Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 00:58
Behavioral task: behavioral1
  Sample: 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
Size: 224KB
MD5: 18089e6523289161cdf87f3abb854a70
SHA1: b2bca637d54837f07cae4cd83664beb495038a07
SHA256: beec77e98e3804abb01b0abce66988f949b299ce75d164645e8f5ab66ba5d1cc
SHA512: 305dd5501e5c4b1dfb652bb6b0fdbfee902a50a710e731734fb2c05878fb0c2c8d61ef01f9cdc160a2940c6003f26ef52196ed2d2b18546954646b9f87471ee1
SSDEEP: 3072:UL6bxYC9fk7h+4eyppwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFH8:Uf7UzPm7U5j2QE2+g24Id2jFH8
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Dlgldibq.exe, Doehqead.exe, Kiijnq32.exe, Mgnfhlin.exe, Oqideepg.exe, Ahlgfdeq.exe, Bioqclil.exe, Bhigphio.exe, Lfmffhde.exe, Mbkmlh32.exe, Hiknhbcg.exe, Joaeeklp.exe, Bjlqhoba.exe, Gepehphc.exe, Hlqdei32.exe, Nlekia32.exe, Lmlhnagm.exe, Jehkodcm.exe, Pggbla32.exe, Ebjglbml.exe, Ghelfg32.exe, Mapjmehi.exe, Mhbped32.exe, Qpecfc32.exe, Ehgppi32.exe, Fpngfgle.exe, Fhqbkhch.exe, Mpmapm32.exe, Aekodi32.exe, Hipkdnmf.exe, Hhgdkjol.exe, Ilqpdm32.exe, Jbdonb32.exe, Jmhmpb32.exe, Mihiih32.exe, Ckafbbph.exe, Ndjfeo32.exe, Cojema32.exe, Cnobnmpl.exe, Hkcdafqb.exe, Ndkmpe32.exe, Peiepfgg.exe, Pflomnkb.exe, Amfcikek.exe, Kbbngf32.exe, Dbfabp32.exe, Lccdel32.exe, Ahdaee32.exe, Bpleef32.exe, Hbhomd32.exe, Dbkknojp.exe, Emieil32.exe, Jhngjmlo.exe, Keednado.exe, Migbnb32.exe, Fmpkjkma.exe, Fnfamcoj.exe, Inifnq32.exe, Nigome32.exe, Pdaoog32.exe, Chpmpg32.exe, Cldooj32.exe, Kebgia32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlgldibq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doehqead.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiijnq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mgnfhlin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oqideepg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahlgfdeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bioqclil.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhigphio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lfmffhde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mbkmlh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hiknhbcg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joaeeklp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjlqhoba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gepehphc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hlqdei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nlekia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmlhnagm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jehkodcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pggbla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ahlgfdeq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebjglbml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ghelfg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mapjmehi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mhbped32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpecfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ehgppi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpngfgle.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhqbkhch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mpmapm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aekodi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hipkdnmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hhgdkjol.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilqpdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jbdonb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jmhmpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mihiih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckafbbph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ndjfeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cojema32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnobnmpl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkcdafqb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndkmpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Peiepfgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pflomnkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amfcikek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kbbngf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbfabp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lccdel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ahdaee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpleef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hbhomd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbkknojp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emieil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jhngjmlo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Keednado.