Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
02-06-2024 02:23
Behavioral task
behavioral1
Sample
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe
-
Size
366KB
-
MD5
24f36923dcdd837116fbf08bb19e1120
-
SHA1
f5e681c2ad3d47cf52b9c9765c5a281595b21927
-
SHA256
2d33591059e4cb871e035650ca4aa333d5a61051fceb3b1e4bc5aff26ca218d4
-
SHA512
85740eb71df9589fa590960f2e4f586eb0c11e3c192081d694c450b45912968f0ca61637ff2369d0394aa46d7edc988ad12f8829a05786934c67593b32b02987
-
SSDEEP
6144:foJlSosLnLcdpui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGckvN4Ni:wEPcdpV6yYPMLnfBJKFbhDwBpV6yYPyd
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ambmpmln.exeDnilobkm.exeFfpmnf32.exeHlhaqogk.exeBkaqmeah.exeEalnephf.exePaggai32.exeQnfjna32.exeDdeaalpg.exeFphafl32.exeBdlblj32.exeClaifkkf.exeGphmeo32.exeLlnfaffc.exeKibjkgca.exeOgjimd32.exeAmndem32.exeEcpgmhai.exeKhekgc32.exeBgknheej.exeDhmcfkme.exeDqhhknjp.exeGbnccfpb.exeHcifgjgc.exeImbkadcl.exeIbapoj32.exeNnnojlpa.exeQaefjm32.exeBeehencq.exeOcajbekl.exeBbflib32.exeAljgfioc.exeFmjejphb.exeIoccco32.exeMigpeiag.exeNkaocp32.exeOdgcfijj.exePlcdgfbo.exeCphlljge.exeGlfhll32.exeIoagno32.exeOndajnme.exePpjglfon.exePnbacbac.exeCdakgibq.exeMpjoqhah.exeBkdmcdoe.exeIbocjk32.exeLgoacojo.exeDgmglh32.exeOmgaek32.exePpmdbe32.exeCkffgg32.exeHellne32.exeMaphdl32.exeOkalbc32.exeComimg32.exeDjnpnc32.exeEgamfkdh.exeChhjkl32.exeOelmai32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ambmpmln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddeaalpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llnfaffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kibjkgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecpgmhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khekgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbkadcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibapoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnojlpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aljgfioc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ioccco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migpeiag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkaocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgcfijj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljgfioc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdgfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ioagno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondajnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjoqhah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdmcdoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibocjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgoacojo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maphdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okalbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ondajnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oelmai32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule behavioral1/memory/1720-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew \Windows\SysWOW64\Ioojhpdb.exe family_berbew behavioral1/memory/1720-6-0x00000000002D0000-0x0000000000314000-memory.dmp family_berbew C:\Windows\SysWOW64\Imbkadcl.exe family_berbew C:\Windows\SysWOW64\Ioagno32.exe family_berbew \Windows\SysWOW64\Ibocjk32.exe family_berbew behavioral1/memory/2588-54-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Ioccco32.exe family_berbew behavioral1/memory/2508-82-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew \Windows\SysWOW64\Jeplkf32.exe family_berbew C:\Windows\SysWOW64\Joepio32.exe family_berbew C:\Windows\SysWOW64\Jagmpg32.exe family_berbew C:\Windows\SysWOW64\Jklanp32.exe family_berbew behavioral1/memory/2228-164-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Jaiiff32.exe family_berbew C:\Windows\SysWOW64\Jcjbgaog.exe family_berbew behavioral1/memory/1608-183-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Jgenhp32.exe family_berbew behavioral1/memory/1640-206-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/328-243-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Kfmhol32.exe family_berbew behavioral1/memory/1896-285-0x0000000000350000-0x0000000000394000-memory.dmp