Analysis
- max time kernel: 120s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 01:55
Behavioral task behavioral1
- Sample: 2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe
- Resource: win7-20240221-en

Behavioral task behavioral2
- Sample: 2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe
- Size: 378KB
- MD5: 2071cafe260f2e117da11c9719029a40
- SHA1: 840bb6cc8b85c5e51de20d6d43d24dd0f7a04c38
- SHA256: 498443d8c59f1c6dca1f636703d118624b950c0c35ad3d8dd40b0ea7e4f3ac68
- SHA512: 2b48aa0a2231125660bf756c5c74b6e100909fa1905ee892be13a4b9f8aac732aef6184c58fa07ff409d494c1b8e838ff7a114c4c9cbd62915eaae1e5d43e39f
- SSDEEP: 6144:J9Q0si5VOOJt30bRV1prtMsQBma/atn9pG4l+0K76zHTgb8ecFeK8TJ4u392vVAu:JLsi5VOOJt30bRBRMsEat9pG4l+0K7WB
Malware Config
Signatures
-
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid   pid_target   process        target process
  2000  2220         WerFault.exe   Lepaccmo.exe
- Modifies registry class (64 IoCs)
Processes:
Jofejpmc.exeLjnnko32.exeBcpgdhpp.exeJpigma32.exeBdhleh32.exeAkqpom32.exeEoajel32.exeFbdlkj32.exeIliebpfc.exeKjokokha.exeEbklic32.exeOoclji32.exeDojddmec.exeBoidnh32.exeDcdkef32.exeNallalep.exeAgeompfe.exeDfhdnn32.exeAggiigmn.exeCpmjhk32.exeIdicbbpi.exeLnjcomcf.exePadeldeo.exeFcjeon32.exeImnbbi32.exeHidcef32.exeCocphf32.exeHjgehgnh.exeOijjka32.exeElkmmodo.exeEaheeecg.exeGdcjpncm.exeIjphofem.exeMdmkoepk.exePehcij32.exeBcgdom32.exeCpcnonob.exeKnbhlkkc.exeAognbnkm.exeGcgqgd32.exeApppkekc.exeGlpepj32.exeKgcnahoo.exeKncaojfb.exePohhna32.exeBkegah32.exeMokilo32.exeMpdqdkie.exeJpbalb32.exeLnhgim32.exeDahifbpk.exeEkfpmf32.exeLohjnf32.exeMeoell32.exeDemofaol.exePpnnai32.exeNknimnap.exeLjghjpfe.exeLkfddc32.exeNmnclmoj.exeCjlheehe.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofejpmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnnko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcpgdhpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpigma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgmpo32.dll" Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akqpom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoajel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbdlkj32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iliebpfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okqcnknc.dll" Ebklic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elemhgkf.dll" Dojddmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boidnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepiko32.dll" Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkcoogp.dll" Nallalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqgaapqd.dll" Ageompfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfhdnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aggiigmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmjhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Pbjdnlob.dll" Idicbbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefejmjq.dll" Padeldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hidcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkbjj32.dll" Hjgehgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcohnaep.dll" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffhlolm.dll" Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofphfof.dll" Eaheeecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fameoj32.dll" Gdcjpncm.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcjpncm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijphofem.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchdgl32.dll" Mdmkoepk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pehcij32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcgdom32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpcnonob.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbbglbj.dll" Knbhlkkc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aognbnkm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcgqgd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apppkekc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glpepj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgcnahoo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kncaojfb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pohhna32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" Bkegah32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mokilo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpdqdkie.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbalb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojcqog32.dll" Lnhgim32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahifbpk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekfpmf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lomlhpoi.dll" Lohjnf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llpenogi.dll" Meoell32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Demofaol.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahlae32.dll" Jpigma32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pohhna32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll" Ppnnai32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekkhdgo.dll" Nknimnap.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpojd32.dll" Ljghjpfe.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkfddc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alenfc32.dll" Nmnclmoj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlheehe.exe
-
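The registry rows above describe a single persistence mechanism spread across many of the dropped executables: the sample adds a value under Explorer's ShellServiceObjectDelayLoad key whose data is a CLSID (the "Web Event Logger" value name is cosmetic), and points that CLSID's InProcServer32 default value at a freshly dropped DLL in SysWow64, so Explorer loads the DLL in-process at every logon. The Python below is an added example, not code from the sandbox or from the analysed sample. It parses rows in the layout the report uses ("<op> <key path>[ = "<value>"] <writing process>", with backslashes inside quoted values doubled; both are assumptions about how the report renders IoCs) and correlates them into one finding. The six sample rows are copied from this report.

```python
"""Correlate the report's registry IoCs into one ShellServiceObjectDelayLoad
(SSODL) persistence finding.

Added example, not code from the sandbox or the analysed sample. It assumes the
row layout the report uses for each IoC:

    <op> <key path>[ = "<value>"] <writing process>

with op either "Set value (str)" or "Key created", and backslashes inside
quoted values doubled, as they are in the report.
"""
import re
from collections import defaultdict

# Constructed sample: six of the report's own rows (Windows 7 x64, so the
# 32-bit sample lands under Wow6432Node). A default value written under
# CLSID\{...}\InProcServer32 is the DLL that COM loads for that CLSID.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmojkc32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepcelel.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchdgl32.dll" Mdmkoepk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcjpncm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijphofem.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbbglbj.dll" Knbhlkkc.exe
"""

ROW_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'          # key path, may contain spaces ("Web Event Logger")
    r'(?: = "(?P<value>[^"]*)")?'          # present only on "Set value" rows
    r' (?P<proc>\S+\.exe)$'
)
# Value directly under SSODL: the value name is cosmetic, the data is a CLSID.
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$', re.IGNORECASE)
# Trailing backslash = the key's default value, i.e. the COM server DLL path.
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})\\InProcServer32\\$', re.IGNORECASE)


def parse_rows(text):
    """Split the report's flat rows into dicts; raise on anything unrecognised
    rather than silently dropping an IoC."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        value = m["value"]
        if value is not None:
            value = value.replace("\\\\", "\\")   # undo the report's escaping
        events.append({"op": m["op"], "path": m["path"], "value": value, "proc": m["proc"]})
    return events


def find_ssodl_hijacks(text):
    """Map each CLSID that is both named under SSODL and given an InProcServer32
    DLL to the SSODL value names, the DLL paths, and the processes that wrote
    them. Explorer loads every SSODL CLSID at logon, so this pairing is a
    persistence mechanism whatever the value name says."""
    ssodl = defaultdict(lambda: {"names": set(), "registered_by": set()})
    servers = defaultdict(lambda: defaultdict(set))   # clsid -> dll -> writers
    for e in parse_rows(text):
        if e["op"] != "Set value (str)":
            continue                                   # "Key created" carries no data
        m = SSODL_RE.search(e["path"])
        if m:
            clsid = e["value"].upper()
            ssodl[clsid]["names"].add(m["name"])
            ssodl[clsid]["registered_by"].add(e["proc"])
            continue
        m = INPROC_RE.search(e["path"])
        if m:
            servers[m["clsid"].upper()][e["value"]].add(e["proc"])
    return {
        clsid: {**info, "dlls": dict(servers[clsid])}
        for clsid, info in ssodl.items()
        if clsid in servers
    }


def render(findings):
    """Analyst-readable lines, one header per CLSID and one line per DLL."""
    lines = []
    for clsid, f in findings.items():
        names = ", ".join(sorted(f["names"]))
        by = ", ".join(sorted(f["registered_by"]))
        lines.append(f'SSODL "{names}" -> {clsid} (set by {by})')
        for dll, writers in sorted(f["dlls"].items()):
            lines.append(f"  InProcServer32 -> {dll} (written by {', '.join(sorted(writers))})")
    return lines


if __name__ == "__main__":
    print("\n".join(render(find_ssodl_hijacks(SAMPLE_ROWS))))
```

Run against the full IoC list, the same CLSID resolves to a different SysWow64 DLL for each writing process, which is why the "Modifies registry class" count is so high: every generation of the chain re-points the one CLSID at its own freshly dropped DLL, and the last writer wins at the next logon.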
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe, Gmjcblbb.exe, Hjqqap32.exe, Hfjnla32.exe, Iogoec32.exe, Idknoi32.exe, Jnfomn32.exe, Kopokehd.exe, Kbaglpee.exe, Kmobhmnn.exe, Lfjcfb32.exe, Lklejh32.exe, Makjho32.exe, Mpdqdkie.exe, Mfaefd32.exe, Noacef32.exe
description pid process target process
PID 2660 wrote to memory of 2052 2660 2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe Gmjcblbb.exe
PID 2660 wrote to memory of 2052 2660 2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe Gmjcblbb.exe
PID 2660 wrote to memory of 2052 2660 2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe Gmjcblbb.exe
PID 2660 wrote to memory of 2052 2660 2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe Gmjcblbb.exe
PID 2052 wrote to memory of 2688 2052 Gmjcblbb.exe Hjqqap32.exe
PID 2052 wrote to memory of 2688 2052 Gmjcblbb.exe Hjqqap32.exe
PID 2052 wrote to memory of 2688 2052 Gmjcblbb.exe Hjqqap32.exe
PID 2052 wrote to memory of 2688 2052 Gmjcblbb.exe Hjqqap32.exe
PID 2688 wrote to memory of 2528 2688 Hjqqap32.exe Hfjnla32.exe
PID 2688 wrote to memory of 2528 2688 Hjqqap32.exe Hfjnla32.exe
PID 2688 wrote to memory of 2528 2688 Hjqqap32.exe Hfjnla32.exe
PID 2688 wrote to memory of 2528 2688 Hjqqap32.exe Hfjnla32.exe
PID 2528 wrote to memory of 2580 2528 Hfjnla32.exe Iogoec32.exe
PID 2528 wrote to memory of 2580 2528 Hfjnla32.exe Iogoec32.exe
PID 2528 wrote to memory of 2580 2528 Hfjnla32.exe Iogoec32.exe
PID 2528 wrote to memory of 2580 2528 Hfjnla32.exe Iogoec32.exe
PID 2580 wrote to memory of 2476 2580 Iogoec32.exe Idknoi32.exe
PID 2580 wrote to memory of 2476 2580 Iogoec32.exe Idknoi32.exe
PID 2580 wrote to memory of 2476 2580 Iogoec32.exe Idknoi32.exe
PID 2580 wrote to memory of 2476 2580 Iogoec32.exe Idknoi32.exe
PID 2476 wrote to memory of 636 2476 Idknoi32.exe Jnfomn32.exe
PID 2476 wrote to memory of 636 2476 Idknoi32.exe Jnfomn32.exe
PID 2476 wrote to memory of 636 2476 Idknoi32.exe Jnfomn32.exe
PID 2476 wrote to memory of 636 2476 Idknoi32.exe Jnfomn32.exe
PID 636 wrote to memory of 596 636 Jnfomn32.exe Kopokehd.exe
PID 636 wrote to memory of 596 636 Jnfomn32.exe Kopokehd.exe
PID 636 wrote to memory of 596 636 Jnfomn32.exe Kopokehd.exe
PID 636 wrote to memory of 596 636 Jnfomn32.exe Kopokehd.exe
PID 596 wrote to memory of 1416 596 Kopokehd.exe Kbaglpee.exe
PID 596 wrote to memory of 1416 596 Kopokehd.exe Kbaglpee.exe
PID 596 wrote to memory of 1416 596 Kopokehd.exe Kbaglpee.exe
PID 596 wrote to memory of 1416 596 Kopokehd.exe Kbaglpee.exe
PID 1416 wrote to memory of 2720 1416 Kbaglpee.exe Kmobhmnn.exe
PID 1416 wrote to memory of 2720 1416 Kbaglpee.exe Kmobhmnn.exe
PID 1416 wrote to memory of 2720 1416 Kbaglpee.exe Kmobhmnn.exe
PID 1416 wrote to memory of 2720 1416 Kbaglpee.exe Kmobhmnn.exe
PID 2720 wrote to memory of 2304 2720 Kmobhmnn.exe Lfjcfb32.exe
PID 2720 wrote to memory of 2304 2720 Kmobhmnn.exe Lfjcfb32.exe
PID 2720 wrote to memory of 2304 2720 Kmobhmnn.exe Lfjcfb32.exe
PID 2720 wrote to memory of 2304 2720 Kmobhmnn.exe Lfjcfb32.exe
PID 2304 wrote to memory of 2012 2304 Lfjcfb32.exe Lklejh32.exe
PID 2304 wrote to memory of 2012 2304 Lfjcfb32.exe Lklejh32.exe
PID 2304 wrote to memory of 2012 2304 Lfjcfb32.exe Lklejh32.exe
PID 2304 wrote to memory of 2012 2304 Lfjcfb32.exe Lklejh32.exe
PID 2012 wrote to memory of 1920 2012 Lklejh32.exe Makjho32.exe
PID 2012 wrote to memory of 1920 2012 Lklejh32.exe Makjho32.exe
PID 2012 wrote to memory of 1920 2012 Lklejh32.exe Makjho32.exe
PID 2012 wrote to memory of 1920 2012 Lklejh32.exe Makjho32.exe
PID 1920 wrote to memory of 2472 1920 Makjho32.exe Mpdqdkie.exe
PID 1920 wrote to memory of 2472 1920 Makjho32.exe Mpdqdkie.exe
PID 1920 wrote to memory of 2472 1920 Makjho32.exe Mpdqdkie.exe
PID 1920 wrote to memory of 2472 1920 Makjho32.exe Mpdqdkie.exe
PID 2472 wrote to memory of 1104 2472 Mpdqdkie.exe Mfaefd32.exe
PID 2472 wrote to memory of 1104 2472 Mpdqdkie.exe Mfaefd32.exe
PID 2472 wrote to memory of 1104 2472 Mpdqdkie.exe Mfaefd32.exe
PID 2472 wrote to memory of 1104 2472 Mpdqdkie.exe Mfaefd32.exe
PID 1104 wrote to memory of 2088 1104 Mfaefd32.exe Noacef32.exe
PID 1104 wrote to memory of 2088 1104 Mfaefd32.exe Noacef32.exe
PID 1104 wrote to memory of 2088 1104 Mfaefd32.exe Noacef32.exe
PID 1104 wrote to memory of 2088 1104 Mfaefd32.exe Noacef32.exe
PID 2088 wrote to memory of 2784 2088 Noacef32.exe Npgihn32.exe
PID 2088 wrote to memory of 2784 2088 Noacef32.exe Npgihn32.exe
PID 2088 wrote to memory of 2784 2088 Noacef32.exe Npgihn32.exe
PID 2088 wrote to memory of 2784 2088 Noacef32.exe Npgihn32.exe
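The 64 rows above are 16 distinct parent-to-child writes, each recorded four times, and every writer targets exactly one process: the submitted sample writes into the first dropped EXE, that EXE writes into the next, and so on. The Python below is an added example, not the sandbox's own code. It de-duplicates rows in the layout used above ("PID <writer> wrote to memory of <target> <writer> <writer image> <target image>", an assumption about how the report renders them), rebuilds the chain from the one PID that never appears as a target, and rejects anything that is not strictly linear, so it doubles as a check that a later sample of the same family still behaves this way. The sample rows are the report's first four hops; the file-name heuristic is derived only from the names visible in this report.

```python
"""Rebuild the execution chain from the report's "Suspicious use of
WriteProcessMemory" IoC rows.

Added example, not code from the sandbox or the analysed sample. It assumes the
row layout the report uses:

    PID <writer> wrote to memory of <target> <writer> <writer image> <target image>
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the first four parent->child hops from the report. The
# report lists every hop four times (64 IoCs for 16 hops); that repetition is
# reproduced so the de-duplication is exercised.
_HOPS = [
    "PID 2660 wrote to memory of 2052 2660 2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe Gmjcblbb.exe",
    "PID 2052 wrote to memory of 2688 2052 Gmjcblbb.exe Hjqqap32.exe",
    "PID 2688 wrote to memory of 2528 2688 Hjqqap32.exe Hfjnla32.exe",
    "PID 2528 wrote to memory of 2580 2528 Hfjnla32.exe Iogoec32.exe",
]
SAMPLE_ROWS = "\n".join(hop for hop in _HOPS for _ in range(4))

# (?P=src) insists that the repeated pid column matches the writer pid.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<proc>\S+) (?P<target>\S+)$"
)


def parse_edges(text):
    """Return (edges, counts): distinct (src_pid, dst_pid, src_image, dst_image)
    edges in first-seen order, and how often each row was recorded."""
    counts = Counter()
    edges = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        edge = (int(m["src"]), int(m["dst"]), m["proc"], m["target"])
        if edge not in counts:
            edges.append(edge)
        counts[edge] += 1
    return edges, counts


def build_chain(edges):
    """Walk writer->target edges from the one PID that is never a target.
    Returns [(pid, image), ...] root first. Raises if any process wrote into
    more than one child or the graph loops, i.e. if it is not the strictly
    linear "each dropped EXE starts the next" chain seen in this report."""
    children = defaultdict(list)
    image = {}
    targets = set()
    for src, dst, sproc, dproc in edges:
        children[src].append(dst)
        image[src], image[dst] = sproc, dproc
        targets.add(dst)
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {roots}")
    pid, chain, seen = roots[0], [], set()
    while True:
        if pid in seen:
            raise ValueError(f"cycle at PID {pid}")
        seen.add(pid)
        chain.append((pid, image[pid]))
        kids = children.get(pid, [])
        if not kids:
            return chain
        if len(kids) != 1:
            raise ValueError(f"PID {pid} wrote into {len(kids)} processes; not a linear chain")
        pid = kids[0]


# Heuristic drawn only from the names in this report: every dropped EXE is a
# capitalised pseudo-random 8-character name, optionally ending in "32".
GENERATED_NAME_RE = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")


def looks_generated(image):
    return GENERATED_NAME_RE.match(image) is not None


if __name__ == "__main__":
    edges, counts = parse_edges(SAMPLE_ROWS)
    for depth, (pid, img) in enumerate(build_chain(edges), 1):
        flag = "" if depth == 1 or looks_generated(img) else "  <- unexpected name"
        print(f"{depth:>3}  PID {pid:<5} {img}{flag}")
```

The process tree that follows lists the same chain continued to depth 242. Note that each dropped EXE's image path is under C:\Windows\SysWOW64 while its command line says C:\Windows\system32: the sample is 32-bit on x64 Windows 7, so WoW64 file-system redirection maps the system32 path it uses onto SysWOW64, and that is where the dropped files should be looked for on a real host.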
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe (PID 2660), command line: "C:\Users\Admin\AppData\Local\Temp\2071cafe260f2e117da11c9719029a40_NeikiAnalytics.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Gmjcblbb.exe (PID 2052), command line: C:\Windows\system32\Gmjcblbb.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Hjqqap32.exe (PID 2688), command line: C:\Windows\system32\Hjqqap32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Hfjnla32.exe (PID 2528), command line: C:\Windows\system32\Hfjnla32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Iogoec32.exe (PID 2580), command line: C:\Windows\system32\Iogoec32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\Idknoi32.exe (PID 2476), command line: C:\Windows\system32\Idknoi32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\Jnfomn32.exe (PID 636), command line: C:\Windows\system32\Jnfomn32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\Kopokehd.exe (PID 596), command line: C:\Windows\system32\Kopokehd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 9: C:\Windows\SysWOW64\Kbaglpee.exe (PID 1416), command line: C:\Windows\system32\Kbaglpee.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\Kmobhmnn.exe (PID 2720), command line: C:\Windows\system32\Kmobhmnn.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\Lfjcfb32.exe (PID 2304), command line: C:\Windows\system32\Lfjcfb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\Lklejh32.exe (PID 2012), command line: C:\Windows\system32\Lklejh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 13: C:\Windows\SysWOW64\Makjho32.exe (PID 1920), command line: C:\Windows\system32\Makjho32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\Mpdqdkie.exe (PID 2472), command line: C:\Windows\system32\Mpdqdkie.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 15: C:\Windows\SysWOW64\Mfaefd32.exe (PID 1104), command line: C:\Windows\system32\Mfaefd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 16: C:\Windows\SysWOW64\Noacef32.exe (PID 2088), command line: C:\Windows\system32\Noacef32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 17: C:\Windows\SysWOW64\Npgihn32.exe (PID 2784), command line: C:\Windows\system32\Npgihn32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 18: C:\Windows\SysWOW64\Olbchn32.exe (PID 2092), command line: C:\Windows\system32\Olbchn32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 19: C:\Windows\SysWOW64\Ooclji32.exe (PID 3004), command line: C:\Windows\system32\Ooclji32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
Depth 20: C:\Windows\SysWOW64\Padeldeo.exe (PID 2384), command line: C:\Windows\system32\Padeldeo.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
Depth 21: C:\Windows\SysWOW64\Pkljdj32.exe (PID 3020), command line: C:\Windows\system32\Pkljdj32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 22: C:\Windows\SysWOW64\Pkofjijm.exe (PID 2060), command line: C:\Windows\system32\Pkofjijm.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 23: C:\Windows\SysWOW64\Pdgkco32.exe (PID 1148), command line: C:\Windows\system32\Pdgkco32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 24: C:\Windows\SysWOW64\Pqnlhpfb.exe (PID 1624), command line: C:\Windows\system32\Pqnlhpfb.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 25: C:\Windows\SysWOW64\Pcnejk32.exe (PID 1700), command line: C:\Windows\system32\Pcnejk32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 26: C:\Windows\SysWOW64\Qoeeolig.exe (PID 2212), command line: C:\Windows\system32\Qoeeolig.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 27: C:\Windows\SysWOW64\Abfnpg32.exe (PID 1748), command line: C:\Windows\system32\Abfnpg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Depth 28: C:\Windows\SysWOW64\Akqpom32.exe (PID 2912), command line: C:\Windows\system32\Akqpom32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
Depth 29: C:\Windows\SysWOW64\Aggpdnpj.exe (PID 2908), command line: C:\Windows\system32\Aggpdnpj.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 30: C:\Windows\SysWOW64\Aboaff32.exe (PID 2536), command line: C:\Windows\system32\Aboaff32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 31: C:\Windows\SysWOW64\Ajjfkh32.exe (PID 2616), command line: C:\Windows\system32\Ajjfkh32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 32: C:\Windows\SysWOW64\Bjoofhgc.exe (PID 2416), command line: C:\Windows\system32\Bjoofhgc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Depth 33: C:\Windows\SysWOW64\Bcgdom32.exe (PID 2532), command line: C:\Windows\system32\Bcgdom32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 34: C:\Windows\SysWOW64\Bleeioil.exe (PID 2128), command line: C:\Windows\system32\Bleeioil.exe
- Executes dropped EXE
Depth 35: C:\Windows\SysWOW64\Cpcnonob.exe (PID 2024), command line: C:\Windows\system32\Cpcnonob.exe
- Executes dropped EXE
- Modifies registry class
Depth 36: C:\Windows\SysWOW64\Cikbhc32.exe (PID 2064), command line: C:\Windows\system32\Cikbhc32.exe
- Executes dropped EXE
Depth 37: C:\Windows\SysWOW64\Cmmhaf32.exe (PID 2712), command line: C:\Windows\system32\Cmmhaf32.exe
- Executes dropped EXE
Depth 38: C:\Windows\SysWOW64\Dpqnhadq.exe (PID 2004), command line: C:\Windows\system32\Dpqnhadq.exe
- Executes dropped EXE
Depth 39: C:\Windows\SysWOW64\Dmdnbecj.exe (PID 2256), command line: C:\Windows\system32\Dmdnbecj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 40: C:\Windows\SysWOW64\Dljkcb32.exe (PID 1272), command line: C:\Windows\system32\Dljkcb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 41: C:\Windows\SysWOW64\Dojddmec.exe (PID 1712), command line: C:\Windows\system32\Dojddmec.exe
- Executes dropped EXE
- Modifies registry class
Depth 42: C:\Windows\SysWOW64\Dkadjn32.exe (PID 2072), command line: C:\Windows\system32\Dkadjn32.exe
- Executes dropped EXE
Depth 43: C:\Windows\SysWOW64\Eoompl32.exe (PID 1632), command line: C:\Windows\system32\Eoompl32.exe
- Executes dropped EXE
Depth 44: C:\Windows\SysWOW64\Eoajel32.exe (PID 2920), command line: C:\Windows\system32\Eoajel32.exe
- Executes dropped EXE
- Modifies registry class
Depth 45: C:\Windows\SysWOW64\Ekhkjm32.exe (PID 3040), command line: C:\Windows\system32\Ekhkjm32.exe
- Executes dropped EXE
Depth 46: C:\Windows\SysWOW64\Edqocbkp.exe (PID 2756), command line: C:\Windows\system32\Edqocbkp.exe
- Executes dropped EXE
Depth 47: C:\Windows\SysWOW64\Elldgehk.exe (PID 2972), command line: C:\Windows\system32\Elldgehk.exe
- Executes dropped EXE
Depth 48: C:\Windows\SysWOW64\Efdhpjok.exe (PID 1812), command line: C:\Windows\system32\Efdhpjok.exe
- Executes dropped EXE
Depth 49: C:\Windows\SysWOW64\Fgcejm32.exe (PID 1544), command line: C:\Windows\system32\Fgcejm32.exe
- Executes dropped EXE
Depth 50: C:\Windows\SysWOW64\Flqmbd32.exe (PID 616), command line: C:\Windows\system32\Flqmbd32.exe
- Executes dropped EXE
Depth 51: C:\Windows\SysWOW64\Fcjeon32.exe (PID 1948), command line: C:\Windows\system32\Fcjeon32.exe
- Executes dropped EXE
- Modifies registry class
Depth 52: C:\Windows\SysWOW64\Fcmben32.exe (PID 1572), command line: C:\Windows\system32\Fcmben32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 53: C:\Windows\SysWOW64\Fmegncpp.exe (PID 1364), command line: C:\Windows\system32\Fmegncpp.exe
- Executes dropped EXE
Depth 54: C:\Windows\SysWOW64\Fkjdopeh.exe (PID 2632), command line: C:\Windows\system32\Fkjdopeh.exe
- Executes dropped EXE
Depth 55: C:\Windows\SysWOW64\Fbdlkj32.exe (PID 2680), command line: C:\Windows\system32\Fbdlkj32.exe
- Executes dropped EXE
- Modifies registry class
Depth 56: C:\Windows\SysWOW64\Fgadda32.exe (PID 2596), command line: C:\Windows\system32\Fgadda32.exe
- Executes dropped EXE
Depth 57: C:\Windows\SysWOW64\Gqnbhf32.exe (PID 2524), command line: C:\Windows\system32\Gqnbhf32.exe
- Executes dropped EXE
Depth 58: C:\Windows\SysWOW64\Gfmgelil.exe (PID 2852), command line: C:\Windows\system32\Gfmgelil.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 59: C:\Windows\SysWOW64\Hebdfind.exe (PID 592), command line: C:\Windows\system32\Hebdfind.exe
- Executes dropped EXE
Depth 60: C:\Windows\SysWOW64\Hnkion32.exe (PID 1956), command line: C:\Windows\system32\Hnkion32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 61: C:\Windows\SysWOW64\Hloiib32.exe (PID 2636), command line: C:\Windows\system32\Hloiib32.exe
- Executes dropped EXE
Depth 62: C:\Windows\SysWOW64\Hibjbgbh.exe (PID 2856), command line: C:\Windows\system32\Hibjbgbh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 63: C:\Windows\SysWOW64\Heikgh32.exe (PID 1908), command line: C:\Windows\system32\Heikgh32.exe
- Executes dropped EXE
Depth 64: C:\Windows\SysWOW64\Hapklimq.exe (PID 1764), command line: C:\Windows\system32\Hapklimq.exe
- Executes dropped EXE
Depth 65: C:\Windows\SysWOW64\Hfmddp32.exe (PID 1768), command line: C:\Windows\system32\Hfmddp32.exe
- Executes dropped EXE
Depth 66: C:\Windows\SysWOW64\Ipehmebh.exe (PID 3048), command line: C:\Windows\system32\Ipehmebh.exe
Depth 67: C:\Windows\SysWOW64\Iphecepe.exe (PID 2976), command line: C:\Windows\system32\Iphecepe.exe
Depth 68: C:\Windows\SysWOW64\Ilofhffj.exe (PID 3024), command line: C:\Windows\system32\Ilofhffj.exe
Depth 69: C:\Windows\SysWOW64\Imnbbi32.exe (PID 1840), command line: C:\Windows\system32\Imnbbi32.exe
- Modifies registry class
Depth 70: C:\Windows\SysWOW64\Iplnnd32.exe (PID 2236), command line: C:\Windows\system32\Iplnnd32.exe
Depth 71: C:\Windows\SysWOW64\Ipokcdjn.exe (PID 2200), command line: C:\Windows\system32\Ipokcdjn.exe
Depth 72: C:\Windows\SysWOW64\Ielclkhe.exe (PID 2220), command line: C:\Windows\system32\Ielclkhe.exe
Depth 73: C:\Windows\SysWOW64\Jodhdp32.exe (PID 2988), command line: C:\Windows\system32\Jodhdp32.exe
Depth 74: C:\Windows\SysWOW64\Jhlmmfef.exe (PID 2664), command line: C:\Windows\system32\Jhlmmfef.exe
Depth 75: C:\Windows\SysWOW64\Jofejpmc.exe (PID 2628), command line: C:\Windows\system32\Jofejpmc.exe
- Modifies registry class
Depth 76: C:\Windows\SysWOW64\Jnkakl32.exe (PID 2548), command line: C:\Windows\system32\Jnkakl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 77: C:\Windows\SysWOW64\Jkpbdq32.exe (PID 2876), command line: C:\Windows\system32\Jkpbdq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 78: C:\Windows\SysWOW64\Jplkmgol.exe (PID 528), command line: C:\Windows\system32\Jplkmgol.exe
- Drops file in System32 directory
Depth 79: C:\Windows\SysWOW64\Jpogbgmi.exe (PID 2480), command line: C:\Windows\system32\Jpogbgmi.exe
Depth 80: C:\Windows\SysWOW64\Knbhlkkc.exe (PID 2592), command line: C:\Windows\system32\Knbhlkkc.exe
- Modifies registry class
Depth 81: C:\Windows\SysWOW64\Kjihalag.exe (PID 1680), command line: C:\Windows\system32\Kjihalag.exe
Depth 82: C:\Windows\SysWOW64\Kcamjb32.exe (PID 1588), command line: C:\Windows\system32\Kcamjb32.exe
Depth 83: C:\Windows\SysWOW64\Kljabgnh.exe (PID 2000), command line: C:\Windows\system32\Kljabgnh.exe
Depth 84: C:\Windows\SysWOW64\Kfbfkmeh.exe (PID 2100), command line: C:\Windows\system32\Kfbfkmeh.exe
Depth 85: C:\Windows\SysWOW64\Kokjdb32.exe (PID 1636), command line: C:\Windows\system32\Kokjdb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 86: C:\Windows\SysWOW64\Lkakicam.exe (PID 1664), command line: C:\Windows\system32\Lkakicam.exe
Depth 87: C:\Windows\SysWOW64\Lqncaj32.exe (PID 1892), command line: C:\Windows\system32\Lqncaj32.exe
Depth 88: C:\Windows\SysWOW64\Ljghjpfe.exe (PID 1072), command line: C:\Windows\system32\Ljghjpfe.exe
- Modifies registry class
Depth 89: C:\Windows\SysWOW64\Lkfddc32.exe (PID 2132), command line: C:\Windows\system32\Lkfddc32.exe
- Modifies registry class
Depth 90: C:\Windows\SysWOW64\Lmgalkcf.exe (PID 268), command line: C:\Windows\system32\Lmgalkcf.exe
Depth 91: C:\Windows\SysWOW64\Lfpeeqig.exe (PID 2240), command line: C:\Windows\system32\Lfpeeqig.exe
Depth 92: C:\Windows\SysWOW64\Lohjnf32.exe (PID 1928), command line: C:\Windows\system32\Lohjnf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
Depth 93: C:\Windows\SysWOW64\Ljnnko32.exe (PID 1612), command line: C:\Windows\system32\Ljnnko32.exe
- Modifies registry class
Depth 94: C:\Windows\SysWOW64\Lcfbdd32.exe (PID 2520), command line: C:\Windows\system32\Lcfbdd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 95: C:\Windows\SysWOW64\Mmogmjmn.exe (PID 2584), command line: C:\Windows\system32\Mmogmjmn.exe
Depth 96: C:\Windows\SysWOW64\Mejlalji.exe (PID 2436), command line: C:\Windows\system32\Mejlalji.exe
Depth 97: C:\Windows\SysWOW64\Mpopnejo.exe (PID 1264), command line: C:\Windows\system32\Mpopnejo.exe
Depth 98: C:\Windows\SysWOW64\Mihdgkpp.exe (PID 340), command line: C:\Windows\system32\Mihdgkpp.exe
Depth 99: C:\Windows\SysWOW64\Meoell32.exe (PID 864), command line: C:\Windows\system32\Meoell32.exe
- Modifies registry class
Depth 100: C:\Windows\SysWOW64\Mjkndb32.exe (PID 2328), command line: C:\Windows\system32\Mjkndb32.exe
- Drops file in System32 directory
Depth 101: C:\Windows\SysWOW64\Mlkjne32.exe (PID 1052), command line: C:\Windows\system32\Mlkjne32.exe
Depth 102: C:\Windows\SysWOW64\Necogkbo.exe (PID 1532), command line: C:\Windows\system32\Necogkbo.exe
Depth 103: C:\Windows\SysWOW64\Nmnclmoj.exe (PID 2936), command line: C:\Windows\system32\Nmnclmoj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Depth 104: C:\Windows\SysWOW64\Nfghdcfj.exe (PID 1548), command line: C:\Windows\system32\Nfghdcfj.exe
Depth 105: C:\Windows\SysWOW64\Nallalep.exe (PID 1480), command line: C:\Windows\system32\Nallalep.exe
- Modifies registry class
Depth 106: C:\Windows\SysWOW64\Npaich32.exe (PID 2344), command line: C:\Windows\system32\Npaich32.exe
Depth 107: C:\Windows\SysWOW64\Nlhjhi32.exe (PID 2496), command line: C:\Windows\system32\Nlhjhi32.exe
Depth 108: C:\Windows\SysWOW64\Olkfmi32.exe (PID 2832), command line: C:\Windows\system32\Olkfmi32.exe
Depth 109: C:\Windows\SysWOW64\Oioggmmc.exe (PID 2564), command line: C:\Windows\system32\Oioggmmc.exe
Depth 110: C:\Windows\SysWOW64\Obgkpb32.exe (PID 2848), command line: C:\Windows\system32\Obgkpb32.exe
Depth 111: C:\Windows\SysWOW64\Oonldcih.exe (PID 1200), command line: C:\Windows\system32\Oonldcih.exe
Depth 112: C:\Windows\SysWOW64\Omcifpnp.exe (PID 2716), command line: C:\Windows\system32\Omcifpnp.exe
Depth 113: C:\Windows\SysWOW64\Odmabj32.exe (PID 3028), command line: C:\Windows\system32\Odmabj32.exe
Depth 114: C:\Windows\SysWOW64\Oijjka32.exe (PID 1804), command line: C:\Windows\system32\Oijjka32.exe
- Modifies registry class
Depth 115: C:\Windows\SysWOW64\Pljcllqe.exe (PID 2204), command line: C:\Windows\system32\Pljcllqe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 116: C:\Windows\SysWOW64\Qngopb32.exe (PID 2996), command line: C:\Windows\system32\Qngopb32.exe
Depth 117: C:\Windows\SysWOW64\Ajnpecbj.exe (PID 2904), command line: C:\Windows\system32\Ajnpecbj.exe
Depth 118: C:\Windows\SysWOW64\Adcdbl32.exe (PID 908), command line: C:\Windows\system32\Adcdbl32.exe
Depth 119: C:\Windows\SysWOW64\Aknlofim.exe (PID 2108), command line: C:\Windows\system32\Aknlofim.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 120: C:\Windows\SysWOW64\Afgmodel.exe (PID 1776), command line: C:\Windows\system32\Afgmodel.exe
Depth 121: C:\Windows\SysWOW64\Aggiigmn.exe (PID 1616), command line: C:\Windows\system32\Aggiigmn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
Depth 122: C:\Windows\SysWOW64\Aobnniji.exe (PID 2640), command line: C:\Windows\system32\Aobnniji.exe
Depth 123: C:\Windows\SysWOW64\Amfognic.exe (PID 2940), command line: C:\Windows\system32\Amfognic.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 124: C:\Windows\SysWOW64\Bcpgdhpp.exe (PID 2396), command line: C:\Windows\system32\Bcpgdhpp.exe
- Modifies registry class
Depth 125: C:\Windows\SysWOW64\Bmhkmm32.exe (PID 2708), command line: C:\Windows\system32\Bmhkmm32.exe
Depth 126: C:\Windows\SysWOW64\Bfqpecma.exe (PID 1952), command line: C:\Windows\system32\Bfqpecma.exe
Depth 127: C:\Windows\SysWOW64\Boidnh32.exe (PID 1128), command line: C:\Windows\system32\Boidnh32.exe
- Modifies registry class
Depth 128: C:\Windows\SysWOW64\Bajqfq32.exe (PID 1704), command line: C:\Windows\system32\Bajqfq32.exe
Depth 129: C:\Windows\SysWOW64\Bkpeci32.exe (PID 2492), command line: C:\Windows\system32\Bkpeci32.exe
- Drops file in System32 directory
Depth 130: C:\Windows\SysWOW64\Bbjmpcab.exe (PID 1496), command line: C:\Windows\system32\Bbjmpcab.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 131: C:\Windows\SysWOW64\Bjebdfnn.exe (PID 868), command line: C:\Windows\system32\Bjebdfnn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 132: C:\Windows\SysWOW64\Cpdgbm32.exe (PID 2208), command line: C:\Windows\system32\Cpdgbm32.exe
Depth 133: C:\Windows\SysWOW64\Cjjkpe32.exe (PID 2040), command line: C:\Windows\system32\Cjjkpe32.exe
Depth 134: C:\Windows\SysWOW64\Cjlheehe.exe (PID 2552), command line: C:\Windows\system32\Cjlheehe.exe
- Modifies registry class
Depth 135: C:\Windows\SysWOW64\Cfcijf32.exe (PID 2444), command line: C:\Windows\system32\Cfcijf32.exe
- Drops file in System32 directory
Depth 136: C:\Windows\SysWOW64\Cnnnnh32.exe (PID 2612), command line: C:\Windows\system32\Cnnnnh32.exe
- Drops file in System32 directory
Depth 137: C:\Windows\SysWOW64\Cpmjhk32.exe (PID 2948), command line: C:\Windows\system32\Cpmjhk32.exe
- Modifies registry class
Depth 138: C:\Windows\SysWOW64\Dejbqb32.exe (PID 2044), command line: C:\Windows\system32\Dejbqb32.exe
- Drops file in System32 directory
Depth 139: C:\Windows\SysWOW64\Demofaol.exe (PID 1648), command line: C:\Windows\system32\Demofaol.exe
- Modifies registry class
Depth 140: C:\Windows\SysWOW64\Dkigoimd.exe (PID 2216), command line: C:\Windows\system32\Dkigoimd.exe
Depth 141: C:\Windows\SysWOW64\Dfphcj32.exe (PID 1468), command line: C:\Windows\system32\Dfphcj32.exe
Depth 142: C:\Windows\SysWOW64\Dmjqpdje.exe (PID 1524), command line: C:\Windows\system32\Dmjqpdje.exe
Depth 143: C:\Windows\SysWOW64\Dgbeiiqe.exe (PID 2468), command line: C:\Windows\system32\Dgbeiiqe.exe
- Drops file in System32 directory
Depth 144: C:\Windows\SysWOW64\Dahifbpk.exe (PID 2424), command line: C:\Windows\system32\Dahifbpk.exe
- Modifies registry class
Depth 145: C:\Windows\SysWOW64\Dmojkc32.exe (PID 2836), command line: C:\Windows\system32\Dmojkc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 146: C:\Windows\SysWOW64\Eejopecj.exe (PID 1828), command line: C:\Windows\system32\Eejopecj.exe
Depth 147: C:\Windows\SysWOW64\Ecnoijbd.exe (PID 2588), command line: C:\Windows\system32\Ecnoijbd.exe
- Drops file in System32 directory
Depth 148: C:\Windows\SysWOW64\Eihgfd32.exe (PID 1740), command line: C:\Windows\system32\Eihgfd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 149: C:\Windows\SysWOW64\Ecploipa.exe (PID 2668), command line: C:\Windows\system32\Ecploipa.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 150: C:\Windows\SysWOW64\Ecbhdi32.exe (PID 2700), command line: C:\Windows\system32\Ecbhdi32.exe
Depth 151: C:\Windows\SysWOW64\Elkmmodo.exe (PID 2456), command line: C:\Windows\system32\Elkmmodo.exe
- Modifies registry class
Depth 152: C:\Windows\SysWOW64\Eaheeecg.exe (PID 372), command line: C:\Windows\system32\Eaheeecg.exe
- Modifies registry class
Depth 153: C:\Windows\SysWOW64\Fajbke32.exe (PID 240), command line: C:\Windows\system32\Fajbke32.exe
Depth 154: C:\Windows\SysWOW64\Fkbgckgd.exe (PID 1996), command line: C:\Windows\system32\Fkbgckgd.exe
Depth 155: C:\Windows\SysWOW64\Fdkklp32.exe (PID 2792), command line: C:\Windows\system32\Fdkklp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 156: C:\Windows\SysWOW64\Fjhcegll.exe (PID 1488), command line: C:\Windows\system32\Fjhcegll.exe
Depth 157: C:\Windows\SysWOW64\Fdmhbplb.exe (PID 1684), command line: C:\Windows\system32\Fdmhbplb.exe
Depth 158: C:\Windows\SysWOW64\Ffodjh32.exe (PID 1320), command line: C:\Windows\system32\Ffodjh32.exe
Depth 159: C:\Windows\SysWOW64\Fqdiga32.exe (PID 2736), command line: C:\Windows\system32\Fqdiga32.exe
- Drops file in System32 directory
Depth 160: C:\Windows\SysWOW64\Fgnadkic.exe (PID 2672), command line: C:\Windows\system32\Fgnadkic.exe
Depth 161: C:\Windows\SysWOW64\Fmkilb32.exe (PID 1960), command line: C:\Windows\system32\Fmkilb32.exe
Depth 162: C:\Windows\SysWOW64\Ghajacmo.exe (PID 1844), command line: C:\Windows\system32\Ghajacmo.exe
Depth 163: C:\Windows\SysWOW64\Gbjojh32.exe (PID 2952), command line: C:\Windows\system32\Gbjojh32.exe
Depth 164: C:\Windows\SysWOW64\Gfhgpg32.exe (PID 2900), command line: C:\Windows\system32\Gfhgpg32.exe
Depth 165: C:\Windows\SysWOW64\Gkephn32.exe (PID 1744), command line: C:\Windows\system32\Gkephn32.exe
Depth 166: C:\Windows\SysWOW64\Gqahqd32.exe (PID 2192), command line: C:\Windows\system32\Gqahqd32.exe
Depth 167: C:\Windows\SysWOW64\Ggkqmoma.exe (PID 1384), command line: C:\Windows\system32\Ggkqmoma.exe
Depth 168: C:\Windows\SysWOW64\Ggnmbn32.exe (PID 1088), command line: C:\Windows\system32\Ggnmbn32.exe
Depth 169: C:\Windows\SysWOW64\Hcdnhoac.exe (PID 1752), command line: C:\Windows\system32\Hcdnhoac.exe
Depth 170: C:\Windows\SysWOW64\Hpkompgg.exe (PID 1168), command line: C:\Windows\system32\Hpkompgg.exe
Depth 171: C:\Windows\SysWOW64\Hidcef32.exe (PID 2244), command line: C:\Windows\system32\Hidcef32.exe
- Modifies registry class
Depth 172: C:\Windows\SysWOW64\Hcigco32.exe (PID 2608), command line: C:\Windows\system32\Hcigco32.exe
- Drops file in System32 directory
Depth 173: C:\Windows\SysWOW64\Hpphhp32.exe (PID 1428), command line: C:\Windows\system32\Hpphhp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 174: C:\Windows\SysWOW64\Hmdhad32.exe (PID 2276), command line: C:\Windows\system32\Hmdhad32.exe
Depth 175: C:\Windows\SysWOW64\Hbaaik32.exe (PID 1092), command line: C:\Windows\system32\Hbaaik32.exe
- Drops file in System32 directory
Depth 176: C:\Windows\SysWOW64\Iliebpfc.exe (PID 2184), command line: C:\Windows\system32\Iliebpfc.exe
- Modifies registry class
Depth 177: C:\Windows\SysWOW64\Idicbbpi.exe (PID 3016), command line: C:\Windows\system32\Idicbbpi.exe
- Drops file in System32 directory
- Modifies registry class
Depth 178: C:\Windows\SysWOW64\Jpbalb32.exe (PID 488), command line: C:\Windows\system32\Jpbalb32.exe
- Modifies registry class
Depth 179: C:\Windows\SysWOW64\Jmfafgbd.exe (PID 1600), command line: C:\Windows\system32\Jmfafgbd.exe
Depth 180: C:\Windows\SysWOW64\Jpgjgboe.exe (PID 1912), command line: C:\Windows\system32\Jpgjgboe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 181: C:\Windows\SysWOW64\Jpigma32.exe (PID 440), command line: C:\Windows\system32\Jpigma32.exe
- Modifies registry class
Depth 182: C:\Windows\SysWOW64\Jkchmo32.exe (PID 1536), command line: C:\Windows\system32\Jkchmo32.exe
- Drops file in System32 directory
Depth 183: C:\Windows\SysWOW64\Kdklfe32.exe (PID 1944), command line: C:\Windows\system32\Kdklfe32.exe
- Drops file in System32 directory
Depth 184: C:\Windows\SysWOW64\Kncaojfb.exe (PID 1140), command line: C:\Windows\system32\Kncaojfb.exe
- Modifies registry class
Depth 185: C:\Windows\SysWOW64\Kocmim32.exe (PID 3012), command line: C:\Windows\system32\Kocmim32.exe
Depth 186: C:\Windows\SysWOW64\Knhjjj32.exe (PID 2152), command line: C:\Windows\system32\Knhjjj32.exe
Depth 187: C:\Windows\SysWOW64\Kjokokha.exe (PID 948), command line: C:\Windows\system32\Kjokokha.exe
- Modifies registry class
Depth 188: C:\Windows\SysWOW64\Kffldlne.exe (PID 1120), command line: C:\Windows\system32\Kffldlne.exe
Depth 189: C:\Windows\SysWOW64\Lgehno32.exe (PID 1180), command line: C:\Windows\system32\Lgehno32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 190: C:\Windows\SysWOW64\Lboiol32.exe (PID 572), command line: C:\Windows\system32\Lboiol32.exe
Depth 191: C:\Windows\SysWOW64\Lhiakf32.exe (PID 584), command line: C:\Windows\system32\Lhiakf32.exe
Depth 192: C:\Windows\SysWOW64\Ldpbpgoh.exe (PID 1520), command line: C:\Windows\system32\Ldpbpgoh.exe
- Drops file in System32 directory
Depth 193: C:\Windows\SysWOW64\Lnhgim32.exe (PID 1500), command line: C:\Windows\system32\Lnhgim32.exe
- Modifies registry class
Depth 194: C:\Windows\SysWOW64\Lnjcomcf.exe (PID 2452), command line: C:\Windows\system32\Lnjcomcf.exe
- Drops file in System32 directory
- Modifies registry class
Depth 195: C:\Windows\SysWOW64\Lgchgb32.exe (PID 2412), command line: C:\Windows\system32\Lgchgb32.exe
Depth 196: C:\Windows\SysWOW64\Mjcaimgg.exe (PID 2120), command line: C:\Windows\system32\Mjcaimgg.exe
Depth 197: C:\Windows\SysWOW64\Mjfnomde.exe (PID 1136), command line: C:\Windows\system32\Mjfnomde.exe
- Drops file in System32 directory
Depth 198: C:\Windows\SysWOW64\Mcnbhb32.exe (PID 2648), command line: C:\Windows\system32\Mcnbhb32.exe
Depth 199: C:\Windows\SysWOW64\Mqbbagjo.exe (PID 2116), command line: C:\Windows\system32\Mqbbagjo.exe
Depth 200: C:\Windows\SysWOW64\Mimgeigj.exe (PID 3080), command line: C:\Windows\system32\Mimgeigj.exe
Depth 201: C:\Windows\SysWOW64\Nbflno32.exe (PID 3120), command line: C:\Windows\system32\Nbflno32.exe
Depth 202: C:\Windows\SysWOW64\Nbhhdnlh.exe (PID 3164), command line: C:\Windows\system32\Nbhhdnlh.exe
Depth 203: C:\Windows\SysWOW64\Nbjeinje.exe (PID 3204), command line: C:\Windows\system32\Nbjeinje.exe
Depth 204: C:\Windows\SysWOW64\Neknki32.exe (PID 3244), command line: C:\Windows\system32\Neknki32.exe
Depth 205: C:\Windows\SysWOW64\Nncbdomg.exe (PID 3284), command line: C:\Windows\system32\Nncbdomg.exe
Depth 206: C:\Windows\SysWOW64\Omioekbo.exe (PID 3324), command line: C:\Windows\system32\Omioekbo.exe
Depth 207: C:\Windows\SysWOW64\Ohncbdbd.exe (PID 3364), command line: C:\Windows\system32\Ohncbdbd.exe
- Drops file in System32 directory
Depth 208: C:\Windows\SysWOW64\Ofcqcp32.exe (PID 3404), command line: C:\Windows\system32\Ofcqcp32.exe
Depth 209: C:\Windows\SysWOW64\Objaha32.exe (PID 3444), command line: C:\Windows\system32\Objaha32.exe
Depth 210: C:\Windows\SysWOW64\Opnbbe32.exe (PID 3484), command line: C:\Windows\system32\Opnbbe32.exe
- Drops file in System32 directory
Depth 211: C:\Windows\SysWOW64\Ohiffh32.exe (PID 3524), command line: C:\Windows\system32\Ohiffh32.exe
Depth 212: C:\Windows\SysWOW64\Oemgplgo.exe (PID 3564), command line: C:\Windows\system32\Oemgplgo.exe
Depth 213: C:\Windows\SysWOW64\Pepcelel.exe (PID 3608), command line: C:\Windows\system32\Pepcelel.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 214: C:\Windows\SysWOW64\Pohhna32.exe (PID 3648), command line: C:\Windows\system32\Pohhna32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Depth 215: C:\Windows\SysWOW64\Phqmgg32.exe (PID 3688), command line: C:\Windows\system32\Phqmgg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 216: C:\Windows\SysWOW64\Pgfjhcge.exe (PID 3728), command line: C:\Windows\system32\Pgfjhcge.exe
Depth 217: C:\Windows\SysWOW64\Ppnnai32.exe (PID 3768), command line: C:\Windows\system32\Ppnnai32.exe
- Drops file in System32 directory
- Modifies registry class
Depth 218: C:\Windows\SysWOW64\Pleofj32.exe (PID 3808), command line: C:\Windows\system32\Pleofj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 219: C:\Windows\SysWOW64\Qlgkki32.exe (PID 3848), command line: C:\Windows\system32\Qlgkki32.exe
Depth 220: C:\Windows\SysWOW64\Alihaioe.exe (PID 3888), command line: C:\Windows\system32\Alihaioe.exe
Depth 221: C:\Windows\SysWOW64\Agolnbok.exe (PID 3928), command line: C:\Windows\system32\Agolnbok.exe
Depth 222: C:\Windows\SysWOW64\Allefimb.exe (PID 3968), command line: C:\Windows\system32\Allefimb.exe
Depth 223: C:\Windows\SysWOW64\Aaimopli.exe (PID 4008), command line: C:\Windows\system32\Aaimopli.exe
Depth 224: C:\Windows\SysWOW64\Aakjdo32.exe (PID 4048), command line: C:\Windows\system32\Aakjdo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 225: C:\Windows\SysWOW64\Aoojnc32.exe (PID 4088), command line: C:\Windows\system32\Aoojnc32.exe
Depth 226: C:\Windows\SysWOW64\Abpcooea.exe (PID 3108), command line: C:\Windows\system32\Abpcooea.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 227: C:\Windows\SysWOW64\Bceibfgj.exe (PID 3200), command line: C:\Windows\system32\Bceibfgj.exe
Depth 228: C:\Windows\SysWOW64\Bmnnkl32.exe (PID 3260), command line: C:\Windows\system32\Bmnnkl32.exe
Depth 229: C:\Windows\SysWOW64\Bjbndpmd.exe (PID 3296), command line: C:\Windows\system32\Bjbndpmd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 230: C:\Windows\SysWOW64\Bqlfaj32.exe (PID 3352), command line: C:\Windows\system32\Bqlfaj32.exe
Depth 231: C:\Windows\SysWOW64\Bfioia32.exe (PID 3436), command line: C:\Windows\system32\Bfioia32.exe
Depth 232: C:\Windows\SysWOW64\Bkegah32.exe (PID 3500), command line: C:\Windows\system32\Bkegah32.exe
- Modifies registry class
Depth 233: C:\Windows\SysWOW64\Cbppnbhm.exe (PID 3536), command line: C:\Windows\system32\Cbppnbhm.exe
Depth 234: C:\Windows\SysWOW64\Cocphf32.exe (PID 3604), command line: C:\Windows\system32\Cocphf32.exe
- Modifies registry class
Depth 235: C:\Windows\SysWOW64\Cepipm32.exe (PID 3620), command line: C:\Windows\system32\Cepipm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 236: C:\Windows\SysWOW64\Cnimiblo.exe (PID 3704), command line: C:\Windows\system32\Cnimiblo.exe
Depth 237: C:\Windows\SysWOW64\Cinafkkd.exe (PID 3764), command line: C:\Windows\system32\Cinafkkd.exe
- Drops file in System32 directory
Depth 238: C:\Windows\SysWOW64\Cbffoabe.exe (PID 3800), command line: C:\Windows\system32\Cbffoabe.exe
Depth 239: C:\Windows\SysWOW64\Cgcnghpl.exe (PID 3868), command line: C:\Windows\system32\Cgcnghpl.exe
Depth 240: C:\Windows\SysWOW64\Dhhhbg32.exe (PID 3916), command line: C:\Windows\system32\Dhhhbg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 241: C:\Windows\SysWOW64\Dbaice32.exe (PID 3964), command line: C:\Windows\system32\Dbaice32.exe
Depth 242: C:\Windows\SysWOW64\Dpeiligo.exe (PID 3980), command line: C:\Windows\system32\Dpeiligo.exe
- Drops file in System32 directory