Analysis
max time kernel: 146s
max time network: 127s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 01:25
Behavioral task: behavioral1
Sample: 1bf2e4c18912d42a28ceece28cf443f0_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 1bf2e4c18912d42a28ceece28cf443f0_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 1bf2e4c18912d42a28ceece28cf443f0_NeikiAnalytics.exe
Size: 768KB
MD5: 1bf2e4c18912d42a28ceece28cf443f0
SHA1: 26a583ac591d86331d2dd08b51a2997b9b980468
SHA256: 1b67bcdb7fc29caf4eb0cf10441075774f9287e7e6394a23399660f4f85a8df9
SHA512: 80e7e7eb46fe8b336e5ebef1f86ced7bd4080b6b02cc069b2a692a81a5defb3c05c07c184a13f4806f0a1ae3aba7864366c14e31c5a48a5cabe36b9b5fbec6aa
SSDEEP: 12288:HBLv4M6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:HuMtaSHFaZRBEYyqmaf2qwiHPKgRC4g2
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dggcffhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlcnda32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncbplk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oomjlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Annbhi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aplifb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cohigamf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bifgdk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cghggc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnffgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcibkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlmlecec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojahnj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmdadnkh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijbdha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nibebfpl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onhgbmfb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpnbkeld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pndpajgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgjclbdi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdpndnei.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqqboncb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Legmbd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpefdl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iedkbc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpngfgle.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ioaifhid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agfgqo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biojif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkeimlfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahgnke32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfenbpec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mabgcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bidjnkdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkaiqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gljnej32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npccpo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pndpajgd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjlqhoba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cohigamf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egafleqm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iompkh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgagfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmbiipml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgmcqkkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idhopq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apimacnn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajbggjfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajbggjfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oobjaqaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilcmjl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mholen32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omfkke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jqilooij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kconkibf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laegiq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfikmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjqccigf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofjfhk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkaiqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pqjfoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afkdakjb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iqopea32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
\Windows\SysWOW64\Idhopq32.exe | family_berbew
\Windows\SysWOW64\Iqopea32.exe | family_berbew
\Windows\SysWOW64\Jjjacf32.exe | family_berbew
C:\Windows\SysWOW64\Jokcgmee.exe | family_berbew
\Windows\SysWOW64\Jfekcg32.exe | family_berbew
\Windows\SysWOW64\Kgkafo32.exe | family_berbew
C:\Windows\SysWOW64\Kmjfdejp.exe | family_berbew
\Windows\SysWOW64\Kjqccigf.exe | family_berbew
\Windows\SysWOW64\Kpmlkp32.exe | family_berbew
\Windows\SysWOW64\Lpdbloof.exe | family_berbew
C:\Windows\SysWOW64\Llnofpcg.exe | family_berbew
C:\Windows\SysWOW64\Cacacg32.exe | family_berbew
C:\Windows\SysWOW64\Cilibi32.exe | family_berbew
C:\Windows\SysWOW64\Cfnmfn32.exe | family_berbew
C:\Windows\SysWOW64\Cdoajb32.exe | family_berbew
C:\Windows\SysWOW64\Baadng32.exe | family_berbew
C:\Windows\SysWOW64\Bkglameg.exe | family_berbew
C:\Windows\SysWOW64\Bhhpeafc.exe | family_berbew
C:\Windows\SysWOW64\Bejdiffp.exe | family_berbew
C:\Windows\SysWOW64\Boplllob.exe | family_berbew
C:\Windows\SysWOW64\Blaopqpo.exe | family_berbew
C:\Windows\SysWOW64\Bdkgocpm.exe | family_berbew
C:\Windows\SysWOW64\Balkchpi.exe | family_berbew
C:\Windows\SysWOW64\Bjbcfn32.exe | family_berbew
C:\Windows\SysWOW64\Bhdgjb32.exe | family_berbew
C:\Windows\SysWOW64\Beejng32.exe | family_berbew
C:\Windows\SysWOW64\Bbgnak32.exe | family_berbew
C:\Windows\SysWOW64\Bphbeplm.exe | family_berbew
