Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 00:59
Behavioral task: behavioral1
Sample: 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe
Size: 128KB
MD5: 182d94d45477565a03a17ed94880cd30
SHA1: b6f595406407e5db928f423c2fa75a9f5e602269
SHA256: fade3b3ef580767338761151ee4dbf0282765506332257aaa9deed229294de44
SHA512: 137ed7c9103f11e5bff25721ef0504e4ade8b1843897bc88e51911047c6a3dd2f1d38c6426a9c640b264ca7c2bf49bd22782350e2df526a1c486301bca8a7293
SSDEEP: 1536:559pstdETpOYPvrqdoq8KIOXgB+enPA6pCyc9yWuPlFEhXGoZcWiqgF72S7f/Quv:5592mTNOd/Y+qAoWuKX5mW2wS7IrHrYj
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe (pid 5100)
Target process: Lepaccmo.exe (pid 5076)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe, Lfbbjpgd.exe, Mejlalji.exe, Mpamde32.exe, Mlhnifmq.exe, Nagbgl32.exe, Nmnclmoj.exe, Nbniid32.exe, Npaich32.exe, Nfnneb32.exe, Ooicid32.exe, Ohcdhi32.exe, Oalhqohl.exe, Omefkplm.exe, Pilfpqaa.exe, Piqpkpml.exe
description pid process target process
PID 2236 wrote to memory of 2308 2236 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Lfbbjpgd.exe
PID 2236 wrote to memory of 2308 2236 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Lfbbjpgd.exe
PID 2236 wrote to memory of 2308 2236 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Lfbbjpgd.exe
PID 2236 wrote to memory of 2308 2236 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Lfbbjpgd.exe
PID 2308 wrote to memory of 2880 2308 Lfbbjpgd.exe Mejlalji.exe
PID 2308 wrote to memory of 2880 2308 Lfbbjpgd.exe Mejlalji.exe
PID 2308 wrote to memory of 2880 2308 Lfbbjpgd.exe Mejlalji.exe
PID 2308 wrote to memory of 2880 2308 Lfbbjpgd.exe Mejlalji.exe
PID 2880 wrote to memory of 3016 2880 Mejlalji.exe Mpamde32.exe
PID 2880 wrote to memory of 3016 2880 Mejlalji.exe Mpamde32.exe
PID 2880 wrote to memory of 3016 2880 Mejlalji.exe Mpamde32.exe
PID 2880 wrote to memory of 3016 2880 Mejlalji.exe Mpamde32.exe
PID 3016 wrote to memory of 2916 3016 Mpamde32.exe Mlhnifmq.exe
PID 3016 wrote to memory of 2916 3016 Mpamde32.exe Mlhnifmq.exe
PID 3016 wrote to memory of 2916 3016 Mpamde32.exe Mlhnifmq.exe
PID 3016 wrote to memory of 2916 3016 Mpamde32.exe Mlhnifmq.exe
PID 2916 wrote to memory of 2612 2916 Mlhnifmq.exe Nagbgl32.exe
PID 2916 wrote to memory of 2612 2916 Mlhnifmq.exe Nagbgl32.exe
PID 2916 wrote to memory of 2612 2916 Mlhnifmq.exe Nagbgl32.exe
PID 2916 wrote to memory of 2612 2916 Mlhnifmq.exe Nagbgl32.exe
PID 2612 wrote to memory of 2500 2612 Nagbgl32.exe Nmnclmoj.exe
PID 2612 wrote to memory of 2500 2612 Nagbgl32.exe Nmnclmoj.exe
PID 2612 wrote to memory of 2500 2612 Nagbgl32.exe Nmnclmoj.exe
PID 2612 wrote to memory of 2500 2612 Nagbgl32.exe Nmnclmoj.exe
PID 2500 wrote to memory of 2624 2500 Nmnclmoj.exe Nbniid32.exe
PID 2500 wrote to memory of 2624 2500 Nmnclmoj.exe Nbniid32.exe
PID 2500 wrote to memory of 2624 2500 Nmnclmoj.exe Nbniid32.exe
PID 2500 wrote to memory of 2624 2500 Nmnclmoj.exe Nbniid32.exe
PID 2624 wrote to memory of 2384 2624 Nbniid32.exe Npaich32.exe
PID 2624 wrote to memory of 2384 2624 Nbniid32.exe Npaich32.exe
PID 2624 wrote to memory of 2384 2624 Nbniid32.exe Npaich32.exe
PID 2624 wrote to memory of 2384 2624 Nbniid32.exe Npaich32.exe
PID 2384 wrote to memory of 2840 2384 Npaich32.exe Nfnneb32.exe
PID 2384 wrote to memory of 2840 2384 Npaich32.exe Nfnneb32.exe
PID 2384 wrote to memory of 2840 2384 Npaich32.exe Nfnneb32.exe
PID 2384 wrote to memory of 2840 2384 Npaich32.exe Nfnneb32.exe
PID 2840 wrote to memory of 1944 2840 Nfnneb32.exe Ooicid32.exe
PID 2840 wrote to memory of 1944 2840 Nfnneb32.exe Ooicid32.exe
PID 2840 wrote to memory of 1944 2840 Nfnneb32.exe Ooicid32.exe
PID 2840 wrote to memory of 1944 2840 Nfnneb32.exe Ooicid32.exe
PID 1944 wrote to memory of 1264 1944 Ooicid32.exe Ohcdhi32.exe
PID 1944 wrote to memory of 1264 1944 Ooicid32.exe Ohcdhi32.exe
PID 1944 wrote to memory of 1264 1944 Ooicid32.exe Ohcdhi32.exe
PID 1944 wrote to memory of 1264 1944 Ooicid32.exe Ohcdhi32.exe
PID 1264 wrote to memory of 1156 1264 Ohcdhi32.exe Oalhqohl.exe
PID 1264 wrote to memory of 1156 1264 Ohcdhi32.exe Oalhqohl.exe
PID 1264 wrote to memory of 1156 1264 Ohcdhi32.exe Oalhqohl.exe
PID 1264 wrote to memory of 1156 1264 Ohcdhi32.exe Oalhqohl.exe
