrote to memory of 2640 | 2452 | Ahakmf32.exe | Amndem32.exe
PID 2452 wrote to memory of 2640 | 2452 | Ahakmf32.exe | Amndem32.exe
PID 2452 wrote to memory of 2640 | 2452 | Ahakmf32.exe | Amndem32.exe
PID 2640 wrote to memory of 2380 | 2640 | Amndem32.exe | Aajpelhl.exe
PID 2640 wrote to memory of 2380 | 2640 | Amndem32.exe | Aajpelhl.exe
PID 2640 wrote to memory of 2380 | 2640 | Amndem32.exe | Aajpelhl.exe
PID 2640 wrote to memory of 2380 | 2640 | Amndem32.exe | Aajpelhl.exe
PID 2380 wrote to memory of 2840 | 2380 | Aajpelhl.exe | Apajlhka.exe
PID 2380 wrote to memory of 2840 | 2380 | Aajpelhl.exe | Apajlhka.exe
PID 2380 wrote to memory of 2840 | 2380 | Aajpelhl.exe | Apajlhka.exe
PID 2380 wrote to memory of 2840 | 2380 | Aajpelhl.exe | Apajlhka.exe
PID 2840 wrote to memory of 2628 | 2840 | Apajlhka.exe | Abpfhcje.exe
PID 2840 wrote to memory of 2628 | 2840 | Apajlhka.exe | Abpfhcje.exe
PID 2840 wrote to memory of 2628 | 2840 | Apajlhka.exe | Abpfhcje.exe
PID 2840 wrote to memory of 2628 | 2840 | Apajlhka.exe | Abpfhcje.exe
PID 2628 wrote to memory of 2728 | 2628 | Abpfhcje.exe | Aenbdoii.exe
PID 2628 wrote to memory of 2728 | 2628 | Abpfhcje.exe | Aenbdoii.exe
PID 2628 wrote to memory of 2728 | 2628 | Abpfhcje.exe | Aenbdoii.exe
PID 2628 wrote to memory of 2728 | 2628 | Abpfhcje.exe | Aenbdoii.exe
PID 2728 wrote to memory of 2880 | 2728 | Aenbdoii.exe | Bagpopmj.exe
PID 2728 wrote to memory of 2880 | 2728 | Aenbdoii.exe | Bagpopmj.exe
PID 2728 wrote to memory of 2880 | 2728 | Aenbdoii.exe | Bagpopmj.exe
PID 2728 wrote to memory of 2880 | 2728 | Aenbdoii.exe | Bagpopmj.exe
PID 2880 wrote to memory of 320 | 2880 | Bagpopmj.exe | Bhahlj32.exe
PID 2880 wrote to memory of 320 | 2880 | Bagpopmj.exe | Bhahlj32.exe
PID 2880 wrote to memory of 320 | 2880 | Bagpopmj.exe | Bhahlj32.exe
PID 2880 wrote to memory of 320 | 2880 | Bagpopmj.exe | Bhahlj32.exe
PID 320 wrote to memory of 2516 | 320 | Bhahlj32.exe | Bkodhe32.exe
PID 320 wrote to memory of 2516 | 320 | Bhahlj32.exe | Bkodhe32.exe
PID 320 wrote to memory of 2516 | 320 | Bhahlj32.exe | Bkodhe32.exe
PID 320 wrote to memory of 2516 | 320 | Bhahlj32.exe | Bkodhe32.exe
PID 2516 wrote to memory of 2892 | 2516 | Bkodhe32.exe | Bkfjhd32.exe
PID 2516 wrote to memory of 2892 | 2516 | Bkodhe32.exe | Bkfjhd32.exe
PID 2516 wrote to memory of 2892 | 2516 | Bkodhe32.exe | Bkfjhd32.exe
PID 2516 wrote to memory of 2892 | 2516 | Bkodhe32.exe | Bkfjhd32.exe
PID 2892 wrote to memory of 1920 | 2892 | Bkfjhd32.exe | Bpcbqk32.exe
PID 2892 wrote to memory of 1920 | 2892 | Bkfjhd32.exe | Bpcbqk32.exe
PID 2892 wrote to memory of 1920 | 2892 | Bkfjhd32.exe | Bpcbqk32.exe
PID 2892 wrote to memory of 1920 | 2892 | Bkfjhd32.exe | Bpcbqk32.exe
PID 1920 wrote to memory of 480 | 1920 | Bpcbqk32.exe | Bdooajdc.exe
PID 1920 wrote to memory of 480 | 1920 | Bpcbqk32.exe | Bdooajdc.exe
PID 1920 wrote to memory of 480 | 1920 | Bpcbqk32.exe | Bdooajdc.exe
PID 1920 wrote to memory of 480 | 1920 | Bpcbqk32.exe | Bdooajdc.exe
PID 480 wrote to memory of 1404 | 480 | Bdooajdc.exe | Ckignd32.exe
PID 480 wrote to memory of 1404 | 480 | Bdooajdc.exe | Ckignd32.exe
PID 480 wrote to memory of 1404 | 480 | Bdooajdc.exe | Ckignd32.exe
PID 480 wrote to memory of 1404 | 480 | Bdooajdc.exe | Ckignd32.exe
PID 1404 wrote to memory of 2276 | 1404 | Ckignd32.exe | Cngcjo32.exe
PID 1404 wrote to memory of 2276 | 1404 | Ckignd32.exe | Cngcjo32.exe
PID 1404 wrote to memory of 2276 | 1404 | Ckignd32.exe | Cngcjo32.exe
PID 1404 wrote to memory of 2276 | 1404 | Ckignd32.exe | Cngcjo32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0dd87d8aee8b37dc0d1bd09d7605f990_NeikiAnalytics.exe"; level 1; PID 2896)
