Analysis

max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 01:06

Behavioral task: behavioral1
Sample: 190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General

Target: 190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe
Size: 177KB
MD5: 190d5f23efe27fbef5236b0d54d50900
SHA1: 32eee70a04e5da5227142d749c28cb05cc3beb78
SHA256: 6cfe2a4d0b10c32b95fba3d29132d81eaaa3e55085c4b0f9780fe02829e715f3
SHA512: d5766e8ec4ae67edcaeca7d69cf31fbb070e9b2b4a45d61ce34e0a33567cda596c89601379aad85fe4a62214c5d71eb73ac7d7ee491bf00619301783a386a373
SSDEEP: 3072:M1n9l8FieMyc2r3sM2bh2ijiTlg3q/haR5sS+vfvLHhjh8g1eGFyOsa:MjHGsrYiclga/harSvLHh98gwG0ON
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
WerFault.exe (pid 5144) reported a crash of target process Fkckeh32.exe (pid 5104)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe, Lpjbad32.exe, Libgjj32.exe, Mcjkcplm.exe, Midcpj32.exe, Maphdl32.exe, Mkhmma32.exe, Menakj32.exe, Mhlmgf32.exe, Madapkmp.exe, Mhnjle32.exe, Mpjoqhah.exe, Mkobnqan.exe, Njbcim32.exe, Njdpomfe.exe, Ncmdhb32.exe
description | pid | process | target process
PID 1924 wrote to memory of 2988 | 1924 | 190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe | Lpjbad32.exe (4 identical entries)
PID 2988 wrote to memory of 2688 | 2988 | Lpjbad32.exe | Libgjj32.exe (4 identical entries)
PID 2688 wrote to memory of 2456 | 2688 | Libgjj32.exe | Mcjkcplm.exe (4 identical entries)
PID 2456 wrote to memory of 2476 | 2456 | Mcjkcplm.exe | Midcpj32.exe (4 identical entries)
PID 2476 wrote to memory of 2448 | 2476 | Midcpj32.exe | Maphdl32.exe (4 identical entries)
PID 2448 wrote to memory of 2960 | 2448 | Maphdl32.exe | Mkhmma32.exe (4 identical entries)
PID 2960 wrote to memory of 1716 | 2960 | Mkhmma32.exe | Menakj32.exe (4 identical entries)
PID 1716 wrote to memory of 2424 | 1716 | Menakj32.exe | Mhlmgf32.exe (4 identical entries)
PID 2424 wrote to memory of 1860 | 2424 | Mhlmgf32.exe | Madapkmp.exe (4 identical entries)
PID 1860 wrote to memory of 1648 | 1860 | Madapkmp.exe | Mhnjle32.exe (4 identical entries)
PID 1648 wrote to memory of 2140 | 1648 | Mhnjle32.exe | Mpjoqhah.exe (4 identical entries)
PID 2140 wrote to memory of 2096 | 2140 | Mpjoqhah.exe | Mkobnqan.exe (4 identical entries)
PID 2096 wrote to memory of 1324 | 2096 | Mkobnqan.exe | Njbcim32.exe (4 identical entries)
PID 1324 wrote to memory of 2932 | 1324 | Njbcim32.exe | Njdpomfe.exe (4 identical entries)
PID 2932 wrote to memory of 1896 | 2932 | Njdpomfe.exe | Ncmdhb32.exe (4 identical entries)
PID 1896 wrote to memory of 264 | 1896 | Ncmdhb32.exe | Njgldmdc.exe (4 identical entries)
Processes
level | image path | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\190d5f23efe27fbef5236b0d54d50900_NeikiAnalytics.exe" | PID 1924 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Lpjbad32.exe | C:\Windows\system32\Lpjbad32.exe | PID 2988 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Libgjj32.exe | C:\Windows\system32\Libgjj32.exe | PID 2688 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Mcjkcplm.exe | C:\Windows\system32\Mcjkcplm.exe | PID 2456 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Midcpj32.exe | C:\Windows\system32\Midcpj32.exe | PID 2476 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Maphdl32.exe | C:\Windows\system32\Maphdl32.exe | PID 2448 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Mkhmma32.exe | C:\Windows\system32\Mkhmma32.exe | PID 2960 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Menakj32.exe | C:\Windows\system32\Menakj32.exe | PID 1716 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Mhlmgf32.exe | C:\Windows\system32\Mhlmgf32.exe | PID 2424 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Madapkmp.exe | C:\Windows\system32\Madapkmp.exe | PID 1860 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Mhnjle32.exe | C:\Windows\system32\Mhnjle32.exe | PID 1648 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Mpjoqhah.exe | C:\Windows\system32\Mpjoqhah.exe | PID 2140 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Mkobnqan.exe | C:\Windows\system32\Mkobnqan.exe | PID 2096 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Njbcim32.exe | C:\Windows\system32\Njbcim32.exe | PID 1324 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Njdpomfe.exe | C:\Windows\system32\Njdpomfe.exe | PID 2932 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Ncmdhb32.exe | C:\Windows\system32\Ncmdhb32.exe | PID 1896 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Njgldmdc.exe | C:\Windows\system32\Njgldmdc.exe | PID 264 | Executes dropped EXE; Loads dropped DLL
18 | C:\Windows\SysWOW64\Ngkmnacm.exe | C:\Windows\system32\Ngkmnacm.exe | PID 584 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
19 | C:\Windows\SysWOW64\Njiijlbp.exe | C:\Windows\system32\Njiijlbp.exe | PID 1788 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
20 | C:\Windows\SysWOW64\Nqcagfim.exe | C:\Windows\system32\Nqcagfim.exe | PID 600 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
21 | C:\Windows\SysWOW64\Nbdnoo32.exe | C:\Windows\system32\Nbdnoo32.exe | PID 832 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Nmjblg32.exe | C:\Windows\system32\Nmjblg32.exe | PID 3008 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
23 | C:\Windows\SysWOW64\Nohnhc32.exe | C:\Windows\system32\Nohnhc32.exe | PID 2816 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
24 | C:\Windows\SysWOW64\Nccjhafn.exe | C:\Windows\system32\Nccjhafn.exe | PID 924 | Executes dropped EXE; Loads dropped DLL
25 | C:\Windows\SysWOW64\Okoomd32.exe | C:\Windows\system32\Okoomd32.exe | PID 896 | Executes dropped EXE; Loads dropped DLL
26 | C:\Windows\SysWOW64\Ofdcjm32.exe | C:\Windows\system32\Ofdcjm32.exe | PID 2856 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27 | C:\Windows\SysWOW64\Odgcfijj.exe | C:\Windows\system32\Odgcfijj.exe | PID 1248 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
28 | C:\Windows\SysWOW64\Oomhcbjp.exe | C:\Windows\system32\Oomhcbjp.exe | PID 2908 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
29 | C:\Windows\SysWOW64\Oghlgdgk.exe | C:\Windows\system32\Oghlgdgk.exe | PID 2672 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
30 | C:\Windows\SysWOW64\Ojficpfn.exe | C:\Windows\system32\Ojficpfn.exe | PID 3004 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
31 | C:\Windows\SysWOW64\Ogjimd32.exe | C:\Windows\system32\Ogjimd32.exe | PID 2636 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
32 | C:\Windows\SysWOW64\Oqcnfjli.exe | C:\Windows\system32\Oqcnfjli.exe | PID 2504 | Executes dropped EXE; Loads dropped DLL
33 | C:\Windows\SysWOW64\Ocajbekl.exe | C:\Windows\system32\Ocajbekl.exe | PID 2572 | Executes dropped EXE
34 | C:\Windows\SysWOW64\Ongnonkb.exe | C:\Windows\system32\Ongnonkb.exe | PID 2124 | Executes dropped EXE
35 | C:\Windows\SysWOW64\Pphjgfqq.exe | C:\Windows\system32\Pphjgfqq.exe | PID 1488 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Pipopl32.exe | C:\Windows\system32\Pipopl32.exe | PID 1880 | Executes dropped EXE