PID 1156 wrote to memory of 908 1156 Oalhqohl.exe Omefkplm.exe
PID 1156 wrote to memory of 908 1156 Oalhqohl.exe Omefkplm.exe
PID 1156 wrote to memory of 908 1156 Oalhqohl.exe Omefkplm.exe
PID 1156 wrote to memory of 908 1156 Oalhqohl.exe Omefkplm.exe
PID 908 wrote to memory of 2132 908 Omefkplm.exe Pilfpqaa.exe
PID 908 wrote to memory of 2132 908 Omefkplm.exe Pilfpqaa.exe
PID 908 wrote to memory of 2132 908 Omefkplm.exe Pilfpqaa.exe
PID 908 wrote to memory of 2132 908 Omefkplm.exe Pilfpqaa.exe
PID 2132 wrote to memory of 2676 2132 Pilfpqaa.exe Piqpkpml.exe
PID 2132 wrote to memory of 2676 2132 Pilfpqaa.exe Piqpkpml.exe
PID 2132 wrote to memory of 2676 2132 Pilfpqaa.exe Piqpkpml.exe
PID 2132 wrote to memory of 2676 2132 Pilfpqaa.exe Piqpkpml.exe
PID 2676 wrote to memory of 2728 2676 Piqpkpml.exe Pegqpacp.exe
PID 2676 wrote to memory of 2728 2676 Piqpkpml.exe Pegqpacp.exe
PID 2676 wrote to memory of 2728 2676 Piqpkpml.exe Pegqpacp.exe
PID 2676 wrote to memory of 2728 2676 Piqpkpml.exe Pegqpacp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe"), PID:2236
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lfbbjpgd.exe (command line: C:\Windows\system32\Lfbbjpgd.exe), PID:2308
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Mejlalji.exe (command line: C:\Windows\system32\Mejlalji.exe), PID:2880
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Mpamde32.exe (command line: C:\Windows\system32\Mpamde32.exe), PID:3016
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mlhnifmq.exe (command line: C:\Windows\system32\Mlhnifmq.exe), PID:2916
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Nagbgl32.exe (command line: C:\Windows\system32\Nagbgl32.exe), PID:2612
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Nmnclmoj.exe (command line: C:\Windows\system32\Nmnclmoj.exe), PID:2500
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Nbniid32.exe (command line: C:\Windows\system32\Nbniid32.exe), PID:2624
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Npaich32.exe (command line: C:\Windows\system32\Npaich32.exe), PID:2384
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Nfnneb32.exe (command line: C:\Windows\system32\Nfnneb32.exe), PID:2840
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ooicid32.exe (command line: C:\Windows\system32\Ooicid32.exe), PID:1944
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ohcdhi32.exe (command line: C:\Windows\system32\Ohcdhi32.exe), PID:1264
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Oalhqohl.exe (command line: C:\Windows\system32\Oalhqohl.exe), PID:1156
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Omefkplm.exe (command line: C:\Windows\system32\Omefkplm.exe), PID:908
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pilfpqaa.exe (command line: C:\Windows\system32\Pilfpqaa.exe), PID:2132
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Piqpkpml.exe (command line: C:\Windows\system32\Piqpkpml.exe), PID:2676
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Pegqpacp.exe (command line: C:\Windows\system32\Pegqpacp.exe), PID:2728
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Qqfkln32.exe (command line: C:\Windows\system32\Qqfkln32.exe), PID:2112
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Adcdbl32.exe (command line: C:\Windows\system32\Adcdbl32.exe), PID:1504
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Ajqljc32.exe (command line: C:\Windows\system32\Ajqljc32.exe), PID:568
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Ajcipc32.exe (command line: C:\Windows\system32\Ajcipc32.exe), PID:1920
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
22. C:\Windows\SysWOW64\Aobnniji.exe (command line: C:\Windows\system32\Aobnniji.exe), PID:1516
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Ajgbkbjp.exe (command line: C:\Windows\system32\Ajgbkbjp.exe), PID:2012
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Bbeded32.exe (command line: C:\Windows\system32\Bbeded32.exe), PID:896
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Bnldjekl.exe (command line: C:\Windows\system32\Bnldjekl.exe), PID:1852
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Bgdibkam.exe (command line: C:\Windows\system32\Bgdibkam.exe), PID:3012