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pijbfj32.exe (command line: C:\Windows\system32\Pijbfj32.exe; level 2; PID 2944)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Qaefjm32.exe (command line: C:\Windows\system32\Qaefjm32.exe; level 3; PID 2476)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ahakmf32.exe (command line: C:\Windows\system32\Ahakmf32.exe; level 4; PID 2452)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Amndem32.exe (command line: C:\Windows\system32\Amndem32.exe; level 5; PID 2640)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aajpelhl.exe (command line: C:\Windows\system32\Aajpelhl.exe; level 6; PID 2380)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Apajlhka.exe (command line: C:\Windows\system32\Apajlhka.exe; level 7; PID 2840)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Abpfhcje.exe (command line: C:\Windows\system32\Abpfhcje.exe; level 8; PID 2628)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aenbdoii.exe (command line: C:\Windows\system32\Aenbdoii.exe; level 9; PID 2728)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bagpopmj.exe (command line: C:\Windows\system32\Bagpopmj.exe; level 10; PID 2880)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bhahlj32.exe (command line: C:\Windows\system32\Bhahlj32.exe; level 11; PID 320)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bkodhe32.exe (command line: C:\Windows\system32\Bkodhe32.exe; level 12; PID 2516)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bkfjhd32.exe (command line: C:\Windows\system32\Bkfjhd32.exe; level 13; PID 2892)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bpcbqk32.exe (command line: C:\Windows\system32\Bpcbqk32.exe; level 14; PID 1920)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bdooajdc.exe (command line: C:\Windows\system32\Bdooajdc.exe; level 15; PID 480)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ckignd32.exe (command line: C:\Windows\system32\Ckignd32.exe; level 16; PID 1404)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cngcjo32.exe (command line: C:\Windows\system32\Cngcjo32.exe; level 17; PID 2276)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Ccfhhffh.exe (command line: C:\Windows\system32\Ccfhhffh.exe; level 18; PID 684)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Cfeddafl.exe (command line: C:\Windows\system32\Cfeddafl.exe; level 19; PID 2508)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Cjpqdp32.exe (command line: C:\Windows\system32\Cjpqdp32.exe; level 20; PID 1460)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Chcqpmep.exe (command line: C:\Windows\system32\Chcqpmep.exe; level 21; PID 1832)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Clomqk32.exe (command line: C:\Windows\system32\Clomqk32.exe; level 22; PID 912)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Comimg32.exe (command line: C:\Windows\system32\Comimg32.exe; level 23; PID 2292)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Cciemedf.exe (command line: C:\Windows\system32\Cciemedf.exe; level 24; PID 2084)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Cfgaiaci.exe (command line: C:\Windows\system32\Cfgaiaci.exe; level 25; PID 1940)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Chemfl32.exe (command line: C:\Windows\system32\Chemfl32.exe; level 26; PID 2824)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ckdjbh32.exe (command line: C:\Windows\system32\Ckdjbh32.exe; level 27; PID 2764)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dbpodagk.exe (command line: C:\Windows\system32\Dbpodagk.exe; level 28; PID 2072)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dhjgal32.exe (command line: C:\Windows\system32\Dhjgal32.exe; level 29; PID 2556)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dgmglh32.exe (command line: C:\Windows\system32\Dgmglh32.exe; level 30; PID 3040)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Dngoibmo.exe (command line: C:\Windows\system32\Dngoibmo.exe; level 31; PID 2384)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ddagfm32.exe (command line: C:\Windows\system32\Ddagfm32.exe; level 32; PID 2768)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dgodbh32.exe (command line: C:\Windows\system32\Dgodbh32.exe; level 33; PID 3064)
- Executes dropped EXE
C:\Windows\SysWOW64\Djnpnc32.exe (command line: C:\Windows\system32\Djnpnc32.exe; level 34; PID 2336)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Dgaqgh32.exe (command line: C:\Windows\system32\Dgaqgh32.exe; level 35; PID 2692)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Djpmccqq.exe (command line: C:\Windows\system32\Djpmccqq.exe; level 36; PID 1768)