C:\Windows\SysWOW64\Biojif32.exe | family_berbew
C:\Windows\SysWOW64\Bbdallnd.exe | family_berbew
C:\Windows\SysWOW64\Bmhideol.exe | family_berbew
C:\Windows\SysWOW64\Aeqabgoj.exe | family_berbew
C:\Windows\SysWOW64\Abbeflpf.exe | family_berbew
C:\Windows\SysWOW64\Apdhjq32.exe | family_berbew
C:\Windows\SysWOW64\Aijpnfif.exe | family_berbew
C:\Windows\SysWOW64\Afkdakjb.exe | family_berbew
C:\Windows\SysWOW64\Acmhepko.exe | family_berbew
C:\Windows\SysWOW64\Amcpie32.exe | family_berbew
C:\Windows\SysWOW64\Ajecmj32.exe | family_berbew
C:\Windows\SysWOW64\Agfgqo32.exe | family_berbew
C:\Windows\SysWOW64\Apoooa32.exe | family_berbew
C:\Windows\SysWOW64\Annbhi32.exe | family_berbew
C:\Windows\SysWOW64\Ajbggjfq.exe | family_berbew
C:\Windows\SysWOW64\Achojp32.exe | family_berbew
C:\Windows\SysWOW64\Anlfbi32.exe | family_berbew
C:\Windows\SysWOW64\Akmjfn32.exe | family_berbew
C:\Windows\SysWOW64\Aecaidjl.exe | family_berbew
C:\Windows\SysWOW64\Abeemhkh.exe | family_berbew
C:\Windows\SysWOW64\Qjnmlk32.exe | family_berbew
C:\Windows\SysWOW64\Qkkmqnck.exe | family_berbew
C:\Windows\SysWOW64\Qeaedd32.exe | family_berbew
C:\Windows\SysWOW64\Qbbhgi32.exe | family_berbew
C:\Windows\SysWOW64\Qodlkm32.exe | family_berbew
C:\Windows\SysWOW64\Qgmdjp32.exe | family_berbew
C:\Windows\SysWOW64\Qijdocfj.exe | family_berbew
C:\Windows\SysWOW64\Qflhbhgg.exe | family_berbew
C:\Windows\SysWOW64\Pndpajgd.exe | family_berbew
C:\Windows\SysWOW64\Pihgic32.exe | family_berbew
C:\Windows\SysWOW64\Pfikmh32.exe | family_berbew
C:\Windows\SysWOW64\Pckoam32.exe | family_berbew
C:\Windows\SysWOW64\Pkdgpo32.exe | family_berbew
C:\Windows\SysWOW64\Piekcd32.exe | family_berbew
C:\Windows\SysWOW64\Pfgngh32.exe | family_berbew
C:\Windows\SysWOW64\Pcibkm32.exe | family_berbew
Executes dropped EXE 64 IoCs
pid | process
2292 | Idhopq32.exe
2040 | Iqopea32.exe
2676 | Jjjacf32.exe
284 | Jokcgmee.exe
3044 | Jfekcg32.exe
2468 | Kgkafo32.exe
2964 | Kmjfdejp.exe
2644 | Kjqccigf.exe
2980 | Kpmlkp32.exe
544 | Lpdbloof.exe
1636 | Llnofpcg.exe
2764 | Mhdplq32.exe
1752 | Mkclhl32.exe
2340 | Mamddf32.exe
620 | Mdkqqa32.exe
2144 | Mkeimlfm.exe
2072 | Maoajf32.exe
628 | Mkgfckcj.exe
2248 | Mlibjc32.exe
1664 | Mdpjlajk.exe
608 | Mimbdhhb.exe
1292 | Mpfkqb32.exe
924 | Mgqcmlgl.exe
2372 | Mlmlecec.exe
2904 | Najdnj32.exe
872 | Nkbhgojk.exe
2908 | Namqci32.exe
2424 | Nncahjgl.exe
2708 | Nhiffc32.exe
2592 | Nnennj32.exe
2864 | Ndpfkdmf.exe
2492 | Njlockkm.exe
2508 | Nacgdhlp.exe
2976 | Nceclqan.exe
2848 | Oklkmnbp.exe
2844 | Olmhdf32.exe
1712 | Ocgpappk.exe
1992 | Ojahnj32.exe
2804 | Oqkqkdne.exe
1632 | Ofhick32.exe
2240 | Ombapedi.exe
2816 | Oclilp32.exe
2416 | Ofjfhk32.exe
1376 | Omdneebf.exe
1720 | Oobjaqaj.exe
768 | Ofmbnkhg.exe
2272 | Omfkke32.exe
2856 | Onhgbmfb.exe
804 | Pdaoog32.exe
2672 | Pklhlael.exe
2628 | Pbfpik32.exe
2440 | Pgbhabjp.exe
1764 | Pjadmnic.exe
1472 | Pqkmjh32.exe
1588 | Pciifc32.exe
2196 | Pjcabmga.exe
1100 | Pamiog32.exe
2084 | Pfjbgnme.exe
820 | Pnajilng.exe
2648 | Ppbfpd32.exe
2448 | Pflomnkb.exe
1032 | Pikkiijf.exe
1496 | Qpecfc32.exe
348 | Qfokbnip.exe
Loads dropped DLL 64 IoCs
pid | process
2552 | 1bf2e4c18912d42a28ceece28cf443f0_NeikiAnalytics.exe
2552 | 1bf2e4c18912d42a28ceece28cf443f0_NeikiAnalytics.exe
2292 | Idhopq32.exe
2292 | Idhopq32.exe
2040 | Iqopea32.exe
2040 | Iqopea32.exe
2676 | Jjjacf32.exe
2676 | Jjjacf32.exe
284 | Jokcgmee.exe
284 | Jokcgmee.exe
3044 | Jfekcg32.exe
3044 | Jfekcg32.exe
2468 | Kgkafo32.exe
2468 | Kgkafo32.exe
2964 | Kmjfdejp.exe
2964 | Kmjfdejp.exe
2644 | Kjqccigf.exe
2644 | Kjqccigf.exe
2980 | Kpmlkp32.exe
2980 | Kpmlkp32.exe
544 | Lpdbloof.exe
544 | Lpdbloof.exe
1636 | Llnofpcg.exe
1636 | Llnofpcg.exe
2764 | Mhdplq32.exe
2764 | Mhdplq32.exe
1752 | Mkclhl32.exe
1752 | Mkclhl32.exe
2340 | Mamddf32.exe
2340 | Mamddf32.exe
620 | Mdkqqa32.exe
620 | Mdkqqa32.exe
2144 | Mkeimlfm.exe
2144 | Mkeimlfm.exe
2072 | Maoajf32.exe
2072 | Maoajf32.exe
628 | Mkgfckcj.exe
628 | Mkgfckcj.exe
2248 | Mlibjc32.exe
2248 | Mlibjc32.exe
1664 | Mdpjlajk.exe
1664 | Mdpjlajk.exe
608 | Mimbdhhb.exe
608 | Mimbdhhb.exe
1292 | Mpfkqb32.exe
1292 | Mpfkqb32.exe
924 | Mgqcmlgl.exe
924 | Mgqcmlgl.exe
2372 | Mlmlecec.exe
2372 | Mlmlecec.exe
2904 | Najdnj32.exe
2904 | Najdnj32.exe
872 | Nkbhgojk.exe
872 | Nkbhgojk.exe
2328 | Nhfipcid.exe
2328 | Nhfipcid.exe
2424 | Nncahjgl.exe
2424 | Nncahjgl.exe
2708 | Nhiffc32.exe
2708 | Nhiffc32.exe
2592 | Nnennj32.exe
2592 | Nnennj32.exe
2864 | Ndpfkdmf.exe
2864 | Ndpfkdmf.exe
Drops file in System32 directory 64 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\Ndpfkdmf.exe | Nnennj32.exe
File opened for modification | C:\Windows\SysWOW64\Kconkibf.exe | Kqqboncb.exe
File created | C:\Windows\SysWOW64\Ljibgg32.exe | Lgjfkk32.exe
File opened for modification | C:\Windows\SysWOW64\Qflhbhgg.exe | Pndpajgd.exe
File created | C:\Windows\SysWOW64\Qfokbnip.exe | Qpecfc32.exe
File opened for modification | C:\Windows\SysWOW64\Hpefdl32.exe | Hiknhbcg.exe
File created | C:\Windows\SysWOW64\Iimckbco.dll | Lclnemgd.exe
File created | C:\Windows\SysWOW64\Pgpeal32.exe | Pdaheq32.exe
File created | C:\Windows\SysWOW64\Baadng32.exe | Bkglameg.exe
File created | C:\Windows\SysWOW64\Amfcikek.exe | Ajhgmpfg.exe
File created | C:\Windows\SysWOW64\Kicmdo32.exe | Kaldcb32.exe
File created | C:\Windows\SysWOW64\Chdqghfp.dll | Ogkkfmml.exe
File opened for modification | C:\Windows\SysWOW64\Pckoam32.exe | Pkdgpo32.exe
File created | C:\Windows\SysWOW64\Nncahjgl.exe | Nhfipcid.exe
File created | C:\Windows\SysWOW64\Adnopfoj.exe | Aaobdjof.exe
File created | C:\Windows\SysWOW64\Dndlim32.exe | Dgjclbdi.exe
File created | C:\Windows\SysWOW64\Gbdalp32.dll | Ngdifkpi.exe
File created | C:\Windows\SysWOW64\Nmmfff32.dll | Boplllob.exe
File created | C:\Windows\SysWOW64\Cmicaonb.dll | Pfjbgnme.exe
File created | C:\Windows\SysWOW64\Ebodiofk.exe | Egjpkffe.exe
File created | C:\Windows\SysWOW64\Fdebncjd.dll | Igchlf32.exe
File opened for modification | C:\Windows\SysWOW64\Ncpcfkbg.exe | Npagjpcd.exe