37 | C:\Windows\SysWOW64\Pbiciana.exe | C:\Windows\system32\Pbiciana.exe | PID 2080 | Executes dropped EXE
38 | C:\Windows\SysWOW64\Pmnhfjmg.exe | C:\Windows\system32\Pmnhfjmg.exe | PID 2108 | Executes dropped EXE
39 | C:\Windows\SysWOW64\Ppmdbe32.exe | C:\Windows\system32\Ppmdbe32.exe | PID 760 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
40 | C:\Windows\SysWOW64\Peiljl32.exe | C:\Windows\system32\Peiljl32.exe | PID 1420 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Ppoqge32.exe | C:\Windows\system32\Ppoqge32.exe | PID 2912 | Executes dropped EXE; Modifies registry class
42 | C:\Windows\SysWOW64\Pfiidobe.exe | C:\Windows\system32\Pfiidobe.exe | PID 2212 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Pigeqkai.exe | C:\Windows\system32\Pigeqkai.exe | PID 2736 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Penfelgm.exe | C:\Windows\system32\Penfelgm.exe | PID 480 | Executes dropped EXE; Drops file in System32 directory
45 | C:\Windows\SysWOW64\Qhmbagfa.exe | C:\Windows\system32\Qhmbagfa.exe | PID 1468 | Executes dropped EXE
46 | C:\Windows\SysWOW64\Qbbfopeg.exe | C:\Windows\system32\Qbbfopeg.exe | PID 848 | Executes dropped EXE
47 | C:\Windows\SysWOW64\Qeqbkkej.exe | C:\Windows\system32\Qeqbkkej.exe | PID 404 | Executes dropped EXE; Modifies registry class
48 | C:\Windows\SysWOW64\Qhooggdn.exe | C:\Windows\system32\Qhooggdn.exe | PID 1464 | Executes dropped EXE
49 | C:\Windows\SysWOW64\Qljkhe32.exe | C:\Windows\system32\Qljkhe32.exe | PID 1016 | Executes dropped EXE
50 | C:\Windows\SysWOW64\Qagcpljo.exe | C:\Windows\system32\Qagcpljo.exe | PID 1008 | Executes dropped EXE
51 | C:\Windows\SysWOW64\Qecoqk32.exe | C:\Windows\system32\Qecoqk32.exe | PID 2844 | Executes dropped EXE
52 | C:\Windows\SysWOW64\Ahakmf32.exe | C:\Windows\system32\Ahakmf32.exe | PID 1500 | Executes dropped EXE
53 | C:\Windows\SysWOW64\Ankdiqih.exe | C:\Windows\system32\Ankdiqih.exe | PID 2592 | Executes dropped EXE
54 | C:\Windows\SysWOW64\Aajpelhl.exe | C:\Windows\system32\Aajpelhl.exe | PID 2716 | Executes dropped EXE
55 | C:\Windows\SysWOW64\Adhlaggp.exe | C:\Windows\system32\Adhlaggp.exe | PID 2744 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Affhncfc.exe | C:\Windows\system32\Affhncfc.exe | PID 2028 | Executes dropped EXE
57 | C:\Windows\SysWOW64\Ajbdna32.exe | C:\Windows\system32\Ajbdna32.exe | PID 2896 | Executes dropped EXE; Modifies registry class
58 | C:\Windows\SysWOW64\Aalmklfi.exe | C:\Windows\system32\Aalmklfi.exe | PID 992 | Executes dropped EXE; Modifies registry class
59 | C:\Windows\SysWOW64\Adjigg32.exe | C:\Windows\system32\Adjigg32.exe | PID 1548 | Executes dropped EXE; Drops file in System32 directory
60 | C:\Windows\SysWOW64\Afiecb32.exe | C:\Windows\system32\Afiecb32.exe | PID 2408 | Executes dropped EXE
61 | C:\Windows\SysWOW64\Ajdadamj.exe | C:\Windows\system32\Ajdadamj.exe | PID 1840 | Executes dropped EXE
62 | C:\Windows\SysWOW64\Alenki32.exe | C:\Windows\system32\Alenki32.exe | PID 1868 | Executes dropped EXE
63 | C:\Windows\SysWOW64\Admemg32.exe | C:\Windows\system32\Admemg32.exe | PID 2772 | Executes dropped EXE
64 | C:\Windows\SysWOW64\Afkbib32.exe | C:\Windows\system32\Afkbib32.exe | PID 2924 | Executes dropped EXE
65 | C:\Windows\SysWOW64\Amejeljk.exe | C:\Windows\system32\Amejeljk.exe | PID 1200 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66 | C:\Windows\SysWOW64\Apcfahio.exe | C:\Windows\system32\Apcfahio.exe | PID 1604 |
67 | C:\Windows\SysWOW64\Abbbnchb.exe | C:\Windows\system32\Abbbnchb.exe | PID 2812 | Modifies registry class