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Migbnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmpkjkma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnfamcoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Inifnq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nigome32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdaoog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Chpmpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cldooj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kebgia32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
\Windows\SysWOW64\Jmhmpb32.exe | family_berbew
C:\Windows\SysWOW64\Jfqahgpg.exe | family_berbew
C:\Windows\SysWOW64\Jjlnif32.exe | family_berbew
\Windows\SysWOW64\Jehkodcm.exe | family_berbew
\Windows\SysWOW64\Jifdebic.exe | family_berbew
\Windows\SysWOW64\Kihqkagp.exe | family_berbew
\Windows\SysWOW64\Kneicieh.exe | family_berbew
\Windows\SysWOW64\Lkncmmle.exe | family_berbew
C:\Windows\SysWOW64\Lecgje32.exe | family_berbew
\Windows\SysWOW64\Lajhofao.exe | family_berbew
\Windows\SysWOW64\Mhdplq32.exe | family_berbew
C:\Windows\SysWOW64\Monhhk32.exe | family_berbew
\Windows\SysWOW64\Mihiih32.exe | family_berbew
\Windows\SysWOW64\Mdpjlajk.exe | family_berbew
C:\Windows\SysWOW64\Mgnfhlin.exe | family_berbew
\Windows\SysWOW64\Meccii32.exe | family_berbew
C:\Windows\SysWOW64\Mhbped32.exe | family_berbew
C:\Windows\SysWOW64\Najdnj32.exe | family_berbew
C:\Windows\SysWOW64\Nkbhgojk.exe | family_berbew
C:\Windows\SysWOW64\Nlbeqb32.exe | family_berbew
C:\Windows\SysWOW64\Ndkmpe32.exe | family_berbew
C:\Windows\SysWOW64\Nhiffc32.exe | family_berbew
C:\Windows\SysWOW64\Nkgbbo32.exe | family_berbew
behavioral1/memory/964-300-0x0000000000280000-0x00000000002C3000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ngnbgplj.exe | family_berbew
C:\Windows\SysWOW64\Njlockkm.exe | family_berbew
C:\Windows\SysWOW64\Oklkmnbp.exe | family_berbew
C:\Windows\SysWOW64\Ngpolo32.exe | family_berbew
C:\Windows\SysWOW64\Oqideepg.exe | family_berbew
C:\Windows\SysWOW64\Oqkqkdne.exe | family_berbew
C:\Windows\SysWOW64\Ofelmloo.exe | family_berbew
C:\Windows\SysWOW64\Ohfeog32.exe | family_berbew
C:\Windows\SysWOW64\Ofjfhk32.exe | family_berbew
C:\Windows\SysWOW64\Ohibdf32.exe | family_berbew
C:\Windows\SysWOW64\Obafnlpn.exe | family_berbew
C:\Windows\SysWOW64\Oikojfgk.exe | family_berbew
behavioral1/memory/1644-416-0x0000000000250000-0x0000000000293000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Pdaoog32.exe | family_berbew
C:\Windows\SysWOW64\Pgplkb32.exe | family_berbew
C:\Windows\SysWOW64\Pgbhabjp.exe | family_berbew
behavioral1/memory/2676-471-0x00000000002A0000-0x00000000002E3000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Pnlqnl32.exe | family_berbew
C:\Windows\SysWOW64\Pciifc32.exe | family_berbew
C:\Windows\SysWOW64\Pjcabmga.exe | family_berbew
C:\Windows\SysWOW64\Peiepfgg.exe | family_berbew
C:\Windows\SysWOW64\Pggbla32.exe | family_berbew
C:\Windows\SysWOW64\Pjenhm32.exe | family_berbew
C:\Windows\SysWOW64\Pmdjdh32.exe | family_berbew
C:\Windows\SysWOW64\Pgioaa32.exe | family_berbew
C:\Windows\SysWOW64\Pflomnkb.exe | family_berbew
C:\Windows\SysWOW64\Pikkiijf.exe | family_berbew
C:\Windows\SysWOW64\Qpecfc32.exe | family_berbew
C:\Windows\SysWOW64\Qbcpbo32.exe | family_berbew
C:\Windows\SysWOW64\Qjjgclai.exe | family_berbew
C:\Windows\SysWOW64\Qimhoi32.exe | family_berbew
C:\Windows\SysWOW64\Qpgpkcpp.exe | family_berbew
C:\Windows\SysWOW64\Qfahhm32.exe | family_berbew
C:\Windows\SysWOW64\Aipddi32.exe | family_berbew
C:\Windows\SysWOW64\Alnqqd32.exe | family_berbew
C:\Windows\SysWOW64\Afcenm32.exe | family_berbew
C:\Windows\SysWOW64\Ahdaee32.exe | family_berbew
C:\Windows\SysWOW64\Aplifb32.exe | family_berbew
C:\Windows\SysWOW64\Anojbobe.exe | family_berbew
C:\Windows\SysWOW64\Aamfnkai.exe | family_berbew
Executes dropped EXE (64 IoCs)