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
27. C:\Windows\SysWOW64\Bnqned32.exe (command line: C:\Windows\system32\Bnqned32.exe), PID:860
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Bflbigdb.exe (command line: C:\Windows\system32\Bflbigdb.exe), PID:1664
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Cmhglq32.exe (command line: C:\Windows\system32\Cmhglq32.exe), PID:2272
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Ciohqa32.exe (command line: C:\Windows\system32\Ciohqa32.exe), PID:2240
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Cbiiog32.exe (command line: C:\Windows\system32\Cbiiog32.exe), PID:2776
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
32. C:\Windows\SysWOW64\Ddpobo32.exe (command line: C:\Windows\system32\Ddpobo32.exe), PID:3020
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
33. C:\Windows\SysWOW64\Doecog32.exe (command line: C:\Windows\system32\Doecog32.exe), PID:2752
- Executes dropped EXE
- Drops file in System32 directory
34. C:\Windows\SysWOW64\Diaaeepi.exe (command line: C:\Windows\system32\Diaaeepi.exe), PID:2608
- Executes dropped EXE
35. C:\Windows\SysWOW64\Dicnkdnf.exe (command line: C:\Windows\system32\Dicnkdnf.exe), PID:2648
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
36. C:\Windows\SysWOW64\Eelkeeah.exe (command line: C:\Windows\system32\Eelkeeah.exe), PID:2408
- Executes dropped EXE
37. C:\Windows\SysWOW64\Eeohkeoe.exe (command line: C:\Windows\system32\Eeohkeoe.exe), PID:2380
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
38. C:\Windows\SysWOW64\Eklqcl32.exe (command line: C:\Windows\system32\Eklqcl32.exe), PID:2460
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
39. C:\Windows\SysWOW64\Fgdnnl32.exe (command line: C:\Windows\system32\Fgdnnl32.exe), PID:1260
- Executes dropped EXE
40. C:\Windows\SysWOW64\Fajbke32.exe (command line: C:\Windows\system32\Fajbke32.exe), PID:2312
- Executes dropped EXE
- Modifies registry class
41. C:\Windows\SysWOW64\Fcnkhmdp.exe (command line: C:\Windows\system32\Fcnkhmdp.exe), PID:2280
- Executes dropped EXE
- Drops file in System32 directory
42. C:\Windows\SysWOW64\Fogibnha.exe (command line: C:\Windows\system32\Fogibnha.exe), PID:1644
- Executes dropped EXE
43. C:\Windows\SysWOW64\Fjlmpfhg.exe (command line: C:\Windows\system32\Fjlmpfhg.exe), PID:1780
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
44. C:\Windows\SysWOW64\Gfcnegnk.exe (command line: C:\Windows\system32\Gfcnegnk.exe), PID:660
- Executes dropped EXE
- Modifies registry class
45. C:\Windows\SysWOW64\Golbnm32.exe (command line: C:\Windows\system32\Golbnm32.exe), PID:1328
- Executes dropped EXE
46. C:\Windows\SysWOW64\Ghdgfbkl.exe (command line: C:\Windows\system32\Ghdgfbkl.exe), PID:2560
- Executes dropped EXE
47. C:\Windows\SysWOW64\Gnaooi32.exe (command line: C:\Windows\system32\Gnaooi32.exe), PID:2056
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
48. C:\Windows\SysWOW64\Ggicgopd.exe (command line: C:\Windows\system32\Ggicgopd.exe), PID:2288
- Executes dropped EXE
49. C:\Windows\SysWOW64\Gqahqd32.exe (command line: C:\Windows\system32\Gqahqd32.exe), PID:976
- Executes dropped EXE
- Drops file in System32 directory
50. C:\Windows\SysWOW64\Ggkqmoma.exe (command line: C:\Windows\system32\Ggkqmoma.exe), PID:1636
- Executes dropped EXE
51. C:\Windows\SysWOW64\Gqdefddb.exe (command line: C:\Windows\system32\Gqdefddb.exe), PID:1160
- Executes dropped EXE
- Drops file in System32 directory
52. C:\Windows\SysWOW64\Hkiicmdh.exe (command line: C:\Windows\system32\Hkiicmdh.exe), PID:1076
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
53. C:\Windows\SysWOW64\Hnheohcl.exe (command line: C:\Windows\system32\Hnheohcl.exe), PID:2100
- Executes dropped EXE
54. C:\Windows\SysWOW64\Hgpjhn32.exe (command line: C:\Windows\system32\Hgpjhn32.exe), PID:2212
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
55. C:\Windows\SysWOW64\Hjofdi32.exe (command line: C:\Windows\system32\Hjofdi32.exe), PID:872
- Executes dropped EXE
56. C:\Windows\SysWOW64\Hcgjmo32.exe (command line: C:\Windows\system32\Hcgjmo32.exe), PID:1508
- Executes dropped EXE
57. C:\Windows\SysWOW64\Hjacjifm.exe (command line: C:\Windows\system32\Hjacjifm.exe), PID:2816