family_berbew behavioral1/memory/1152-296-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Kinaqg32.exe family_berbew C:\Windows\SysWOW64\Kllmmc32.exe family_berbew behavioral1/memory/2480-351-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2640-374-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2712-394-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Loapim32.exe family_berbew C:\Windows\SysWOW64\Lhjdbcef.exe family_berbew C:\Windows\SysWOW64\Lkhpnnej.exe family_berbew C:\Windows\SysWOW64\Lgoacojo.exe family_berbew C:\Windows\SysWOW64\Limmokib.exe family_berbew C:\Windows\SysWOW64\Lipjejgp.exe family_berbew C:\Windows\SysWOW64\Llnfaffc.exe family_berbew C:\Windows\SysWOW64\Lmnbkinf.exe family_berbew C:\Windows\SysWOW64\Mcjkcplm.exe family_berbew C:\Windows\SysWOW64\Mpolmdkg.exe family_berbew C:\Windows\SysWOW64\Mochnppo.exe family_berbew C:\Windows\SysWOW64\Mnieom32.exe family_berbew C:\Windows\SysWOW64\Nnnojlpa.exe family_berbew C:\Windows\SysWOW64\Ndgggf32.exe family_berbew C:\Windows\SysWOW64\Naikkk32.exe family_berbew C:\Windows\SysWOW64\Nkaocp32.exe family_berbew C:\Windows\SysWOW64\Npnhlg32.exe family_berbew C:\Windows\SysWOW64\Njgldmdc.exe family_berbew C:\Windows\SysWOW64\Nleiqhcg.exe family_berbew C:\Windows\SysWOW64\Ngkmnacm.exe family_berbew C:\Windows\SysWOW64\Nlgefh32.exe family_berbew C:\Windows\SysWOW64\Nqcagfim.exe family_berbew C:\Windows\SysWOW64\Ncancbha.exe family_berbew C:\Windows\SysWOW64\Nkmbgdfl.exe family_berbew C:\Windows\SysWOW64\Nbfjdn32.exe family_berbew C:\Windows\SysWOW64\Obigjnkf.exe family_berbew C:\Windows\SysWOW64\Oicpfh32.exe family_berbew C:\Windows\SysWOW64\Oghlgdgk.exe family_berbew C:\Windows\SysWOW64\Obnqem32.exe family_berbew C:\Windows\SysWOW64\Oelmai32.exe family_berbew C:\Windows\SysWOW64\Ogjimd32.exe family_berbew C:\Windows\SysWOW64\Omgaek32.exe family_berbew C:\Windows\SysWOW64\Ocajbekl.exe family_berbew C:\Windows\SysWOW64\Ojkboo32.exe family_berbew C:\Windows\SysWOW64\Pccfge32.exe family_berbew C:\Windows\SysWOW64\Ppjglfon.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Ioojhpdb.exeImbkadcl.exeIoagno32.exeIbocjk32.exeIoccco32.exeIbapoj32.exeJeplkf32.exeJoepio32.exeJagmpg32.exeJinead32.exeJklanp32.exeJaiiff32.exeJcjbgaog.exeJgenhp32.exeJjdkdl32.exeJghknp32.exeJjfgjk32.exeJmdcfg32.exeKappfeln.exeKcolba32.exeKfmhol32.exeKikdkh32.exeKpemgbqf.exeKcahhq32.exeKebepion.exeKinaqg32.exeKllmmc32.exeKbfeimng.exeKomfnnck.exeKakbjibo.exeKibjkgca.exeKhekgc32.exeKjcgco32.exeKbkodl32.exeKanopipl.exeKeikqhhe.exeLhggmchi.exeLoapim32.exeLhjdbcef.exeLfmdnp32.exeLkhpnnej.exeLabhkh32.exeLdqegd32.exeLgoacojo.exeLimmokib.exeLpgele32.exeLdcamcih.exeLganiohl.exeLkmjin32.exeLipjejgp.exeLlnfaffc.exeLpjbad32.exeLdenbcge.exeLgdjnofi.exeLefkjkmc.exeLmnbkinf.exeLplogdmj.exeLoooca32.exeMcjkcplm.exeMeigpkka.exeMidcpj32.exeMhgclfje.exeMpolmdkg.exeMoalhq32.exepid process 1580 Ioojhpdb.exe 3068 Imbkadcl.exe 2572 Ioagno32.exe 2588 Ibocjk32.exe 2860 Ioccco32.exe 2508 Ibapoj32.exe 2872 Jeplkf32.exe 2460 Joepio32.exe 2512 Jagmpg32.exe 2668 Jinead32.exe 2432 Jklanp32.exe 2228 Jaiiff32.exe 1608 Jcjbgaog.exe 2076 Jgenhp32.exe 1640 Jjdkdl32.exe 784 Jghknp32.exe 1076 Jjfgjk32.exe 328 Jmdcfg32.exe 3040 Kappfeln.exe 2016 Kcolba32.exe 1896 Kfmhol32.exe 1428 Kikdkh32.exe 1152 Kpemgbqf.exe 2196 Kcahhq32.exe 2928 Kebepion.exe 1596 Kinaqg32.exe 2548 Kllmmc32.exe 2480 Kbfeimng.exe 2576 Komfnnck.exe 2640 Kakbjibo.exe 1324 Kibjkgca.exe 2712 Khekgc32.exe 2880 Kjcgco32.exe 2772 Kbkodl32.exe 944 Kanopipl.exe 2148 Keikqhhe.exe 2096 Lhggmchi.exe 576 Loapim32.exe 584 Lhjdbcef.exe 2260 Lfmdnp32.exe 1268 Lkhpnnej.exe 1168 Labhkh32.exe 2284 Ldqegd32.exe 2320 Lgoacojo.exe 2004 Limmokib.exe 2960 Lpgele32.exe 1624 Ldcamcih.exe 2964 Lganiohl.exe 2492 Lkmjin32.exe 3044 Lipjejgp.exe 2828 Llnfaffc.exe 2072 Lpjbad32.exe 2672 Ldenbcge.exe 2696 Lgdjnofi.exe 1808 Lefkjkmc.exe 2956 Lmnbkinf.exe 776 Lplogdmj.exe 2420 Loooca32.exe 2200 Mcjkcplm.exe 984 Meigpkka.exe 2428 Midcpj32.exe 2484 Mhgclfje.exe 2384 Mpolmdkg.exe 2268 Moalhq32.exe -
Loads dropped DLL 64 IoCs
Processes:
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exeIoojhpdb.exeImbkadcl.exeIoagno32.exeIbocjk32.exeIoccco32.exeIbapoj32.exeJeplkf32.exeJoepio32.exeJagmpg32.exeJinead32.exeJklanp32.exeJaiiff32.exeJcjbgaog.exeJgenhp32.exeJjdkdl32.exeJghknp32.exeJjfgjk32.exeJmdcfg32.exeKappfeln.exeKcolba32.exeKfmhol32.exeKikdkh32.exeKpemgbqf.exeKcahhq32.exeKebepion.exeKinaqg32.exeKllmmc32.exeKbfeimng.exeKomfnnck.exeKakbjibo.exeKibjkgca.exepid process 1720 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe 1720 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe 1580 Ioojhpdb.exe 1580 Ioojhpdb.exe 3068 Imbkadcl.exe 3068 Imbkadcl.exe 2572 Ioagno32.exe 2572 Ioagno32.exe 2588 Ibocjk32.exe 2588 Ibocjk32.exe 2860 Ioccco32.exe 2860 Ioccco32.exe 2508 Ibapoj32.exe 2508 Ibapoj32.exe 2872 Jeplkf32.exe 2872 Jeplkf32.exe 2460 Joepio32.exe 2460 Joepio32.exe 2512 Jagmpg32.exe 2512 Jagmpg32.exe 2668 Jinead32.exe 2668 Jinead32.exe 2432 Jklanp32.exe 2432 Jklanp32.exe 2228 Jaiiff32.exe 2228 Jaiiff32.exe 1608 Jcjbgaog.exe 1608 Jcjbgaog.exe 2076 Jgenhp32.exe 2076 Jgenhp32.exe 1640 Jjdkdl32.exe 1640 Jjdkdl32.exe 784 Jghknp32.exe 784 Jghknp32.exe 1076 Jjfgjk32.exe 1076 Jjfgjk32.exe 328 Jmdcfg32.exe 328 Jmdcfg32.exe 3040 Kappfeln.exe 3040 Kappfeln.exe 2016 Kcolba32.exe 2016 Kcolba32.exe 1896 Kfmhol32.exe 1896 Kfmhol32.exe 1428 Kikdkh32.exe 1428 Kikdkh32.exe 1152 Kpemgbqf.exe 1152 Kpemgbqf.exe 2196 Kcahhq32.exe 2196 Kcahhq32.exe 2928 Kebepion.exe 2928 Kebepion.exe 1596 Kinaqg32.exe 1596 Kinaqg32.exe 2548 Kllmmc32.exe 2548 Kllmmc32.exe 2480 Kbfeimng.exe 2480 Kbfeimng.exe 2576 Komfnnck.exe 2576 Komfnnck.exe 2640 Kakbjibo.exe 2640 Kakbjibo.exe 1324 Kibjkgca.exe 1324 Kibjkgca.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pphjgfqq.exeApcfahio.exeDnlidb32.exeEbbgid32.exeHdfflm32.exeLhggmchi.exeMgcgmb32.exeLlnfaffc.exeObigjnkf.exePmlkpjpj.exeAljgfioc.exeClomqk32.exeEloemi32.exeIoccco32.exeJghknp32.exeHlhaqogk.exeFmcoja32.exeGaemjbcg.exeDcknbh32.exeEalnephf.exeHiekid32.exeAnkdiqih.exeCjlgiqbk.exeDjnpnc32.exeOfbfdmeb.exeAiinen32.exeNkaocp32.exePccfge32.exeAplpai32.exeAmbmpmln.exeCfinoq32.exeEilpeooq.exeKfmhol32.exeLkmjin32.exeOgjimd32.exePijbfj32.exeQaefjm32.exeAilkjmpo.exeBpfcgg32.exeBghabf32.exeOhqbqhde.exeOghlgdgk.exeEjgcdb32.exeComimg32.exeDqjepm32.exeHgilchkf.exeHkkalk32.exeNdgggf32.exePlcdgfbo.exeEmcbkn32.exeGddifnbk.exeMochnppo.exeFjilieka.exeGmgdddmq.exeKpemgbqf.exeKbkodl32.exeNocemcbj.exeGogangdc.exeFdapak32.exeGbijhg32.exeMhjpaf32.exeDcknbh32.exeGkihhhnm.exedescription ioc process File created C:\Windows\SysWOW64\Ekchhcnp.dll Pphjgfqq.exe File created C:\Windows\SysWOW64\Aoffmd32.exe Apcfahio.exe File created C:\Windows\SysWOW64\Elbepj32.dll Dnlidb32.exe File created C:\Windows\SysWOW64\Lkojpojq.dll Ebbgid32.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Loapim32.exe Lhggmchi.exe File created C:\Windows\SysWOW64\Eaepofcm.dll Mgcgmb32.exe File created C:\Windows\SysWOW64\Jqckbobk.dll Llnfaffc.exe File created C:\Windows\SysWOW64\Glamna32.dll Obigjnkf.exe File created C:\Windows\SysWOW64\Fmnhkk32.dll Pmlkpjpj.exe File opened for modification C:\Windows\SysWOW64\Bpfcgg32.exe Aljgfioc.exe File created C:\Windows\SysWOW64\Hkfmal32.dll Clomqk32.exe File created C:\Windows\SysWOW64\Ejbfhfaj.exe Eloemi32.exe File opened for modification C:\Windows\SysWOW64\Ibapoj32.exe Ioccco32.exe File opened for modification C:\Windows\SysWOW64\Jjfgjk32.exe Jghknp32.exe File created C:\Windows\SysWOW64\Ejdmpb32.dll Hlhaqogk.exe File created C:\Windows\SysWOW64\Fejgko32.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Jmmjdk32.dll Gaemjbcg.exe File opened for modification C:\Windows\SysWOW64\Pafagk32.dll Dcknbh32.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File created C:\Windows\SysWOW64\Fealjk32.dll Hdfflm32.exe File created C:\Windows\SysWOW64\Hnagjbdf.exe Hiekid32.exe File opened for modification C:\Windows\SysWOW64\Amndem32.exe Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Cngcjo32.exe Cjlgiqbk.exe File created C:\Windows\SysWOW64\Mdeced32.dll Djnpnc32.exe File opened for modification C:\Windows\SysWOW64\Ohqbqhde.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Alhjai32.exe Aiinen32.exe File created C:\Windows\SysWOW64\Obneof32.dll Nkaocp32.exe File created C:\Windows\SysWOW64\Nofmgl32.dll Pccfge32.exe File created C:\Windows\SysWOW64\Ahchbf32.exe Aplpai32.exe File created C:\Windows\SysWOW64\Apajlhka.exe Ambmpmln.exe File created C:\Windows\SysWOW64\Chhjkl32.exe Cfinoq32.