File created | C:\Windows\SysWOW64\Pqjfoa32.exe | Pjpnbg32.exe
File created | C:\Windows\SysWOW64\Bbdallnd.exe | Bmhideol.exe
File created | C:\Windows\SysWOW64\Mijgof32.dll | Ofjfhk32.exe
File created | C:\Windows\SysWOW64\Fpngfgle.exe | Fjaonpnn.exe
File created | C:\Windows\SysWOW64\Gpqpjj32.exe | Gifhnpea.exe
File created | C:\Windows\SysWOW64\Gfjhgdck.exe | Gpqpjj32.exe
File opened for modification | C:\Windows\SysWOW64\Magqncba.exe | Moidahcn.exe
File created | C:\Windows\SysWOW64\Agfgqo32.exe | Apoooa32.exe
File opened for modification | C:\Windows\SysWOW64\Fagjnn32.exe | Fljafg32.exe
File opened for modification | C:\Windows\SysWOW64\Lphhenhc.exe | Laegiq32.exe
File created | C:\Windows\SysWOW64\Legmbd32.exe | Lbiqfied.exe
File created | C:\Windows\SysWOW64\Jnffgd32.exe | Ikhjki32.exe
File created | C:\Windows\SysWOW64\Ljkomfjl.exe | Lgmcqkkh.exe
File opened for modification | C:\Windows\SysWOW64\Aefeijle.exe | Apimacnn.exe
File created | C:\Windows\SysWOW64\Fffdil32.dll | Igakgfpn.exe
File created | C:\Windows\SysWOW64\Emfmdo32.dll | Abeemhkh.exe
File created | C:\Windows\SysWOW64\Ndemjoae.exe | Magqncba.exe
File created | C:\Windows\SysWOW64\Gneolbel.dll | Pjpnbg32.exe
File created | C:\Windows\SysWOW64\Gcnmkd32.dll | Qodlkm32.exe
File created | C:\Windows\SysWOW64\Cdblnn32.dll | Annbhi32.exe
File created | C:\Windows\SysWOW64\Ihfhdp32.dll | Hpefdl32.exe
File created | C:\Windows\SysWOW64\Kkaiqk32.exe | Kicmdo32.exe
File opened for modification | C:\Windows\SysWOW64\Odlojanh.exe | Oancnfoe.exe
File created | C:\Windows\SysWOW64\Blaopqpo.exe | Bdkgocpm.exe
File created | C:\Windows\SysWOW64\Cjgheann.dll | Ilncom32.exe
File created | C:\Windows\SysWOW64\Laegiq32.exe | Ljkomfjl.exe
File created | C:\Windows\SysWOW64\Mholen32.exe | Meppiblm.exe
File created | C:\Windows\SysWOW64\Loclnq32.dll | Jjjacf32.exe
File opened for modification | C:\Windows\SysWOW64\Hkfagfop.exe | Hhgdkjol.exe
File opened for modification | C:\Windows\SysWOW64\Ikhjki32.exe | Ihjnom32.exe
File created | C:\Windows\SysWOW64\Fnqkpajk.dll | Mabgcd32.exe
File created | C:\Windows\SysWOW64\Jodjlm32.dll | Bejdiffp.exe
File opened for modification | C:\Windows\SysWOW64\Mgqcmlgl.exe | Mpfkqb32.exe
File opened for modification | C:\Windows\SysWOW64\Omdneebf.exe | Ofjfhk32.exe
File created | C:\Windows\SysWOW64\Fhhiii32.dll | Nenobfak.exe
File created | C:\Windows\SysWOW64\Hojgbclk.dll | Aefeijle.exe
File opened for modification | C:\Windows\SysWOW64\Iqopea32.exe | Idhopq32.exe
File opened for modification | C:\Windows\SysWOW64\Llnofpcg.exe | Lpdbloof.exe
File opened for modification | C:\Windows\SysWOW64\Moanaiie.exe | Mhhfdo32.exe
File opened for modification | C:\Windows\SysWOW64\Amfcikek.exe | Ajhgmpfg.exe
File created | C:\Windows\SysWOW64\Iompkh32.exe | Ilncom32.exe
File created | C:\Windows\SysWOW64\Qocjhb32.dll | Kiijnq32.exe
Program crash 1 IoCs
pid | pid_target | process
4808 | 2748 | WerFault.exe
Modifies registry class 64 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll" | Joaeeklp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knmhgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lpekon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nacgdhlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cohigamf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebodiofk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijdqna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbgnak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ombapedi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemaaoaf.dll" | Kgkafo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdniqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll" | Pqjfoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qgmdjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfekcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chnqkg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdaheq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qeaedd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oklkmnbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpgfki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgkafo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hipkdnmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oobjaqaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll" | Kicmdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mamddf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmihnd32.dll" | Oaiibg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjobj32.dll" | Lpdbloof.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbfdaigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll" | Piekcd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fpngfgle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll" | Mffimglk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mholen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bemgilhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lbfdaigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll" | Beejng32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkglameg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" | Bhndldcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giaekk32.dll" | Bmmiij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bhkdeggl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Doehqead.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Apoooa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll" | Apoooa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdaoog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omdneebf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdeeqehb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obilnl32.dll" | Chnqkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgjaf32.dll" | Gfjhgdck.