- Executes dropped EXE
58. C:\Windows\SysWOW64\Hakkgc32.exe (command line: C:\Windows\system32\Hakkgc32.exe), PID:2276
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
59. C:\Windows\SysWOW64\Hfhcoj32.exe (command line: C:\Windows\system32\Hfhcoj32.exe), PID:3040
- Executes dropped EXE
- Drops file in System32 directory
60. C:\Windows\SysWOW64\Hpphhp32.exe (command line: C:\Windows\system32\Hpphhp32.exe), PID:2936
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
61. C:\Windows\SysWOW64\Hemqpf32.exe (command line: C:\Windows\system32\Hemqpf32.exe), PID:2644
- Executes dropped EXE
- Modifies registry class
62. C:\Windows\SysWOW64\Hlgimqhf.exe (command line: C:\Windows\system32\Hlgimqhf.exe), PID:2712
- Executes dropped EXE
63. C:\Windows\SysWOW64\Iikifegp.exe (command line: C:\Windows\system32\Iikifegp.exe), PID:2444
- Executes dropped EXE
64. C:\Windows\SysWOW64\Ipeaco32.exe (command line: C:\Windows\system32\Ipeaco32.exe), PID:3008
- Executes dropped EXE
- Drops file in System32 directory
65. C:\Windows\SysWOW64\Iimfld32.exe (command line: C:\Windows\system32\Iimfld32.exe), PID:1884
- Executes dropped EXE
- Drops file in System32 directory
66. C:\Windows\SysWOW64\Ijnbcmkk.exe (command line: C:\Windows\system32\Ijnbcmkk.exe), PID:1956
67. C:\Windows\SysWOW64\Ibejdjln.exe (command line: C:\Windows\system32\Ibejdjln.exe), PID:1728
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
68. C:\Windows\SysWOW64\Ihbcmaje.exe (command line: C:\Windows\system32\Ihbcmaje.exe), PID:540
69. C:\Windows\SysWOW64\Ijqoilii.exe (command line: C:\Windows\system32\Ijqoilii.exe), PID:2060
70. C:\Windows\SysWOW64\Iefcfe32.exe (command line: C:\Windows\system32\Iefcfe32.exe), PID:2216
- Drops file in System32 directory
- Modifies registry class
71. C:\Windows\SysWOW64\Imahkg32.exe (command line: C:\Windows\system32\Imahkg32.exe), PID:400
- Adds autorun key to be loaded by Explorer.exe on startup
72. C:\Windows\SysWOW64\Ihglhp32.exe (command line: C:\Windows\system32\Ihglhp32.exe), PID:1372
73. C:\Windows\SysWOW64\Iihiphln.exe (command line: C:\Windows\system32\Iihiphln.exe), PID:1764
74. C:\Windows\SysWOW64\Jaoqqflp.exe (command line: C:\Windows\system32\Jaoqqflp.exe), PID:1052
- Drops file in System32 directory
75. C:\Windows\SysWOW64\Jikeeh32.exe (command line: C:\Windows\system32\Jikeeh32.exe), PID:760
- Modifies registry class
76. C:\Windows\SysWOW64\Jpdnbbah.exe (command line: C:\Windows\system32\Jpdnbbah.exe), PID:2976
77. C:\Windows\SysWOW64\Jbcjnnpl.exe (command line: C:\Windows\system32\Jbcjnnpl.exe), PID:1616
- Modifies registry class
78. C:\Windows\SysWOW64\Jmhnkfpa.exe (command line: C:\Windows\system32\Jmhnkfpa.exe), PID:1796
- Modifies registry class
79. C:\Windows\SysWOW64\Jbefcm32.exe (command line: C:\Windows\system32\Jbefcm32.exe), PID:2952
80. C:\Windows\SysWOW64\Jhbold32.exe (command line: C:\Windows\system32\Jhbold32.exe), PID:2592
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
81. C:\Windows\SysWOW64\Jbhcim32.exe (command line: C:\Windows\system32\Jbhcim32.exe), PID:2640
- Adds autorun key to be loaded by Explorer.exe on startup
82. C:\Windows\SysWOW64\Jialfgcc.exe (command line: C:\Windows\system32\Jialfgcc.exe), PID:2552
- Modifies registry class
83. C:\Windows\SysWOW64\Jkchmo32.exe (command line: C:\Windows\system32\Jkchmo32.exe), PID:3064
84. C:\Windows\SysWOW64\Jehlkhig.exe (command line: C:\Windows\system32\Jehlkhig.exe), PID:1244
85. C:\Windows\SysWOW64\Koaqcn32.exe (command line: C:\Windows\system32\Koaqcn32.exe), PID:2336
86. C:\Windows\SysWOW64\Kekiphge.exe (command line: C:\Windows\system32\Kekiphge.exe), PID:268
- Drops file in System32 directory
- Modifies registry class
87. C:\Windows\SysWOW64\Kglehp32.exe (command line: C:\Windows\system32\Kglehp32.exe), PID:592
88. C:\Windows\SysWOW64\Knfndjdp.exe (command line: C:\Windows\system32\Knfndjdp.exe), PID:1816
89. C:\Windows\SysWOW64\Kdpfadlm.exe (command line: C:\Windows\system32\Kdpfadlm.exe), PID:2628
90. C:\Windows\SysWOW64\Knhjjj32.exe (command line: C:\Windows\system32\Knhjjj32.exe), PID:1132
91. C:\Windows\SysWOW64\Kcecbq32.exe (command line: C:\Windows\system32\Kcecbq32.exe), PID:576
92. C:\Windows\SysWOW64\Kjokokha.exe (command line: C:\Windows\system32\Kjokokha.exe), PID:2992