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Dlnqnenm.dll Kfmhol32.exe File created C:\Windows\SysWOW64\Lipjejgp.exe Lkmjin32.exe File created C:\Windows\SysWOW64\Ondajnme.exe Ogjimd32.exe File created C:\Windows\SysWOW64\Qlhnbf32.exe Pijbfj32.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qaefjm32.exe File created C:\Windows\SysWOW64\Aljgfioc.exe Ailkjmpo.exe File created C:\Windows\SysWOW64\Boiccdnf.exe Bpfcgg32.exe File opened for modification C:\Windows\SysWOW64\Bkdmcdoe.exe Bghabf32.exe File created C:\Windows\SysWOW64\Omloag32.exe Ohqbqhde.exe File created C:\Windows\SysWOW64\Okchhc32.exe Oghlgdgk.exe File created C:\Windows\SysWOW64\Eijcpoac.exe Ejgcdb32.exe File opened for modification C:\Windows\SysWOW64\Cciemedf.exe Comimg32.exe File created C:\Windows\SysWOW64\Ddeaalpg.exe Dqjepm32.exe File created C:\Windows\SysWOW64\Pljpdpao.dll Hgilchkf.exe File created C:\Windows\SysWOW64\Ojhcelga.dll Hkkalk32.exe File created C:\Windows\SysWOW64\Fonfbi32.dll Ndgggf32.exe File created C:\Windows\SysWOW64\Pnbacbac.exe Plcdgfbo.exe File created C:\Windows\SysWOW64\Cfeoofge.dll Emcbkn32.exe File created C:\Windows\SysWOW64\Ghoegl32.exe Gddifnbk.exe File created C:\Windows\SysWOW64\Mdqafgnf.exe Mochnppo.exe File opened for modification C:\Windows\SysWOW64\Filldb32.exe Fjilieka.exe File created C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Cemjkn32.dll Kpemgbqf.exe File created C:\Windows\SysWOW64\Kanopipl.exe Kbkodl32.exe File opened for modification C:\Windows\SysWOW64\Ngkmnacm.exe Nocemcbj.exe File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe Gogangdc.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Fdapak32.exe File created C:\Windows\SysWOW64\Hghmjpap.dll Gbijhg32.exe File opened for modification C:\Windows\SysWOW64\Mlelaeqk.exe Mhjpaf32.exe File created C:\Windows\SysWOW64\Cgcmfjnn.dll Dcknbh32.exe File opened for modification C:\Windows\SysWOW64\Goddhg32.exe Gkihhhnm.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process 5784 5760 WerFault.exe -
Modifies registry class 64 IoCs
Processes:
Bkaqmeah.exeGkgkbipp.exeGelppaof.exeIlknfn32.exeHlcgeo32.exeKbkodl32.exePfdpip32.exePpamme32.exeClcflkic.exeFlabbihl.exeGejcjbah.exeJjfgjk32.exeNkaocp32.exePiblek32.exeBpcbqk32.exeGmgdddmq.exeAigaon32.exeAlhjai32.exeEgdilkbf.exeFeeiob32.exeGonnhhln.exeHacmcfge.exeKhekgc32.exeLpjbad32.exeAbpfhcje.exeHmlnoc32.exeNaikkk32.exePminkk32.exeBnbjopoi.exeCfgaiaci.exeCkffgg32.exeGeolea32.exeOnphoo32.exeCgmkmecg.exeHicodd32.exeFjilieka.exeIdceea32.exeLdqegd32.exeLkmjin32.exeLdenbcge.exeMidcpj32.exeFioija32.exeMagnek32.exeEbbgid32.exeGbkgnfbd.exeGdamqndn.exeJaiiff32.exeOicpfh32.exeObnqem32.exeAdmemg32.exeBhhnli32.exeCfbhnaho.exeAjphib32.exeEnihne32.exeFfkcbgek.exeHlhaqogk.exeHkkalk32.exeNnbhek32.exeCjpqdp32.exeDdokpmfo.exeGhkllmoi.exeKllmmc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjecnop.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbkodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfdpip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppamme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjfgjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fonfbi32.dll" Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dialipcb.dll" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmgdddmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aigaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafpmhio.dll" Khekgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpjbad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Naikkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbjkfod.dll" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcfkhh32.dll" Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldqegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfecjakk.dll" Lkmjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Midcpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Magnek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqcdceo.dll" Jaiiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiedkadc.dll" Oicpfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknmbn32.dll" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkgcp32.dll" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimcgn32.dll" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkkalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kllmmc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exeIoojhpdb.exeImbkadcl.exeIoagno32.exeIbocjk32.exeIoccco32.exeIbapoj32.exeJeplkf32.exeJoepio32.exeJagmpg32.exeJinead32.exeJklanp32.exeJaiiff32.exeJcjbgaog.exeJgenhp32.exeJjdkdl32.exedescription