Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 01:03
Behavioral task behavioral1
- Sample: 18b8f4445c02070ece34a58e22d5ac90_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: 18b8f4445c02070ece34a58e22d5ac90_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 18b8f4445c02070ece34a58e22d5ac90_NeikiAnalytics.exe
- Size: 366KB
- MD5: 18b8f4445c02070ece34a58e22d5ac90
- SHA1: 55a39cf2bda2d6dfc4e37d5d1adb7be20f4c3844
- SHA256: f6b61fa85c28bb20f06331bddf46f84c61cd9884bb77e22d6dafa140478de88a
- SHA512: b84c59465eb715734a574d6b550a3f14c64d95bdd7a9771f03f3ba2b38f84e998a5b2deaaf2b3361eee787f3933cb6baab6c0f6408bf100c47301945b13e25c7
- SSDEEP: 6144:dhv1WAyLnLcdpui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGckvN4Ni:dWTPcdpV6yYPMLnfBJKFbhDwBpV6yYPs
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  Every write targets the ShellServiceObjectDelayLoad key: some stages create the key, others set a single value named "Web Event Logger" whose data is the CLSID {79ECA078-17FF-726B-E811-213280E5C831}. The DLL that is loaded for that CLSID is whatever its InProcServer32 key names (see "Modifies registry class" below). All writes land in the Wow6432Node view because the 32-bit sample is subject to WOW64 registry redirection on this x64 VM; a 64-bit Explorer.exe reads the native key, so on a real host confirm which view was written before treating the entry as live persistence.
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnbkddem.exe, Hkpnhgge.exe, Icbimi32.exe, Pigeqkai.exe, Cjndop32.exe, Fehjeo32.exe, Nkmbgdfl.exe, Cfeddafl.exe, Gkgkbipp.exe, Gkihhhnm.exe, Eqonkmdh.exe, Eiaiqn32.exe, Qlhnbf32.exe, Dqlafm32.exe, Dkkpbgli.exe, Fjdbnf32.exe, Djefobmk.exe, Gelppaof.exe, Hpocfncj.exe, Epaogi32.exe, Pndniaop.exe, Bkaqmeah.exe, Clomqk32.exe, Hdfflm32.exe, Bokphdld.exe, Begeknan.exe, Fioija32.exe, Ongnonkb.exe, Ailkjmpo.exe, Bpfcgg32.exe, Qnfjna32.exe, Dhmcfkme.exe, Fhhcgj32.exe, Bhahlj32.exe (34 IoCs)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gdamqndn.exe, Eijcpoac.exe, Ieqeidnl.exe, Bhfagipa.exe, Dgaqgh32.exe, Inljnfkg.exe, Ennaieib.exe, Cobbhfhg.exe, Fjlhneio.exe, Djbiicon.exe, Eilpeooq.exe, Hdfflm32.exe, Oicpfh32.exe, Pfdpip32.exe, Flabbihl.exe, Chhjkl32.exe, Dngoibmo.exe, Dfgmhd32.exe, Epaogi32.exe, Ebpkce32.exe, Dnneja32.exe, Hlhaqogk.exe, Plahag32.exe, Cgbdhd32.exe, Hggomh32.exe, Pigeqkai.exe, Begeknan.exe, Fckjalhj.exe, Fphafl32.exe, Amndem32.exe (30 IoCs)
- Malware Dropper & Backdoor - Berbew (64 IoCs)
  Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  resource | yara_rule (family_berbew matched on every resource below)
  behavioral1/memory/2740-0-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/2740-6-0x0000000000450000-0x0000000000494000-memory.dmp
  \Windows\SysWOW64\Nfmmin32.exe
  behavioral1/memory/1980-14-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/3000-27-0x0000000000400000-0x0000000000444000-memory.dmp
  C:\Windows\SysWOW64\Nqcagfim.exe
  C:\Windows\SysWOW64\Nmjblg32.exe
  C:\Windows\SysWOW64\Nkmbgdfl.exe
  behavioral1/memory/2612-54-0x0000000000400000-0x0000000000444000-memory.dmp
  C:\Windows\SysWOW64\Ofbfdmeb.exe
  \Windows\SysWOW64\Onmkio32.exe
  behavioral1/memory/2588-79-0x0000000000250000-0x0000000000294000-memory.dmp
  behavioral1/memory/2168-96-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/2748-112-0x0000000000400000-0x0000000000444000-memory.dmp
  \Windows\SysWOW64\Ogfpbeim.exe
  C:\Windows\SysWOW64\Oicpfh32.exe
  behavioral1/memory/2548-122-0x0000000000400000-0x0000000000444000-memory.dmp
  \Windows\SysWOW64\Oelmai32.exe
  \Windows\SysWOW64\Ogjimd32.exe
  C:\Windows\SysWOW64\Ojieip32.exe
  C:\Windows\SysWOW64\Oqcnfjli.exe
  behavioral1/memory/2124-206-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/1528-220-0x0000000000400000-0x0000000000444000-memory.dmp
  C:\Windows\SysWOW64\Ongnonkb.exe
  behavioral1/memory/592-231-0x0000000000400000-0x0000000000444000-memory.dmp
  C:\Windows\SysWOW64\Piblek32.exe
  behavioral1/memory/1672-295-0x0000000000400000-0x0000000000444000-memory.dmp
  C:\Windows\SysWOW64\Plcdgfbo.exe
  behavioral1/memory/2972-306-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/2288-328-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/2560-339-0x0000000000400000-0x0000000000444000-memory.dmp
  C:\Windows\SysWOW64\Penfelgm.exe
  C:\Windows\SysWOW64\Qlhnbf32.exe
  behavioral1/memory/2528-372-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/2512-387-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/2704-394-0x0000000000400000-0x0000000000444000-memory.dmp
  C:\Windows\SysWOW64\Qecoqk32.exe
  behavioral1/memory/1800-430-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/1732-435-0x0000000000400000-0x0000000000444000-memory.dmp
  behavioral1/memory/1804-457-0x0000000000400000-0x0000000000444000-memory.dmp
  C:\Windows\SysWOW64\Ahchbf32.exe
  C:\Windows\SysWOW64\Aalmklfi.exe
  C:\Windows\SysWOW64\Abmibdlh.exe
  C:\Windows\SysWOW64\Aigaon32.exe
  C:\Windows\SysWOW64\Admemg32.exe
  C:\Windows\SysWOW64\Afkbib32.exe
  C:\Windows\SysWOW64\Apcfahio.exe
  C:\Windows\SysWOW64\Aenbdoii.exe
  C:\Windows\SysWOW64\Bpfcgg32.exe
  C:\Windows\SysWOW64\Bagpopmj.exe
  C:\Windows\SysWOW64\Bhahlj32.exe
  C:\Windows\SysWOW64\Bdhhqk32.exe
  C:\Windows\SysWOW64\Bommnc32.exe
  C:\Windows\SysWOW64\Begeknan.exe
  C:\Windows\SysWOW64\Bkdmcdoe.exe
  C:\Windows\SysWOW64\Bhhnli32.exe
  C:\Windows\SysWOW64\Bjijdadm.exe
  C:\Windows\SysWOW64\Bpcbqk32.exe
  C:\Windows\SysWOW64\Bdooajdc.exe
  C:\Windows\SysWOW64\Cngcjo32.exe
  C:\Windows\SysWOW64\Cgpgce32.exe
  C:\Windows\SysWOW64\Cgbdhd32.exe
  C:\Windows\SysWOW64\Cpjiajeb.exe
  C:\Windows\SysWOW64\Cciemedf.exe
- Executes dropped EXE (64 IoCs)
  pid | process
  1980 | Nfmmin32.exe
  3000 | Nqcagfim.exe
  2652 | Nmjblg32.exe
  2612 | Nkmbgdfl.exe
  2588 | Ofbfdmeb.exe
  2468 | Onmkio32.exe
  2168 | Ofdcjm32.exe
  2748 | Oicpfh32.exe
  2548 | Ogfpbeim.exe
  1308 | Obnqem32.exe
  1824 | Oelmai32.exe
  2272 | Ogjimd32.exe
  1632 | Ojieip32.exe
  2268 | Oqcnfjli.exe
  2124 | Ocajbekl.exe
  1528 | Ongnonkb.exe
  592 | Pcfcmd32.exe
  1900 | Pfdpip32.exe
  412 | Piblek32.exe
  1320 | Plahag32.exe
  1564 | Pbkpna32.exe
  1068 | Pfflopdh.exe
  1672 | Piehkkcl.exe
  2972 | Plcdgfbo.exe
  676 | Pfiidobe.exe
  2288 | Pigeqkai.exe
  2560 | Pndniaop.exe
  2952 | Penfelgm.exe
  2504 | Qlhnbf32.exe
  2528 | Qnfjna32.exe
  2512 | Qaefjm32.exe
  2704 | Qhooggdn.exe
  2020 | Qagcpljo.exe
  2008 | Qecoqk32.exe
  1800 | Ahakmf32.exe
  1732 | Ajphib32.exe
  1040 | Amndem32.exe
  1804 | Adhlaggp.exe
  1820 | Ahchbf32.exe
  1488 | Aalmklfi.exe
  3020 | Apomfh32.exe
  1096 | Abmibdlh.exe
  800 | Aigaon32.exe
  1568 | Alenki32.exe
  1888 | Admemg32.exe
  992 | Afkbib32.exe
  2060 | Aenbdoii.exe
  2100 | Apcfahio.exe
  2800 | Aoffmd32.exe
  2728 | Afmonbqk.exe
  2476 | Ailkjmpo.exe
  2752 | Ahokfj32.exe
  872 | Bpfcgg32.exe
  2796 | Boiccdnf.exe
  2040 | Bagpopmj.exe
  2424 | Bebkpn32.exe
  2284 | Bingpmnl.exe
  2660 | Bhahlj32.exe
  2296 | Bkodhe32.exe
  628 | Bokphdld.exe
  776 | Baildokg.exe
  1836 | Beehencq.exe
  3048 | Bdhhqk32.exe
  2332 | Bkaqmeah.exe
- Loads dropped DLL (64 IoCs)
  pid | process (each pair is listed twice in the report, giving 64 IoCs for 32 processes)
  2740 | 18b8f4445c02070ece34a58e22d5ac90_NeikiAnalytics.exe
  1980 | Nfmmin32.exe
  3000 | Nqcagfim.exe
  2652 | Nmjblg32.exe
  2612 | Nkmbgdfl.exe
  2588 | Ofbfdmeb.exe
  2468 | Onmkio32.exe
  2168 | Ofdcjm32.exe
  2748 | Oicpfh32.exe
  2548 | Ogfpbeim.exe
  1308 | Obnqem32.exe
  1824 | Oelmai32.exe
  2272 | Ogjimd32.exe
  1632 | Ojieip32.exe
  2268 | Oqcnfjli.exe
  2124 | Ocajbekl.exe
  1528 | Ongnonkb.exe
  592 | Pcfcmd32.exe
  1900 | Pfdpip32.exe
  412 | Piblek32.exe
  1320 | Plahag32.exe
  1564 | Pbkpna32.exe
  1068 | Pfflopdh.exe
  1672 | Piehkkcl.exe
  2972 | Plcdgfbo.exe
  676 | Pfiidobe.exe
  2288 | Pigeqkai.exe
  2560 | Pndniaop.exe
  2952 | Penfelgm.exe
  2504 | Qlhnbf32.exe
  2528 | Qnfjna32.exe
  2512 | Qaefjm32.exe
- Drops file in System32 directory (64 IoCs)
  The recorded paths are under C:\Windows\SysWOW64 rather than System32 because the sample is a 32-bit process on an x64 VM and WOW64 file-system redirection applies. Each stage writes the next stage's .exe (and, for many stages, a companion .dll) into that directory.
  description | ioc | process
  File created | C:\Windows\SysWOW64\Icplghmh.dll | Bagpopmj.exe
  File opened for modification | C:\Windows\SysWOW64\Flabbihl.exe | Fhffaj32.exe
  File opened for modification | C:\Windows\SysWOW64\Gaqcoc32.exe | Gobgcg32.exe
  File opened for modification | C:\Windows\SysWOW64\Hnagjbdf.exe | Hiekid32.exe
  File created | C:\Windows\SysWOW64\Neeeodef.dll | Ofdcjm32.exe
  File created | C:\Windows\SysWOW64\Qlhnbf32.exe | Penfelgm.exe
  File created | C:\Windows\SysWOW64\Bhhnli32.exe | Bdlblj32.exe
  File created | C:\Windows\SysWOW64\Kgcampld.dll | Eilpeooq.exe
  File created | C:\Windows\SysWOW64\Fjdbnf32.exe | Flabbihl.exe
  File opened for modification | C:\Windows\SysWOW64\Fjilieka.exe | Ffnphf32.exe
  File opened for modification | C:\Windows\SysWOW64\Hejoiedd.exe | Hggomh32.exe
  File opened for modification | C:\Windows\SysWOW64\Qaefjm32.exe | Qnfjna32.exe
  File opened for modification | C:\Windows\SysWOW64\Pigeqkai.exe | Pfiidobe.exe
  File created | C:\Windows\SysWOW64\Dbpodagk.exe | Cndbcc32.exe
  File created | C:\Windows\SysWOW64\Ebpkce32.exe | Ecmkghcl.exe
  File created | C:\Windows\SysWOW64\Jbelkc32.dll | Fmjejphb.exe
  File created | C:\Windows\SysWOW64\Filldb32.exe | Fjilieka.exe
  File created | C:\Windows\SysWOW64\Hpmgqnfl.exe | Hlakpp32.exe
  File opened for modification | C:\Windows\SysWOW64\Hpocfncj.exe | Hnagjbdf.exe
  File opened for modification | C:\Windows\SysWOW64\Fehjeo32.exe | Ealnephf.exe
  File created | C:\Windows\SysWOW64\Hdhbam32.exe | Hpmgqnfl.exe
  File created | C:\Windows\SysWOW64\Chcphm32.dll | Ekklaj32.exe
  File opened for modification | C:\Windows\SysWOW64\Eajaoq32.exe | Ebgacddo.exe
  File created | C:\Windows\SysWOW64\Cnbpqb32.dll | Baildokg.exe
  File created | C:\Windows\SysWOW64\Cgqjffca.dll | Ejgcdb32.exe
  File created | C:\Windows\SysWOW64\Gejcjbah.exe | Gangic32.exe
  File opened for modification | C:\Windows\SysWOW64\Bhahlj32.exe | Bingpmnl.exe
  File created | C:\Windows\SysWOW64\Cfinoq32.exe | Cbnbobin.exe
  File created | C:\Windows\SysWOW64\Jgdmei32.dll | Glaoalkh.exe
  File created | C:\Windows\SysWOW64\Gphmeo32.exe | Gphmeo32.exe
  File opened for modification | C:\Windows\SysWOW64\Ahokfj32.exe | Ailkjmpo.exe
  File created | C:\Windows\SysWOW64\Ikbifehk.dll | Beehencq.exe
  File opened for modification | C:\Windows\SysWOW64\Ejbfhfaj.exe | Egdilkbf.exe
  File opened for modification | C:\Windows\SysWOW64\Hlakpp32.exe | Hnojdcfi.exe
  File created | C:\Windows\SysWOW64\Bagpopmj.exe | Boiccdnf.exe
  File created | C:\Windows\SysWOW64\Dgdfmnkb.dll | Bokphdld.exe
  File opened for modification | C:\Windows\SysWOW64\Ddcdkl32.exe | Dqhhknjp.exe
  File created | C:\Windows\SysWOW64\Fhhcgj32.exe | Fmcoja32.exe
  File created | C:\Windows\SysWOW64\Djbiicon.exe | Dfgmhd32.exe
  File created | C:\Windows\SysWOW64\Emeopn32.exe | Eijcpoac.exe
  File opened for modification | C:\Windows\SysWOW64\Fhkpmjln.exe | Fdoclk32.exe
  File opened for modification | C:\Windows\SysWOW64\Hpkjko32.exe | Hahjpbad.exe
  File created | C:\Windows\SysWOW64\Djpmccqq.exe | Djpmccqq.exe
  File created | C:\Windows\SysWOW64\Hecjkifm.dll | Djpmccqq.exe
  File created | C:\Windows\SysWOW64\Fmlapp32.exe | Fiaeoang.exe
  File opened for modification | C:\Windows\SysWOW64\Hmlnoc32.exe | Hiqbndpb.exe
  File created | C:\Windows\SysWOW64\Phofkg32.dll | Hpkjko32.exe
  File created | C:\Windows\SysWOW64\Doobajme.exe | Dqlafm32.exe
  File created | C:\Windows\SysWOW64\Jmloladn.dll | Fjdbnf32.exe
  File created | C:\Windows\SysWOW64\Dbdijd32.dll | Qaefjm32.exe
  File opened for modification | C:\Windows\SysWOW64\Aigaon32.exe | Abmibdlh.exe
  File created | C:\Windows\SysWOW64\Baildokg.exe | Bokphdld.exe
  File created | C:\Windows\SysWOW64\Claifkkf.exe | Cjbmjplb.exe
  File created | C:\Windows\SysWOW64\Chhjkl32.exe | Cfinoq32.exe
  File created | C:\Windows\SysWOW64\Gkgkbipp.exe | Ghhofmql.exe
  File created | C:\Windows\SysWOW64\Ofdcjm32.exe | Onmkio32.exe
  File created | C:\Windows\SysWOW64\Njcbaa32.dll | Dqelenlc.exe
  File opened for modification | C:\Windows\SysWOW64\Gieojq32.exe | Gejcjbah.exe
  File created | C:\Windows\SysWOW64\Jeccgbbh.dll | Filldb32.exe
  File created | C:\Windows\SysWOW64\Gangic32.exe | Gopkmhjk.exe
  File opened for modification | C:\Windows\SysWOW64\Inljnfkg.exe | Ilknfn32.exe
  File created | C:\Windows\SysWOW64\Fmcoja32.exe | Fnpnndgp.exe
  File created | C:\Windows\SysWOW64\Fndldonj.dll | Gobgcg32.exe
  File created | C:\Windows\SysWOW64\Ogfpbeim.exe | Oicpfh32.exe
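The "Drops file in System32 directory" and "Executes dropped EXE" signatures list one propagation pattern row by row: each stage writes the next stage's .exe (often with a companion .dll) into SysWOW64 and the new .exe is then executed. The Python below is an added example, not part of the sandbox report: it parses a constructed subset of those rows in the report's own flattened form, rebuilds the parent-to-child drop chain, attaches the companion DLLs to the stage that wrote them, and skips the self-overwrite rows (Djpmccqq.exe, Gphmeo32.exe) so they cannot form a loop. The rows and pids are copied from the tables above; treating "File opened for modification" as a drop is this example's choice.

```python
import re
from collections import defaultdict

# Constructed subset of rows from the "Drops file in System32 directory"
# signature above, kept in the flattened "<description> <path> <process>"
# form the report uses. The last two rows overwrite the writing process itself.
DROP_ROWS = """\
File created C:\\Windows\\SysWOW64\\Ofdcjm32.exe Onmkio32.exe
File created C:\\Windows\\SysWOW64\\Neeeodef.dll Ofdcjm32.exe
File created C:\\Windows\\SysWOW64\\Ogfpbeim.exe Oicpfh32.exe
File created C:\\Windows\\SysWOW64\\Qlhnbf32.exe Penfelgm.exe
File opened for modification C:\\Windows\\SysWOW64\\Qaefjm32.exe Qnfjna32.exe
File created C:\\Windows\\SysWOW64\\Dbdijd32.dll Qaefjm32.exe
File created C:\\Windows\\SysWOW64\\Djpmccqq.exe Djpmccqq.exe
File created C:\\Windows\\SysWOW64\\Gphmeo32.exe Gphmeo32.exe
"""

# Constructed subset of the "Executes dropped EXE" pid/process pairs, as the
# report flattens them onto a single line.
EXEC_ROWS = ("2468 Onmkio32.exe 2168 Ofdcjm32.exe 2748 Oicpfh32.exe "
             "2548 Ogfpbeim.exe 2952 Penfelgm.exe 2504 Qlhnbf32.exe "
             "2528 Qnfjna32.exe 2512 Qaefjm32.exe")

DROP_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")
EXEC_RE = re.compile(r"(\d+) (\S+\.exe)")


def parse_drops(text):
    """Return (action, path, writing process) tuples from flattened drop rows."""
    rows = []
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def parse_execs(text):
    """Return {process name: pid} from a flattened 'pid process' list."""
    return {name: int(pid) for pid, name in EXEC_RE.findall(text)}


def build_graph(drops):
    """Map each process to the .exe stages and the .dll files it writes.

    Both 'File created' and 'File opened for modification' count as a write.
    A process overwriting its own image is not a new stage and is skipped.
    """
    exe_children = defaultdict(list)
    dll_drops = defaultdict(list)
    for _action, path, proc in drops:
        name = path.rsplit("\\", 1)[-1]
        if name.lower() == proc.lower():
            continue
        if name.lower().endswith(".exe"):
            exe_children[proc].append(name)
        elif name.lower().endswith(".dll"):
            dll_drops[proc].append(name)
    return exe_children, dll_drops


def chains(exe_children, execs):
    """Walk parent -> dropped-.exe links from every stage nobody else dropped.

    Returns one list per root of (process, pid or None) pairs in drop order;
    a visited set guards against cycles in malformed input.
    """
    dropped = {c for kids in exe_children.values() for c in kids}
    roots = [p for p in exe_children if p not in dropped]
    out = []
    for root in roots:
        path, seen, cur = [root], {root}, root
        while exe_children.get(cur):
            nxt = exe_children[cur][0]
            if nxt in seen:
                break
            path.append(nxt)
            seen.add(nxt)
            cur = nxt
        out.append([(p, execs.get(p)) for p in path])
    return out


if __name__ == "__main__":
    exe_kids, dlls = build_graph(parse_drops(DROP_ROWS))
    for chain in chains(exe_kids, parse_execs(EXEC_ROWS)):
        print(" -> ".join(f"{p} (pid {pid})" for p, pid in chain))
    for proc, names in dlls.items():
        print(f"{proc} also wrote: {', '.join(names)}")
```

On the full table the chains are fragmentary because the report caps each signature at 64 rows; the useful output is the set of root stages and which DLL each stage wrote, which is the list to sweep for on a host.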
- Program crash (1 IoC)
  pid | pid_target | process
  1484 | 4004 | WerFault.exe
- Modifies registry class (64 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 18b8f4445c02070ece34a58e22d5ac90_NeikiAnalytics.exe (1 IoC)
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pndniaop.exe, Dnlidb32.exe, Nqcagfim.exe, Djnpnc32.exe, Fmhheqje.exe, Cjndop32.exe, Dqelenlc.exe, Oqcnfjli.exe, Hlakpp32.exe, Bjijdadm.exe, Eqonkmdh.exe, Efncicpm.exe, Fckjalhj.exe, Cciemedf.exe, Dcknbh32.exe, Fnbkddem.exe, Facdeo32.exe, Aigaon32.exe, Eiaiqn32.exe, Ddokpmfo.exe, Eilpeooq.exe, Hdfflm32.exe, Admemg32.exe, Ecpgmhai.exe, Efppoc32.exe, Ebgacddo.exe, Cfeddafl.exe (27 IoCs)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ilknfn32.exe, Cckace32.exe, Pcfcmd32.exe, Baildokg.exe, Gkihhhnm.exe, Pigeqkai.exe, Feeiob32.exe, Fpdhklkl.exe, Djefobmk.exe, Fnbkddem.exe, Qaefjm32.exe, Enkece32.exe, Hpkjko32.exe, Hicodd32.exe, Dqhhknjp.exe, Egdilkbf.exe, Dhmcfkme.exe, Hlfdkoin.exe, Bkdmcdoe.exe, Dkhcmgnl.exe, Bhhnli32.exe, Bingpmnl.exe, Eeqdep32.exe (23 IoCs)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (default) = DLL path below | 13 IoCs, one DLL per writing process:
    "C:\\Windows\\SysWow64\\Njdfjjia.dll" | Oelmai32.exe
    "C:\\Windows\\SysWow64\\Bhpdae32.dll" | Hckcmjep.exe
    "C:\\Windows\\SysWow64\\Gfedefbi.dll" | Dchali32.exe
    "C:\\Windows\\SysWow64\\Pafagk32.dll" | Doobajme.exe
    "C:\\Windows\\SysWow64\\Bhfbdd32.dll" | Abmibdlh.exe
    "C:\\Windows\\SysWow64\\Dmljjm32.dll" | Cgbdhd32.exe
    "C:\\Windows\\SysWow64\\Icplghmh.dll" | Bagpopmj.exe
    "C:\\Windows\\SysWow64\\Gknfklng.dll" | Hejoiedd.exe
    "C:\\Windows\\SysWow64\\Ghkdol32.dll" | Cciemedf.exe
    "C:\\Windows\\SysWow64\\Khejeajg.dll" | Hpocfncj.exe
    "C:\\Windows\\SysWow64\\Hghmjpap.dll" | Gbijhg32.exe
    "C:\\Windows\\SysWow64\\Oockje32.dll" | Cjbmjplb.exe
    "C:\\Windows\\SysWow64\\Cbolpc32.dll" | Dkhcmgnl.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the process chain depth, the image path, the PID and the signatures that process triggered. Every child process was started with the command line C:\Windows\system32\<name>.exe, which on this 64-bit host resolves to the C:\Windows\SysWOW64\<name>.exe image path shown.
1. C:\Users\Admin\AppData\Local\Temp\18b8f4445c02070ece34a58e22d5ac90_NeikiAnalytics.exe (PID 2740; command line "C:\Users\Admin\AppData\Local\Temp\18b8f4445c02070ece34a58e22d5ac90_NeikiAnalytics.exe"): Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Nfmmin32.exe (PID 1980): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Nqcagfim.exe (PID 3000): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Nmjblg32.exe (PID 2652): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Nkmbgdfl.exe (PID 2612): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ofbfdmeb.exe (PID 2588): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Onmkio32.exe (PID 2468): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ofdcjm32.exe (PID 2168): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Oicpfh32.exe (PID 2748): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ogfpbeim.exe (PID 2548): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Obnqem32.exe (PID 1308): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Oelmai32.exe (PID 1824): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ogjimd32.exe (PID 2272): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ojieip32.exe (PID 1632): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Oqcnfjli.exe (PID 2268): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ocajbekl.exe (PID 2124): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ongnonkb.exe (PID 1528): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Pcfcmd32.exe (PID 592): Executes dropped EXE; Loads dropped DLL; Modifies registry class
19. C:\Windows\SysWOW64\Pfdpip32.exe (PID 1900): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Piblek32.exe (PID 412): Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Plahag32.exe (PID 1320): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Pbkpna32.exe (PID 1564): Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Pfflopdh.exe (PID 1068): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Piehkkcl.exe (PID 1672): Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Plcdgfbo.exe (PID 2972): Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Pfiidobe.exe (PID 676): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27. C:\Windows\SysWOW64\Pigeqkai.exe (PID 2288): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
28. C:\Windows\SysWOW64\Pndniaop.exe (PID 2560): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
29. C:\Windows\SysWOW64\Penfelgm.exe (PID 2952): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
30. C:\Windows\SysWOW64\Qlhnbf32.exe (PID 2504): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Qnfjna32.exe (PID 2528): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
32. C:\Windows\SysWOW64\Qaefjm32.exe (PID 2512): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
33. C:\Windows\SysWOW64\Qhooggdn.exe (PID 2704): Executes dropped EXE
34. C:\Windows\SysWOW64\Qagcpljo.exe (PID 2020): Executes dropped EXE
35. C:\Windows\SysWOW64\Qecoqk32.exe (PID 2008): Executes dropped EXE
36. C:\Windows\SysWOW64\Ahakmf32.exe (PID 1800): Executes dropped EXE
37. C:\Windows\SysWOW64\Ajphib32.exe (PID 1732): Executes dropped EXE
38. C:\Windows\SysWOW64\Amndem32.exe (PID 1040): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39. C:\Windows\SysWOW64\Adhlaggp.exe (PID 1804): Executes dropped EXE
40. C:\Windows\SysWOW64\Ahchbf32.exe (PID 1820): Executes dropped EXE
41. C:\Windows\SysWOW64\Aalmklfi.exe (PID 1488): Executes dropped EXE
42. C:\Windows\SysWOW64\Apomfh32.exe (PID 3020): Executes dropped EXE
43. C:\Windows\SysWOW64\Abmibdlh.exe (PID 1096): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
44. C:\Windows\SysWOW64\Aigaon32.exe (PID 800): Executes dropped EXE; Modifies registry class
45. C:\Windows\SysWOW64\Alenki32.exe (PID 1568): Executes dropped EXE
46. C:\Windows\SysWOW64\Admemg32.exe (PID 1888): Executes dropped EXE; Modifies registry class
47. C:\Windows\SysWOW64\Afkbib32.exe (PID 992): Executes dropped EXE
48. C:\Windows\SysWOW64\Aenbdoii.exe (PID 2060): Executes dropped EXE
49. C:\Windows\SysWOW64\Apcfahio.exe (PID 2100): Executes dropped EXE
50. C:\Windows\SysWOW64\Aoffmd32.exe (PID 2800): Executes dropped EXE
51. C:\Windows\SysWOW64\Afmonbqk.exe (PID 2728): Executes dropped EXE
52. C:\Windows\SysWOW64\Ailkjmpo.exe (PID 2476): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
53. C:\Windows\SysWOW64\Ahokfj32.exe (PID 2752): Executes dropped EXE
54. C:\Windows\SysWOW64\Bpfcgg32.exe (PID 872): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
55. C:\Windows\SysWOW64\Boiccdnf.exe (PID 2796): Executes dropped EXE; Drops file in System32 directory
56. C:\Windows\SysWOW64\Bagpopmj.exe (PID 2040): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
57. C:\Windows\SysWOW64\Bebkpn32.exe (PID 2424): Executes dropped EXE
58. C:\Windows\SysWOW64\Bingpmnl.exe (PID 2284): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
59. C:\Windows\SysWOW64\Bhahlj32.exe (PID 2660): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
60. C:\Windows\SysWOW64\Bkodhe32.exe (PID 2296): Executes dropped EXE
61. C:\Windows\SysWOW64\Bokphdld.exe (PID 628): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
62. C:\Windows\SysWOW64\Baildokg.exe (PID 776): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
63. C:\Windows\SysWOW64\Beehencq.exe (PID 1836): Executes dropped EXE; Drops file in System32 directory
64. C:\Windows\SysWOW64\Bdhhqk32.exe (PID 3048): Executes dropped EXE
65. C:\Windows\SysWOW64\Bkaqmeah.exe (PID 2332): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66. C:\Windows\SysWOW64\Bommnc32.exe (PID 3016)
67. C:\Windows\SysWOW64\Begeknan.exe (PID 2192): Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Bhfagipa.exe (PID 1480): Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Bkdmcdoe.exe (PID 1248): Modifies registry class
70. C:\Windows\SysWOW64\Bnbjopoi.exe (PID 540)
71. C:\Windows\SysWOW64\Banepo32.exe (PID 2872)
72. C:\Windows\SysWOW64\Bdlblj32.exe (PID 1772): Drops file in System32 directory
73. C:\Windows\SysWOW64\Bhhnli32.exe (PID 1808): Modifies registry class
74. C:\Windows\SysWOW64\Bkfjhd32.exe (PID 1500)
75. C:\Windows\SysWOW64\Bjijdadm.exe (PID 2688): Modifies registry class
76. C:\Windows\SysWOW64\Bnefdp32.exe (PID 2712)
77. C:\Windows\SysWOW64\Bpcbqk32.exe (PID 3064)
78. C:\Windows\SysWOW64\Bdooajdc.exe (PID 764)
79. C:\Windows\SysWOW64\Cgmkmecg.exe (PID 480)
80. C:\Windows\SysWOW64\Cngcjo32.exe (PID 2292)
81. C:\Windows\SysWOW64\Cljcelan.exe (PID 604)
82. C:\Windows\SysWOW64\Cdakgibq.exe (PID 2568)
83. C:\Windows\SysWOW64\Cgpgce32.exe (PID 2464)
84. C:\Windows\SysWOW64\Cjndop32.exe (PID 1956): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
85. C:\Windows\SysWOW64\Cllpkl32.exe (PID 2880)
86. C:\Windows\SysWOW64\Cphlljge.exe (PID 2600)
87. C:\Windows\SysWOW64\Coklgg32.exe (PID 2280)
88. C:\Windows\SysWOW64\Cgbdhd32.exe (PID 2300): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
89. C:\Windows\SysWOW64\Cfeddafl.exe (PID 2816): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
90. C:\Windows\SysWOW64\Chcqpmep.exe (PID 2620)
91. C:\Windows\SysWOW64\Clomqk32.exe (PID 2720): Adds autorun key to be loaded by Explorer.exe on startup
92. C:\Windows\SysWOW64\Cpjiajeb.exe (PID 2344)
93. C:\Windows\SysWOW64\Cciemedf.exe (PID 1864): Modifies registry class
94. C:\Windows\SysWOW64\Cfgaiaci.exe (PID 2416)
95. C:\Windows\SysWOW64\Cjbmjplb.exe (PID 2556): Drops file in System32 directory; Modifies registry class
96. C:\Windows\SysWOW64\Claifkkf.exe (PID 2096)
97. C:\Windows\SysWOW64\Ckdjbh32.exe (PID 2700)
98. C:\Windows\SysWOW64\Cckace32.exe (PID 2768): Modifies registry class
99. C:\Windows\SysWOW64\Cbnbobin.exe (PID 2340): Drops file in System32 directory
100. C:\Windows\SysWOW64\Cfinoq32.exe (PID 2400): Drops file in System32 directory
101. C:\Windows\SysWOW64\Chhjkl32.exe (PID 2876): Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Cobbhfhg.exe (PID 1496): Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Cndbcc32.exe (PID 1036): Drops file in System32 directory
104. C:\Windows\SysWOW64\Dbpodagk.exe (PID 1316)
105. C:\Windows\SysWOW64\Ddokpmfo.exe (PID 2260): Modifies registry class
106. C:\Windows\SysWOW64\Dhjgal32.exe (PID 1752)
107. C:\Windows\SysWOW64\Dkhcmgnl.exe (PID 2596): Modifies registry class
108. C:\Windows\SysWOW64\Dngoibmo.exe (PID 2308): Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Dqelenlc.exe (PID 564): Drops file in System32 directory; Modifies registry class
110. C:\Windows\SysWOW64\Ddagfm32.exe (PID 2356)
111. C:\Windows\SysWOW64\Dhmcfkme.exe (PID 1280): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
112. C:\Windows\SysWOW64\Dkkpbgli.exe (PID 2668): Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Djnpnc32.exe (PID 2396): Modifies registry class
114. C:\Windows\SysWOW64\Dqhhknjp.exe (PID 2364): Drops file in System32 directory; Modifies registry class
115. C:\Windows\SysWOW64\Ddcdkl32.exe (PID 1740)
116. C:\Windows\SysWOW64\Dgaqgh32.exe (PID 1660): Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Djpmccqq.exe (PID 2808): Drops file in System32 directory
118. C:\Windows\SysWOW64\Djpmccqq.exe (PID 1552): Drops file in System32 directory
119. C:\Windows\SysWOW64\Dnlidb32.exe (PID 2924): Modifies registry class
120. C:\Windows\SysWOW64\Dqjepm32.exe (PID 2884)
121. C:\Windows\SysWOW64\Ddeaalpg.exe (PID 2848)
122. C:\Windows\SysWOW64\Dchali32.exe (PID 496): Modifies registry class
123. C:\Windows\SysWOW64\Dfgmhd32.exe (PID 632): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
124. C:\Windows\SysWOW64\Djbiicon.exe (PID 1948): Adds autorun key to be loaded by Explorer.exe on startup
125. C:\Windows\SysWOW64\Dnneja32.exe (PID 2544): Adds autorun key to be loaded by Explorer.exe on startup
126. C:\Windows\SysWOW64\Dqlafm32.exe (PID 792): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
127. C:\Windows\SysWOW64\Doobajme.exe (PID 2632): Modifies registry class
128. C:\Windows\SysWOW64\Dcknbh32.exe (PID 280): Modifies registry class
129. C:\Windows\SysWOW64\Dfijnd32.exe (PID 2072)
130. C:\Windows\SysWOW64\Djefobmk.exe (PID 2164): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
131. C:\Windows\SysWOW64\Eihfjo32.exe (PID 1952)
132. C:\Windows\SysWOW64\Emcbkn32.exe (PID 1372)
133. C:\Windows\SysWOW64\Eqonkmdh.exe (PID 2460): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
134. C:\Windows\SysWOW64\Epaogi32.exe (PID 1728): Adds autorun key to be loaded by Explorer.exe on startup
135. C:\Windows\SysWOW64\Ecmkghcl.exe (PID 2348): Drops file in System32 directory
136. C:\Windows\SysWOW64\Ebpkce32.exe (PID 284): Adds autorun key to be loaded by Explorer.exe on startup
137. C:\Windows\SysWOW64\Ejgcdb32.exe (PID 2452): Drops file in System32 directory
138. C:\Windows\SysWOW64\Eijcpoac.exe (PID 1872): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
139. C:\Windows\SysWOW64\Emeopn32.exe (PID 2148)
140. C:\Windows\SysWOW64\Ekholjqg.exe (PID 1604)
141. C:\Windows\SysWOW64\Ecpgmhai.exe (PID 2380): Modifies registry class
142. C:\Windows\SysWOW64\Ebbgid32.exe (PID 2716)
143. C:\Windows\SysWOW64\Efncicpm.exe (PID 548): Modifies registry class
144. C:\Windows\SysWOW64\Eeqdep32.exe (PID 1876): Modifies registry class
145. C:\Windows\SysWOW64\Eilpeooq.exe (PID 1020): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
146. C:\Windows\SysWOW64\Emhlfmgj.exe (PID 2920)
147. C:\Windows\SysWOW64\Ekklaj32.exe (PID 652): Drops file in System32 directory
148. C:\Windows\SysWOW64\Epfhbign.exe (PID 2492)
149. C:\Windows\SysWOW64\Enihne32.exe (PID 1648)
150. C:\Windows\SysWOW64\Efppoc32.exe (PID 2772): Modifies registry class
151. C:\Windows\SysWOW64\Eiomkn32.exe (PID 1884)
152. C:\Windows\SysWOW64\Egamfkdh.exe (PID 1560)
153. C:\Windows\SysWOW64\Elmigj32.exe (PID 556)
154. C:\Windows\SysWOW64\Epieghdk.exe (PID 2436)
155. C:\Windows\SysWOW64\Enkece32.exe (PID 1964): Modifies registry class
156. C:\Windows\SysWOW64\Ebgacddo.exe (PID 2080): Drops file in System32 directory; Modifies registry class
157. C:\Windows\SysWOW64\Eajaoq32.exe (PID 2516)
158. C:\Windows\SysWOW64\Eiaiqn32.exe (PID 2172): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
159. C:\Windows\SysWOW64\Egdilkbf.exe (PID 1044)
160. C:\Windows\SysWOW64\Egdilkbf.exe (PID 944): Drops file in System32 directory; Modifies registry class
161. C:\Windows\SysWOW64\Ejbfhfaj.exe (PID 2252)
162. C:\Windows\SysWOW64\Ennaieib.exe (PID 2572): Adds autorun key to be loaded by Explorer.exe on startup
163. C:\Windows\SysWOW64\Ebinic32.exe (PID 2744)
164. C:\Windows\SysWOW64\Ealnephf.exe (PID 3100): Drops file in System32 directory
165. C:\Windows\SysWOW64\Fehjeo32.exe (PID 3140): Adds autorun key to be loaded by Explorer.exe on startup
166. C:\Windows\SysWOW64\Fckjalhj.exe (PID 3180): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
167. C:\Windows\SysWOW64\Fhffaj32.exe (PID 3220): Drops file in System32 directory
168. C:\Windows\SysWOW64\Flabbihl.exe (PID 3260): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
169. C:\Windows\SysWOW64\Fjdbnf32.exe (PID 3300): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
170. C:\Windows\SysWOW64\Fnpnndgp.exe (PID 3340): Drops file in System32 directory
171. C:\Windows\SysWOW64\Fmcoja32.exe (PID 3380): Drops file in System32 directory
172. C:\Windows\SysWOW64\Fhhcgj32.exe (PID 3420): Adds autorun key to be loaded by Explorer.exe on startup
173. C:\Windows\SysWOW64\Ffkcbgek.exe (PID 3460)
174. C:\Windows\SysWOW64\Fnbkddem.exe (PID 3504): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
175. C:\Windows\SysWOW64\Fmekoalh.exe (PID 3544)
176. C:\Windows\SysWOW64\Fpdhklkl.exe (PID 3584)
177. C:\Windows\SysWOW64\Fpdhklkl.exe (PID 3612): Modifies registry class
178. C:\Windows\SysWOW64\Fdoclk32.exe (PID 3636): Drops file in System32 directory
179. C:\Windows\SysWOW64\Fhkpmjln.exe (PID 3676)
180. C:\Windows\SysWOW64\Ffnphf32.exe (PID 3716): Drops file in System32 directory
181. C:\Windows\SysWOW64\Fjilieka.exe (PID 3756): Drops file in System32 directory
182. C:\Windows\SysWOW64\Filldb32.exe (PID 3796): Drops file in System32 directory
183. C:\Windows\SysWOW64\Fmhheqje.exe (PID 3836): Modifies registry class
184. C:\Windows\SysWOW64\Facdeo32.exe (PID 3876): Modifies registry class
185. C:\Windows\SysWOW64\Fpfdalii.exe (PID 3916)
186. C:\Windows\SysWOW64\Fdapak32.exe (PID 3956)
187. C:\Windows\SysWOW64\Fbdqmghm.exe (PID 3996)
188. C:\Windows\SysWOW64\Fjlhneio.exe (PID 4036): Adds autorun key to be loaded by Explorer.exe on startup
189. C:\Windows\SysWOW64\Fioija32.exe (PID 4076): Adds autorun key to be loaded by Explorer.exe on startup
190. C:\Windows\SysWOW64\Fmjejphb.exe (PID 3092): Drops file in System32 directory
191. C:\Windows\SysWOW64\Fphafl32.exe (PID 3152): Adds autorun key to be loaded by Explorer.exe on startup
192. C:\Windows\SysWOW64\Fddmgjpo.exe (PID 3196)
193. C:\Windows\SysWOW64\Fbgmbg32.exe (PID 3248)
194. C:\Windows\SysWOW64\Feeiob32.exe (PID 3296): Modifies registry class
195. C:\Windows\SysWOW64\Fiaeoang.exe (PID 3352): Drops file in System32 directory
196. C:\Windows\SysWOW64\Fmlapp32.exe (PID 3408)
197. C:\Windows\SysWOW64\Gpknlk32.exe (PID 3452)
198. C:\Windows\SysWOW64\Gonnhhln.exe (PID 1028)
199. C:\Windows\SysWOW64\Gbijhg32.exe (PID 3512): Modifies registry class
200. C:\Windows\SysWOW64\Gfefiemq.exe (PID 2992)
201. C:\Windows\SysWOW64\Gegfdb32.exe (PID 3620)
202. C:\Windows\SysWOW64\Glaoalkh.exe (PID 3668): Drops file in System32 directory
203. C:\Windows\SysWOW64\Gopkmhjk.exe (PID 3724): Drops file in System32 directory
204. C:\Windows\SysWOW64\Gangic32.exe (PID 3780): Drops file in System32 directory
205. C:\Windows\SysWOW64\Gejcjbah.exe (PID 3828): Drops file in System32 directory
206. C:\Windows\SysWOW64\Gieojq32.exe (PID 3892)
207. C:\Windows\SysWOW64\Ghhofmql.exe (PID 3940): Drops file in System32 directory
208. C:\Windows\SysWOW64\Gkgkbipp.exe (PID 3984): Adds autorun key to be loaded by Explorer.exe on startup
209. C:\Windows\SysWOW64\Gobgcg32.exe (PID 4044): Drops file in System32 directory
210. C:\Windows\SysWOW64\Gaqcoc32.exe (PID 1776)
211. C:\Windows\SysWOW64\Gelppaof.exe (PID 3132): Adds autorun key to be loaded by Explorer.exe on startup
212. C:\Windows\SysWOW64\Gdopkn32.exe (PID 3212)
213. C:\Windows\SysWOW64\Ghkllmoi.exe (PID 3268)
214. C:\Windows\SysWOW64\Gkihhhnm.exe (PID 3328)
215. C:\Windows\SysWOW64\Gkihhhnm.exe (PID 3392): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
216. C:\Windows\SysWOW64\Goddhg32.exe (PID 3200)
217. C:\Windows\SysWOW64\Gacpdbej.exe (PID 1656)
218. C:\Windows\SysWOW64\Geolea32.exe (PID 3500)
219. C:\Windows\SysWOW64\Gdamqndn.exe (PID 3572): Adds autorun key to be loaded by Explorer.exe on startup
220. C:\Windows\SysWOW64\Ghmiam32.exe (PID 3628)
221. C:\Windows\SysWOW64\Ghmiam32.exe (PID 3672)
222. C:\Windows\SysWOW64\Ggpimica.exe (PID 3708)
223. C:\Windows\SysWOW64\Gkkemh32.exe (PID 3776)
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe224⤵PID:3824
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe225⤵PID:3868
-
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe226⤵PID:3932
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe227⤵
- Drops file in System32 directory
PID:3992 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe228⤵PID:4028
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe229⤵PID:4056
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe230⤵PID:3108
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe231⤵PID:3656
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe232⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe233⤵PID:1940
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe234⤵PID:3388
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe235⤵
- Drops file in System32 directory
PID:3444 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe236⤵
- Drops file in System32 directory
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3552 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe238⤵PID:2584
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe240⤵
- Modifies registry class
PID:3808 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe241⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe242⤵
- Drops file in System32 directory
- Modifies registry class
PID:3972