Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 00:47
Behavioral task: behavioral1
Sample: 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe
Size: 565KB
MD5: 163102364ede906230dcc915f9a2a320
SHA1: e4eb91ad52993a5dbff6f7e58ce1996337db5c23
SHA256: decfb0f3e04afd480d68d483d2bfdc450cabde7b8e2ce15044519cbd03ad0c6e
SHA512: 47b15ad3a18025506afb5b4caf85004a3a1772be1538eac0ca28ef0ce7e76ab46c8107acaa2e17cb5e3f7fb4f88b9b4a41856f9927e38c99d2c622520f099176
SSDEEP: 12288:ikWA55HtntuFjAh//+zrWAIAqWim/+zrWAI5KF8OX:i7E51tuFjAh/mvFimm09OX
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
3984  3964        WerFault.exe  Nlhgoqhh.exe
-
Modifies registry class (64 IoCs)
Processes:
Lapnnafn.exeNajdnj32.exeGldkfl32.exeLfjqnjkh.exeAmfcikek.exeGlgaok32.exeOfmbnkhg.exeKpjhkjde.exeLmikibio.exeMponel32.exeJnmlhchd.exeJbjochdi.exeMcegmm32.exeApimacnn.exeBaakhm32.exeMhloponc.exeBekkcljk.exeDcknbh32.exeNoqamn32.exeNaoniipe.exePnomcl32.exeCgejac32.exeLpdbloof.exeFaokjpfd.exeCclkfdnc.exeIpjoplgo.exeCahail32.exeOnjgiiad.exeLpbefoai.exeCafecmlj.exeBlbfjg32.exeLeimip32.exeLgjfkk32.exeNodgel32.exeNkbhgojk.exeMdmmfa32.exeOnmdoioa.exeDndlim32.exeKbdklf32.exeLphhenhc.exeNkpegi32.exeHgilchkf.exeJoifam32.exeEmnndlod.exeHlngpjlj.exeJqlhdo32.exeEiomkn32.exeLabkdack.exeKmjfdejp.exeGepehphc.exeLlcefjgf.exeMeijhc32.exeHlakpp32.exeIdklfpon.exeModkfi32.exeLlnofpcg.exeAbjebn32.exeAaobdjof.exeHhehek32.exeHmbpmapf.exeClilkfnb.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lapnnafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfeoma.dll" Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahqdihi.dll" Amfcikek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glgaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 
Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll" Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mponel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll" Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddpkh32.dll" Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcknbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbgbe32.dll" Pnomcl32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpdbloof.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" Faokjpfd.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cclkfdnc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipjoplgo.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll" Cclkfdnc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cahail32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghniakc.dll" Onjgiiad.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpbefoai.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cafecmlj.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blbfjg32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimckbco.dll" Leimip32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgjfkk32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" Nodgel32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkbhgojk.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdmmfa32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkaippf.dll" Onmdoioa.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dndlim32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbdklf32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll" Lphhenhc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkpegi32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgilchkf.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqjpn32.dll" Joifam32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Emnndlod.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlngpjlj.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jqlhdo32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" Eiomkn32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Labkdack.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmjfdejp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gepehphc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll" Kpjhkjde.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llcefjgf.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meijhc32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hlakpp32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idklfpon.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Modkfi32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llnofpcg.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abjebn32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaobdjof.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blbfjg32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmlko32.dll" Hhehek32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmbpmapf.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clilkfnb.exe
-
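The two registry signatures (the ShellServiceObjectDelayLoad entries at the top of the report and the InProcServer32 registrations listed here) describe one persistence chain: an SSODL value named "Web Event Logger" points at CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and successive stages re-point that CLSID's InProcServer32 default value at whichever DLL they have just dropped into SysWow64, so Explorer.exe loads the current DLL at startup. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses rows in the report's flattened format, joins SSODL entries to their InProcServer32 servers, and reports the resolved DLLs together with how many distinct DLLs and writer processes touched the CLSID. SAMPLE_ROWS is copied from this report (one row per line for readability); BASELINE_DLLS is an assumption and is left empty, so every resolved DLL is reported.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence from the flattened
registry rows of a sandbox report: SSODL value -> CLSID -> InProcServer32 DLL.

Added example, not part of the report. SAMPLE_ROWS copies rows from the report's
autorun and registry-class tables; BASELINE_DLLS is an assumption.
"""
import re
from collections import defaultdict

# Row shapes handled (value names may contain spaces, e.g. "Web Event Logger",
# so the path is matched lazily up to ' = "data"' or the trailing writer):
#   Set value (str) <path> = "<data>" <writer.exe>
#   Key created <path> <writer.exe>
ROW_RE = re.compile(
    r'(?P<op>Set value \(str\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<proc>\S+\.exe)(?=\s|$)'
)
SSODL_KEY = "\\ShellServiceObjectDelayLoad\\"
# The default value of ...\CLSID\{...}\InProcServer32\ names the COM server DLL.
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\\$")

SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaobdjof.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhehek32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cclkfdnc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbgbe32.dll" Pnomcl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll" Cclkfdnc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmlko32.dll" Hhehek32.exe
"""

# ASSUMPTION: lower-case file names of SSODL servers known good on the host image.
BASELINE_DLLS = frozenset()


def parse_rows(text):
    """Split flattened report text into registry rows."""
    rows = []
    for m in ROW_RE.finditer(text):
        data = m.group("data")
        if data is not None:
            data = data.replace("\\\\", "\\")  # the report escapes backslashes
        rows.append({"op": m.group("op"), "path": m.group("path"),
                     "data": data, "proc": m.group("proc")})
    return rows


def resolve_ssodl(rows):
    """Return (ssodl, inproc): SSODL value name -> {clsid, writers}, and
    CLSID -> [(dll_path, writer)] in report order."""
    ssodl, inproc = {}, defaultdict(list)
    for r in rows:
        if r["op"] != "Set value (str)":
            continue
        if SSODL_KEY in r["path"]:
            name = r["path"].rsplit("\\", 1)[1]
            entry = ssodl.setdefault(name, {"clsid": r["data"].upper(), "writers": []})
            entry["writers"].append(r["proc"])
            continue
        m = INPROC_RE.search(r["path"])
        if m:
            inproc[m.group(1).upper()].append((r["data"], r["proc"]))
    return ssodl, inproc


def assess(ssodl, inproc, baseline=BASELINE_DLLS):
    """One finding per SSODL entry and DLL outside the baseline. The churn
    counts show how many different DLLs and writers touched the CLSID; in
    this report every stage re-registers its own freshly dropped DLL."""
    findings = []
    for name, e in ssodl.items():
        servers = inproc.get(e["clsid"], [])
        distinct_dlls = {p.lower() for p, _ in servers}
        writers = {w for _, w in servers}
        for dll_path, writer in servers:
            if dll_path.rsplit("\\", 1)[-1].lower() in baseline:
                continue
            findings.append({"ssodl": name, "clsid": e["clsid"], "dll": dll_path,
                             "set_by": writer, "dll_churn": len(distinct_dlls),
                             "writer_churn": len(writers)})
    return findings


if __name__ == "__main__":
    for f in assess(*resolve_ssodl(parse_rows(SAMPLE_ROWS))):
        print(f)
```

On a live host the same join is done against HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKLM\SOFTWARE\Classes\Wow6432Node\CLSID; any SSODL CLSID whose InProcServer32 is a DLL that is not in the baseline, or that has been repointed repeatedly, is worth pulling.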
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe, Cpeofk32.exe, Cgbdhd32.exe, Chemfl32.exe, Cobbhfhg.exe, Dgodbh32.exe, Dnlidb32.exe, Dcknbh32.exe, Eijcpoac.exe, Epfhbign.exe, Eiomkn32.exe, Faokjpfd.exe, Fnbkddem.exe, Flmefm32.exe, Gicbeald.exe, Gldkfl32.exe
Each spawn is recorded as four identical WriteProcessMemory events; the count is given in parentheses (16 spawns, 64 events).
description | pid | process | target process
- PID 2100 wrote to memory of 2124 (4 events) | 2100 | 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe | Cpeofk32.exe
- PID 2124 wrote to memory of 2340 (4 events) | 2124 | Cpeofk32.exe | Cgbdhd32.exe
- PID 2340 wrote to memory of 2732 (4 events) | 2340 | Cgbdhd32.exe | Chemfl32.exe
- PID 2732 wrote to memory of 3036 (4 events) | 2732 | Chemfl32.exe | Cobbhfhg.exe
- PID 3036 wrote to memory of 2212 (4 events) | 3036 | Cobbhfhg.exe | Dgodbh32.exe
- PID 2212 wrote to memory of 2540 (4 events) | 2212 | Dgodbh32.exe | Dnlidb32.exe
- PID 2540 wrote to memory of 1524 (4 events) | 2540 | Dnlidb32.exe | Dcknbh32.exe
- PID 1524 wrote to memory of 2780 (4 events) | 1524 | Dcknbh32.exe | Eijcpoac.exe
- PID 2780 wrote to memory of 2308 (4 events) | 2780 | Eijcpoac.exe | Epfhbign.exe
- PID 2308 wrote to memory of 1976 (4 events) | 2308 | Epfhbign.exe | Eiomkn32.exe
- PID 1976 wrote to memory of 1256 (4 events) | 1976 | Eiomkn32.exe | Faokjpfd.exe
- PID 1256 wrote to memory of 1056 (4 events) | 1256 | Faokjpfd.exe | Fnbkddem.exe
- PID 1056 wrote to memory of 2244 (4 events) | 1056 | Fnbkddem.exe | Flmefm32.exe
- PID 2244 wrote to memory of 2800 (4 events) | 2244 | Flmefm32.exe | Gicbeald.exe
- PID 2800 wrote to memory of 2476 (4 events) | 2800 | Gicbeald.exe | Gldkfl32.exe
- PID 2476 wrote to memory of 1000 (4 events) | 2476 | Gldkfl32.exe | Gelppaof.exe
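The WriteProcessMemory table above is the only place in the report where parent and child PIDs appear side by side, and each spawn is recorded four times, so the raw rows are awkward to read. It also stops at 64 events (16 spawns), at Gldkfl32.exe writing to Gelppaof.exe, while the process tree that follows runs on for more than two hundred stages. The Python below is an added example, not part of the report: it parses rows in that format, collapses identical events into one edge with a count, finds the root, and walks the lineage, refusing to guess when a process has more than one child. SAMPLE_EVENTS copies the first three hops of this report's table, one row per line. In the tree that follows, each stage's image sits under C:\Windows\SysWOW64 while its command line names C:\Windows\system32: the 32-bit parent launches the system32 path and WOW64 file-system redirection resolves it to SysWOW64.

```python
"""Rebuild a process lineage from a sandbox report's 'Suspicious use of
WriteProcessMemory' rows and collapse the repeated events.

Added example, not part of the report. SAMPLE_EVENTS copies the first three
hops of the report's table; each spawn appears there as four identical rows.
"""
import re
from collections import Counter, defaultdict

# Row shape: "PID <src> wrote to memory of <dst> <src> <src.exe> <dst.exe>".
# The backreference checks the pid column agrees with the description column.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+\.exe) (?P<dst_img>\S+\.exe)"
)

SAMPLE_EVENTS = """
PID 2100 wrote to memory of 2124 2100 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe Cpeofk32.exe
PID 2100 wrote to memory of 2124 2100 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe Cpeofk32.exe
PID 2100 wrote to memory of 2124 2100 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe Cpeofk32.exe
PID 2100 wrote to memory of 2124 2100 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe Cpeofk32.exe
PID 2124 wrote to memory of 2340 2124 Cpeofk32.exe Cgbdhd32.exe
PID 2124 wrote to memory of 2340 2124 Cpeofk32.exe Cgbdhd32.exe
PID 2124 wrote to memory of 2340 2124 Cpeofk32.exe Cgbdhd32.exe
PID 2124 wrote to memory of 2340 2124 Cpeofk32.exe Cgbdhd32.exe
PID 2340 wrote to memory of 2732 2340 Cgbdhd32.exe Chemfl32.exe
PID 2340 wrote to memory of 2732 2340 Cgbdhd32.exe Chemfl32.exe
PID 2340 wrote to memory of 2732 2340 Cgbdhd32.exe Chemfl32.exe
PID 2340 wrote to memory of 2732 2340 Cgbdhd32.exe Chemfl32.exe
"""


def parse_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per event, in order."""
    return [(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
            for m in WPM_RE.finditer(text)]


def collapse(events):
    """Identical rows are separate events in the report; keep one edge plus a count."""
    return Counter(events)


def find_roots(events):
    """PIDs that write to other processes but are never written to."""
    srcs = {e[0] for e in events}
    dsts = {e[1] for e in events}
    return sorted(srcs - dsts)


def build_lineage(events, root):
    """Follow the single child of each process starting at root. This report
    is a straight chain (one child per stage); a tree with several children
    raises so the caller knows to walk it as a tree instead of a chain."""
    children, image = defaultdict(set), {}
    for src, dst, src_img, dst_img in events:
        children[src].add(dst)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    chain, pid, seen = [], root, set()
    while pid is not None:
        if pid in seen:
            raise ValueError(f"cycle at pid {pid}")
        seen.add(pid)
        chain.append((pid, image.get(pid, "<unknown>")))
        kids = children.get(pid, set())
        if len(kids) > 1:
            raise ValueError(f"pid {pid} spawned several children: {sorted(kids)}")
        pid = next(iter(kids)) if kids else None
    return chain


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for edge, n in collapse(events).items():
        print(f"{edge[2]} ({edge[0]}) -> {edge[3]} ({edge[1]}): {n} writes")
    for root in find_roots(events):
        print(" -> ".join(f"{img}[{pid}]" for pid, img in build_lineage(events, root)))
```

Fed the full 64-row table, the same walk yields the 17-process chain from PID 2100 to PID 1000; the tree section below continues it past that point.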
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
2. C:\Windows\SysWOW64\Cpeofk32.exe (command line: C:\Windows\system32\Cpeofk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2124 -
3. C:\Windows\SysWOW64\Cgbdhd32.exe (command line: C:\Windows\system32\Cgbdhd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
4. C:\Windows\SysWOW64\Chemfl32.exe (command line: C:\Windows\system32\Chemfl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
5. C:\Windows\SysWOW64\Cobbhfhg.exe (command line: C:\Windows\system32\Cobbhfhg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
6. C:\Windows\SysWOW64\Dgodbh32.exe (command line: C:\Windows\system32\Dgodbh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
7. C:\Windows\SysWOW64\Dnlidb32.exe (command line: C:\Windows\system32\Dnlidb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2540 -
8. C:\Windows\SysWOW64\Dcknbh32.exe (command line: C:\Windows\system32\Dcknbh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1524 -
9. C:\Windows\SysWOW64\Eijcpoac.exe (command line: C:\Windows\system32\Eijcpoac.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
10. C:\Windows\SysWOW64\Epfhbign.exe (command line: C:\Windows\system32\Epfhbign.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
11. C:\Windows\SysWOW64\Eiomkn32.exe (command line: C:\Windows\system32\Eiomkn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
12. C:\Windows\SysWOW64\Faokjpfd.exe (command line: C:\Windows\system32\Faokjpfd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256 -
13. C:\Windows\SysWOW64\Fnbkddem.exe (command line: C:\Windows\system32\Fnbkddem.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1056 -
14. C:\Windows\SysWOW64\Flmefm32.exe (command line: C:\Windows\system32\Flmefm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
15. C:\Windows\SysWOW64\Gicbeald.exe (command line: C:\Windows\system32\Gicbeald.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
16. C:\Windows\SysWOW64\Gldkfl32.exe (command line: C:\Windows\system32\Gldkfl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
17. C:\Windows\SysWOW64\Gelppaof.exe (command line: C:\Windows\system32\Gelppaof.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
18. C:\Windows\SysWOW64\Gddifnbk.exe (command line: C:\Windows\system32\Gddifnbk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1788 -
19. C:\Windows\SysWOW64\Hmlnoc32.exe (command line: C:\Windows\system32\Hmlnoc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:304 -
20. C:\Windows\SysWOW64\Hicodd32.exe (command line: C:\Windows\system32\Hicodd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
21. C:\Windows\SysWOW64\Hlakpp32.exe (command line: C:\Windows\system32\Hlakpp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1336 -
22. C:\Windows\SysWOW64\Hobcak32.exe (command line: C:\Windows\system32\Hobcak32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
23. C:\Windows\SysWOW64\Hgilchkf.exe (command line: C:\Windows\system32\Hgilchkf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:612 -
24. C:\Windows\SysWOW64\Hpapln32.exe (command line: C:\Windows\system32\Hpapln32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436 -
25. C:\Windows\SysWOW64\Hkkalk32.exe (command line: C:\Windows\system32\Hkkalk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
26. C:\Windows\SysWOW64\Iknnbklc.exe (command line: C:\Windows\system32\Iknnbklc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:888 -
27. C:\Windows\SysWOW64\Ifcbodli.exe (command line: C:\Windows\system32\Ifcbodli.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
28. C:\Windows\SysWOW64\Iokfhi32.exe (command line: C:\Windows\system32\Iokfhi32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
29. C:\Windows\SysWOW64\Iblpjdpk.exe (command line: C:\Windows\system32\Iblpjdpk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
30. C:\Windows\SysWOW64\Idklfpon.exe (command line: C:\Windows\system32\Idklfpon.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2716 -
31. C:\Windows\SysWOW64\Idmhkpml.exe (command line: C:\Windows\system32\Idmhkpml.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
32. C:\Windows\SysWOW64\Icpigm32.exe (command line: C:\Windows\system32\Icpigm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
33. C:\Windows\SysWOW64\Jmhmpb32.exe (command line: C:\Windows\system32\Jmhmpb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
34. C:\Windows\SysWOW64\Jqdipqbp.exe (command line: C:\Windows\system32\Jqdipqbp.exe)
- Executes dropped EXE
PID:2548 -
35. C:\Windows\SysWOW64\Joifam32.exe (command line: C:\Windows\system32\Joifam32.exe)
- Executes dropped EXE
- Modifies registry class
PID:1924 -
36. C:\Windows\SysWOW64\Jbjochdi.exe (command line: C:\Windows\system32\Jbjochdi.exe)
- Executes dropped EXE
- Modifies registry class
PID:2820 -
37. C:\Windows\SysWOW64\Jehkodcm.exe (command line: C:\Windows\system32\Jehkodcm.exe)
- Executes dropped EXE
PID:2036 -
38. C:\Windows\SysWOW64\Jnclnihj.exe (command line: C:\Windows\system32\Jnclnihj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
39. C:\Windows\SysWOW64\Kihqkagp.exe (command line: C:\Windows\system32\Kihqkagp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2304 -
40. C:\Windows\SysWOW64\Kkijmm32.exe (command line: C:\Windows\system32\Kkijmm32.exe)
- Executes dropped EXE
PID:2592 -
41. C:\Windows\SysWOW64\Kmjfdejp.exe (command line: C:\Windows\system32\Kmjfdejp.exe)
- Executes dropped EXE
- Modifies registry class
PID:1744 -
42. C:\Windows\SysWOW64\Knjbnh32.exe (command line: C:\Windows\system32\Knjbnh32.exe)
- Executes dropped EXE
PID:2276 -
43. C:\Windows\SysWOW64\Kfegbj32.exe (command line: C:\Windows\system32\Kfegbj32.exe)
- Executes dropped EXE
PID:1180 -
44. C:\Windows\SysWOW64\Kaklpcoc.exe (command line: C:\Windows\system32\Kaklpcoc.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:484 -
45. C:\Windows\SysWOW64\Kjcpii32.exe (command line: C:\Windows\system32\Kjcpii32.exe)
- Executes dropped EXE
PID:1480 -
46. C:\Windows\SysWOW64\Lpphap32.exe (command line: C:\Windows\system32\Lpphap32.exe)
- Executes dropped EXE
PID:1088 -
47. C:\Windows\SysWOW64\Lfjqnjkh.exe (command line: C:\Windows\system32\Lfjqnjkh.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1432 -
48. C:\Windows\SysWOW64\Lihmjejl.exe (command line: C:\Windows\system32\Lihmjejl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
49. C:\Windows\SysWOW64\Lpbefoai.exe (command line: C:\Windows\system32\Lpbefoai.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1972 -
50. C:\Windows\SysWOW64\Lflmci32.exe (command line: C:\Windows\system32\Lflmci32.exe)
- Executes dropped EXE
PID:1800 -
51. C:\Windows\SysWOW64\Lpdbloof.exe (command line: C:\Windows\system32\Lpdbloof.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2888 -
52. C:\Windows\SysWOW64\Lbcnhjnj.exe (command line: C:\Windows\system32\Lbcnhjnj.exe)
- Executes dropped EXE
PID:1632 -
53. C:\Windows\SysWOW64\Limfed32.exe (command line: C:\Windows\system32\Limfed32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1492 -
54. C:\Windows\SysWOW64\Lojomkdn.exe (command line: C:\Windows\system32\Lojomkdn.exe)
- Executes dropped EXE
PID:3044 -
55. C:\Windows\SysWOW64\Lecgje32.exe (command line: C:\Windows\system32\Lecgje32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
56. C:\Windows\SysWOW64\Llnofpcg.exe (command line: C:\Windows\system32\Llnofpcg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2648 -
57. C:\Windows\SysWOW64\Lajhofao.exe (command line: C:\Windows\system32\Lajhofao.exe)
- Executes dropped EXE
PID:2720 -
58. C:\Windows\SysWOW64\Ldidkbpb.exe (command line: C:\Windows\system32\Ldidkbpb.exe)
- Executes dropped EXE
PID:2816 -
59. C:\Windows\SysWOW64\Monhhk32.exe (command line: C:\Windows\system32\Monhhk32.exe)
- Executes dropped EXE
PID:2664 -
60. C:\Windows\SysWOW64\Mdkqqa32.exe (command line: C:\Windows\system32\Mdkqqa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1220 -
61. C:\Windows\SysWOW64\Mgimmm32.exe (command line: C:\Windows\system32\Mgimmm32.exe)
- Executes dropped EXE
PID:1908 -
62. C:\Windows\SysWOW64\Mdmmfa32.exe (command line: C:\Windows\system32\Mdmmfa32.exe)
- Executes dropped EXE
- Modifies registry class
PID:1092 -
63. C:\Windows\SysWOW64\Mkgfckcj.exe (command line: C:\Windows\system32\Mkgfckcj.exe)
- Executes dropped EXE
PID:2152 -
64. C:\Windows\SysWOW64\Mpdnkb32.exe (command line: C:\Windows\system32\Mpdnkb32.exe)
- Executes dropped EXE
PID:2584 -
65. C:\Windows\SysWOW64\Mmhodf32.exe (command line: C:\Windows\system32\Mmhodf32.exe)
- Executes dropped EXE
PID:1388 -
66. C:\Windows\SysWOW64\Mlkopcge.exe (command line: C:\Windows\system32\Mlkopcge.exe)
PID:2688
-
67. C:\Windows\SysWOW64\Mcegmm32.exe (command line: C:\Windows\system32\Mcegmm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:764 -
68. C:\Windows\SysWOW64\Miooigfo.exe (command line: C:\Windows\system32\Miooigfo.exe)
PID:640
-
69. C:\Windows\SysWOW64\Mlmlecec.exe (command line: C:\Windows\system32\Mlmlecec.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1564 -
70. C:\Windows\SysWOW64\Najdnj32.exe (command line: C:\Windows\system32\Najdnj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1960 -
71. C:\Windows\SysWOW64\Nhdlkdkg.exe (command line: C:\Windows\system32\Nhdlkdkg.exe)
PID:560
-
72. C:\Windows\SysWOW64\Nkbhgojk.exe (command line: C:\Windows\system32\Nkbhgojk.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2148 -
73. C:\Windows\SysWOW64\Ncjqhmkm.exe (command line: C:\Windows\system32\Ncjqhmkm.exe)
PID:2984
-
74. C:\Windows\SysWOW64\Nehmdhja.exe (command line: C:\Windows\system32\Nehmdhja.exe)
PID:2112
-
75. C:\Windows\SysWOW64\Nhfipcid.exe (command line: C:\Windows\system32\Nhfipcid.exe)
PID:2624
-
76. C:\Windows\SysWOW64\Noqamn32.exe (command line: C:\Windows\system32\Noqamn32.exe)
- Modifies registry class
PID:2744 -
77. C:\Windows\SysWOW64\Naoniipe.exe (command line: C:\Windows\system32\Naoniipe.exe)
- Modifies registry class
PID:2544 -
78. C:\Windows\SysWOW64\Ndmjedoi.exe (command line: C:\Windows\system32\Ndmjedoi.exe)
PID:2572
-
79. C:\Windows\SysWOW64\Nocnbmoo.exe (command line: C:\Windows\system32\Nocnbmoo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
80. C:\Windows\SysWOW64\Nhkbkc32.exe (command line: C:\Windows\system32\Nhkbkc32.exe)
PID:1320
-
81. C:\Windows\SysWOW64\Njlockkm.exe (command line: C:\Windows\system32\Njlockkm.exe)
PID:1444
-
82. C:\Windows\SysWOW64\Nacgdhlp.exe (command line: C:\Windows\system32\Nacgdhlp.exe)
- Drops file in System32 directory
PID:1748 -
83. C:\Windows\SysWOW64\Nceclqan.exe (command line: C:\Windows\system32\Nceclqan.exe)
- Drops file in System32 directory
PID:2284 -
84. C:\Windows\SysWOW64\Ngpolo32.exe (command line: C:\Windows\system32\Ngpolo32.exe)
PID:2172
-
85. C:\Windows\SysWOW64\Onjgiiad.exe (command line: C:\Windows\system32\Onjgiiad.exe)
- Modifies registry class
PID:2456 -
86. C:\Windows\SysWOW64\Oddpfc32.exe (command line: C:\Windows\system32\Oddpfc32.exe)
PID:2116
-
87. C:\Windows\SysWOW64\Ogblbo32.exe (command line: C:\Windows\system32\Ogblbo32.exe)
PID:1932
-
88. C:\Windows\SysWOW64\Onmdoioa.exe (command line: C:\Windows\system32\Onmdoioa.exe)
- Modifies registry class
PID:2296 -
89. C:\Windows\SysWOW64\Ohfeog32.exe (command line: C:\Windows\system32\Ohfeog32.exe)
PID:2032
-
90. C:\Windows\SysWOW64\Oclilp32.exe (command line: C:\Windows\system32\Oclilp32.exe)
PID:2312
-
91. C:\Windows\SysWOW64\Ojfaijcc.exe (command line: C:\Windows\system32\Ojfaijcc.exe)
PID:2692
-
92. C:\Windows\SysWOW64\Omdneebf.exe (command line: C:\Windows\system32\Omdneebf.exe)
PID:2700
-
93. C:\Windows\SysWOW64\Oobjaqaj.exe (command line: C:\Windows\system32\Oobjaqaj.exe)
PID:2504
-
94. C:\Windows\SysWOW64\Ofmbnkhg.exe (command line: C:\Windows\system32\Ofmbnkhg.exe)
- Modifies registry class
PID:2568 -
95. C:\Windows\SysWOW64\Oikojfgk.exe (command line: C:\Windows\system32\Oikojfgk.exe)
PID:1808
-
96. C:\Windows\SysWOW64\Ooeggp32.exe (command line: C:\Windows\system32\Ooeggp32.exe)
PID:2904
-
97. C:\Windows\SysWOW64\Pimkpfeh.exe (command line: C:\Windows\system32\Pimkpfeh.exe)
PID:2428
-
98. C:\Windows\SysWOW64\Pnjdhmdo.exe (command line: C:\Windows\system32\Pnjdhmdo.exe)
PID:772
-
99. C:\Windows\SysWOW64\Pedleg32.exe (command line: C:\Windows\system32\Pedleg32.exe)
PID:544
-
100. C:\Windows\SysWOW64\Pjadmnic.exe (command line: C:\Windows\system32\Pjadmnic.exe)
PID:2256
-
101. C:\Windows\SysWOW64\Pqkmjh32.exe (command line: C:\Windows\system32\Pqkmjh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
102. C:\Windows\SysWOW64\Pgeefbhm.exe (command line: C:\Windows\system32\Pgeefbhm.exe)
PID:2868
-
103. C:\Windows\SysWOW64\Pnomcl32.exe (command line: C:\Windows\system32\Pnomcl32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:588 -
104. C:\Windows\SysWOW64\Peiepfgg.exe (command line: C:\Windows\system32\Peiepfgg.exe)
PID:1108
-
105. C:\Windows\SysWOW64\Pnajilng.exe (command line: C:\Windows\system32\Pnajilng.exe)
PID:1948
-
106. C:\Windows\SysWOW64\Papfegmk.exe (command line: C:\Windows\system32\Papfegmk.exe)
- Drops file in System32 directory
PID:2156 -
107. C:\Windows\SysWOW64\Qmfgjh32.exe (command line: C:\Windows\system32\Qmfgjh32.exe)
- Drops file in System32 directory
PID:3040 -
108. C:\Windows\SysWOW64\Qpecfc32.exe (command line: C:\Windows\system32\Qpecfc32.exe)
PID:3020
-
109. C:\Windows\SysWOW64\Qfokbnip.exe (command line: C:\Windows\system32\Qfokbnip.exe)
- Drops file in System32 directory
PID:2656 -
110. C:\Windows\SysWOW64\Qbelgood.exe (command line: C:\Windows\system32\Qbelgood.exe)
- Drops file in System32 directory
PID:2496 -
111. C:\Windows\SysWOW64\Aipddi32.exe (command line: C:\Windows\system32\Aipddi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2976 -
112. C:\Windows\SysWOW64\Apimacnn.exe (command line: C:\Windows\system32\Apimacnn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1608 -
113. C:\Windows\SysWOW64\Afcenm32.exe (command line: C:\Windows\system32\Afcenm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
114. C:\Windows\SysWOW64\Ahdaee32.exe (command line: C:\Windows\system32\Ahdaee32.exe)
PID:628
-
115. C:\Windows\SysWOW64\Abjebn32.exe (command line: C:\Windows\system32\Abjebn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1900 -
116. C:\Windows\SysWOW64\Ahgnke32.exe (command line: C:\Windows\system32\Ahgnke32.exe)
PID:376
-
117. C:\Windows\SysWOW64\Aaobdjof.exe (command line: C:\Windows\system32\Aaobdjof.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1528 -
118. C:\Windows\SysWOW64\Adnopfoj.exe (command line: C:\Windows\system32\Adnopfoj.exe)
PID:1340
-
119. C:\Windows\SysWOW64\Alegac32.exe (command line: C:\Windows\system32\Alegac32.exe)
PID:912
-
120. C:\Windows\SysWOW64\Amfcikek.exe (command line: C:\Windows\system32\Amfcikek.exe)
- Modifies registry class
PID:2468 -
121. C:\Windows\SysWOW64\Ahlgfdeq.exe (command line: C:\Windows\system32\Ahlgfdeq.exe)
PID:2652
-
122. C:\Windows\SysWOW64\Aoepcn32.exe (command line: C:\Windows\system32\Aoepcn32.exe)
PID:2484
-
123. C:\Windows\SysWOW64\Aadloj32.exe (command line: C:\Windows\system32\Aadloj32.exe)
PID:2472
-
124. C:\Windows\SysWOW64\Bjlqhoba.exe (command line: C:\Windows\system32\Bjlqhoba.exe)
PID:1292
-
125. C:\Windows\SysWOW64\Bioqclil.exe (command line: C:\Windows\system32\Bioqclil.exe)
PID:2424
-
126. C:\Windows\SysWOW64\Bafidiio.exe (command line: C:\Windows\system32\Bafidiio.exe)
PID:448
-
127. C:\Windows\SysWOW64\Bkommo32.exe (command line: C:\Windows\system32\Bkommo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
128. C:\Windows\SysWOW64\Behnnm32.exe (command line: C:\Windows\system32\Behnnm32.exe)
PID:2892
-
129. C:\Windows\SysWOW64\Blbfjg32.exe (command line: C:\Windows\system32\Blbfjg32.exe)
- Modifies registry class
PID:1968 -
130. C:\Windows\SysWOW64\Bekkcljk.exe (command line: C:\Windows\system32\Bekkcljk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
131. C:\Windows\SysWOW64\Bppoqeja.exe (command line: C:\Windows\system32\Bppoqeja.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
132. C:\Windows\SysWOW64\Baakhm32.exe (command line: C:\Windows\system32\Baakhm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2640 -
133. C:\Windows\SysWOW64\Ckjpacfp.exe (command line: C:\Windows\system32\Ckjpacfp.exe)
PID:1316
-
134. C:\Windows\SysWOW64\Clilkfnb.exe (command line: C:\Windows\system32\Clilkfnb.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
135. C:\Windows\SysWOW64\Cafecmlj.exe (command line: C:\Windows\system32\Cafecmlj.exe)
- Modifies registry class
PID:2824 -
136. C:\Windows\SysWOW64\Cgcmlcja.exe (command line: C:\Windows\system32\Cgcmlcja.exe)
PID:2556
-
137. C:\Windows\SysWOW64\Cahail32.exe (command line: C:\Windows\system32\Cahail32.exe)
- Modifies registry class
PID:1912 -
138. C:\Windows\SysWOW64\Cgejac32.exe (command line: C:\Windows\system32\Cgejac32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
139. C:\Windows\SysWOW64\Cnobnmpl.exe (command line: C:\Windows\system32\Cnobnmpl.exe)
- Drops file in System32 directory
PID:1584 -
140. C:\Windows\SysWOW64\Cclkfdnc.exe (command line: C:\Windows\system32\Cclkfdnc.exe)
- Modifies registry class
PID:1644 -
141. C:\Windows\SysWOW64\Cnaocmmi.exe (command line: C:\Windows\system32\Cnaocmmi.exe)
PID:3064
-
142. C:\Windows\SysWOW64\Dgjclbdi.exe (command line: C:\Windows\system32\Dgjclbdi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1708 -
143. C:\Windows\SysWOW64\Dndlim32.exe (command line: C:\Windows\system32\Dndlim32.exe)
- Modifies registry class
PID:2368 -
144. C:\Windows\SysWOW64\Dglpbbbg.exe (command line: C:\Windows\system32\Dglpbbbg.exe)
PID:1684
-
145. C:\Windows\SysWOW64\Djklnnaj.exe (command line: C:\Windows\system32\Djklnnaj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
146. C:\Windows\SysWOW64\Dccagcgk.exe (command line: C:\Windows\system32\Dccagcgk.exe)
PID:2460
-
147. C:\Windows\SysWOW64\Dknekeef.exe (command line: C:\Windows\system32\Dknekeef.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
148. C:\Windows\SysWOW64\Dfdjhndl.exe (command line: C:\Windows\system32\Dfdjhndl.exe)
PID:1996
-
149. C:\Windows\SysWOW64\Dkqbaecc.exe (command line: C:\Windows\system32\Dkqbaecc.exe)
PID:108
-
150. C:\Windows\SysWOW64\Dfffnn32.exe (command line: C:\Windows\system32\Dfffnn32.exe)
- Drops file in System32 directory
PID:808 -
151. C:\Windows\SysWOW64\Dookgcij.exe (command line: C:\Windows\system32\Dookgcij.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2024 -
152. C:\Windows\SysWOW64\Edkcojga.exe (command line: C:\Windows\system32\Edkcojga.exe)
PID:1844
-
153. C:\Windows\SysWOW64\Ejhlgaeh.exe (command line: C:\Windows\system32\Ejhlgaeh.exe)
PID:1764
-
154. C:\Windows\SysWOW64\Egllae32.exe (command line: C:\Windows\system32\Egllae32.exe)
PID:2224
-
155. C:\Windows\SysWOW64\Enfenplo.exe (command line: C:\Windows\system32\Enfenplo.exe)
- Drops file in System32 directory
PID:840 -
156. C:\Windows\SysWOW64\Egoife32.exe (command line: C:\Windows\system32\Egoife32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
157. C:\Windows\SysWOW64\Emkaol32.exe (command line: C:\Windows\system32\Emkaol32.exe)
PID:1236
-
158. C:\Windows\SysWOW64\Emnndlod.exe (command line: C:\Windows\system32\Emnndlod.exe)
- Modifies registry class
PID:2016 -
159. C:\Windows\SysWOW64\Eplkpgnh.exe (command line: C:\Windows\system32\Eplkpgnh.exe)
PID:2028
-
160. C:\Windows\SysWOW64\Ffhpbacb.exe (command line: C:\Windows\system32\Ffhpbacb.exe)
- Drops file in System32 directory
PID:1648 -
161. C:\Windows\SysWOW64\Flehkhai.exe (command line: C:\Windows\system32\Flehkhai.exe)
PID:596
-
162. C:\Windows\SysWOW64\Ffklhqao.exe (command line: C:\Windows\system32\Ffklhqao.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1028 -
163. C:\Windows\SysWOW64\Fnfamcoj.exe (command line: C:\Windows\system32\Fnfamcoj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
164. C:\Windows\SysWOW64\Fhneehek.exe (command line: C:\Windows\system32\Fhneehek.exe)
PID:3024
-
165. C:\Windows\SysWOW64\Fnhnbb32.exe (command line: C:\Windows\system32\Fnhnbb32.exe)
PID:2684
-
166. C:\Windows\SysWOW64\Fcefji32.exe (command line: C:\Windows\system32\Fcefji32.exe)
PID:2932
-
167. C:\Windows\SysWOW64\Fllnlg32.exe (command line: C:\Windows\system32\Fllnlg32.exe)
PID:2384
-
168. C:\Windows\SysWOW64\Gedbdlbb.exe (command line: C:\Windows\system32\Gedbdlbb.exe)
- Drops file in System32 directory
PID:320 -
169. C:\Windows\SysWOW64\Gffoldhp.exe (command line: C:\Windows\system32\Gffoldhp.exe)
PID:1776
-
170. C:\Windows\SysWOW64\Gakcimgf.exe (command line: C:\Windows\system32\Gakcimgf.exe)
PID:1240
-
171. C:\Windows\SysWOW64\Ghelfg32.exe (command line: C:\Windows\system32\Ghelfg32.exe)
- Drops file in System32 directory
PID:2644 -
172. C:\Windows\SysWOW64\Gmbdnn32.exe (command line: C:\Windows\system32\Gmbdnn32.exe)
- Drops file in System32 directory
PID:1612 -
173. C:\Windows\SysWOW64\Gbomfe32.exe (command line: C:\Windows\system32\Gbomfe32.exe)
PID:1820
-
174. C:\Windows\SysWOW64\Giieco32.exe (command line: C:\Windows\system32\Giieco32.exe)
PID:1416
-
175. C:\Windows\SysWOW64\Glgaok32.exe (command line: C:\Windows\system32\Glgaok32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:952 -
176. C:\Windows\SysWOW64\Gepehphc.exe (command line: C:\Windows\system32\Gepehphc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1664 -
177. C:\Windows\SysWOW64\Gmgninie.exe (command line: C:\Windows\system32\Gmgninie.exe)
- Drops file in System32 directory
PID:2492 -
178. C:\Windows\SysWOW64\Gebbnpfp.exe (command line: C:\Windows\system32\Gebbnpfp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
179. C:\Windows\SysWOW64\Ghqnjk32.exe (command line: C:\Windows\system32\Ghqnjk32.exe)
PID:1064
-
180. C:\Windows\SysWOW64\Hbfbgd32.exe (command line: C:\Windows\system32\Hbfbgd32.exe)
PID:1616
-
181. C:\Windows\SysWOW64\Hipkdnmf.exe (command line: C:\Windows\system32\Hipkdnmf.exe)
PID:1580
-
182. C:\Windows\SysWOW64\Hlngpjlj.exe (command line: C:\Windows\system32\Hlngpjlj.exe)
- Modifies registry class
PID:2500 -
183. C:\Windows\SysWOW64\Hbhomd32.exe (command line: C:\Windows\system32\Hbhomd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2228 -
184. C:\Windows\SysWOW64\Hhehek32.exe (command line: C:\Windows\system32\Hhehek32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1276 -
185. C:\Windows\SysWOW64\Hmbpmapf.exe (command line: C:\Windows\system32\Hmbpmapf.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2772 -
186. C:\Windows\SysWOW64\Heihnoph.exe (command line: C:\Windows\system32\Heihnoph.exe)
PID:1980
-
187. C:\Windows\SysWOW64\Hkfagfop.exe (command line: C:\Windows\system32\Hkfagfop.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
188. C:\Windows\SysWOW64\Hapicp32.exe (command line: C:\Windows\system32\Hapicp32.exe)
- Drops file in System32 directory
PID:2320 -
189. C:\Windows\SysWOW64\Hkhnle32.exe (command line: C:\Windows\system32\Hkhnle32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
190. C:\Windows\SysWOW64\Iccbqh32.exe (command line: C:\Windows\system32\Iccbqh32.exe)
PID:2724
-
191. C:\Windows\SysWOW64\Ikkjbe32.exe (command line: C:\Windows\system32\Ikkjbe32.exe)
PID:1448
-
192. C:\Windows\SysWOW64\Ipgbjl32.exe (command line: C:\Windows\system32\Ipgbjl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
193. C:\Windows\SysWOW64\Iedkbc32.exe (command line: C:\Windows\system32\Iedkbc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:380 -
194. C:\Windows\SysWOW64\Ipjoplgo.exe (command line: C:\Windows\system32\Ipjoplgo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2936 -
195. C:\Windows\SysWOW64\Iompkh32.exe (command line: C:\Windows\system32\Iompkh32.exe)
PID:2608
-
196. C:\Windows\SysWOW64\Ipllekdl.exe (command line: C:\Windows\system32\Ipllekdl.exe)
PID:1848
-
197. C:\Windows\SysWOW64\Ieidmbcc.exe (command line: C:\Windows\system32\Ieidmbcc.exe)
PID:1728
-
198. C:\Windows\SysWOW64\Ikfmfi32.exe (command line: C:\Windows\system32\Ikfmfi32.exe)
PID:3108
-
199. C:\Windows\SysWOW64\Iapebchh.exe (command line: C:\Windows\system32\Iapebchh.exe)
PID:3148
-
200. C:\Windows\SysWOW64\Ileiplhn.exe (command line: C:\Windows\system32\Ileiplhn.exe)
- Drops file in System32 directory
PID:3188 -
201. C:\Windows\SysWOW64\Ikhjki32.exe (command line: C:\Windows\system32\Ikhjki32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3228 -
202. C:\Windows\SysWOW64\Jdpndnei.exe (command line: C:\Windows\system32\Jdpndnei.exe)
- Drops file in System32 directory
PID:3268 -
203. C:\Windows\SysWOW64\Jgojpjem.exe (command line: C:\Windows\system32\Jgojpjem.exe)
PID:3308
-
204. C:\Windows\SysWOW64\Jnicmdli.exe (command line: C:\Windows\system32\Jnicmdli.exe)
PID:3348
-
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe205⤵
- Drops file in System32 directory
PID:3392 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe206⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3432 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe207⤵PID:3472
-
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3516 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe209⤵
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe210⤵
- Drops file in System32 directory
PID:3596 -
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe211⤵PID:3636
-
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3676 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe213⤵PID:3716
-
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe214⤵PID:3756
-
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3796 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe216⤵
- Drops file in System32 directory
PID:3836 -
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe218⤵PID:3916
-
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3956 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe220⤵
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4036 -
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe222⤵
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3084 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe224⤵
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe225⤵
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3236 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe227⤵
- Modifies registry class
PID:3276 -
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe228⤵
- Drops file in System32 directory
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe229⤵PID:3380
-
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe230⤵
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe231⤵
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe232⤵
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe233⤵
- Drops file in System32 directory
PID:3592 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe234⤵PID:3632
-
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe235⤵
- Drops file in System32 directory
PID:3648 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3732 -
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3780 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe238⤵
- Modifies registry class
PID:3824 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe239⤵PID:3884
-
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe240⤵PID:3928
-
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe242⤵PID:4020