93. C:\Windows\SysWOW64\Kpicle32.exe (command line: C:\Windows\system32\Kpicle32.exe), PID:2864
94. C:\Windows\SysWOW64\Kffldlne.exe (command line: C:\Windows\system32\Kffldlne.exe), PID:2200
95. C:\Windows\SysWOW64\Kpkpadnl.exe (command line: C:\Windows\system32\Kpkpadnl.exe), PID:2812
96. C:\Windows\SysWOW64\Lgehno32.exe (command line: C:\Windows\system32\Lgehno32.exe), PID:2924
97. C:\Windows\SysWOW64\Lclicpkm.exe (command line: C:\Windows\system32\Lclicpkm.exe), PID:1660
- Drops file in System32 directory
98. C:\Windows\SysWOW64\Ljfapjbi.exe (command line: C:\Windows\system32\Ljfapjbi.exe), PID:2580
99. C:\Windows\SysWOW64\Lkgngb32.exe (command line: C:\Windows\system32\Lkgngb32.exe), PID:2388
- Modifies registry class
100. C:\Windows\SysWOW64\Ldpbpgoh.exe (command line: C:\Windows\system32\Ldpbpgoh.exe), PID:2668
101. C:\Windows\SysWOW64\Lkjjma32.exe (command line: C:\Windows\system32\Lkjjma32.exe), PID:2956
102. C:\Windows\SysWOW64\Lgchgb32.exe (command line: C:\Windows\system32\Lgchgb32.exe), PID:2860
103. C:\Windows\SysWOW64\Mmbmeifk.exe (command line: C:\Windows\system32\Mmbmeifk.exe), PID:1044
- Adds autorun key to be loaded by Explorer.exe on startup
104. C:\Windows\SysWOW64\Mobfgdcl.exe (command line: C:\Windows\system32\Mobfgdcl.exe), PID:1720
105. C:\Windows\SysWOW64\Mfmndn32.exe (command line: C:\Windows\system32\Mfmndn32.exe), PID:2440
- Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Mqbbagjo.exe (command line: C:\Windows\system32\Mqbbagjo.exe), PID:3052
- Modifies registry class
107. C:\Windows\SysWOW64\Mfokinhf.exe (command line: C:\Windows\system32\Mfokinhf.exe), PID:2452
108. C:\Windows\SysWOW64\Mimgeigj.exe (command line: C:\Windows\system32\Mimgeigj.exe), PID:1756
109. C:\Windows\SysWOW64\Mcckcbgp.exe (command line: C:\Windows\system32\Mcckcbgp.exe), PID:1840
110. C:\Windows\SysWOW64\Nedhjj32.exe (command line: C:\Windows\system32\Nedhjj32.exe), PID:3060
111. C:\Windows\SysWOW64\Npjlhcmd.exe (command line: C:\Windows\system32\Npjlhcmd.exe), PID:888
112. C:\Windows\SysWOW64\Nefdpjkl.exe (command line: C:\Windows\system32\Nefdpjkl.exe), PID:2296
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
113. C:\Windows\SysWOW64\Nlqmmd32.exe (command line: C:\Windows\system32\Nlqmmd32.exe), PID:2824
- Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Nbjeinje.exe (command line: C:\Windows\system32\Nbjeinje.exe), PID:2536
115. C:\Windows\SysWOW64\Nidmfh32.exe (command line: C:\Windows\system32\Nidmfh32.exe), PID:2768
116. C:\Windows\SysWOW64\Njfjnpgp.exe (command line: C:\Windows\system32\Njfjnpgp.exe), PID:2456
117. C:\Windows\SysWOW64\Neknki32.exe (command line: C:\Windows\system32\Neknki32.exe), PID:1724
- Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Nncbdomg.exe (command line: C:\Windows\system32\Nncbdomg.exe), PID:2208
119. C:\Windows\SysWOW64\Ndqkleln.exe (command line: C:\Windows\system32\Ndqkleln.exe), PID:684
- Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Nfoghakb.exe (command line: C:\Windows\system32\Nfoghakb.exe), PID:2692
121. C:\Windows\SysWOW64\Omioekbo.exe (command line: C:\Windows\system32\Omioekbo.exe), PID:1804
- Drops file in System32 directory
122. C:\Windows\SysWOW64\Odchbe32.exe (command line: C:\Windows\system32\Odchbe32.exe), PID:1768
123. C:\Windows\SysWOW64\Ojmpooah.exe (command line: C:\Windows\system32\Ojmpooah.exe), PID:1712
124. C:\Windows\SysWOW64\Opihgfop.exe (command line: C:\Windows\system32\Opihgfop.exe), PID:1692
125. C:\Windows\SysWOW64\Omnipjni.exe (command line: C:\Windows\system32\Omnipjni.exe), PID:2348
126. C:\Windows\SysWOW64\Odgamdef.exe (command line: C:\Windows\system32\Odgamdef.exe), PID:2540
127. C:\Windows\SysWOW64\Oeindm32.exe (command line: C:\Windows\system32\Oeindm32.exe), PID:1412
128. C:\Windows\SysWOW64\Opnbbe32.exe (command line: C:\Windows\system32\Opnbbe32.exe), PID:1676
- Modifies registry class
129. C:\Windows\SysWOW64\Ofhjopbg.exe (command line: C:\Windows\system32\Ofhjopbg.exe), PID:1716
- Adds autorun key to be loaded by Explorer.exe on startup
130. C:\Windows\SysWOW64\Olebgfao.exe (command line: C:\Windows\system32\Olebgfao.exe), PID:2140
131. C:\Windows\SysWOW64\Oabkom32.exe (command line: C:\Windows\system32\Oabkom32.exe), PID:2700