68 | C:\Windows\SysWOW64\Afmonbqk.exe | C:\Windows\system32\Afmonbqk.exe | PID 1108 | Drops file in System32 directory; Modifies registry class
69 | C:\Windows\SysWOW64\Ailkjmpo.exe | C:\Windows\system32\Ailkjmpo.exe | PID 3016 |
70 | C:\Windows\SysWOW64\Bpfcgg32.exe | C:\Windows\system32\Bpfcgg32.exe | PID 2660 |
71 | C:\Windows\SysWOW64\Bagpopmj.exe | C:\Windows\system32\Bagpopmj.exe | PID 1752 |
72 | C:\Windows\SysWOW64\Bebkpn32.exe | C:\Windows\system32\Bebkpn32.exe | PID 2984 |
73 | C:\Windows\SysWOW64\Bokphdld.exe | C:\Windows\system32\Bokphdld.exe | PID 2632 | Drops file in System32 directory
74 | C:\Windows\SysWOW64\Baildokg.exe | C:\Windows\system32\Baildokg.exe | PID 2600 |
75 | C:\Windows\SysWOW64\Bloqah32.exe | C:\Windows\system32\Bloqah32.exe | PID 2616 | Modifies registry class
76 | C:\Windows\SysWOW64\Bommnc32.exe | C:\Windows\system32\Bommnc32.exe | PID 2888 |
77 | C:\Windows\SysWOW64\Balijo32.exe | C:\Windows\system32\Balijo32.exe | PID 1524 |
78 | C:\Windows\SysWOW64\Bdjefj32.exe | C:\Windows\system32\Bdjefj32.exe | PID 1676 | Modifies registry class
79 | C:\Windows\SysWOW64\Bghabf32.exe | C:\Windows\system32\Bghabf32.exe | PID 316 |
80 | C:\Windows\SysWOW64\Bopicc32.exe | C:\Windows\system32\Bopicc32.exe | PID 620 | Modifies registry class
81 | C:\Windows\SysWOW64\Bpafkknm.exe | C:\Windows\system32\Bpafkknm.exe | PID 2208 | Modifies registry class
82 | C:\Windows\SysWOW64\Bhhnli32.exe | C:\Windows\system32\Bhhnli32.exe | PID 1084 |
83 | C:\Windows\SysWOW64\Bkfjhd32.exe | C:\Windows\system32\Bkfjhd32.exe | PID 836 |
84 | C:\Windows\SysWOW64\Bnefdp32.exe | C:\Windows\system32\Bnefdp32.exe | PID 2764 |
85 | C:\Windows\SysWOW64\Bdooajdc.exe | C:\Windows\system32\Bdooajdc.exe | PID 1220 |
86 | C:\Windows\SysWOW64\Ckignd32.exe | C:\Windows\system32\Ckignd32.exe | PID 2976 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
87 | C:\Windows\SysWOW64\Cngcjo32.exe | C:\Windows\system32\Cngcjo32.exe | PID 1984 | Adds autorun key to be loaded by Explorer.exe on startup
88 | C:\Windows\SysWOW64\Cljcelan.exe | C:\Windows\system32\Cljcelan.exe | PID 2684 |
89 | C:\Windows\SysWOW64\Ccdlbf32.exe | C:\Windows\system32\Ccdlbf32.exe | PID 2656 |
90 | C:\Windows\SysWOW64\Cfbhnaho.exe | C:\Windows\system32\Cfbhnaho.exe | PID 2492 | Modifies registry class
91 | C:\Windows\SysWOW64\Cllpkl32.exe | C:\Windows\system32\Cllpkl32.exe | PID 2164 | Modifies registry class
92 | C:\Windows\SysWOW64\Cphlljge.exe | C:\Windows\system32\Cphlljge.exe | PID 2692 | Modifies registry class
93 | C:\Windows\SysWOW64\Ccfhhffh.exe | C:\Windows\system32\Ccfhhffh.exe | PID 1836 | Drops file in System32 directory
94 | C:\Windows\SysWOW64\Cfeddafl.exe | C:\Windows\system32\Cfeddafl.exe | PID 1428 |
95 | C:\Windows\SysWOW64\Clomqk32.exe | C:\Windows\system32\Clomqk32.exe | PID 2852 |
96 | C:\Windows\SysWOW64\Comimg32.exe | C:\Windows\system32\Comimg32.exe | PID 2488 |
97 | C:\Windows\SysWOW64\Cfgaiaci.exe | C:\Windows\system32\Cfgaiaci.exe | PID 2864 |
98 | C:\Windows\SysWOW64\Chemfl32.exe | C:\Windows\system32\Chemfl32.exe | PID 1596 |
99 | C:\Windows\SysWOW64\Copfbfjj.exe | C:\Windows\system32\Copfbfjj.exe | PID 2068 | Adds autorun key to be loaded by Explorer.exe on startup
100 | C:\Windows\SysWOW64\Cbnbobin.exe | C:\Windows\system32\Cbnbobin.exe | PID 1572 |
101 | C:\Windows\SysWOW64\Chhjkl32.exe | C:\Windows\system32\Chhjkl32.exe | PID 1300 |
102 | C:\Windows\SysWOW64\Clcflkic.exe | C:\Windows\system32\Clcflkic.exe | PID 2356 |
103 | C:\Windows\SysWOW64\Dbpodagk.exe | C:\Windows\system32\Dbpodagk.exe | PID 2732 |
