Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 02:26
Behavioral task: behavioral1
Sample: 258c2d91a6e413418824803653488a10_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 258c2d91a6e413418824803653488a10_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 258c2d91a6e413418824803653488a10_NeikiAnalytics.exe
Size: 352KB
MD5: 258c2d91a6e413418824803653488a10
SHA1: 54d9b8a3b744329137897ff5e3cd1456a8446063
SHA256: a0092fcb7181fc55bb4014fe33b3a8b91deeed030d5378db84cd413de7d94239
SHA512: 22622d27337ead546b642d61a9589fa2cf14d8a7487279893fa7b30cebf774b752eec4d9a1772a3fbde96fb799c7b0be402889fd8262ef82a3246bddf9b4c5b2
SSDEEP: 6144:ycp0aV0aBq1giPF/8NkCpr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMV:LGK40rCZYE6YYBHpd0uD319ZvSntnhpn
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: WerFault.exe (pid 4844) handled a crash of target process Ceegmj32.exe (pid 4764)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\258c2d91a6e413418824803653488a10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\258c2d91a6e413418824803653488a10_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:672 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe33⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe35⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe36⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe38⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe39⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe42⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe43⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe44⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe45⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe46⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe49⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe50⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe51⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe53⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe54⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe56⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe58⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe59⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe60⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe61⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe63⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe65⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe67⤵PID:592
-
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe68⤵
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe70⤵PID:1836
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe71⤵PID:1968
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe72⤵PID:2908
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe73⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe74⤵PID:2128
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe75⤵PID:2596
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe76⤵PID:2656
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe77⤵PID:2528
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe78⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe80⤵
- Drops file in System32 directory
PID:300 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe81⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe82⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe83⤵PID:2320
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe85⤵PID:1108
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe86⤵PID:2988
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe87⤵PID:1796
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe88⤵PID:1628
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe89⤵PID:2032
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe90⤵PID:1440
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe91⤵PID:1992
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe92⤵PID:2636
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe93⤵PID:2880
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe94⤵PID:2544
-
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe95⤵PID:2716
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe97⤵PID:2712
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe98⤵PID:2932
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe99⤵PID:1316
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe100⤵PID:1532
-
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe101⤵
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe102⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe103⤵PID:1052
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe104⤵
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe105⤵PID:1124
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe106⤵PID:2948
-
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe107⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe108⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe109⤵PID:2816
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe110⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe111⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe112⤵PID:2972
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe113⤵PID:1456
-
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe114⤵PID:1984
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe115⤵PID:984
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe116⤵PID:1448
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe117⤵PID:1168
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe118⤵PID:1660
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe119⤵PID:308
-
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe120⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe121⤵PID:1944
-
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe122⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe123⤵PID:2752
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe124⤵PID:1308
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe125⤵PID:2464
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe126⤵PID:880
-
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe127⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe128⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe129⤵PID:2420
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe130⤵PID:1564
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe131⤵PID:1764
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe132⤵PID:2272
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe133⤵
- Drops file in System32 directory
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe134⤵PID:2724
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe135⤵PID:2560
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe136⤵PID:2872
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe137⤵PID:584
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe138⤵PID:2468
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe140⤵PID:2952
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe142⤵PID:2772
-
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe143⤵PID:2548
-
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe144⤵PID:2500
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe145⤵PID:1320
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe146⤵PID:536
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe147⤵PID:2904
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe148⤵
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe149⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe150⤵PID:2840
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe151⤵PID:2664
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe152⤵PID:2856
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe153⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe155⤵PID:1096
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe156⤵PID:1600
-
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe157⤵PID:2308
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe159⤵PID:1520
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe160⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe161⤵PID:668
-
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe163⤵
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe164⤵PID:1724
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe165⤵PID:1616
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe166⤵PID:3016
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe167⤵PID:2572
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1916 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe169⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe170⤵PID:2084
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe171⤵
- Drops file in System32 directory
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe172⤵PID:1252
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe173⤵PID:1360
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe174⤵
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe175⤵PID:692
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe176⤵PID:2384
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe177⤵PID:2700
-
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:352 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe179⤵PID:1180
-
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe180⤵PID:2144
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe181⤵PID:2864
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe182⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe183⤵PID:1656
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe185⤵PID:1960
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe186⤵PID:264
-
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe187⤵PID:2568
-
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe188⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe189⤵PID:2648
-
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe190⤵PID:1556
-
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe191⤵PID:3068
-
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe193⤵PID:568
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe194⤵PID:1920
-
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe195⤵PID:1544
-
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe196⤵
- Modifies registry class
PID:3076 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe197⤵
- Modifies registry class
PID:3116 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe198⤵
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe199⤵
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe200⤵PID:3236
-
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe201⤵PID:3276
-
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe202⤵PID:3316
-
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe203⤵PID:3356
-
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3396 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe205⤵
- Drops file in System32 directory
PID:3436 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe206⤵
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe207⤵PID:3516
-
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe208⤵PID:3556
-
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe209⤵PID:3596
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe210⤵
- Drops file in System32 directory
- Modifies registry class
PID:3636 -
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe211⤵PID:3676
-
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe212⤵PID:3716
-
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe213⤵PID:3756
-
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe214⤵PID:3796
-
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe215⤵
- Drops file in System32 directory
PID:3836 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe216⤵
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe217⤵PID:3916
-
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe218⤵
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe219⤵PID:3996
-
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe220⤵PID:4040
-
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe221⤵PID:4080
-
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe222⤵PID:3092
-
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe223⤵PID:3152
-
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe224⤵PID:3184
-
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe225⤵PID:3244
-
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe226⤵PID:3288
-
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe227⤵
- Drops file in System32 directory
PID:3328 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe228⤵PID:3388
-
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe229⤵
- Drops file in System32 directory
PID:3432 -
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe231⤵PID:3552
-
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe232⤵
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe233⤵PID:3620
-
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3696 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3728 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe236⤵
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe237⤵PID:3820
-
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3864 -
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe239⤵
- Drops file in System32 directory
PID:3924 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe240⤵
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe241⤵
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe242⤵PID:4072