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jqilooij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohaeia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oopfakpa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nncahjgl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfikmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nkbhgojk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlafm32.dll" | Omdneebf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhndldcn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnmehnan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll" | Jfiale32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qbbhgi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgkafo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijbdha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kiqpop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkeimlfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofmbnkhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qmicohqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flojhn32.dll" | Ceodnl32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\1bf2e4c18912d42a28ceece28cf443f0_NeikiAnalytics.exe (PID 2552), command line: "C:\Users\Admin\AppData\Local\Temp\1bf2e4c18912d42a28ceece28cf443f0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Idhopq32.exe (PID 2292), command line: C:\Windows\system32\Idhopq32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Iqopea32.exe (PID 2040), command line: C:\Windows\system32\Iqopea32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Jjjacf32.exe (PID 2676), command line: C:\Windows\system32\Jjjacf32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Jokcgmee.exe (PID 284), command line: C:\Windows\system32\Jokcgmee.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Jfekcg32.exe (PID 3044), command line: C:\Windows\system32\Jfekcg32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kgkafo32.exe (PID 2468), command line: C:\Windows\system32\Kgkafo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kmjfdejp.exe (PID 2964), command line: C:\Windows\system32\Kmjfdejp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kjqccigf.exe (PID 2644), command line: C:\Windows\system32\Kjqccigf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kpmlkp32.exe (PID 2980), command line: C:\Windows\system32\Kpmlkp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lpdbloof.exe (PID 544), command line: C:\Windows\system32\Lpdbloof.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Llnofpcg.exe (PID 1636), command line: C:\Windows\system32\Llnofpcg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mhdplq32.exe (PID 2764), command line: C:\Windows\system32\Mhdplq32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mkclhl32.exe (PID 1752), command line: C:\Windows\system32\Mkclhl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mamddf32.exe (PID 2340), command line: C:\Windows\system32\Mamddf32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mdkqqa32.exe (PID 620), command line: C:\Windows\system32\Mdkqqa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mkeimlfm.exe (PID 2144), command line: C:\Windows\system32\Mkeimlfm.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
18. C:\Windows\SysWOW64\Maoajf32.exe (PID 2072), command line: C:\Windows\system32\Maoajf32.exe
  - Executes dropped EXE
  - Loads dropped DLL
19. C:\Windows\SysWOW64\Mkgfckcj.exe (PID 628), command line: C:\Windows\system32\Mkgfckcj.exe
  - Executes dropped EXE
  - Loads dropped DLL
20. C:\Windows\SysWOW64\Mlibjc32.exe (PID 2248), command line: C:\Windows\system32\Mlibjc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
21. C:\Windows\SysWOW64\Mdpjlajk.exe (PID 1664), command line: C:\Windows\system32\Mdpjlajk.exe
  - Executes dropped EXE
  - Loads dropped DLL
22. C:\Windows\SysWOW64\Mimbdhhb.exe (PID 608), command line: C:\Windows\system32\Mimbdhhb.exe
  - Executes dropped EXE
  - Loads dropped DLL
23. C:\Windows\SysWOW64\Mpfkqb32.exe (PID 1292), command line: C:\Windows\system32\Mpfkqb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
24. C:\Windows\SysWOW64\Mgqcmlgl.exe (PID 924), command line: C:\Windows\system32\Mgqcmlgl.exe
  - Executes dropped EXE
  - Loads dropped DLL
25. C:\Windows\SysWOW64\Mlmlecec.exe (PID 2372), command line: C:\Windows\system32\Mlmlecec.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
26. C:\Windows\SysWOW64\Najdnj32.exe (PID 2904), command line: C:\Windows\system32\Najdnj32.exe
  - Executes dropped EXE
  - Loads dropped DLL
27. C:\Windows\SysWOW64\Nkbhgojk.exe (PID 872), command line: C:\Windows\system32\Nkbhgojk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
28. C:\Windows\SysWOW64\Namqci32.exe (PID 2908), command line: C:\Windows\system32\Namqci32.exe
  - Executes dropped EXE
29. C:\Windows\SysWOW64\Nhfipcid.exe (PID 2328), command line: C:\Windows\system32\Nhfipcid.exe
  - Loads dropped DLL
  - Drops file in System32 directory
30. C:\Windows\SysWOW64\Nncahjgl.exe (PID 2424), command line: C:\Windows\system32\Nncahjgl.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
31. C:\Windows\SysWOW64\Nhiffc32.exe (PID 2708), command line: C:\Windows\system32\Nhiffc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
32. C:\Windows\SysWOW64\Nnennj32.exe (PID 2592), command line: C:\Windows\system32\Nnennj32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
33. C:\Windows\SysWOW64\Ndpfkdmf.exe (PID 2864), command line: C:\Windows\system32\Ndpfkdmf.exe
  - Executes dropped EXE
  - Loads dropped DLL
34. C:\Windows\SysWOW64\Njlockkm.exe (PID 2492), command line: C:\Windows\system32\Njlockkm.exe
  - Executes dropped EXE
35. C:\Windows\SysWOW64\Nacgdhlp.exe (PID 2508), command line: C:\Windows\system32\Nacgdhlp.exe
  - Executes dropped EXE
  - Modifies registry class
36. C:\Windows\SysWOW64\Nceclqan.exe (PID 2976), command line: C:\Windows\system32\Nceclqan.exe
  - Executes dropped EXE
37. C:\Windows\SysWOW64\Oklkmnbp.exe (PID 2848), command line: C:\Windows\system32\Oklkmnbp.exe