104 | C:\Windows\SysWOW64\Ddokpmfo.exe | C:\Windows\system32\Ddokpmfo.exe | PID 2568 | Drops file in System32 directory
105 | C:\Windows\SysWOW64\Dgmglh32.exe | C:\Windows\system32\Dgmglh32.exe | PID 2620 | Modifies registry class
106 | C:\Windows\SysWOW64\Dodonf32.exe | C:\Windows\system32\Dodonf32.exe | PID 2640 | Modifies registry class
107 | C:\Windows\SysWOW64\Dbbkja32.exe | C:\Windows\system32\Dbbkja32.exe | PID 2112 |
108 | C:\Windows\SysWOW64\Ddagfm32.exe | C:\Windows\system32\Ddagfm32.exe | PID 344 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
109 | C:\Windows\SysWOW64\Dkkpbgli.exe | C:\Windows\system32\Dkkpbgli.exe | PID 2184 |
110 | C:\Windows\SysWOW64\Dnilobkm.exe | C:\Windows\system32\Dnilobkm.exe | PID 1104 |
111 | C:\Windows\SysWOW64\Dqhhknjp.exe | C:\Windows\system32\Dqhhknjp.exe | PID 1688 | Modifies registry class
112 | C:\Windows\SysWOW64\Djpmccqq.exe | C:\Windows\system32\Djpmccqq.exe | PID 2980 | Modifies registry class
113 | C:\Windows\SysWOW64\Dmoipopd.exe | C:\Windows\system32\Dmoipopd.exe | PID 1180 | Modifies registry class
114 | C:\Windows\SysWOW64\Ddeaalpg.exe | C:\Windows\system32\Ddeaalpg.exe | PID 1612 |
115 | C:\Windows\SysWOW64\Dfgmhd32.exe | C:\Windows\system32\Dfgmhd32.exe | PID 2700 |
116 | C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\system32\Dmafennb.exe | PID 2904 |
117 | C:\Windows\SysWOW64\Dqlafm32.exe | C:\Windows\system32\Dqlafm32.exe | PID 1576 |
118 | C:\Windows\SysWOW64\Dgfjbgmh.exe | C:\Windows\system32\Dgfjbgmh.exe | PID 1876 | Drops file in System32 directory
119 | C:\Windows\SysWOW64\Eihfjo32.exe | C:\Windows\system32\Eihfjo32.exe | PID 2880 | Drops file in System32 directory
120 | C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\system32\Emcbkn32.exe | PID 2336 | Drops file in System32 directory
121 | C:\Windows\SysWOW64\Ecmkghcl.exe | C:\Windows\system32\Ecmkghcl.exe | PID 880 | Adds autorun key to be loaded by Explorer.exe on startup
122 | C:\Windows\SysWOW64\Ebpkce32.exe | C:\Windows\system32\Ebpkce32.exe | PID 2992 |
123 | C:\Windows\SysWOW64\Eijcpoac.exe | C:\Windows\system32\Eijcpoac.exe | PID 3052 | Modifies registry class
124 | C:\Windows\SysWOW64\Epdkli32.exe | C:\Windows\system32\Epdkli32.exe | PID 3060 |
125 | C:\Windows\SysWOW64\Ebbgid32.exe | C:\Windows\system32\Ebbgid32.exe | PID 2460 |
126 | C:\Windows\SysWOW64\Eilpeooq.exe | C:\Windows\system32\Eilpeooq.exe | PID 860 |
127 | C:\Windows\SysWOW64\Ekklaj32.exe | C:\Windows\system32\Ekklaj32.exe | PID 2120 |
128 | C:\Windows\SysWOW64\Ebedndfa.exe | C:\Windows\system32\Ebedndfa.exe | PID 2292 | Adds autorun key to be loaded by Explorer.exe on startup
129 | C:\Windows\SysWOW64\Eecqjpee.exe | C:\Windows\system32\Eecqjpee.exe | PID 2064 |
130 | C:\Windows\SysWOW64\Egamfkdh.exe | C:\Windows\system32\Egamfkdh.exe | PID 576 |
131 | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\system32\Epieghdk.exe | PID 868 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
132 | C:\Windows\SysWOW64\Ebgacddo.exe | C:\Windows\system32\Ebgacddo.exe | PID 1712 |
133 | C:\Windows\SysWOW64\Egdilkbf.exe | C:\Windows\system32\Egdilkbf.exe | PID 2560 |
134 | C:\Windows\SysWOW64\Ennaieib.exe | C:\Windows\system32\Ennaieib.exe | PID 1088 |
135 | C:\Windows\SysWOW64\Ealnephf.exe | C:\Windows\system32\Ealnephf.exe | PID 2612 |
136 | C:\Windows\SysWOW64\Fckjalhj.exe | C:\Windows\system32\Fckjalhj.exe | PID 2032 |
137 | C:\Windows\SysWOW64\Fjdbnf32.exe | C:\Windows\system32\Fjdbnf32.exe | PID 2128 | Modifies registry class