pid process target process PID 1720 wrote to memory of 1580 1720 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe Ioojhpdb.exe PID 1720 wrote to memory of 1580 1720 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe Ioojhpdb.exe PID 1720 wrote to memory of 1580 1720 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe Ioojhpdb.exe PID 1720 wrote to memory of 1580 1720 24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe Ioojhpdb.exe PID 1580 wrote to memory of 3068 1580 Ioojhpdb.exe Imbkadcl.exe PID 1580 wrote to memory of 3068 1580 Ioojhpdb.exe Imbkadcl.exe PID 1580 wrote to memory of 3068 1580 Ioojhpdb.exe Imbkadcl.exe PID 1580 wrote to memory of 3068 1580 Ioojhpdb.exe Imbkadcl.exe PID 3068 wrote to memory of 2572 3068 Imbkadcl.exe Ioagno32.exe PID 3068 wrote to memory of 2572 3068 Imbkadcl.exe Ioagno32.exe PID 3068 wrote to memory of 2572 3068 Imbkadcl.exe Ioagno32.exe PID 3068 wrote to memory of 2572 3068 Imbkadcl.exe Ioagno32.exe PID 2572 wrote to memory of 2588 2572 Ioagno32.exe Ibocjk32.exe PID 2572 wrote to memory of 2588 2572 Ioagno32.exe Ibocjk32.exe PID 2572 wrote to memory of 2588 2572 Ioagno32.exe Ibocjk32.exe PID 2572 wrote to memory of 2588 2572 Ioagno32.exe Ibocjk32.exe PID 2588 wrote to memory of 2860 2588 Ibocjk32.exe Ioccco32.exe PID 2588 wrote to memory of 2860 2588 Ibocjk32.exe Ioccco32.exe PID 2588 wrote to memory of 2860 2588 Ibocjk32.exe Ioccco32.exe PID 2588 wrote to memory of 2860 2588 Ibocjk32.exe Ioccco32.exe PID 2860 wrote to memory of 2508 2860 Ioccco32.exe Ibapoj32.exe PID 2860 wrote to memory of 2508 2860 Ioccco32.exe Ibapoj32.exe PID 2860 wrote to memory of 2508 2860 Ioccco32.exe Ibapoj32.exe PID 2860 wrote to memory of 2508 2860 Ioccco32.exe Ibapoj32.exe PID 2508 wrote to memory of 2872 2508 Ibapoj32.exe Jeplkf32.exe PID 2508 wrote to memory of 2872 2508 Ibapoj32.exe Jeplkf32.exe PID 2508 wrote to memory of 2872 2508 Ibapoj32.exe Jeplkf32.exe PID 2508 wrote to memory of 2872 2508 Ibapoj32.exe Jeplkf32.exe PID 2872 wrote to memory of 2460 2872 Jeplkf32.exe Joepio32.exe PID 2872 wrote to memory of 2460 2872 Jeplkf32.exe Joepio32.exe PID 2872 wrote to memory of 2460 2872 Jeplkf32.exe Joepio32.exe PID 2872 wrote to memory of 2460 2872 Jeplkf32.exe Joepio32.exe PID 2460 wrote to memory of 2512 2460 Joepio32.exe Jagmpg32.exe PID 2460 wrote to memory of 2512 2460 Joepio32.exe Jagmpg32.exe PID 2460 wrote to memory of 2512 2460 Joepio32.exe Jagmpg32.exe PID 2460 wrote to memory of 2512 2460 Joepio32.exe Jagmpg32.exe PID 2512 wrote to memory of 2668 2512 Jagmpg32.exe Jinead32.exe PID 2512 wrote to memory of 2668 2512 Jagmpg32.exe Jinead32.exe PID 2512 wrote to memory of 2668 2512 Jagmpg32.exe Jinead32.exe PID 2512 wrote to memory of 2668 2512 Jagmpg32.exe Jinead32.exe PID 2668 wrote to memory of 2432 2668 Jinead32.exe Jklanp32.exe PID 2668 wrote to memory of 2432 2668 Jinead32.exe Jklanp32.exe PID 2668 wrote to memory of 2432 2668 Jinead32.exe Jklanp32.exe PID 2668 wrote to memory of 2432 2668 Jinead32.exe Jklanp32.exe PID 2432 wrote to memory of 2228 2432 Jklanp32.exe Jaiiff32.exe PID 2432 wrote to memory of 2228 2432 Jklanp32.exe Jaiiff32.exe PID 2432 wrote to memory of 2228 2432 Jklanp32.exe Jaiiff32.exe PID 2432 wrote to memory of 2228 2432 Jklanp32.exe Jaiiff32.exe PID 2228 wrote to memory of 1608 2228 Jaiiff32.exe Jcjbgaog.exe PID 2228 wrote to memory of 1608 2228 Jaiiff32.exe Jcjbgaog.exe PID 2228 wrote to memory of 1608 2228 Jaiiff32.exe Jcjbgaog.exe PID 2228 wrote to memory of 1608 2228 Jaiiff32.exe Jcjbgaog.exe PID 1608 wrote to memory of 2076 1608 Jcjbgaog.exe Jgenhp32.exe PID 1608 wrote to memory of 2076 1608 Jcjbgaog.exe Jgenhp32.exe PID 1608 wrote to