Processes: Jmhmpb32.exe, Jfqahgpg.exe, Jjlnif32.exe, Jehkodcm.exe, Jifdebic.exe, Kihqkagp.exe, Kneicieh.exe, Lkncmmle.exe, Lecgje32.exe, Lajhofao.exe, Mhdplq32.exe, Monhhk32.exe, Mihiih32.exe, Mdpjlajk.exe, Mgnfhlin.exe, Meccii32.exe, Mhbped32.exe, Najdnj32.exe, Nkbhgojk.exe, Ndkmpe32.exe, Nlbeqb32.exe, Nhiffc32.exe, Nkgbbo32.exe, Ngnbgplj.exe, Njlockkm.exe, Ngpolo32.exe, Oklkmnbp.exe, Oqideepg.exe, Ofelmloo.exe, Oqkqkdne.exe, Ohfeog32.exe, Ofjfhk32.exe, Ohibdf32.exe, Obafnlpn.exe, Oikojfgk.exe, Pdaoog32.exe, Pgplkb32.exe, Pgbhabjp.exe, Pnlqnl32.exe, Pciifc32.exe, Pjcabmga.exe, Peiepfgg.exe, Pggbla32.exe, Pjenhm32.exe, Pmdjdh32.exe, Pgioaa32.exe, Pflomnkb.exe, Pikkiijf.exe, Qpecfc32.exe, Qbcpbo32.exe, Qjjgclai.exe, Qimhoi32.exe, Qpgpkcpp.exe, Qfahhm32.exe, Aipddi32.exe, Alnqqd32.exe, Afcenm32.exe, Ahdaee32.exe, Aplifb32.exe, Anojbobe.exe, Aamfnkai.exe, Ahgnke32.exe, Anafhopc.exe, Aekodi32.exe
pid | process
2972 | Jmhmpb32.exe
2572 | Jfqahgpg.exe
2856 | Jjlnif32.exe
2700 | Jehkodcm.exe
2580 | Jifdebic.exe
2544 | Kihqkagp.exe
2644 | Kneicieh.exe
2020 | Lkncmmle.exe
1284 | Lecgje32.exe
2200 | Lajhofao.exe
320 | Mhdplq32.exe
636 | Monhhk32.exe
1120 | Mihiih32.exe
876 | Mdpjlajk.exe
2296 | Mgnfhlin.exe
2120 | Meccii32.exe
2720 | Mhbped32.exe
1092 | Najdnj32.exe
704 | Nkbhgojk.exe
1860 | Ndkmpe32.exe
2880 | Nlbeqb32.exe
964 | Nhiffc32.exe
1260 | Nkgbbo32.exe
1740 | Ngnbgplj.exe
2312 | Njlockkm.exe
1940 | Ngpolo32.exe
1580 | Oklkmnbp.exe
3028 | Oqideepg.exe
2664 | Ofelmloo.exe
2724 | Oqkqkdne.exe
2676 | Ohfeog32.exe
2488 | Ofjfhk32.exe
1644 | Ohibdf32.exe
2388 | Obafnlpn.exe
2836 | Oikojfgk.exe
1256 | Pdaoog32.exe
2172 | Pgplkb32.exe
484 | Pgbhabjp.exe
772 | Pnlqnl32.exe
2152 | Pciifc32.exe
272 | Pjcabmga.exe
2112 | Peiepfgg.exe
2448 | Pggbla32.exe
2036 | Pjenhm32.exe
608 | Pmdjdh32.exe
2340 | Pgioaa32.exe
1528 | Pflomnkb.exe
1964 | Pikkiijf.exe
1976 | Qpecfc32.exe
1608 | Qbcpbo32.exe
1664 | Qjjgclai.exe
1264 | Qimhoi32.exe
1588 | Qpgpkcpp.exe
2688 | Qfahhm32.exe
2628 | Aipddi32.exe
2232 | Alnqqd32.exe
2468 | Afcenm32.exe
2164 | Ahdaee32.exe
2812 | Aplifb32.exe
108 | Anojbobe.exe
1692 | Aamfnkai.exe
2188 | Ahgnke32.exe
1060 | Anafhopc.exe
1632 | Aekodi32.exe
Loads dropped DLL (64 IoCs)
Processes: 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe, Jmhmpb32.exe, Jfqahgpg.exe, Jjlnif32.exe, Jehkodcm.exe, Jifdebic.exe, Kihqkagp.exe, Kneicieh.exe, Lkncmmle.exe, Lecgje32.exe, Lajhofao.exe, Mhdplq32.exe, Monhhk32.exe, Mihiih32.exe, Mdpjlajk.exe, Mgnfhlin.exe, Meccii32.exe, Mhbped32.exe, Najdnj32.exe, Nkbhgojk.exe, Ndkmpe32.exe, Nlbeqb32.exe, Nhiffc32.exe, Nkgbbo32.exe, Ngnbgplj.exe, Njlockkm.exe, Ngpolo32.exe, Oklkmnbp.exe, Oqideepg.exe, Ofelmloo.exe, Oqkqkdne.exe, Ohfeog32.exe
pid | process
2920 | 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
2920 | 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
2972 | Jmhmpb32.exe
2972 | Jmhmpb32.exe
2572 | Jfqahgpg.exe
2572 | Jfqahgpg.exe
2856 | Jjlnif32.exe
2856 | Jjlnif32.exe
2700 | Jehkodcm.exe
2700 | Jehkodcm.exe
2580 | Jifdebic.exe
2580 | Jifdebic.exe
2544 | Kihqkagp.exe
2544 | Kihqkagp.exe
2644 | Kneicieh.exe
2644 | Kneicieh.exe
2020 | Lkncmmle.exe
2020 | Lkncmmle.exe
1284 | Lecgje32.exe
1284 | Lecgje32.exe
2200 | Lajhofao.exe
2200 | Lajhofao.exe
320 | Mhdplq32.exe
320 | Mhdplq32.exe
636 | Monhhk32.exe
636 | Monhhk32.exe
1120 | Mihiih32.exe
1120 | Mihiih32.exe
876 | Mdpjlajk.exe
876 | Mdpjlajk.exe
2296 | Mgnfhlin.exe
2296 | Mgnfhlin.exe
2120 | Meccii32.exe
2120 | Meccii32.exe
2720 | Mhbped32.exe
2720 | Mhbped32.exe
1092 | Najdnj32.exe
1092 | Najdnj32.exe
704 | Nkbhgojk.exe
704 | Nkbhgojk.exe
1860 | Ndkmpe32.exe
1860 | Ndkmpe32.exe
2880 | Nlbeqb32.exe
2880 | Nlbeqb32.exe
964 | Nhiffc32.exe
964 | Nhiffc32.exe
1260 | Nkgbbo32.exe
1260 | Nkgbbo32.exe
1740 | Ngnbgplj.exe
1740 | Ngnbgplj.exe
2312 | Njlockkm.exe
2312 | Njlockkm.exe
1940 | Ngpolo32.exe
1940 | Ngpolo32.exe
1580 | Oklkmnbp.exe
1580 | Oklkmnbp.exe
3028 | Oqideepg.exe
3028 | Oqideepg.exe
2664 | Ofelmloo.exe
2664 | Ofelmloo.exe
2724 | Oqkqkdne.exe
2724 | Oqkqkdne.exe
2676 | Ohfeog32.exe
2676 | Ohfeog32.exe
Drops file in System32 directory (64 IoCs)
Processes: Bbhela32.exe, Cnkicn32.exe, Ikkjbe32.exe, Kebgia32.exe, Bpleef32.exe, Eqpgol32.exe, Ndjfeo32.exe, Cpkbdiqb.exe, Dojald32.exe, Fnfamcoj.exe, Bjlqhoba.exe, Gmdadnkh.exe, Gfobbc32.exe, Jhngjmlo.exe, Jehkodcm.exe, Fmmkcoap.exe, Hlljjjnm.exe, Nkbhgojk.exe, Oklkmnbp.exe, Fjaonpnn.exe, Hojgfemq.exe, Lmikibio.exe, Njlockkm.exe, Qpgpkcpp.exe, Eqbddk32.exe, Mkmhaj32.exe, Niikceid.exe, Aplifb32.exe, Anojbobe.exe, Fnhnbb32.exe, Hedocp32.exe, Icmegf32.exe, Ahdaee32.exe, Cdikkg32.exe, Kegqdqbl.exe, Bafidiio.exe, Hdildlie.exe, Ohibdf32.exe, Qjjgclai.exe, Ipgbjl32.exe, Ihgainbg.exe, Keednado.exe, Nkgbbo32.exe, Kbbngf32.exe, Ncmfqkdj.exe, Obafnlpn.exe, Jmhmpb32.exe, Lajhofao.exe, Hkaglf32.exe, Nkbalifo.exe, Nlekia32.exe, Qimhoi32.exe, Bocolb32.exe, Mmihhelk.exe, Hkfagfop.exe, Jjlnif32.exe, Dogefd32.exe, Efcfga32.exe, Jjbpgd32.exe, Lmgocb32.exe, Mpmapm32.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Chboohof.dll | Bbhela32.exe