  - Executes dropped EXE
  - Modifies registry class
38. C:\Windows\SysWOW64\Olmhdf32.exe (PID 2844), command line: C:\Windows\system32\Olmhdf32.exe
  - Executes dropped EXE
39. C:\Windows\SysWOW64\Ocgpappk.exe (PID 1712), command line: C:\Windows\system32\Ocgpappk.exe
  - Executes dropped EXE
40. C:\Windows\SysWOW64\Ojahnj32.exe (PID 1992), command line: C:\Windows\system32\Ojahnj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
41. C:\Windows\SysWOW64\Oqkqkdne.exe (PID 2804), command line: C:\Windows\system32\Oqkqkdne.exe
  - Executes dropped EXE
42. C:\Windows\SysWOW64\Ofhick32.exe (PID 1632), command line: C:\Windows\system32\Ofhick32.exe
  - Executes dropped EXE
43. C:\Windows\SysWOW64\Ombapedi.exe (PID 2240), command line: C:\Windows\system32\Ombapedi.exe
  - Executes dropped EXE
  - Modifies registry class
44. C:\Windows\SysWOW64\Oclilp32.exe (PID 2816), command line: C:\Windows\system32\Oclilp32.exe
  - Executes dropped EXE
45. C:\Windows\SysWOW64\Ofjfhk32.exe (PID 2416), command line: C:\Windows\system32\Ofjfhk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
46. C:\Windows\SysWOW64\Omdneebf.exe (PID 1376), command line: C:\Windows\system32\Omdneebf.exe
  - Executes dropped EXE
  - Modifies registry class
47. C:\Windows\SysWOW64\Oobjaqaj.exe (PID 1720), command line: C:\Windows\system32\Oobjaqaj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
48. C:\Windows\SysWOW64\Ofmbnkhg.exe (PID 768), command line: C:\Windows\system32\Ofmbnkhg.exe
  - Executes dropped EXE
  - Modifies registry class
49. C:\Windows\SysWOW64\Omfkke32.exe (PID 2272), command line: C:\Windows\system32\Omfkke32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
50. C:\Windows\SysWOW64\Onhgbmfb.exe (PID 2856), command line: C:\Windows\system32\Onhgbmfb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
51. C:\Windows\SysWOW64\Pdaoog32.exe (PID 804), command line: C:\Windows\system32\Pdaoog32.exe
  - Executes dropped EXE
  - Modifies registry class
52. C:\Windows\SysWOW64\Pklhlael.exe (PID 2672), command line: C:\Windows\system32\Pklhlael.exe
  - Executes dropped EXE
53. C:\Windows\SysWOW64\Pbfpik32.exe (PID 2628), command line: C:\Windows\system32\Pbfpik32.exe
  - Executes dropped EXE
54. C:\Windows\SysWOW64\Pgbhabjp.exe (PID 2440), command line: C:\Windows\system32\Pgbhabjp.exe
  - Executes dropped EXE
55. C:\Windows\SysWOW64\Pjadmnic.exe (PID 1764), command line: C:\Windows\system32\Pjadmnic.exe
  - Executes dropped EXE
56. C:\Windows\SysWOW64\Pqkmjh32.exe (PID 1472), command line: C:\Windows\system32\Pqkmjh32.exe
  - Executes dropped EXE
57. C:\Windows\SysWOW64\Pciifc32.exe (PID 1588), command line: C:\Windows\system32\Pciifc32.exe
  - Executes dropped EXE
58. C:\Windows\SysWOW64\Pjcabmga.exe (PID 2196), command line: C:\Windows\system32\Pjcabmga.exe
  - Executes dropped EXE
59. C:\Windows\SysWOW64\Pamiog32.exe (PID 1100), command line: C:\Windows\system32\Pamiog32.exe
  - Executes dropped EXE
60. C:\Windows\SysWOW64\Pfjbgnme.exe (PID 2084), command line: C:\Windows\system32\Pfjbgnme.exe
  - Executes dropped EXE
  - Drops file in System32 directory
61. C:\Windows\SysWOW64\Pnajilng.exe (PID 820), command line: C:\Windows\system32\Pnajilng.exe
  - Executes dropped EXE
62. C:\Windows\SysWOW64\Ppbfpd32.exe (PID 2648), command line: C:\Windows\system32\Ppbfpd32.exe
  - Executes dropped EXE
63. C:\Windows\SysWOW64\Pflomnkb.exe (PID 2448), command line: C:\Windows\system32\Pflomnkb.exe
  - Executes dropped EXE
64. C:\Windows\SysWOW64\Pikkiijf.exe (PID 1032), command line: C:\Windows\system32\Pikkiijf.exe
  - Executes dropped EXE
65. C:\Windows\SysWOW64\Qpecfc32.exe (PID 1496), command line: C:\Windows\system32\Qpecfc32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
66. C:\Windows\SysWOW64\Qfokbnip.exe (PID 348), command line: C:\Windows\system32\Qfokbnip.exe
  - Executes dropped EXE
67. C:\Windows\SysWOW64\Qmicohqm.exe (PID 2100), command line: C:\Windows\system32\Qmicohqm.exe
  - Modifies registry class
68. C:\Windows\SysWOW64\Qcbllb32.exe (PID 2688), command line: C:\Windows\system32\Qcbllb32.exe
69. C:\Windows\SysWOW64\Qfahhm32.exe (PID 2732), command line: C:\Windows\system32\Qfahhm32.exe
70. C:\Windows\SysWOW64\Apimacnn.exe (PID 2716), command line: C:\Windows\system32\Apimacnn.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
71. C:\Windows\SysWOW64\Aefeijle.exe (PID 2480), command line: C:\Windows\system32\Aefeijle.exe
  - Drops file in System32 directory
72. C:\Windows\SysWOW64\Aplifb32.exe (PID 2936), command line: C:\Windows\system32\Aplifb32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Aamfnkai.exe (PID 1704), command line: C:\Windows\system32\Aamfnkai.exe
74. C:\Windows\SysWOW64\Ahgnke32.exe (PID 2952), command line: C:\Windows\system32\Ahgnke32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
75. C:\Windows\SysWOW64\Ajejgp32.exe (PID 1180), command line: C:\Windows\system32\Ajejgp32.exe
76. C:\Windows\SysWOW64\Aaobdjof.exe (PID 1948), command line: C:\Windows\system32\Aaobdjof.exe
  - Drops file in System32 directory
77. C:\Windows\SysWOW64\Adnopfoj.exe (PID 2068), command line: C:\Windows\system32\Adnopfoj.exe
78. C:\Windows\SysWOW64\Ajhgmpfg.exe (PID 1080), command line: C:\Windows\system32\Ajhgmpfg.exe
  - Drops file in System32 directory
79. C:\Windows\SysWOW64\Amfcikek.exe (PID 2008), command line: C:\Windows\system32\Amfcikek.exe
80. C:\Windows\SysWOW64\Adpkee32.exe (PID 1604), command line: C:\Windows\system32\Adpkee32.exe
81. C:\Windows\SysWOW64\Afohaa32.exe (PID 3032), command line: C:\Windows\system32\Afohaa32.exe
82. C:\Windows\SysWOW64\Amhpnkch.exe (PID 344), command line: C:\Windows\system32\Amhpnkch.exe
83. C:\Windows\SysWOW64\Aadloj32.exe (PID 2384), command line: C:\Windows\system32\Aadloj32.exe
84. C:\Windows\SysWOW64\Bhndldcn.exe (PID 2652), command line: C:\Windows\system32\Bhndldcn.exe
  - Modifies registry class