- Executes dropped EXE
C:\Windows\SysWOW64\Dmoipopd.exe (command line: C:\Windows\system32\Dmoipopd.exe; level 37; PID 2388)
- Executes dropped EXE
C:\Windows\SysWOW64\Dqjepm32.exe (command line: C:\Windows\system32\Dqjepm32.exe; level 38; PID 2652)
- Executes dropped EXE
C:\Windows\SysWOW64\Dchali32.exe (command line: C:\Windows\system32\Dchali32.exe; level 39; PID 1600)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Dfgmhd32.exe (command line: C:\Windows\system32\Dfgmhd32.exe; level 40; PID 2024)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Djbiicon.exe (command line: C:\Windows\system32\Djbiicon.exe; level 41; PID 360)
- Executes dropped EXE
C:\Windows\SysWOW64\Dmafennb.exe (command line: C:\Windows\system32\Dmafennb.exe; level 42; PID 1568)
- Executes dropped EXE
C:\Windows\SysWOW64\Eihfjo32.exe (command line: C:\Windows\system32\Eihfjo32.exe; level 43; PID 916)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Eqonkmdh.exe (command line: C:\Windows\system32\Eqonkmdh.exe; level 44; PID 2100)
- Executes dropped EXE
C:\Windows\SysWOW64\Ecmkghcl.exe (command line: C:\Windows\system32\Ecmkghcl.exe; level 45; PID 1692)
- Executes dropped EXE
C:\Windows\SysWOW64\Ebpkce32.exe (command line: C:\Windows\system32\Ebpkce32.exe; level 46; PID 1660)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Ejgcdb32.exe (command line: C:\Windows\system32\Ejgcdb32.exe; level 47; PID 1956)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Eijcpoac.exe (command line: C:\Windows\system32\Eijcpoac.exe; level 48; PID 1952)
- Executes dropped EXE
C:\Windows\SysWOW64\Epdkli32.exe (command line: C:\Windows\system32\Epdkli32.exe; level 49; PID 2156)
- Executes dropped EXE
C:\Windows\SysWOW64\Ecpgmhai.exe (command line: C:\Windows\system32\Ecpgmhai.exe; level 50; PID 2984)
- Executes dropped EXE
C:\Windows\SysWOW64\Ebbgid32.exe (command line: C:\Windows\system32\Ebbgid32.exe; level 51; PID 1524)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Emhlfmgj.exe (command line: C:\Windows\system32\Emhlfmgj.exe; level 52; PID 1564)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Ekklaj32.exe (command line: C:\Windows\system32\Ekklaj32.exe; level 53; PID 2464)
- Executes dropped EXE
C:\Windows\SysWOW64\Enihne32.exe (command line: C:\Windows\system32\Enihne32.exe; level 54; PID 2548)
- Executes dropped EXE
C:\Windows\SysWOW64\Eecqjpee.exe (command line: C:\Windows\system32\Eecqjpee.exe; level 55; PID 2428)
- Executes dropped EXE
C:\Windows\SysWOW64\Egamfkdh.exe (command line: C:\Windows\system32\Egamfkdh.exe; level 56; PID 2372)
- Executes dropped EXE
C:\Windows\SysWOW64\Enkece32.exe (command line: C:\Windows\system32\Enkece32.exe; level 57; PID 2852)
- Executes dropped EXE
C:\Windows\SysWOW64\Ebgacddo.exe (command line: C:\Windows\system32\Ebgacddo.exe; level 58; PID 2448)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Eeempocb.exe (command line: C:\Windows\system32\Eeempocb.exe; level 59; PID 288)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Eiaiqn32.exe (command line: C:\Windows\system32\Eiaiqn32.exe; level 60; PID 2008)
- Executes dropped EXE
C:\Windows\SysWOW64\Eloemi32.exe (command line: C:\Windows\system32\Eloemi32.exe; level 61; PID 908)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ejbfhfaj.exe (command line: C:\Windows\system32\Ejbfhfaj.exe; level 62; PID 2280)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Fhffaj32.exe (command line: C:\Windows\system32\Fhffaj32.exe; level 63; PID 448)
- Executes dropped EXE
C:\Windows\SysWOW64\Fjdbnf32.exe (command line: C:\Windows\system32\Fjdbnf32.exe; level 64; PID 2952)
- Executes dropped EXE
C:\Windows\SysWOW64\Fnpnndgp.exe (command line: C:\Windows\system32\Fnpnndgp.exe; level 65; PID 1540)
- Executes dropped EXE
C:\Windows\SysWOW64\Fmcoja32.exe (command line: C:\Windows\system32\Fmcoja32.exe; level 66; PID 2684)