File opened for modification | C:\Windows\SysWOW64\Chpmpg32.exe | Cnkicn32.exe
File opened for modification | C:\Windows\SysWOW64\Inifnq32.exe | Ikkjbe32.exe
File created | C:\Windows\SysWOW64\Jjnbaf32.dll | Kebgia32.exe
File opened for modification | C:\Windows\SysWOW64\Bbjbaa32.exe | Bpleef32.exe
File created | C:\Windows\SysWOW64\Geemiobo.dll | Eqpgol32.exe
File created | C:\Windows\SysWOW64\Kgdjgo32.dll | Ndjfeo32.exe
File opened for modification | C:\Windows\SysWOW64\Ckafbbph.exe | Cpkbdiqb.exe
File created | C:\Windows\SysWOW64\Edekcace.dll | Dojald32.exe
File opened for modification | C:\Windows\SysWOW64\Fikejl32.exe | Fnfamcoj.exe
File created | C:\Windows\SysWOW64\Bioqclil.exe | Bjlqhoba.exe
File created | C:\Windows\SysWOW64\Gpcmpijk.exe | Gmdadnkh.exe
File opened for modification | C:\Windows\SysWOW64\Ginnnooi.exe | Gfobbc32.exe
File created | C:\Windows\SysWOW64\Jjpcbe32.exe | Jhngjmlo.exe
File opened for modification | C:\Windows\SysWOW64\Jifdebic.exe | Jehkodcm.exe
File created | C:\Windows\SysWOW64\Gedbdlbb.exe | Fmmkcoap.exe
File created | C:\Windows\SysWOW64\Hojgfemq.exe | Hlljjjnm.exe
File created | C:\Windows\SysWOW64\Ndkmpe32.exe | Nkbhgojk.exe
File created | C:\Windows\SysWOW64\Nmlnnp32.dll | Oklkmnbp.exe
File created | C:\Windows\SysWOW64\Abofbl32.dll | Fjaonpnn.exe
File created | C:\Windows\SysWOW64\Mbnipnaf.dll | Hojgfemq.exe
File created | C:\Windows\SysWOW64\Fdbnmk32.dll | Lmikibio.exe
File created | C:\Windows\SysWOW64\Ngpolo32.exe | Njlockkm.exe
File created | C:\Windows\SysWOW64\Iakdqgfi.dll | Qpgpkcpp.exe
File opened for modification | C:\Windows\SysWOW64\Ekhhadmk.exe | Eqbddk32.exe
File created | C:\Windows\SysWOW64\Mpjqiq32.exe | Mkmhaj32.exe
File opened for modification | C:\Windows\SysWOW64\Nlhgoqhh.exe | Niikceid.exe
File opened for modification | C:\Windows\SysWOW64\Anojbobe.exe | Aplifb32.exe
File opened for modification | C:\Windows\SysWOW64\Aamfnkai.exe | Anojbobe.exe
File created | C:\Windows\SysWOW64\Fagjnn32.exe | Fnhnbb32.exe
File opened for modification | C:\Windows\SysWOW64\Hipkdnmf.exe | Hedocp32.exe
File opened for modification | C:\Windows\SysWOW64\Ifkacb32.exe | Icmegf32.exe
File created | C:\Windows\SysWOW64\Aplifb32.exe | Ahdaee32.exe
File created | C:\Windows\SysWOW64\Cclkfdnc.exe | Cdikkg32.exe
File created | C:\Windows\SysWOW64\Deeieqod.dll | Kegqdqbl.exe
File opened for modification | C:\Windows\SysWOW64\Bbhela32.exe | Bafidiio.exe
File created | C:\Windows\SysWOW64\Hipkdnmf.exe | Hedocp32.exe
File created | C:\Windows\SysWOW64\Hlqdei32.exe | Hdildlie.exe
File created | C:\Windows\SysWOW64\Obafnlpn.exe | Ohibdf32.exe
File created | C:\Windows\SysWOW64\Qimhoi32.exe | Qjjgclai.exe
File created | C:\Windows\SysWOW64\Icfofg32.exe | Ipgbjl32.exe
File opened for modification | C:\Windows\SysWOW64\Ikfmfi32.exe | Ihgainbg.exe
File opened for modification | C:\Windows\SysWOW64\Jjpcbe32.exe | Jhngjmlo.exe
File created | C:\Windows\SysWOW64\Eeieql32.dll | Keednado.exe
File created | C:\Windows\SysWOW64\Ngnbgplj.exe | Nkgbbo32.exe
File created | C:\Windows\SysWOW64\Kfmjgeaj.exe | Kbbngf32.exe
File created | C:\Windows\SysWOW64\Oqaedifk.dll | Ncmfqkdj.exe
File created | C:\Windows\SysWOW64\Dpajdp32.dll | Obafnlpn.exe
File created | C:\Windows\SysWOW64\Jfqahgpg.exe | Jmhmpb32.exe
File opened for modification | C:\Windows\SysWOW64\Mhdplq32.exe | Lajhofao.exe
File opened for modification | C:\Windows\SysWOW64\Hbhomd32.exe | Hkaglf32.exe
File created | C:\Windows\SysWOW64\Nmpnhdfc.exe | Nkbalifo.exe
File opened for modification | C:\Windows\SysWOW64\Nodgel32.exe | Nlekia32.exe
File opened for modification | C:\Windows\SysWOW64\Qpgpkcpp.exe | Qimhoi32.exe
File created | C:\Windows\SysWOW64\Bbokmqie.exe | Bocolb32.exe
File created | C:\Windows\SysWOW64\Lhajpc32.dll | Mmihhelk.exe
File opened for modification | C:\Windows\SysWOW64\Gedbdlbb.exe | Fmmkcoap.exe
File created | C:\Windows\SysWOW64\Dkcinege.dll | Hkfagfop.exe
File opened for modification | C:\Windows\SysWOW64\Jehkodcm.exe | Jjlnif32.exe
File created | C:\Windows\SysWOW64\Dbfabp32.exe | Dogefd32.exe
File created | C:\Windows\SysWOW64\Inegme32.dll | Efcfga32.exe