138 | C:\Windows\SysWOW64\Fnpnndgp.exe | C:\Windows\system32\Fnpnndgp.exe | PID 1412 | Adds autorun key to be loaded by Explorer.exe on startup
139 | C:\Windows\SysWOW64\Faokjpfd.exe | C:\Windows\system32\Faokjpfd.exe | PID 1280 |
140 | C:\Windows\SysWOW64\Fhhcgj32.exe | C:\Windows\system32\Fhhcgj32.exe | PID 2196 | Adds autorun key to be loaded by Explorer.exe on startup
141 | C:\Windows\SysWOW64\Fjgoce32.exe | C:\Windows\system32\Fjgoce32.exe | PID 628 |
142 | C:\Windows\SysWOW64\Fmekoalh.exe | C:\Windows\system32\Fmekoalh.exe | PID 1076 |
143 | C:\Windows\SysWOW64\Fpdhklkl.exe | C:\Windows\system32\Fpdhklkl.exe | PID 2368 |
144 | C:\Windows\SysWOW64\Ffnphf32.exe | C:\Windows\system32\Ffnphf32.exe | PID 680 |
145 | C:\Windows\SysWOW64\Fjilieka.exe | C:\Windows\system32\Fjilieka.exe | PID 2668 | Modifies registry class
146 | C:\Windows\SysWOW64\Facdeo32.exe | C:\Windows\system32\Facdeo32.exe | PID 1652 |
147 | C:\Windows\SysWOW64\Fpfdalii.exe | C:\Windows\system32\Fpfdalii.exe | PID 2900 |
148 | C:\Windows\SysWOW64\Fbdqmghm.exe | C:\Windows\system32\Fbdqmghm.exe | PID 1020 |
149 | C:\Windows\SysWOW64\Fjlhneio.exe | C:\Windows\system32\Fjlhneio.exe | PID 1380 | Adds autorun key to be loaded by Explorer.exe on startup
150 | C:\Windows\SysWOW64\Fmjejphb.exe | C:\Windows\system32\Fmjejphb.exe | PID 2200 |
151 | C:\Windows\SysWOW64\Fphafl32.exe | C:\Windows\system32\Fphafl32.exe | PID 804 |
152 | C:\Windows\SysWOW64\Fbgmbg32.exe | C:\Windows\system32\Fbgmbg32.exe | PID 1956 |
153 | C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\system32\Ffbicfoc.exe | PID 2288 |
154 | C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\system32\Fmlapp32.exe | PID 2608 |
155 | C:\Windows\SysWOW64\Globlmmj.exe | C:\Windows\system32\Globlmmj.exe | PID 2524 |
156 | C:\Windows\SysWOW64\Gonnhhln.exe | C:\Windows\system32\Gonnhhln.exe | PID 2512 |
157 | C:\Windows\SysWOW64\Gfefiemq.exe | C:\Windows\system32\Gfefiemq.exe | PID 1288 | Drops file in System32 directory; Modifies registry class
158 | C:\Windows\SysWOW64\Gicbeald.exe | C:\Windows\system32\Gicbeald.exe | PID 2204 |
159 | C:\Windows\SysWOW64\Glaoalkh.exe | C:\Windows\system32\Glaoalkh.exe | PID 2264 |
160 | C:\Windows\SysWOW64\Gopkmhjk.exe | C:\Windows\system32\Gopkmhjk.exe | PID 2272 |
161 | C:\Windows\SysWOW64\Gangic32.exe | C:\Windows\system32\Gangic32.exe | PID 2804 |
162 | C:\Windows\SysWOW64\Gieojq32.exe | C:\Windows\system32\Gieojq32.exe | PID 2480 | Adds autorun key to be loaded by Explorer.exe on startup
163 | C:\Windows\SysWOW64\Gldkfl32.exe | C:\Windows\system32\Gldkfl32.exe | PID 2540 |
164 | C:\Windows\SysWOW64\Gkgkbipp.exe | C:\Windows\system32\Gkgkbipp.exe | PID 1864 |
165 | C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\system32\Gobgcg32.exe | PID 1408 | Drops file in System32 directory; Modifies registry class
166 | C:\Windows\SysWOW64\Gdopkn32.exe | C:\Windows\system32\Gdopkn32.exe | PID 1656 |
167 | C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\system32\Glfhll32.exe | PID 2576 | Adds autorun key to be loaded by Explorer.exe on startup
168 | C:\Windows\SysWOW64\Gkihhhnm.exe | C:\Windows\system32\Gkihhhnm.exe | PID 2956 | Drops file in System32 directory
169 | C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\system32\Gacpdbej.exe | PID 2352 |
170 | C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\system32\Ghmiam32.exe | PID 2244 | Drops file in System32 directory
171 | C:\Windows\SysWOW64\Ggpimica.exe | C:\Windows\system32\Ggpimica.exe | PID 1832 |
172 | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\system32\Gaemjbcg.exe | PID 2484 |