132. C:\Windows\SysWOW64\Phlclgfc.exe (command line: C:\Windows\system32\Phlclgfc.exe), PID:1624
- Modifies registry class
133. C:\Windows\SysWOW64\Pofkha32.exe (command line: C:\Windows\system32\Pofkha32.exe), PID:2744
134. C:\Windows\SysWOW64\Padhdm32.exe (command line: C:\Windows\system32\Padhdm32.exe), PID:2972
135. C:\Windows\SysWOW64\Phnpagdp.exe (command line: C:\Windows\system32\Phnpagdp.exe), PID:1996
136. C:\Windows\SysWOW64\Pkmlmbcd.exe (command line: C:\Windows\system32\Pkmlmbcd.exe), PID:2344
- Modifies registry class
137. C:\Windows\SysWOW64\Pebpkk32.exe (command line: C:\Windows\system32\Pebpkk32.exe), PID:2932
- Drops file in System32 directory
138. C:\Windows\SysWOW64\Pidfdofi.exe (command line: C:\Windows\system32\Pidfdofi.exe), PID:2520
139. C:\Windows\SysWOW64\Pcljmdmj.exe (command line: C:\Windows\system32\Pcljmdmj.exe), PID:2508
140. C:\Windows\SysWOW64\Qgjccb32.exe (command line: C:\Windows\system32\Qgjccb32.exe), PID:944
141. C:\Windows\SysWOW64\Qndkpmkm.exe (command line: C:\Windows\system32\Qndkpmkm.exe), PID:1192
- Modifies registry class
142. C:\Windows\SysWOW64\Qeppdo32.exe (command line: C:\Windows\system32\Qeppdo32.exe), PID:1888
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
143. C:\Windows\SysWOW64\Accqnc32.exe (command line: C:\Windows\system32\Accqnc32.exe), PID:2828
144. C:\Windows\SysWOW64\Acfmcc32.exe (command line: C:\Windows\system32\Acfmcc32.exe), PID:552
145. C:\Windows\SysWOW64\Ahbekjcf.exe (command line: C:\Windows\system32\Ahbekjcf.exe), PID:1952
- Modifies registry class
146. C:\Windows\SysWOW64\Achjibcl.exe (command line: C:\Windows\system32\Achjibcl.exe), PID:632
147. C:\Windows\SysWOW64\Akcomepg.exe (command line: C:\Windows\system32\Akcomepg.exe), PID:1740
148. C:\Windows\SysWOW64\Adlcfjgh.exe (command line: C:\Windows\system32\Adlcfjgh.exe), PID:3056
- Drops file in System32 directory
149. C:\Windows\SysWOW64\Akfkbd32.exe (command line: C:\Windows\system32\Akfkbd32.exe), PID:1620
- Adds autorun key to be loaded by Explorer.exe on startup
150. C:\Windows\SysWOW64\Andgop32.exe (command line: C:\Windows\system32\Andgop32.exe), PID:2516
151. C:\Windows\SysWOW64\Bhjlli32.exe (command line: C:\Windows\system32\Bhjlli32.exe), PID:2416
152. C:\Windows\SysWOW64\Bjkhdacm.exe (command line: C:\Windows\system32\Bjkhdacm.exe), PID:2856
- Drops file in System32 directory
153. C:\Windows\SysWOW64\Bbbpenco.exe (command line: C:\Windows\system32\Bbbpenco.exe), PID:1892
154. C:\Windows\SysWOW64\Bgoime32.exe (command line: C:\Windows\system32\Bgoime32.exe), PID:2596
155. C:\Windows\SysWOW64\Bniajoic.exe (command line: C:\Windows\system32\Bniajoic.exe), PID:668
156. C:\Windows\SysWOW64\Bdcifi32.exe (command line: C:\Windows\system32\Bdcifi32.exe), PID:1868
- Modifies registry class
157. C:\Windows\SysWOW64\Bfdenafn.exe (command line: C:\Windows\system32\Bfdenafn.exe), PID:864
158. C:\Windows\SysWOW64\Boljgg32.exe (command line: C:\Windows\system32\Boljgg32.exe), PID:1748
- Drops file in System32 directory
159. C:\Windows\SysWOW64\Bieopm32.exe (command line: C:\Windows\system32\Bieopm32.exe), PID:2076
160. C:\Windows\SysWOW64\Boogmgkl.exe (command line: C:\Windows\system32\Boogmgkl.exe), PID:2164
161. C:\Windows\SysWOW64\Bfioia32.exe (command line: C:\Windows\system32\Bfioia32.exe), PID:2028
162. C:\Windows\SysWOW64\Bmbgfkje.exe (command line: C:\Windows\system32\Bmbgfkje.exe), PID:1248
163. C:\Windows\SysWOW64\Ccmpce32.exe (command line: C:\Windows\system32\Ccmpce32.exe), PID:2740
- Modifies registry class
164. C:\Windows\SysWOW64\Cenljmgq.exe (command line: C:\Windows\system32\Cenljmgq.exe), PID:240
165. C:\Windows\SysWOW64\Cocphf32.exe (command line: C:\Windows\system32\Cocphf32.exe), PID:1612
166. C:\Windows\SysWOW64\Cbblda32.exe (command line: C:\Windows\system32\Cbblda32.exe), PID:3028
167. C:\Windows\SysWOW64\Cgoelh32.exe (command line: C:\Windows\system32\Cgoelh32.exe), PID:2396
168. C:\Windows\SysWOW64\Cpfmmf32.exe (command line: C:\Windows\system32\Cpfmmf32.exe), PID:936
169. C:\Windows\SysWOW64\Cinafkkd.exe (command line: C:\Windows\system32\Cinafkkd.exe), PID:2892
- Adds autorun key to be loaded by Explorer.exe on startup