85. C:\Windows\SysWOW64\Bjlqhoba.exe (PID 2500), command line: C:\Windows\system32\Bjlqhoba.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Bmkmdk32.exe (PID 2720), command line: C:\Windows\system32\Bmkmdk32.exe
87. C:\Windows\SysWOW64\Bdeeqehb.exe (PID 3052), command line: C:\Windows\system32\Bdeeqehb.exe
  - Modifies registry class
88. C:\Windows\SysWOW64\Bfcampgf.exe (PID 1236), command line: C:\Windows\system32\Bfcampgf.exe
89. C:\Windows\SysWOW64\Biamilfj.exe (PID 2712), command line: C:\Windows\system32\Biamilfj.exe
90. C:\Windows\SysWOW64\Bmmiij32.exe (PID 2584), command line: C:\Windows\system32\Bmmiij32.exe
  - Modifies registry class
91. C:\Windows\SysWOW64\Bpleef32.exe (PID 1092), command line: C:\Windows\system32\Bpleef32.exe
92. C:\Windows\SysWOW64\Bfenbpec.exe (PID 444), command line: C:\Windows\system32\Bfenbpec.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
93. C:\Windows\SysWOW64\Bidjnkdg.exe (PID 1732), command line: C:\Windows\system32\Bidjnkdg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Bpnbkeld.exe (PID 3028), command line: C:\Windows\system32\Bpnbkeld.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Bblogakg.exe (PID 564), command line: C:\Windows\system32\Bblogakg.exe
96. C:\Windows\SysWOW64\Bifgdk32.exe (PID 980), command line: C:\Windows\system32\Bifgdk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Bldcpf32.exe (PID 296), command line: C:\Windows\system32\Bldcpf32.exe
98. C:\Windows\SysWOW64\Bbokmqie.exe (PID 480), command line: C:\Windows\system32\Bbokmqie.exe
99. C:\Windows\SysWOW64\Bemgilhh.exe (PID 2544), command line: C:\Windows\system32\Bemgilhh.exe
  - Modifies registry class
100. C:\Windows\SysWOW64\Bhkdeggl.exe (PID 2840), command line: C:\Windows\system32\Bhkdeggl.exe
  - Modifies registry class
101. C:\Windows\SysWOW64\Coelaaoi.exe (PID 896), command line: C:\Windows\system32\Coelaaoi.exe
102. C:\Windows\SysWOW64\Ceodnl32.exe (PID 2104), command line: C:\Windows\system32\Ceodnl32.exe
  - Modifies registry class
103. C:\Windows\SysWOW64\Chnqkg32.exe (PID 1560), command line: C:\Windows\system32\Chnqkg32.exe
  - Modifies registry class
104. C:\Windows\SysWOW64\Cohigamf.exe (PID 1084), command line: C:\Windows\system32\Cohigamf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
105. C:\Windows\SysWOW64\Ceaadk32.exe (PID 1716), command line: C:\Windows\system32\Ceaadk32.exe
106. C:\Windows\SysWOW64\Cgcmlcja.exe (PID 1580), command line: C:\Windows\system32\Cgcmlcja.exe
107. C:\Windows\SysWOW64\Cnmehnan.exe (PID 1788), command line: C:\Windows\system32\Cnmehnan.exe
  - Modifies registry class
108. C:\Windows\SysWOW64\Cdgneh32.exe (PID 2108), command line: C:\Windows\system32\Cdgneh32.exe
109. C:\Windows\SysWOW64\Ckafbbph.exe (PID 2960), command line: C:\Windows\system32\Ckafbbph.exe
110. C:\Windows\SysWOW64\Caknol32.exe (PID 2128), command line: C:\Windows\system32\Caknol32.exe
111. C:\Windows\SysWOW64\Cghggc32.exe (PID 1888), command line: C:\Windows\system32\Cghggc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
112. C:\Windows\SysWOW64\Cnaocmmi.exe (PID 1740), command line: C:\Windows\system32\Cnaocmmi.exe
113. C:\Windows\SysWOW64\Cdlgpgef.exe (PID 2276), command line: C:\Windows\system32\Cdlgpgef.exe
114. C:\Windows\SysWOW64\Dgjclbdi.exe (PID 2924), command line: C:\Windows\system32\Dgjclbdi.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
115. C:\Windows\SysWOW64\Dndlim32.exe (PID 2352), command line: C:\Windows\system32\Dndlim32.exe
116. C:\Windows\SysWOW64\Doehqead.exe (PID 552), command line: C:\Windows\system32\Doehqead.exe
  - Modifies registry class
117. C:\Windows\SysWOW64\Dhnmij32.exe (PID 1548), command line: C:\Windows\system32\Dhnmij32.exe
118. C:\Windows\SysWOW64\Dccagcgk.exe (PID 2624), command line: C:\Windows\system32\Dccagcgk.exe
119. C:\Windows\SysWOW64\Dhpiojfb.exe (PID 2464), command line: C:\Windows\system32\Dhpiojfb.exe
120. C:\Windows\SysWOW64\Dbhnhp32.exe (PID 1768), command line: C:\Windows\system32\Dbhnhp32.exe
121. C:\Windows\SysWOW64\Dnoomqbg.exe (PID 1568), command line: C:\Windows\system32\Dnoomqbg.exe
122. C:\Windows\SysWOW64\Dggcffhg.exe (PID 1772), command line: C:\Windows\system32\Dggcffhg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
123. C:\Windows\SysWOW64\Ebmgcohn.exe (PID 3056), command line: C:\Windows\system32\Ebmgcohn.exe
124. C:\Windows\SysWOW64\Egjpkffe.exe (PID 2452), command line: C:\Windows\system32\Egjpkffe.exe
  - Drops file in System32 directory
125. C:\Windows\SysWOW64\Ebodiofk.exe (PID 2620), command line: C:\Windows\system32\Ebodiofk.exe
  - Modifies registry class
126. C:\Windows\SysWOW64\Egllae32.exe (PID 2808), command line: C:\Windows\system32\Egllae32.exe
127. C:\Windows\SysWOW64\Emieil32.exe (PID 3048), command line: C:\Windows\system32\Emieil32.exe
128. C:\Windows\SysWOW64\Egoife32.exe (PID 1856), command line: C:\Windows\system32\Egoife32.exe
129. C:\Windows\SysWOW64\Emkaol32.exe (PID 2324), command line: C:\Windows\system32\Emkaol32.exe
130. C:\Windows\SysWOW64\Egafleqm.exe (PID 2852), command line: C:\Windows\system32\Egafleqm.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
131. C:\Windows\SysWOW64\Eqijej32.exe (PID 3040), command line: C:\Windows\system32\Eqijej32.exe
132. C:\Windows\SysWOW64\Fjaonpnn.exe (PID 788), command line: C:\Windows\system32\Fjaonpnn.exe
  - Drops file in System32 directory
133. C:\Windows\SysWOW64\Fpngfgle.exe (PID 1728), command line: C:\Windows\system32\Fpngfgle.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
134. C:\Windows\SysWOW64\Fekpnn32.exe (PID 2360), command line: C:\Windows\system32\Fekpnn32.exe
135. C:\Windows\SysWOW64\Fpqdkf32.exe (PID 2364), command line: C:\Windows\system32\Fpqdkf32.exe
136. C:\Windows\SysWOW64\Fenmdm32.exe (PID 1304), command line: C:\Windows\system32\Fenmdm32.exe
137. C:\Windows\SysWOW64\Flgeqgog.exe (PID 2752), command line: C:\Windows\system32\Flgeqgog.exe
138. C:\Windows\SysWOW64\Fadminnn.exe (PID 1880), command line: C:\Windows\system32\Fadminnn.exe