C:\Windows\SysWOW64\Fjgoce32.exe (command line: C:\Windows\system32\Fjgoce32.exe; level 67; PID 2284)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Fnbkddem.exe (command line: C:\Windows\system32\Fnbkddem.exe; level 68; PID 2124)
- Drops file in System32 directory
C:\Windows\SysWOW64\Faagpp32.exe (command line: C:\Windows\system32\Faagpp32.exe; level 69; PID 2016)
- Drops file in System32 directory
C:\Windows\SysWOW64\Fpdhklkl.exe (command line: C:\Windows\system32\Fpdhklkl.exe; level 70; PID 1684)
- Drops file in System32 directory
C:\Windows\SysWOW64\Fhkpmjln.exe (command line: C:\Windows\system32\Fhkpmjln.exe; level 71; PID 584)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Fjilieka.exe (command line: C:\Windows\system32\Fjilieka.exe; level 72; PID 2868)
- Drops file in System32 directory
C:\Windows\SysWOW64\Facdeo32.exe (command line: C:\Windows\system32\Facdeo32.exe; level 73; PID 2948)
C:\Windows\SysWOW64\Fdapak32.exe (command line: C:\Windows\system32\Fdapak32.exe; level 74; PID 992)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Fbdqmghm.exe (command line: C:\Windows\system32\Fbdqmghm.exe; level 75; PID 832)
C:\Windows\SysWOW64\Fjlhneio.exe (command line: C:\Windows\system32\Fjlhneio.exe; level 76; PID 1624)
- Drops file in System32 directory
C:\Windows\SysWOW64\Fioija32.exe (command line: C:\Windows\system32\Fioija32.exe; level 77; PID 1752)
C:\Windows\SysWOW64\Fphafl32.exe (command line: C:\Windows\system32\Fphafl32.exe; level 78; PID 596)
C:\Windows\SysWOW64\Ffbicfoc.exe (command line: C:\Windows\system32\Ffbicfoc.exe; level 79; PID 2316)
C:\Windows\SysWOW64\Globlmmj.exe (command line: C:\Windows\system32\Globlmmj.exe; level 80; PID 1928)
- Drops file in System32 directory
C:\Windows\SysWOW64\Gpknlk32.exe (command line: C:\Windows\system32\Gpknlk32.exe; level 81; PID 528)
C:\Windows\SysWOW64\Gbijhg32.exe (command line: C:\Windows\system32\Gbijhg32.exe; level 82; PID 2332)
- Drops file in System32 directory
C:\Windows\SysWOW64\Gfefiemq.exe (command line: C:\Windows\system32\Gfefiemq.exe; level 83; PID 1244)
C:\Windows\SysWOW64\Gegfdb32.exe (command line: C:\Windows\system32\Gegfdb32.exe; level 84; PID 1576)
C:\Windows\SysWOW64\Ghfbqn32.exe (command line: C:\Windows\system32\Ghfbqn32.exe; level 85; PID 1528)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Glaoalkh.exe (command line: C:\Windows\system32\Glaoalkh.exe; level 86; PID 2584)
- Drops file in System32 directory
C:\Windows\SysWOW64\Gopkmhjk.exe (command line: C:\Windows\system32\Gopkmhjk.exe; level 87; PID 2264)
C:\Windows\SysWOW64\Gejcjbah.exe (command line: C:\Windows\system32\Gejcjbah.exe; level 88; PID 1976)
C:\Windows\SysWOW64\Gobgcg32.exe (command line: C:\Windows\system32\Gobgcg32.exe; level 89; PID 1348)
- Modifies registry class
C:\Windows\SysWOW64\Gaqcoc32.exe (command line: C:\Windows\system32\Gaqcoc32.exe; level 90; PID 2376)
- Drops file in System32 directory
C:\Windows\SysWOW64\Ghkllmoi.exe (command line: C:\Windows\system32\Ghkllmoi.exe; level 91; PID 336)
C:\Windows\SysWOW64\Goddhg32.exe (command line: C:\Windows\system32\Goddhg32.exe; level 92; PID 776)
C:\Windows\SysWOW64\Geolea32.exe (command line: C:\Windows\system32\Geolea32.exe; level 93; PID 1700)
C:\Windows\SysWOW64\Ggpimica.exe (command line: C:\Windows\system32\Ggpimica.exe; level 94; PID 1672)
C:\Windows\SysWOW64\Gogangdc.exe (command line: C:\Windows\system32\Gogangdc.exe; level 95; PID 272)
C:\Windows\SysWOW64\Gphmeo32.exe (command line: C:\Windows\system32\Gphmeo32.exe; level 96; PID 856)
C:\Windows\SysWOW64\Ghoegl32.exe (command line: C:\Windows\system32\Ghoegl32.exe; level 97; PID 1680)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Hgbebiao.exe (command line: C:\Windows\system32\Hgbebiao.exe; level 98; PID 2408)
- Modifies registry class
C:\Windows\SysWOW64\Hmlnoc32.exe (command line: C:\Windows\system32\Hmlnoc32.exe; level 99; PID 2256)
- Drops file in System32 directory
C:\Windows\SysWOW64\Hpkjko32.exe (command line: C:\Windows\system32\Hpkjko32.exe; level 100; PID 2916)
- Drops file in System32 directory
C:\Windows\SysWOW64\Hcifgjgc.exe (command line: C:\Windows\system32\Hcifgjgc.exe; level 101; PID 1628)