170. C:\Windows\SysWOW64\Cnkjnb32.exe (command line: C:\Windows\system32\Cnkjnb32.exe), PID:2096
- Adds autorun key to be loaded by Explorer.exe on startup
171. C:\Windows\SysWOW64\Ceebklai.exe (command line: C:\Windows\system32\Ceebklai.exe), PID:2376
172. C:\Windows\SysWOW64\Clojhf32.exe (command line: C:\Windows\system32\Clojhf32.exe), PID:1896
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
173. C:\Windows\SysWOW64\Calcpm32.exe (command line: C:\Windows\system32\Calcpm32.exe), PID:1596
- Drops file in System32 directory
174. C:\Windows\SysWOW64\Ccjoli32.exe (command line: C:\Windows\system32\Ccjoli32.exe), PID:1696
175. C:\Windows\SysWOW64\Dnpciaef.exe (command line: C:\Windows\system32\Dnpciaef.exe), PID:3000
- Modifies registry class
176. C:\Windows\SysWOW64\Danpemej.exe (command line: C:\Windows\system32\Danpemej.exe), PID:2684
177. C:\Windows\SysWOW64\Dcllbhdn.exe (command line: C:\Windows\system32\Dcllbhdn.exe), PID:2588
- Adds autorun key to be loaded by Explorer.exe on startup
178. C:\Windows\SysWOW64\Dfkhndca.exe (command line: C:\Windows\system32\Dfkhndca.exe), PID:2584
179. C:\Windows\SysWOW64\Dmepkn32.exe (command line: C:\Windows\system32\Dmepkn32.exe), PID:956
- Drops file in System32 directory
180. C:\Windows\SysWOW64\Dcohghbk.exe (command line: C:\Windows\system32\Dcohghbk.exe), PID:3084
181. C:\Windows\SysWOW64\Dmgmpnhl.exe (command line: C:\Windows\system32\Dmgmpnhl.exe), PID:3124
182. C:\Windows\SysWOW64\Ddaemh32.exe (command line: C:\Windows\system32\Ddaemh32.exe), PID:3164
183. C:\Windows\SysWOW64\Dfpaic32.exe (command line: C:\Windows\system32\Dfpaic32.exe), PID:3204
- Drops file in System32 directory
184. C:\Windows\SysWOW64\Dlljaj32.exe (command line: C:\Windows\system32\Dlljaj32.exe), PID:3244
185. C:\Windows\SysWOW64\Dokfme32.exe (command line: C:\Windows\system32\Dokfme32.exe), PID:3284
- Modifies registry class
186. C:\Windows\SysWOW64\Dipjkn32.exe (command line: C:\Windows\system32\Dipjkn32.exe), PID:3324
187. C:\Windows\SysWOW64\Dpjbgh32.exe (command line: C:\Windows\system32\Dpjbgh32.exe), PID:3364
- Drops file in System32 directory
188. C:\Windows\SysWOW64\Eakooqih.exe (command line: C:\Windows\system32\Eakooqih.exe), PID:3404
189. C:\Windows\SysWOW64\Eibgpnjk.exe (command line: C:\Windows\system32\Eibgpnjk.exe), PID:3444
190. C:\Windows\SysWOW64\Ekdchf32.exe (command line: C:\Windows\system32\Ekdchf32.exe), PID:3484
- Drops file in System32 directory
191. C:\Windows\SysWOW64\Eeiheo32.exe (command line: C:\Windows\system32\Eeiheo32.exe), PID:3532
- Modifies registry class
192. C:\Windows\SysWOW64\Edcnakpa.exe (command line: C:\Windows\system32\Edcnakpa.exe), PID:3572
- Drops file in System32 directory
- Modifies registry class
193. C:\Windows\SysWOW64\Egajnfoe.exe (command line: C:\Windows\system32\Egajnfoe.exe), PID:3612
194. C:\Windows\SysWOW64\Flocfmnl.exe (command line: C:\Windows\system32\Flocfmnl.exe), PID:3652
195. C:\Windows\SysWOW64\Fdekgjno.exe (command line: C:\Windows\system32\Fdekgjno.exe), PID:3692
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
196. C:\Windows\SysWOW64\Feggob32.exe (command line: C:\Windows\system32\Feggob32.exe), PID:3732
197. C:\Windows\SysWOW64\Flapkmlj.exe (command line: C:\Windows\system32\Flapkmlj.exe), PID:3772
- Adds autorun key to be loaded by Explorer.exe on startup
198. C:\Windows\SysWOW64\Foolgh32.exe (command line: C:\Windows\system32\Foolgh32.exe), PID:3812
199. C:\Windows\SysWOW64\Fgfdie32.exe (command line: C:\Windows\system32\Fgfdie32.exe), PID:3852
200. C:\Windows\SysWOW64\Flclam32.exe (command line: C:\Windows\system32\Flclam32.exe), PID:3892
201. C:\Windows\SysWOW64\Fcmdnfad.exe (command line: C:\Windows\system32\Fcmdnfad.exe), PID:3932
202. C:\Windows\SysWOW64\Felajbpg.exe (command line: C:\Windows\system32\Felajbpg.exe), PID:3972
203. C:\Windows\SysWOW64\Fhjmfnok.exe (command line: C:\Windows\system32\Fhjmfnok.exe), PID:4012
- Drops file in System32 directory
204. C:\Windows\SysWOW64\Fepjea32.exe (command line: C:\Windows\system32\Fepjea32.exe), PID:4052
205. C:\Windows\SysWOW64\Ggagmjbq.exe (command line: C:\Windows\system32\Ggagmjbq.exe), PID:4092
- Adds autorun key to be loaded by Explorer.exe on startup
206. C:\Windows\SysWOW64\Gagkjbaf.exe (command line: C:\Windows\system32\Gagkjbaf.exe), PID:3116