File created | C:\Windows\SysWOW64\Jmplcp32.exe | Jjbpgd32.exe
File created | C:\Windows\SysWOW64\Lpekon32.exe | Lmgocb32.exe
File created | C:\Windows\SysWOW64\Almjnp32.dll | Mpmapm32.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
3248 | 3180 | WerFault.exe | Nlhgoqhh.exe
Modifies registry class (64 IoCs)
Processes: Pdaoog32.exe, Dfmdho32.exe, Nmpnhdfc.exe, Cnobnmpl.exe, Egoife32.exe, Hkcdafqb.exe, Ihgainbg.exe, Bkommo32.exe, Bocolb32.exe, Hpefdl32.exe, Jmbiipml.exe, Hdnepk32.exe, Jocflgga.exe, Jgfqaiod.exe, Pnlqnl32.exe, Dojald32.exe, Hkfagfop.exe, Icjhagdp.exe, Mihiih32.exe, Qbcpbo32.exe, Lajhofao.exe, Jdehon32.exe, Nigome32.exe, Aipddi32.exe, Afcenm32.exe, Bbhela32.exe, Gedbdlbb.exe, Gpqpjj32.exe, Lecgje32.exe, Bblogakg.exe, Ekhhadmk.exe, Blbfjg32.exe, Cojema32.exe, Hipkdnmf.exe, Peiepfgg.exe, Hkaglf32.exe, Nodgel32.exe, Pgbhabjp.exe, Niikceid.exe, Ndhipoob.exe, Aamfnkai.exe, Ikfmfi32.exe, Knmhgf32.exe, Meppiblm.exe, Fjongcbl.exe, Ndemjoae.exe, 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe, Ccngld32.exe, Ffhpbacb.exe, Lghjel32.exe, Ofelmloo.exe, Dbhnhp32.exe, Dbkknojp.exe, Flehkhai.exe, Jofbag32.exe, Doehqead.exe, Gljnej32.exe, Inifnq32.exe, Ajjcbpdd.exe, Fljafg32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pdaoog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll" | Dfmdho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll" | Nmpnhdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cnobnmpl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Egoife32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmhnm32.dll" | Hkcdafqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ihgainbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmmjh32.dll" | Bkommo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bocolb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hpefdl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jmbiipml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bkommo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hdnepk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigbna32.dll" | Jocflgga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jgfqaiod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pnlqnl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dojald32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hkfagfop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Icjhagdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mihiih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qbcpbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lajhofao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jdehon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll" | Nigome32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aipddi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbgljdk.dll" | Afcenm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chboohof.dll" | Bbhela32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefgcifd.dll" | Gedbdlbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gpqpjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lecgje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bblogakg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ekhhadmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njabih32.dll" | Blbfjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdidec32.dll" | Cojema32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hipkdnmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Peiepfgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hkaglf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nodgel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pgbhabjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" | Pgbhabjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Niikceid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ndhipoob.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aamfnkai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbfqn32.dll" | Ikfmfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll" | Knmhgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll" | Meppiblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fjongcbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jmbiipml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ndemjoae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll" | Ccngld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmnjfia.dll" | Ffhpbacb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lghjel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakmkaok.dll" | Ofelmloo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dbhnhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll" | Dbkknojp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Flehkhai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiiddiab.dll" | Jofbag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Doehqead.