173 | C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\system32\Gddifnbk.exe | PID 1584 |
174 | C:\Windows\SysWOW64\Ghoegl32.exe | C:\Windows\system32\Ghoegl32.exe | PID 2884 |
175 | C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\system32\Hgbebiao.exe | PID 1948 |
176 | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\system32\Hahjpbad.exe | PID 1580 |
177 | C:\Windows\SysWOW64\Hpkjko32.exe | C:\Windows\system32\Hpkjko32.exe | PID 572 | Drops file in System32 directory
178 | C:\Windows\SysWOW64\Hgdbhi32.exe | C:\Windows\system32\Hgdbhi32.exe | PID 644 |
179 | C:\Windows\SysWOW64\Hicodd32.exe | C:\Windows\system32\Hicodd32.exe | PID 2348 |
180 | C:\Windows\SysWOW64\Hlakpp32.exe | C:\Windows\system32\Hlakpp32.exe | PID 2756 | Adds autorun key to be loaded by Explorer.exe on startup
181 | C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\system32\Hdhbam32.exe | PID 2752 |
182 | C:\Windows\SysWOW64\Hggomh32.exe | C:\Windows\system32\Hggomh32.exe | PID 2364 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
183 | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\system32\Hiekid32.exe | PID 1720 |
184 | C:\Windows\SysWOW64\Hlcgeo32.exe | C:\Windows\system32\Hlcgeo32.exe | PID 2556 |
185 | C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\system32\Hgilchkf.exe | PID 1520 |
186 | C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\system32\Hjhhocjj.exe | PID 2800 | Adds autorun key to be loaded by Explorer.exe on startup
187 | C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\system32\Hpapln32.exe | PID 1736 |
188 | C:\Windows\SysWOW64\Hacmcfge.exe | C:\Windows\system32\Hacmcfge.exe | PID 2044 |
189 | C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\system32\Hjjddchg.exe | PID 3080 |
190 | C:\Windows\SysWOW64\Hlhaqogk.exe | C:\Windows\system32\Hlhaqogk.exe | PID 3120 |
191 | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\system32\Hkkalk32.exe | PID 3160 | Modifies registry class
192 | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\system32\Iaeiieeb.exe | PID 3200 |
193 | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\system32\Idceea32.exe | PID 3240 |
194 | C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\system32\Iknnbklc.exe | PID 3280 | Modifies registry class
195 | C:\Windows\SysWOW64\Inljnfkg.exe | C:\Windows\system32\Inljnfkg.exe | PID 3320 | Drops file in System32 directory
196 | C:\Windows\SysWOW64\Ifcbodli.exe | C:\Windows\system32\Ifcbodli.exe | PID 3360 |
197 | C:\Windows\SysWOW64\Ihankokm.exe | C:\Windows\system32\Ihankokm.exe | PID 3400 | Adds autorun key to be loaded by Explorer.exe on startup
198 | C:\Windows\SysWOW64\Ikpjgkjq.exe | C:\Windows\system32\Ikpjgkjq.exe | PID 3440 |
199 | C:\Windows\SysWOW64\Iokfhi32.exe | C:\Windows\system32\Iokfhi32.exe | PID 3480 |
200 | C:\Windows\SysWOW64\Iqmcpahh.exe | C:\Windows\system32\Iqmcpahh.exe | PID 3520 |
201 | C:\Windows\SysWOW64\Idhopq32.exe | C:\Windows\system32\Idhopq32.exe | PID 3560 | Adds autorun key to be loaded by Explorer.exe on startup
202 | C:\Windows\SysWOW64\Ikbgmj32.exe | C:\Windows\system32\Ikbgmj32.exe | PID 3600 |
203 | C:\Windows\SysWOW64\Inqcif32.exe | C:\Windows\system32\Inqcif32.exe | PID 3640 |
204 | C:\Windows\SysWOW64\Idklfpon.exe | C:\Windows\system32\Idklfpon.exe | PID 3680 | Adds autorun key to be loaded by Explorer.exe on startup
205 | C:\Windows\SysWOW64\Igihbknb.exe | C:\Windows\system32\Igihbknb.exe | PID 3720 | Drops file in System32 directory