C:\Windows\SysWOW64\Hkpnhgge.exe (command line: C:\Windows\system32\Hkpnhgge.exe; level 102; PID 2500)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Hlakpp32.exe (command line: C:\Windows\system32\Hlakpp32.exe; level 103; PID 2536)
C:\Windows\SysWOW64\Hnagjbdf.exe (command line: C:\Windows\system32\Hnagjbdf.exe; level 104; PID 268)
- Drops file in System32 directory
C:\Windows\SysWOW64\Hpocfncj.exe (command line: C:\Windows\system32\Hpocfncj.exe; level 105; PID 2092)
- Modifies registry class
C:\Windows\SysWOW64\Hgilchkf.exe (command line: C:\Windows\system32\Hgilchkf.exe; level 106; PID 1764)
C:\Windows\SysWOW64\Hpapln32.exe (command line: C:\Windows\system32\Hpapln32.exe; level 107; PID 704)
- Modifies registry class
C:\Windows\SysWOW64\Hcplhi32.exe (command line: C:\Windows\system32\Hcplhi32.exe; level 108; PID 1428)
C:\Windows\SysWOW64\Henidd32.exe (command line: C:\Windows\system32\Henidd32.exe; level 109; PID 2004)
- Modifies registry class
C:\Windows\SysWOW64\Hjjddchg.exe (command line: C:\Windows\system32\Hjjddchg.exe; level 110; PID 2940)
C:\Windows\SysWOW64\Ihoafpmp.exe (command line: C:\Windows\system32\Ihoafpmp.exe; level 111; PID 768)
- Modifies registry class
C:\Windows\SysWOW64\Ilknfn32.exe (command line: C:\Windows\system32\Ilknfn32.exe; level 112; PID 1620)
- Drops file in System32 directory
C:\Windows\SysWOW64\Ioijbj32.exe (command line: C:\Windows\system32\Ioijbj32.exe; level 113; PID 2760)
- Modifies registry class
C:\Windows\SysWOW64\Inljnfkg.exe (command line: C:\Windows\system32\Inljnfkg.exe; level 114; PID 2872)
C:\Windows\SysWOW64\Ifcbodli.exe (command line: C:\Windows\system32\Ifcbodli.exe; level 115; PID 2744)
C:\Windows\SysWOW64\Idfbkq32.exe (command line: C:\Windows\system32\Idfbkq32.exe; level 116; PID 2444)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ihankokm.exe (command line: C:\Windows\system32\Ihankokm.exe; level 117; PID 576)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Igdogl32.exe (command line: C:\Windows\system32\Igdogl32.exe; level 118; PID 1104)
C:\Windows\SysWOW64\Inngcfid.exe (command line: C:\Windows\system32\Inngcfid.exe; level 119; PID 2192)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Idhopq32.exe (command line: C:\Windows\system32\Idhopq32.exe; level 120; PID 2832)
- Drops file in System32 directory
C:\Windows\SysWOW64\Ihdkao32.exe (command line: C:\Windows\system32\Ihdkao32.exe; level 121; PID 876)
- Drops file in System32 directory
C:\Windows\SysWOW64\Iggkllpe.exe (command line: C:\Windows\system32\Iggkllpe.exe; level 122; PID 2148)
C:\Windows\SysWOW64\Ijeghgoh.exe (command line: C:\Windows\system32\Ijeghgoh.exe; level 123; PID 1504)
C:\Windows\SysWOW64\Iqopea32.exe (command line: C:\Windows\system32\Iqopea32.exe; level 124; PID 1876)
C:\Windows\SysWOW64\Icmlam32.exe (command line: C:\Windows\system32\Icmlam32.exe; level 125; PID 2924)
C:\Windows\SysWOW64\Igihbknb.exe (command line: C:\Windows\system32\Igihbknb.exe; level 126; PID 1464)
C:\Windows\SysWOW64\Ijgdngmf.exe (command line: C:\Windows\system32\Ijgdngmf.exe; level 127; PID 1248)
C:\Windows\SysWOW64\Incpoe32.exe (command line: C:\Windows\system32\Incpoe32.exe; level 128; PID 1364)
C:\Windows\SysWOW64\Iqalka32.exe (command line: C:\Windows\system32\Iqalka32.exe; level 129; PID 700)
- Drops file in System32 directory
C:\Windows\SysWOW64\Icpigm32.exe (command line: C:\Windows\system32\Icpigm32.exe; level 130; PID 1580)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Igkdgk32.exe (command line: C:\Windows\system32\Igkdgk32.exe; level 131; PID 1836)
- Drops file in System32 directory
C:\Windows\SysWOW64\Jjjacf32.exe (command line: C:\Windows\system32\Jjjacf32.exe; level 132; PID 1432)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Jgnamk32.exe (command line: C:\Windows\system32\Jgnamk32.exe; level 133; PID 2996)
C:\Windows\SysWOW64\Jfqahgpg.exe (command line: C:\Windows\system32\Jfqahgpg.exe; level 134; PID 1948)
C:\Windows\SysWOW64\Jjlnif32.exe (command line: C:\Windows\system32\Jjlnif32.exe; level 135; PID 2352)