memory of 2076 1608 Jcjbgaog.exe Jgenhp32.exe PID 1608 wrote to memory of 2076 1608 Jcjbgaog.exe Jgenhp32.exe PID 2076 wrote to memory of 1640 2076 Jgenhp32.exe Jjdkdl32.exe PID 2076 wrote to memory of 1640 2076 Jgenhp32.exe Jjdkdl32.exe PID 2076 wrote to memory of 1640 2076 Jgenhp32.exe Jjdkdl32.exe PID 2076 wrote to memory of 1640 2076 Jgenhp32.exe Jjdkdl32.exe PID 1640 wrote to memory of 784 1640 Jjdkdl32.exe Jghknp32.exe PID 1640 wrote to memory of 784 1640 Jjdkdl32.exe Jghknp32.exe PID 1640 wrote to memory of 784 1640 Jjdkdl32.exe Jghknp32.exe PID 1640 wrote to memory of 784 1640 Jjdkdl32.exe Jghknp32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\24f36923dcdd837116fbf08bb19e1120_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe34⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe36⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe37⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe39⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe40⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe41⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe42⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe43⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe46⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe47⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe48⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe49⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe51⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe55⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe56⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe57⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe58⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe59⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe60⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe61⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe63⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe64⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe65⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe66⤵PID:356
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe69⤵
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe70⤵PID:1516
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe71⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe72⤵PID:3024
-
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe73⤵PID:2716
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe74⤵PID:1256
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe75⤵PID:2676
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe76⤵PID:2244
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe77⤵PID:2372
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe78⤵PID:2224
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe79⤵PID:3056
-
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe80⤵PID:1452
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe81⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe83⤵
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe84⤵PID:1620
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe86⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe87⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe88⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe90⤵PID:912
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe91⤵PID:2500
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe92⤵PID:2628
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe93⤵PID:2136
-
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe94⤵PID:2052
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe95⤵
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe96⤵PID:2488
-
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe97⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe98⤵PID:1712
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe99⤵PID:1496
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe100⤵PID:684
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe101⤵PID:1940
-
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe102⤵PID:2060
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe103⤵PID:1440
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe104⤵PID:1704