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gljnej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hkcdafqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohfbg32.dll" | Inifnq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdbcl32.dll" | Ajjcbpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghcamqb.dll" | Fljafg32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe33⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe36⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe38⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe41⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe42⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe45⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe46⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe47⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe49⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe55⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe57⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe63⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe64⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe66⤵PID:288
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe68⤵PID:1072
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1104 -
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe70⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe71⤵PID:1984
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe72⤵PID:1960
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1448 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe75⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe77⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe78⤵PID:3016
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe80⤵PID:2940
-
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe81⤵PID:1824
-
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe82⤵PID:1948
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe83⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe84⤵
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe85⤵PID:572
-
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1760 -
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe88⤵PID:2076
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe89⤵PID:1096
-
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe90⤵PID:2288
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe91⤵PID:1600
-
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe92⤵PID:1500
-
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe93⤵
- Drops file in System32 directory
PID:528 -
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe96⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe99⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe100⤵PID:2956
-
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe101⤵PID:1952
-
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe103⤵
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe104⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe107⤵PID:556
-
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe108⤵PID:2444
-
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe109⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe111⤵PID:3012
-
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe113⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe114⤵PID:2784
-
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe115⤵PID:2136
-
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe117⤵PID:1040
-
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe118⤵PID:1476
-
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe119⤵PID:1212
-
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe120⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2072 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe122⤵PID:1928
-
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe123⤵PID:2332
-
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe124⤵
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe125⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe127⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe128⤵PID:2532