C:\Windows\SysWOW64\Jmjjea32.exe (command line: C:\Windows\system32\Jmjjea32.exe; level 136; PID 880)
C:\Windows\SysWOW64\Jokcgmee.exe (command line: C:\Windows\system32\Jokcgmee.exe; level 137; PID 1744)
C:\Windows\SysWOW64\Jcgogk32.exe (command line: C:\Windows\system32\Jcgogk32.exe; level 138; PID 608)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Jbjochdi.exe (command line: C:\Windows\system32\Jbjochdi.exe; level 139; PID 1220)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Jfekcg32.exe (command line: C:\Windows\system32\Jfekcg32.exe; level 140; PID 2520)
- Drops file in System32 directory
C:\Windows\SysWOW64\Jehkodcm.exe (command line: C:\Windows\system32\Jehkodcm.exe; level 141; PID 1536)
C:\Windows\SysWOW64\Jmocpado.exe (command line: C:\Windows\system32\Jmocpado.exe; level 142; PID 1968)
C:\Windows\SysWOW64\Jonplmcb.exe (command line: C:\Windows\system32\Jonplmcb.exe; level 143; PID 2300)
C:\Windows\SysWOW64\Jbllihbf.exe (command line: C:\Windows\system32\Jbllihbf.exe; level 144; PID 980)
C:\Windows\SysWOW64\Jejhecaj.exe (command line: C:\Windows\system32\Jejhecaj.exe; level 145; PID 1268)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Jifdebic.exe (command line: C:\Windows\system32\Jifdebic.exe; level 146; PID 1484)
C:\Windows\SysWOW64\Jgidao32.exe (command line: C:\Windows\system32\Jgidao32.exe; level 147; PID 2220)
C:\Windows\SysWOW64\Jnclnihj.exe (command line: C:\Windows\system32\Jnclnihj.exe; level 148; PID 560)
C:\Windows\SysWOW64\Kaaijdgn.exe (command line: C:\Windows\system32\Kaaijdgn.exe; level 149; PID 2076)
- Drops file in System32 directory
C:\Windows\SysWOW64\Kgkafo32.exe (command line: C:\Windows\system32\Kgkafo32.exe; level 150; PID 1664)
C:\Windows\SysWOW64\Kkgmgmfd.exe (command line: C:\Windows\system32\Kkgmgmfd.exe; level 151; PID 852)
C:\Windows\SysWOW64\Kneicieh.exe (command line: C:\Windows\system32\Kneicieh.exe; level 152; PID 2340)
C:\Windows\SysWOW64\Kaceodek.exe (command line: C:\Windows\system32\Kaceodek.exe; level 153; PID 2120)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Kcbakpdo.exe (command line: C:\Windows\system32\Kcbakpdo.exe; level 154; PID 2456)
C:\Windows\SysWOW64\Kkijmm32.exe (command line: C:\Windows\system32\Kkijmm32.exe; level 155; PID 764)
C:\Windows\SysWOW64\Kngfih32.exe (command line: C:\Windows\system32\Kngfih32.exe; level 156; PID 2748)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Kafbec32.exe (command line: C:\Windows\system32\Kafbec32.exe; level 157; PID 2772)
C:\Windows\SysWOW64\Kcdnao32.exe (command line: C:\Windows\system32\Kcdnao32.exe; level 158; PID 2204)
C:\Windows\SysWOW64\Kgpjanje.exe (command line: C:\Windows\system32\Kgpjanje.exe; level 159; PID 1796)
C:\Windows\SysWOW64\Kjnfniii.exe (command line: C:\Windows\system32\Kjnfniii.exe; level 160; PID 2532)
C:\Windows\SysWOW64\Kmmcjehm.exe (command line: C:\Windows\system32\Kmmcjehm.exe; level 161; PID 2312)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Kpkofpgq.exe (command line: C:\Windows\system32\Kpkofpgq.exe; level 162; PID 2604)
C:\Windows\SysWOW64\Kgbggnhc.exe (command line: C:\Windows\system32\Kgbggnhc.exe; level 163; PID 2436)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Kjqccigf.exe (command line: C:\Windows\system32\Kjqccigf.exe; level 164; PID 2780)
C:\Windows\SysWOW64\Kiccofna.exe (command line: C:\Windows\system32\Kiccofna.exe; level 165; PID 2036)
C:\Windows\SysWOW64\Kaklpcoc.exe (command line: C:\Windows\system32\Kaklpcoc.exe; level 166; PID 1936)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Kblhgk32.exe (command line: C:\Windows\system32\Kblhgk32.exe; level 167; PID 1152)
C:\Windows\SysWOW64\Kfgdhjmk.exe (command line: C:\Windows\system32\Kfgdhjmk.exe; level 168; PID 1548)
C:\Windows\SysWOW64\Kjcpii32.exe (command line: C:\Windows\system32\Kjcpii32.exe; level 169; PID 2600)
- Modifies registry class
C:\Windows\SysWOW64\Lpphap32.exe (command line: C:\Windows\system32\Lpphap32.exe; level 170; PID 836)
C:\Windows\SysWOW64\Lbqabkql.exe (command line: C:\Windows\system32\Lbqabkql.exe; level 171; PID 2480)