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe105⤵PID:940
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe106⤵PID:604
-
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe107⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe108⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe109⤵PID:2856
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe110⤵PID:2344
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe111⤵PID:572
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe112⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe114⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1588 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe116⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe117⤵PID:2728
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe118⤵PID:1372
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe119⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe120⤵PID:2332
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe121⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe126⤵PID:2192
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe127⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1188 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe128⤵PID:2304
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe129⤵PID:1552
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe130⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe131⤵PID:2280
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe132⤵
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe133⤵
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe134⤵PID:980
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe135⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1448 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe138⤵PID:620
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe139⤵
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe140⤵
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe141⤵PID:2968
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe143⤵PID:1744
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe144⤵PID:3004
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe145⤵PID:2536
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe146⤵PID:2764
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe147⤵PID:2012
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe150⤵PID:2560
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe151⤵PID:1036
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe152⤵PID:1656
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe153⤵PID:700
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe154⤵
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe155⤵PID:1344
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe156⤵PID:2604
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe157⤵PID:816
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe158⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe159⤵PID:2632
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe160⤵PID:2608
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe162⤵PID:1572
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe164⤵PID:2732
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe165⤵PID:1272
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe166⤵PID:1544
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe167⤵PID:2996
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe168⤵PID:2748
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe169⤵PID:2296
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe170⤵PID:2316
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe171⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe172⤵
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3100 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe174⤵PID:3144
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe175⤵
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe176⤵PID:3224
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe177⤵PID:3264
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe178⤵PID:3304
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe179⤵PID:3344
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe180⤵PID:3384