139. C:\Windows\SysWOW64\Fljafg32.exe (PID 1748), command line: C:\Windows\system32\Fljafg32.exe
  - Drops file in System32 directory
140. C:\Windows\SysWOW64\Fagjnn32.exe (PID 2700), command line: C:\Windows\system32\Fagjnn32.exe
141. C:\Windows\SysWOW64\Fjongcbl.exe (PID 1240), command line: C:\Windows\system32\Fjongcbl.exe
142. C:\Windows\SysWOW64\Gdgcpi32.exe (PID 2932), command line: C:\Windows\system32\Gdgcpi32.exe
143. C:\Windows\SysWOW64\Gnmgmbhb.exe (PID 2208), command line: C:\Windows\system32\Gnmgmbhb.exe
144. C:\Windows\SysWOW64\Gpncej32.exe (PID 316), command line: C:\Windows\system32\Gpncej32.exe
145. C:\Windows\SysWOW64\Ghelfg32.exe (PID 2836), command line: C:\Windows\system32\Ghelfg32.exe
146. C:\Windows\SysWOW64\Gifhnpea.exe (PID 292), command line: C:\Windows\system32\Gifhnpea.exe
  - Drops file in System32 directory
147. C:\Windows\SysWOW64\Gpqpjj32.exe (PID 1308), command line: C:\Windows\system32\Gpqpjj32.exe
  - Drops file in System32 directory
148. C:\Windows\SysWOW64\Gfjhgdck.exe (PID 1860), command line: C:\Windows\system32\Gfjhgdck.exe
  - Modifies registry class
149. C:\Windows\SysWOW64\Gmdadnkh.exe (PID 2316), command line: C:\Windows\system32\Gmdadnkh.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
150. C:\Windows\SysWOW64\Gdniqh32.exe (PID 2920), command line: C:\Windows\system32\Gdniqh32.exe
  - Modifies registry class
151. C:\Windows\SysWOW64\Gepehphc.exe (PID 2580), command line: C:\Windows\system32\Gepehphc.exe
152. C:\Windows\SysWOW64\Gljnej32.exe (PID 1708), command line: C:\Windows\system32\Gljnej32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
153. C:\Windows\SysWOW64\Gbcfadgl.exe (PID 2404), command line: C:\Windows\system32\Gbcfadgl.exe
154. C:\Windows\SysWOW64\Ginnnooi.exe (PID 3068), command line: C:\Windows\system32\Ginnnooi.exe
155. C:\Windows\SysWOW64\Hpgfki32.exe (PID 1620), command line: C:\Windows\system32\Hpgfki32.exe
  - Modifies registry class
156. C:\Windows\SysWOW64\Hbfbgd32.exe (PID 2488), command line: C:\Windows\system32\Hbfbgd32.exe
157. C:\Windows\SysWOW64\Hipkdnmf.exe (PID 2724), command line: C:\Windows\system32\Hipkdnmf.exe
  - Modifies registry class
158. C:\Windows\SysWOW64\Hkaglf32.exe (PID 2588), command line: C:\Windows\system32\Hkaglf32.exe
159. C:\Windows\SysWOW64\Hakphqja.exe (PID 2680), command line: C:\Windows\system32\Hakphqja.exe
160. C:\Windows\SysWOW64\Hdildlie.exe (PID 1028), command line: C:\Windows\system32\Hdildlie.exe
161. C:\Windows\SysWOW64\Hoopae32.exe (PID 2884), command line: C:\Windows\system32\Hoopae32.exe
162. C:\Windows\SysWOW64\Hanlnp32.exe (PID 2528), command line: C:\Windows\system32\Hanlnp32.exe
163. C:\Windows\SysWOW64\Hhgdkjol.exe (PID 1616), command line: C:\Windows\system32\Hhgdkjol.exe
  - Drops file in System32 directory
164. C:\Windows\SysWOW64\Hkfagfop.exe (PID 2288), command line: C:\Windows\system32\Hkfagfop.exe
165. C:\Windows\SysWOW64\Hapicp32.exe (PID 1268), command line: C:\Windows\system32\Hapicp32.exe
166. C:\Windows\SysWOW64\Hgmalg32.exe (PID 836), command line: C:\Windows\system32\Hgmalg32.exe
167. C:\Windows\SysWOW64\Hiknhbcg.exe (PID 2080), command line: C:\Windows\system32\Hiknhbcg.exe
  - Drops file in System32 directory
168. C:\Windows\SysWOW64\Hpefdl32.exe (PID 2888), command line: C:\Windows\system32\Hpefdl32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
169. C:\Windows\SysWOW64\Igonafba.exe (PID 880), command line: C:\Windows\system32\Igonafba.exe
170. C:\Windows\SysWOW64\Inifnq32.exe (PID 1352), command line: C:\Windows\system32\Inifnq32.exe
171. C:\Windows\SysWOW64\Idcokkak.exe (PID 3104), command line: C:\Windows\system32\Idcokkak.exe
172. C:\Windows\SysWOW64\Igakgfpn.exe (PID 3144), command line: C:\Windows\system32\Igakgfpn.exe
  - Drops file in System32 directory
173. C:\Windows\SysWOW64\Iedkbc32.exe (PID 3184), command line: C:\Windows\system32\Iedkbc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
174. C:\Windows\SysWOW64\Ilncom32.exe (PID 3224), command line: C:\Windows\system32\Ilncom32.exe
  - Drops file in System32 directory
175. C:\Windows\SysWOW64\Iompkh32.exe (PID 3264), command line: C:\Windows\system32\Iompkh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
176. C:\Windows\SysWOW64\Igchlf32.exe (PID 3304), command line: C:\Windows\system32\Igchlf32.exe
  - Drops file in System32 directory
177. C:\Windows\SysWOW64\Ijbdha32.exe (PID 3344), command line: C:\Windows\system32\Ijbdha32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
178. C:\Windows\SysWOW64\Ilqpdm32.exe (PID 3384), command line: C:\Windows\system32\Ilqpdm32.exe
179. C:\Windows\SysWOW64\Icjhagdp.exe (PID 3424), command line: C:\Windows\system32\Icjhagdp.exe
180. C:\Windows\SysWOW64\Ijdqna32.exe (PID 3464), command line: C:\Windows\system32\Ijdqna32.exe
  - Modifies registry class
181. C:\Windows\SysWOW64\Ilcmjl32.exe (PID 3504), command line: C:\Windows\system32\Ilcmjl32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
182. C:\Windows\SysWOW64\Ioaifhid.exe (PID 3544), command line: C:\Windows\system32\Ioaifhid.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
183. C:\Windows\SysWOW64\Iapebchh.exe (PID 3584), command line: C:\Windows\system32\Iapebchh.exe
184. C:\Windows\SysWOW64\Ihjnom32.exe (PID 3624), command line: C:\Windows\system32\Ihjnom32.exe
  - Drops file in System32 directory
185. C:\Windows\SysWOW64\Ikhjki32.exe (PID 3664), command line: C:\Windows\system32\Ikhjki32.exe
  - Drops file in System32 directory
186. C:\Windows\SysWOW64\Jnffgd32.exe (PID 3704), command line: C:\Windows\system32\Jnffgd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
187. C:\Windows\SysWOW64\Jdpndnei.exe (PID 3744), command line: C:\Windows\system32\Jdpndnei.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
188. C:\Windows\SysWOW64\Jgojpjem.exe (PID 3784), command line: C:\Windows\system32\Jgojpjem.exe
189. C:\Windows\SysWOW64\Jofbag32.exe (PID 3824), command line: C:\Windows\system32\Jofbag32.exe