-
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe129⤵PID:1848
-
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe130⤵PID:2208
-
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe131⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe132⤵PID:1912
-
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe133⤵PID:2872
-
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe135⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe138⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe139⤵PID:1576
-
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe140⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe141⤵PID:2636
-
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe142⤵PID:2244
-
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe143⤵PID:1236
-
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe144⤵PID:2368
-
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe146⤵PID:1524
-
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe147⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe148⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe149⤵PID:1776
-
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe151⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe152⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe153⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe154⤵PID:2788
-
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe155⤵PID:1816
-
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe156⤵PID:2508
-
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1144 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe158⤵PID:2440
-
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe159⤵PID:1504
-
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe160⤵
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe161⤵PID:2380
-
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe162⤵PID:2980
-
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe163⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe164⤵PID:1320
-
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe165⤵PID:1564
-
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe166⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe167⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe168⤵PID:2968
-
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe169⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe170⤵PID:2516
-
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe171⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe172⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe173⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe175⤵
- Drops file in System32 directory
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe177⤵
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1916 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe180⤵PID:2496
-
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe182⤵
- Drops file in System32 directory
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe183⤵PID:2876
-
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe184⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe185⤵PID:1324
-
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:408 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe187⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe188⤵PID:2948
-
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe189⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe191⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe192⤵PID:328
-
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe193⤵PID:1516
-
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe194⤵PID:1864
-
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe195⤵PID:3036
-
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe196⤵PID:2604
-
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe197⤵PID:2832
-
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:804 -
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe199⤵
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe200⤵PID:3148
-
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe201⤵
- Drops file in System32 directory
- Modifies registry class
PID:3188 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe202⤵
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Icmegf32.exe  C:\Windows\system32\Icmegf32.exe  (203)
- Drops file in System32 directory
PID:3268