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe181⤵PID:3424
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe182⤵PID:3464
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe183⤵PID:3504
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe184⤵PID:3544
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe185⤵PID:3584
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe186⤵
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3664 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe188⤵PID:3704
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe189⤵
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe190⤵
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe191⤵PID:3824
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe192⤵
- Drops file in System32 directory
PID:3864 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe193⤵
- Modifies registry class
PID:3904 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe194⤵
- Drops file in System32 directory
PID:3944 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe195⤵PID:3984
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe196⤵PID:4024
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe197⤵PID:4064
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe198⤵PID:3076
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe199⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3136 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe201⤵
- Drops file in System32 directory
PID:3192 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe202⤵PID:3232
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe203⤵PID:3280
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe204⤵PID:2236
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe205⤵PID:3372
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe206⤵PID:3420
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe207⤵PID:3484
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3532 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3580 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe210⤵PID:3644
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe211⤵PID:1696
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe213⤵PID:3792
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe214⤵PID:3080
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe215⤵PID:3892
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe216⤵
- Drops file in System32 directory
PID:3936 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4000 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe218⤵PID:4052
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe219⤵
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe220⤵PID:3524
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3172 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe222⤵
- Modifies registry class
PID:3216 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:452 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe224⤵PID:3336
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe225⤵PID:3412
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe226⤵PID:3488
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe227⤵
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe228⤵PID:3600
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe229⤵
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe230⤵
- Drops file in System32 directory
PID:3760 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe231⤵PID:1864
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe232⤵PID:3836
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe233⤵PID:3872
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3940 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe235⤵PID:4032
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe236⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe237⤵PID:1996
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe238⤵PID:3180
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe239⤵PID:3240
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3328 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe241⤵PID:3436
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe242⤵PID:3520