C:\Windows\SysWOW64\Leonofpp.exe (command line: C:\Windows\system32\Leonofpp.exe; level 172; PID 2088)
C:\Windows\SysWOW64\Lhmjkaoc.exe (command line: C:\Windows\system32\Lhmjkaoc.exe; level 173; PID 1016)
C:\Windows\SysWOW64\Lliflp32.exe (command line: C:\Windows\system32\Lliflp32.exe; level 174; PID 2612)
C:\Windows\SysWOW64\Logbhl32.exe (command line: C:\Windows\system32\Logbhl32.exe; level 175; PID 2908)
C:\Windows\SysWOW64\Lbcnhjnj.exe (command line: C:\Windows\system32\Lbcnhjnj.exe; level 176; PID 1236)
- Modifies registry class
C:\Windows\SysWOW64\Lafndg32.exe (command line: C:\Windows\system32\Lafndg32.exe; level 177; PID 784)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Leajdfnm.exe (command line: C:\Windows\system32\Leajdfnm.exe; level 178; PID 3068)
C:\Windows\SysWOW64\Lhpfqama.exe (command line: C:\Windows\system32\Lhpfqama.exe; level 179; PID 1740)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Llkbap32.exe (command line: C:\Windows\system32\Llkbap32.exe; level 180; PID 2236)
C:\Windows\SysWOW64\Lkncmmle.exe (command line: C:\Windows\system32\Lkncmmle.exe; level 181; PID 2968)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Lbeknj32.exe (command line: C:\Windows\system32\Lbeknj32.exe; level 182; PID 292)
- Drops file in System32 directory
C:\Windows\SysWOW64\Lahkigca.exe (command line: C:\Windows\system32\Lahkigca.exe; level 183; PID 2616)
C:\Windows\SysWOW64\Ldfgebbe.exe (command line: C:\Windows\system32\Ldfgebbe.exe; level 184; PID 988)
C:\Windows\SysWOW64\Lhbcfa32.exe (command line: C:\Windows\system32\Lhbcfa32.exe; level 185; PID 760)
C:\Windows\SysWOW64\Llnofpcg.exe (command line: C:\Windows\system32\Llnofpcg.exe; level 186; PID 1676)
C:\Windows\SysWOW64\Lkppbl32.exe (command line: C:\Windows\system32\Lkppbl32.exe; level 187; PID 3100)
C:\Windows\SysWOW64\Lmolnh32.exe (command line: C:\Windows\system32\Lmolnh32.exe; level 188; PID 3140)
C:\Windows\SysWOW64\Ldidkbpb.exe (command line: C:\Windows\system32\Ldidkbpb.exe; level 189; PID 3180)
C:\Windows\SysWOW64\Mhdplq32.exe (command line: C:\Windows\system32\Mhdplq32.exe; level 190; PID 3220)
C:\Windows\SysWOW64\Mkclhl32.exe (command line: C:\Windows\system32\Mkclhl32.exe; level 191; PID 3260)
- Modifies registry class
C:\Windows\SysWOW64\Monhhk32.exe (command line: C:\Windows\system32\Monhhk32.exe; level 192; PID 3300)
C:\Windows\SysWOW64\Mdkqqa32.exe (command line: C:\Windows\system32\Mdkqqa32.exe; level 193; PID 3340)
C:\Windows\SysWOW64\Mhgmapfi.exe (command line: C:\Windows\system32\Mhgmapfi.exe; level 194; PID 3380)
C:\Windows\SysWOW64\Mhgmapfi.exe (command line: C:\Windows\system32\Mhgmapfi.exe; level 195; PID 3408)
C:\Windows\SysWOW64\Mgimmm32.exe (command line: C:\Windows\system32\Mgimmm32.exe; level 196; PID 3432)
- Drops file in System32 directory
C:\Windows\SysWOW64\Mkeimlfm.exe (command line: C:\Windows\system32\Mkeimlfm.exe; level 197; PID 3472)
- Drops file in System32 directory
C:\Windows\SysWOW64\Mihiih32.exe (command line: C:\Windows\system32\Mihiih32.exe; level 198; PID 3512)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Maoajf32.exe (command line: C:\Windows\system32\Maoajf32.exe; level 199; PID 3552)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Mpbaebdd.exe (command line: C:\Windows\system32\Mpbaebdd.exe; level 200; PID 3592)
C:\Windows\SysWOW64\Mbpnanch.exe (command line: C:\Windows\system32\Mbpnanch.exe; level 201; PID 3632)
- Modifies registry class
C:\Windows\SysWOW64\Mgljbm32.exe (command line: C:\Windows\system32\Mgljbm32.exe; level 202; PID 3672)
- Modifies registry class
C:\Windows\SysWOW64\Mkgfckcj.exe (command line: C:\Windows\system32\Mkgfckcj.exe; level 203; PID 3712)
C:\Windows\SysWOW64\Mijfnh32.exe (command line: C:\Windows\system32\Mijfnh32.exe; level 204; PID 3752)
C:\Windows\SysWOW64\Mmfbogcn.exe (command line: C:\Windows\system32\Mmfbogcn.exe; level 205; PID 3792)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Mimbdhhb.exe (command line: C:\Windows\system32\Mimbdhhb.exe; level 206; PID 3832)
- Modifies registry class
C:\Windows\SysWOW64\Mpfkqb32.exe (command line: C:\Windows\system32\Mpfkqb32.exe; level 207; PID 3872)