190. C:\Windows\SysWOW64\Jqgoiokm.exe (PID 3864), command line: C:\Windows\system32\Jqgoiokm.exe
191. C:\Windows\SysWOW64\Jgagfi32.exe (PID 3908), command line: C:\Windows\system32\Jgagfi32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
192. C:\Windows\SysWOW64\Jjpcbe32.exe (PID 3948), command line: C:\Windows\system32\Jjpcbe32.exe
193. C:\Windows\SysWOW64\Jnkpbcjg.exe (PID 3988), command line: C:\Windows\system32\Jnkpbcjg.exe
194. C:\Windows\SysWOW64\Jqilooij.exe (PID 4028), command line: C:\Windows\system32\Jqilooij.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
195. C:\Windows\SysWOW64\Jchhkjhn.exe (PID 4068), command line: C:\Windows\system32\Jchhkjhn.exe
196. C:\Windows\SysWOW64\Jkoplhip.exe (PID 1744), command line: C:\Windows\system32\Jkoplhip.exe
197. C:\Windows\SysWOW64\Jnmlhchd.exe (PID 1624), command line: C:\Windows\system32\Jnmlhchd.exe
198. C:\Windows\SysWOW64\Jqlhdo32.exe (PID 2540), command line: C:\Windows\system32\Jqlhdo32.exe
199. C:\Windows\SysWOW64\Jcjdpj32.exe (PID 3084), command line: C:\Windows\system32\Jcjdpj32.exe
200. C:\Windows\SysWOW64\Jfiale32.exe (PID 3136), command line: C:\Windows\system32\Jfiale32.exe
  - Modifies registry class
201. C:\Windows\SysWOW64\Jjdmmdnh.exe (PID 3172), command line: C:\Windows\system32\Jjdmmdnh.exe
202. C:\Windows\SysWOW64\Jmbiipml.exe (PID 3232), command line: C:\Windows\system32\Jmbiipml.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
203. C:\Windows\SysWOW64\Joaeeklp.exe (PID 3292), command line: C:\Windows\system32\Joaeeklp.exe
  - Modifies registry class
204. C:\Windows\SysWOW64\Jghmfhmb.exe (PID 3352), command line: C:\Windows\system32\Jghmfhmb.exe
205. C:\Windows\SysWOW64\Kjfjbdle.exe (PID 3400), command line: C:\Windows\system32\Kjfjbdle.exe
206. C:\Windows\SysWOW64\Kiijnq32.exe (PID 3448), command line: C:\Windows\system32\Kiijnq32.exe
  - Drops file in System32 directory
207. C:\Windows\SysWOW64\Kqqboncb.exe (PID 3520), command line: C:\Windows\system32\Kqqboncb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
208. C:\Windows\SysWOW64\Kconkibf.exe (PID 1144), command line: C:\Windows\system32\Kconkibf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
209. C:\Windows\SysWOW64\Kbbngf32.exe (PID 3576), command line: C:\Windows\system32\Kbbngf32.exe
210. C:\Windows\SysWOW64\Kjifhc32.exe (PID 3644), command line: C:\Windows\system32\Kjifhc32.exe
211. C:\Windows\SysWOW64\Kmgbdo32.exe (PID 3696), command line: C:\Windows\system32\Kmgbdo32.exe
212. C:\Windows\SysWOW64\Kkjcplpa.exe (PID 3732), command line: C:\Windows\system32\Kkjcplpa.exe
213. C:\Windows\SysWOW64\Kcakaipc.exe (PID 3804), command line: C:\Windows\system32\Kcakaipc.exe
214. C:\Windows\SysWOW64\Kfpgmdog.exe (PID 3852), command line: C:\Windows\system32\Kfpgmdog.exe
215. C:\Windows\SysWOW64\Kincipnk.exe (PID 3900), command line: C:\Windows\system32\Kincipnk.exe
216. C:\Windows\SysWOW64\Kklpekno.exe (PID 3956), command line: C:\Windows\system32\Kklpekno.exe
217. C:\Windows\SysWOW64\Knklagmb.exe (PID 4024), command line: C:\Windows\system32\Knklagmb.exe
218. C:\Windows\SysWOW64\Kfbcbd32.exe (PID 4088), command line: C:\Windows\system32\Kfbcbd32.exe
219. C:\Windows\SysWOW64\Kiqpop32.exe (PID 1504), command line: C:\Windows\system32\Kiqpop32.exe
  - Modifies registry class
220. C:\Windows\SysWOW64\Kkolkk32.exe (PID 264), command line: C:\Windows\system32\Kkolkk32.exe
221. C:\Windows\SysWOW64\Knmhgf32.exe (PID 3120), command line: C:\Windows\system32\Knmhgf32.exe
  - Modifies registry class
222. C:\Windows\SysWOW64\Kaldcb32.exe (PID 3096), command line: C:\Windows\system32\Kaldcb32.exe
  - Drops file in System32 directory
223. C:\Windows\SysWOW64\Kicmdo32.exe (PID 3168), command line: C:\Windows\system32\Kicmdo32.exe
  - Drops file in System32 directory
  - Modifies registry class
224. C:\Windows\SysWOW64\Kkaiqk32.exe (PID 3436), command line: C:\Windows\system32\Kkaiqk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
225. C:\Windows\SysWOW64\Kbkameaf.exe (PID 1328), command line: C:\Windows\system32\Kbkameaf.exe
226. C:\Windows\SysWOW64\Lclnemgd.exe (PID 3368), command line: C:\Windows\system32\Lclnemgd.exe
  - Drops file in System32 directory
227. C:\Windows\SysWOW64\Llcefjgf.exe (PID 3596), command line: C:\Windows\system32\Llcefjgf.exe
228. C:\Windows\SysWOW64\Lnbbbffj.exe (PID 3528), command line: C:\Windows\system32\Lnbbbffj.exe
229. C:\Windows\SysWOW64\Lapnnafn.exe (PID 3572), command line: C:\Windows\system32\Lapnnafn.exe
230. C:\Windows\SysWOW64\Lgjfkk32.exe (PID 3660), command line: C:\Windows\system32\Lgjfkk32.exe
  - Drops file in System32 directory
231. C:\Windows\SysWOW64\Ljibgg32.exe (PID 3760), command line: C:\Windows\system32\Ljibgg32.exe
232. C:\Windows\SysWOW64\Lmgocb32.exe (PID 2916), command line: C:\Windows\system32\Lmgocb32.exe
233. C:\Windows\SysWOW64\Lpekon32.exe (PID 3860), command line: C:\Windows\system32\Lpekon32.exe
  - Modifies registry class
234. C:\Windows\SysWOW64\Lgmcqkkh.exe (PID 3944), command line: C:\Windows\system32\Lgmcqkkh.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
235. C:\Windows\SysWOW64\Ljkomfjl.exe (PID 4004), command line: C:\Windows\system32\Ljkomfjl.exe
  - Drops file in System32 directory
236. C:\Windows\SysWOW64\Laegiq32.exe (PID 2992), command line: C:\Windows\system32\Laegiq32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
237. C:\Windows\SysWOW64\Lphhenhc.exe (PID 2164), command line: C:\Windows\system32\Lphhenhc.exe
238. C:\Windows\SysWOW64\Lbfdaigg.exe (PID 1572), command line: C:\Windows\system32\Lbfdaigg.exe
  - Modifies registry class
239. C:\Windows\SysWOW64\Ljmlbfhi.exe (PID 3092), command line: C:\Windows\system32\Ljmlbfhi.exe
240. C:\Windows\SysWOW64\Lmlhnagm.exe (PID 3212), command line: C:\Windows\system32\Lmlhnagm.exe
241. C:\Windows\SysWOW64\Lpjdjmfp.exe (PID 3284), command line: C:\Windows\system32\Lpjdjmfp.exe
242. C:\Windows\SysWOW64\Lbiqfied.exe (PID 3364), command line: C:\Windows\system32\Lbiqfied.exe
  - Drops file in System32 directory