207. C:\Windows\SysWOW64\Gdegfn32.exe (command line: C:\Windows\system32\Gdegfn32.exe), PID:3184
208. C:\Windows\SysWOW64\Gjbpne32.exe (command line: C:\Windows\system32\Gjbpne32.exe), PID:3236
209. C:\Windows\SysWOW64\Gckdgjeb.exe (command line: C:\Windows\system32\Gckdgjeb.exe), PID:3296
210. C:\Windows\SysWOW64\Gnphdceh.exe (command line: C:\Windows\system32\Gnphdceh.exe), PID:3348
211. C:\Windows\SysWOW64\Gdjqamme.exe (command line: C:\Windows\system32\Gdjqamme.exe), PID:3400
212. C:\Windows\SysWOW64\Gnbejb32.exe (command line: C:\Windows\system32\Gnbejb32.exe), PID:3460
- Modifies registry class
213. C:\Windows\SysWOW64\Gconbj32.exe (command line: C:\Windows\system32\Gconbj32.exe), PID:3516
- Drops file in System32 directory
214. C:\Windows\SysWOW64\Hofngkga.exe (command line: C:\Windows\system32\Hofngkga.exe), PID:3588
215. C:\Windows\SysWOW64\Hinbppna.exe (command line: C:\Windows\system32\Hinbppna.exe), PID:3640
216. C:\Windows\SysWOW64\Hfbcidmk.exe (command line: C:\Windows\system32\Hfbcidmk.exe), PID:3700
- Modifies registry class
217. C:\Windows\SysWOW64\Hnnhngjf.exe (command line: C:\Windows\system32\Hnnhngjf.exe), PID:3756
218. C:\Windows\SysWOW64\Hnpdcf32.exe (command line: C:\Windows\system32\Hnpdcf32.exe), PID:3808
- Adds autorun key to be loaded by Explorer.exe on startup
219. C:\Windows\SysWOW64\Hkdemk32.exe (command line: C:\Windows\system32\Hkdemk32.exe), PID:3868
220. C:\Windows\SysWOW64\Heliepmn.exe (command line: C:\Windows\system32\Heliepmn.exe), PID:3924
- Modifies registry class
221. C:\Windows\SysWOW64\Iacjjacb.exe (command line: C:\Windows\system32\Iacjjacb.exe), PID:3988
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
222. C:\Windows\SysWOW64\Ijkocg32.exe (command line: C:\Windows\system32\Ijkocg32.exe), PID:3832
- Adds autorun key to be loaded by Explorer.exe on startup
223. C:\Windows\SysWOW64\Ijnkifgp.exe (command line: C:\Windows\system32\Ijnkifgp.exe), PID:3748
224. C:\Windows\SysWOW64\Icfpbl32.exe (command line: C:\Windows\system32\Icfpbl32.exe), PID:1036
225. C:\Windows\SysWOW64\Iladfn32.exe (command line: C:\Windows\system32\Iladfn32.exe), PID:3464
- Adds autorun key to be loaded by Explorer.exe on startup
226. C:\Windows\SysWOW64\Ifgicg32.exe (command line: C:\Windows\system32\Ifgicg32.exe), PID:4048
227. C:\Windows\SysWOW64\Jfieigio.exe (command line: C:\Windows\system32\Jfieigio.exe), PID:4064
- Modifies registry class
228. C:\Windows\SysWOW64\Jpajbl32.exe (command line: C:\Windows\system32\Jpajbl32.exe), PID:3092
- Drops file in System32 directory
229. C:\Windows\SysWOW64\Jijokbfp.exe (command line: C:\Windows\system32\Jijokbfp.exe), PID:3156
- Modifies registry class
230. C:\Windows\SysWOW64\Joidhh32.exe (command line: C:\Windows\system32\Joidhh32.exe), PID:3220
231. C:\Windows\SysWOW64\Jokqnhpa.exe (command line: C:\Windows\system32\Jokqnhpa.exe), PID:3276
- Drops file in System32 directory
- Modifies registry class
232. C:\Windows\SysWOW64\Jieaofmp.exe (command line: C:\Windows\system32\Jieaofmp.exe), PID:3360
- Adds autorun key to be loaded by Explorer.exe on startup
233. C:\Windows\SysWOW64\Kfibhjlj.exe (command line: C:\Windows\system32\Kfibhjlj.exe), PID:3420
234. C:\Windows\SysWOW64\Kpafapbk.exe (command line: C:\Windows\system32\Kpafapbk.exe), PID:3260
235. C:\Windows\SysWOW64\Kenoifpb.exe (command line: C:\Windows\system32\Kenoifpb.exe), PID:3544
236. C:\Windows\SysWOW64\Kofcbl32.exe (command line: C:\Windows\system32\Kofcbl32.exe), PID:3624
237. C:\Windows\SysWOW64\Kljdkpfl.exe (command line: C:\Windows\system32\Kljdkpfl.exe), PID:3684
238. C:\Windows\SysWOW64\Kechdf32.exe (command line: C:\Windows\system32\Kechdf32.exe), PID:3764
- Drops file in System32 directory
239. C:\Windows\SysWOW64\Kcginj32.exe (command line: C:\Windows\system32\Kcginj32.exe), PID:3836
- Modifies registry class
240. C:\Windows\SysWOW64\Lonibk32.exe (command line: C:\Windows\system32\Lonibk32.exe), PID:3908
241. C:\Windows\SysWOW64\Legaoehg.exe (command line: C:\Windows\system32\Legaoehg.exe), PID:3964
- Modifies registry class
242. C:\Windows\SysWOW64\Lkdjglfo.exe (command line: C:\Windows\system32\Lkdjglfo.exe), PID:3144
- Drops file in System32 directory