C:\Windows\SysWOW64\Meccii32.exe (command line: C:\Windows\system32\Meccii32.exe; level 208; PID 3912)
C:\Windows\SysWOW64\Miooigfo.exe (command line: C:\Windows\system32\Miooigfo.exe; level 209; PID 3952)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Mhbped32.exe (command line: C:\Windows\system32\Mhbped32.exe; level 210; PID 3992)
C:\Windows\SysWOW64\Mpigfa32.exe (command line: C:\Windows\system32\Mpigfa32.exe; level 211; PID 4032)
- Drops file in System32 directory
C:\Windows\SysWOW64\Ncgdbmmp.exe (command line: C:\Windows\system32\Ncgdbmmp.exe; level 212; PID 4072)
- Modifies registry class
C:\Windows\SysWOW64\Nefpnhlc.exe (command line: C:\Windows\system32\Nefpnhlc.exe; level 213; PID 3092)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Nondgn32.exe (command line: C:\Windows\system32\Nondgn32.exe; level 214; PID 3136)
C:\Windows\SysWOW64\Namqci32.exe (command line: C:\Windows\system32\Namqci32.exe; level 215; PID 3188)
- Drops file in System32 directory
C:\Windows\SysWOW64\Ndkmpe32.exe (command line: C:\Windows\system32\Ndkmpe32.exe; level 216; PID 3248)
- Modifies registry class
C:\Windows\SysWOW64\Ndmjedoi.exe (command line: C:\Windows\system32\Ndmjedoi.exe; level 217; PID 3308)
C:\Windows\SysWOW64\Nhiffc32.exe (command line: C:\Windows\system32\Nhiffc32.exe; level 218; PID 3356)
C:\Windows\SysWOW64\Nglfapnl.exe (command line: C:\Windows\system32\Nglfapnl.exe; level 219; PID 3420)
C:\Windows\SysWOW64\Nkgbbo32.exe (command line: C:\Windows\system32\Nkgbbo32.exe; level 220; PID 3480)
- Modifies registry class
C:\Windows\SysWOW64\Nocnbmoo.exe (command line: C:\Windows\system32\Nocnbmoo.exe; level 221; PID 3524)
C:\Windows\SysWOW64\Naajoinb.exe (command line: C:\Windows\system32\Naajoinb.exe; level 222; PID 3580)
C:\Windows\SysWOW64\Npdjje32.exe (command line: C:\Windows\system32\Npdjje32.exe; level 223; PID 3624)
C:\Windows\SysWOW64\Ngnbgplj.exe (command line: C:\Windows\system32\Ngnbgplj.exe; level 224; PID 3684)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Nnhkcj32.exe (command line: C:\Windows\system32\Nnhkcj32.exe; level 225; PID 3748)
- Modifies registry class
C:\Windows\SysWOW64\Nacgdhlp.exe (command line: C:\Windows\system32\Nacgdhlp.exe; level 226; PID 3776)
C:\Windows\SysWOW64\Ngpolo32.exe (command line: C:\Windows\system32\Ngpolo32.exe; level 227; PID 3828)
C:\Windows\SysWOW64\Ojolhk32.exe (command line: C:\Windows\system32\Ojolhk32.exe; level 228; PID 3860)
C:\Windows\SysWOW64\Oqideepg.exe (command line: C:\Windows\system32\Oqideepg.exe; level 229; PID 3904)
C:\Windows\SysWOW64\Oddpfc32.exe (command line: C:\Windows\system32\Oddpfc32.exe; level 230; PID 3960)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Ofelmloo.exe (command line: C:\Windows\system32\Ofelmloo.exe; level 231; PID 4000)
C:\Windows\SysWOW64\Onmdoioa.exe (command line: C:\Windows\system32\Onmdoioa.exe; level 232; PID 4044)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Olpdjf32.exe (command line: C:\Windows\system32\Olpdjf32.exe; level 233; PID 4084)
C:\Windows\SysWOW64\Ohfeog32.exe (command line: C:\Windows\system32\Ohfeog32.exe; level 234; PID 3132)
C:\Windows\SysWOW64\Ombapedi.exe (command line: C:\Windows\system32\Ombapedi.exe; level 235; PID 3176)
C:\Windows\SysWOW64\Oqmmpd32.exe (command line: C:\Windows\system32\Oqmmpd32.exe; level 236; PID 3272)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Oopnlacm.exe (command line: C:\Windows\system32\Oopnlacm.exe; level 237; PID 3292)
- Drops file in System32 directory
C:\Windows\SysWOW64\Obojhlbq.exe (command line: C:\Windows\system32\Obojhlbq.exe; level 238; PID 892)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Ofjfhk32.exe (command line: C:\Windows\system32\Ofjfhk32.exe; level 239; PID 3428)
- Modifies registry class
C:\Windows\SysWOW64\Ohibdf32.exe (command line: C:\Windows\system32\Ohibdf32.exe; level 240; PID 3488)
C:\Windows\SysWOW64\Omdneebf.exe (command line: C:\Windows\system32\Omdneebf.exe; level 241; PID 3568)
C:\Windows\SysWOW64\Okgnab32.exe (command line: C:\Windows\system32\Okgnab32.exe; level 242; PID 3640)