C:\Windows\SysWOW64\Ifkacb32.exe  C:\Windows\system32\Ifkacb32.exe  (204)
PID:3308

C:\Windows\SysWOW64\Jocflgga.exe  C:\Windows\system32\Jocflgga.exe  (205)
- Modifies registry class
PID:3348

C:\Windows\SysWOW64\Jfnnha32.exe  C:\Windows\system32\Jfnnha32.exe  (206)
PID:3388

C:\Windows\SysWOW64\Jgojpjem.exe  C:\Windows\system32\Jgojpjem.exe  (207)
PID:3428

C:\Windows\SysWOW64\Jofbag32.exe  C:\Windows\system32\Jofbag32.exe  (208)
- Modifies registry class
PID:3468

C:\Windows\SysWOW64\Jbdonb32.exe  C:\Windows\system32\Jbdonb32.exe  (209)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3508

C:\Windows\SysWOW64\Jhngjmlo.exe  C:\Windows\system32\Jhngjmlo.exe  (210)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3548

C:\Windows\SysWOW64\Jjpcbe32.exe  C:\Windows\system32\Jjpcbe32.exe  (211)
PID:3588

C:\Windows\SysWOW64\Jbgkcb32.exe  C:\Windows\system32\Jbgkcb32.exe  (212)
PID:3628

C:\Windows\SysWOW64\Jdehon32.exe  C:\Windows\system32\Jdehon32.exe  (213)
- Modifies registry class
PID:3668

C:\Windows\SysWOW64\Jchhkjhn.exe  C:\Windows\system32\Jchhkjhn.exe  (214)
PID:3708

C:\Windows\SysWOW64\Jjbpgd32.exe  C:\Windows\system32\Jjbpgd32.exe  (215)
- Drops file in System32 directory
PID:3748

C:\Windows\SysWOW64\Jmplcp32.exe  C:\Windows\system32\Jmplcp32.exe  (216)
PID:3788

C:\Windows\SysWOW64\Jdgdempa.exe  C:\Windows\system32\Jdgdempa.exe  (217)
PID:3828

C:\Windows\SysWOW64\Jgfqaiod.exe  C:\Windows\system32\Jgfqaiod.exe  (218)
- Modifies registry class
PID:3868

C:\Windows\SysWOW64\Jnpinc32.exe  C:\Windows\system32\Jnpinc32.exe  (219)
PID:3908

C:\Windows\SysWOW64\Jmbiipml.exe  C:\Windows\system32\Jmbiipml.exe  (220)
- Modifies registry class
PID:3948

C:\Windows\SysWOW64\Joaeeklp.exe  C:\Windows\system32\Joaeeklp.exe  (221)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3988

C:\Windows\SysWOW64\Jfknbe32.exe  C:\Windows\system32\Jfknbe32.exe  (222)
PID:4028

C:\Windows\SysWOW64\Kiijnq32.exe  C:\Windows\system32\Kiijnq32.exe  (223)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4068

C:\Windows\SysWOW64\Kqqboncb.exe  C:\Windows\system32\Kqqboncb.exe  (224)
PID:3076

C:\Windows\SysWOW64\Kbbngf32.exe  C:\Windows\system32\Kbbngf32.exe  (225)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3124

C:\Windows\SysWOW64\Kfmjgeaj.exe  C:\Windows\system32\Kfmjgeaj.exe  (226)
PID:3172

C:\Windows\SysWOW64\Kilfcpqm.exe  C:\Windows\system32\Kilfcpqm.exe  (227)
PID:3220

C:\Windows\SysWOW64\Kkjcplpa.exe  C:\Windows\system32\Kkjcplpa.exe  (228)
PID:3276

C:\Windows\SysWOW64\Kbdklf32.exe  C:\Windows\system32\Kbdklf32.exe  (229)
PID:3320

C:\Windows\SysWOW64\Kebgia32.exe  C:\Windows\system32\Kebgia32.exe  (230)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3376

C:\Windows\SysWOW64\Kklpekno.exe  C:\Windows\system32\Kklpekno.exe  (231)
PID:3424

C:\Windows\SysWOW64\Kohkfj32.exe  C:\Windows\system32\Kohkfj32.exe  (232)
PID:3484

C:\Windows\SysWOW64\Kfbcbd32.exe  C:\Windows\system32\Kfbcbd32.exe  (233)
PID:3520

C:\Windows\SysWOW64\Keednado.exe  C:\Windows\system32\Keednado.exe  (234)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3576

C:\Windows\SysWOW64\Kkolkk32.exe  C:\Windows\system32\Kkolkk32.exe  (235)
PID:3624

C:\Windows\SysWOW64\Knmhgf32.exe  C:\Windows\system32\Knmhgf32.exe  (236)
- Modifies registry class
PID:3684

C:\Windows\SysWOW64\Kegqdqbl.exe  C:\Windows\system32\Kegqdqbl.exe  (237)
- Drops file in System32 directory
PID:3720

C:\Windows\SysWOW64\Kkaiqk32.exe  C:\Windows\system32\Kkaiqk32.exe  (238)
PID:3776

C:\Windows\SysWOW64\Kbkameaf.exe  C:\Windows\system32\Kbkameaf.exe  (239)
PID:3820

C:\Windows\SysWOW64\Lanaiahq.exe  C:\Windows\system32\Lanaiahq.exe  (240)
PID:3884

C:\Windows\SysWOW64\Lghjel32.exe  C:\Windows\system32\Lghjel32.exe  (241)
- Modifies registry class
PID:3924

C:\Windows\SysWOW64\Lmebnb32.exe  C:\Windows\system32\Lmebnb32.exe  (242)
PID:3972