206 | C:\Windows\SysWOW64\Ijgdngmf.exe | C:\Windows\system32\Ijgdngmf.exe | PID 3760 |
207 | C:\Windows\SysWOW64\Incpoe32.exe | C:\Windows\system32\Incpoe32.exe | PID 3800 |
208 | C:\Windows\SysWOW64\Icpigm32.exe | C:\Windows\system32\Icpigm32.exe | PID 3840 |
209 | C:\Windows\SysWOW64\Igkdgk32.exe | C:\Windows\system32\Igkdgk32.exe | PID 3880 |
210 | C:\Windows\SysWOW64\Jmhmpb32.exe | C:\Windows\system32\Jmhmpb32.exe | PID 3924 |
211 | C:\Windows\SysWOW64\Jqdipqbp.exe | C:\Windows\system32\Jqdipqbp.exe | PID 3964 | Adds autorun key to be loaded by Explorer.exe on startup
212 | C:\Windows\SysWOW64\Jgnamk32.exe | C:\Windows\system32\Jgnamk32.exe | PID 4004 | Drops file in System32 directory
213 | C:\Windows\SysWOW64\Jfqahgpg.exe | C:\Windows\system32\Jfqahgpg.exe | PID 4044 | Adds autorun key to be loaded by Explorer.exe on startup
214 | C:\Windows\SysWOW64\Jmjjea32.exe | C:\Windows\system32\Jmjjea32.exe | PID 4084 |
215 | C:\Windows\SysWOW64\Joifam32.exe | C:\Windows\system32\Joifam32.exe | PID 3092 |
216 | C:\Windows\SysWOW64\Jbgbni32.exe | C:\Windows\system32\Jbgbni32.exe | PID 3144 |
217 | C:\Windows\SysWOW64\Jfcnngnd.exe | C:\Windows\system32\Jfcnngnd.exe | PID 3184 |
218 | C:\Windows\SysWOW64\Jkpgfn32.exe | C:\Windows\system32\Jkpgfn32.exe | PID 3256 |
219 | C:\Windows\SysWOW64\Jokcgmee.exe | C:\Windows\system32\Jokcgmee.exe | PID 3292 |
220 | C:\Windows\SysWOW64\Jcgogk32.exe | C:\Windows\system32\Jcgogk32.exe | PID 3348 | Drops file in System32 directory
221 | C:\Windows\SysWOW64\Jehkodcm.exe | C:\Windows\system32\Jehkodcm.exe | PID 3388 |
222 | C:\Windows\SysWOW64\Jkbcln32.exe | C:\Windows\system32\Jkbcln32.exe | PID 3452 |
223 | C:\Windows\SysWOW64\Jnqphi32.exe | C:\Windows\system32\Jnqphi32.exe | PID 3492 |
224 | C:\Windows\SysWOW64\Jfghif32.exe | C:\Windows\system32\Jfghif32.exe | PID 3556 | Adds autorun key to be loaded by Explorer.exe on startup
225 | C:\Windows\SysWOW64\Jifdebic.exe | C:\Windows\system32\Jifdebic.exe | PID 3592 |
226 | C:\Windows\SysWOW64\Jkdpanhg.exe | C:\Windows\system32\Jkdpanhg.exe | PID 3648 |
227 | C:\Windows\SysWOW64\Jnclnihj.exe | C:\Windows\system32\Jnclnihj.exe | PID 3692 |
228 | C:\Windows\SysWOW64\Kemejc32.exe | C:\Windows\system32\Kemejc32.exe | PID 3744 |
229 | C:\Windows\SysWOW64\Kgkafo32.exe | C:\Windows\system32\Kgkafo32.exe | PID 3792 | Drops file in System32 directory
230 | C:\Windows\SysWOW64\Kjjmbj32.exe | C:\Windows\system32\Kjjmbj32.exe | PID 3848 |
231 | C:\Windows\SysWOW64\Kaceodek.exe | C:\Windows\system32\Kaceodek.exe | PID 3904 |
232 | C:\Windows\SysWOW64\Keoapb32.exe | C:\Windows\system32\Keoapb32.exe | PID 3948 | Modifies registry class
233 | C:\Windows\SysWOW64\Kgnnln32.exe | C:\Windows\system32\Kgnnln32.exe | PID 3996 |
234 | C:\Windows\SysWOW64\Kngfih32.exe | C:\Windows\system32\Kngfih32.exe | PID 4052 |
235 | C:\Windows\SysWOW64\Kmjfdejp.exe | C:\Windows\system32\Kmjfdejp.exe | PID 696 |
236 | C:\Windows\SysWOW64\Kfbkmk32.exe | C:\Windows\system32\Kfbkmk32.exe | PID 3132 |
237 | C:\Windows\SysWOW64\Knjbnh32.exe | C:\Windows\system32\Knjbnh32.exe | PID 3172 |
238 | C:\Windows\SysWOW64\Kpkofpgq.exe | C:\Windows\system32\Kpkofpgq.exe | PID 3264 | Adds autorun key to be loaded by Explorer.exe on startup
239 | C:\Windows\SysWOW64\Kgbggnhc.exe | C:\Windows\system32\Kgbggnhc.exe | PID 3344 |
240 | C:\Windows\SysWOW64\Kjqccigf.exe | C:\Windows\system32\Kjqccigf.exe | PID 3408 |
241 | C:\Windows\SysWOW64\Kmopod32.exe | C:\Windows\system32\Kmopod32.exe | PID 3448 |
242 | C:\Windows\SysWOW64\Kpmlkp32.exe | C:\Windows\system32\Kpmlkp32.exe | PID 3512 |