Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 03:04

Behavioral task: behavioral1
- Sample: 2aa86e2159bdd7da23d50f9338167dd0_NeikiAnalytics.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2aa86e2159bdd7da23d50f9338167dd0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en

General
- Target: 2aa86e2159bdd7da23d50f9338167dd0_NeikiAnalytics.exe
- Size: 135KB
- MD5: 2aa86e2159bdd7da23d50f9338167dd0
- SHA1: 2c5809d843de977b8f50798848708db301081e43
- SHA256: 5690622c29c670718ba188aa2887937cc8495af84302e53a0de4d6088b804ada
- SHA512: 5d5f68aadeca74c647c59c8a2d9d0c49b1010d696bd56f2c91c65889c05481791a999cc17135de318cb4e6191ba553a9f1cad753c59e5d9e9b88695d03b96df8
- SSDEEP: 3072:p9IOheJ/MI+6T8K8Qr5+ViKGe7Yfs0a0Uoi:puuehT8K9cViK4fs0l
Malware Config
Signatures (behavioral1, the windows7_x64 run; memory-dump IoCs below are labelled behavioral1/...)
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Values under HKLM\...\CurrentVersion\ShellServiceObjectDelayLoad (SSODL) are CLSIDs that Explorer instantiates when the shell starts, so the in-process DLL registered for that CLSID (the InProcServer32 writes listed under "Modifies registry class" below) is loaded into explorer.exe at every logon. Every copy in the drop chain either re-creates the key or rewrites the value name "Web Event Logger" with the same CLSID. The sample runs as a 32-bit process, which is why its registry writes land in the Wow6432Node view and its file writes in SysWOW64.

Legend (the original renders the key as "Software" in "Key created" rows and "SOFTWARE" in "Set value" rows; registry key names are case-insensitive):
SSODL = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
VALUE = SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

description | ioc | process
Key created | SSODL | Cobbhfhg.exe
Set value (str) | VALUE | Idfbkq32.exe
Key created | SSODL | Meccii32.exe
Key created | SSODL | Gedbdlbb.exe
Set value (str) | VALUE | Mpmapm32.exe
Key created | SSODL | Egdilkbf.exe
Set value (str) | VALUE | Okikfagn.exe
Key created | SSODL | Hkhnle32.exe
Key created | SSODL | Mmneda32.exe
Set value (str) | VALUE | Ngibaj32.exe
Key created | SSODL | Ebbgid32.exe
Set value (str) | VALUE | Bidjnkdg.exe
Key created | SSODL | Dfamcogo.exe
Key created | SSODL | Inifnq32.exe
Set value (str) | VALUE | Kjljhjkl.exe
Key created | SSODL | Fmbhok32.exe
Key created | SSODL | Fnkjhb32.exe
Set value (str) | VALUE | Nplmop32.exe
Key created | SSODL | Glaoalkh.exe
Set value (str) | VALUE | Mkclhl32.exe
Key created | SSODL | Gmdadnkh.exe
Set value (str) | VALUE | Mmldme32.exe
Set value (str) | VALUE | Bmkmdk32.exe
Set value (str) | VALUE | Fmlapp32.exe
Key created | SSODL | Kqqboncb.exe
Key created | SSODL | Nckjkl32.exe
Key created | SSODL | Nlekia32.exe
Set value (str) | VALUE | 2aa86e2159bdd7da23d50f9338167dd0_NeikiAnalytics.exe
Key created | SSODL | Fmcoja32.exe
Key created | SSODL | Monhhk32.exe
Key created | SSODL | Ffhpbacb.exe
Set value (str) | VALUE | Gbaileio.exe
Set value (str) | VALUE | Fagjnn32.exe
Set value (str) | VALUE | Iblpjdpk.exe
Set value (str) | VALUE | Mdmmfa32.exe
Set value (str) | VALUE | Bfenbpec.exe
Key created | SSODL | Cgejac32.exe
Set value (str) | VALUE | Fadminnn.exe
Set value (str) | VALUE | Jjjacf32.exe
Key created | SSODL | Jmocpado.exe
Key created | SSODL | Pggbla32.exe
Key created | SSODL | Aplifb32.exe
Key created | SSODL | Ajhgmpfg.exe
Key created | SSODL | Lpbefoai.exe
Key created | SSODL | Fadminnn.exe
Key created | SSODL | Lfpclh32.exe
Set value (str) | VALUE | Pgioaa32.exe
Key created | SSODL | Dcadac32.exe
Set value (str) | VALUE | Mlfojn32.exe
Set value (str) | VALUE | Jmmfkafa.exe
Key created | SSODL | Enhacojl.exe
Set value (str) | VALUE | Lapnnafn.exe
Key created | SSODL | Mhhfdo32.exe
Set value (str) | VALUE | Ecqqpgli.exe
Key created | SSODL | Keednado.exe
Key created | SSODL | Mppepcfg.exe
Set value (str) | VALUE | Pedleg32.exe
Set value (str) | VALUE | Hpkjko32.exe
Set value (str) | VALUE | Hlfdkoin.exe
Set value (str) | VALUE | Lkppbl32.exe
Key created | SSODL | Onhgbmfb.exe
Set value (str) | VALUE | Pogclp32.exe
Key created | SSODL | Abjebn32.exe
Key created | SSODL | Gljnej32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware and cryptominers.

resource | yara_rule
\Windows\SysWOW64\Cfbhnaho.exe | family_berbew
\Windows\SysWOW64\Cgbdhd32.exe | family_berbew
\Windows\SysWOW64\Cfgaiaci.exe | family_berbew
C:\Windows\SysWOW64\Ckdjbh32.exe | family_berbew
\Windows\SysWOW64\Chhjkl32.exe | family_berbew
\Windows\SysWOW64\Cobbhfhg.exe | family_berbew
\Windows\SysWOW64\Dkhcmgnl.exe | family_berbew
\Windows\SysWOW64\Dqelenlc.exe | family_berbew
\Windows\SysWOW64\Dbehoa32.exe | family_berbew
C:\Windows\SysWOW64\Dcfdgiid.exe | family_berbew
\Windows\SysWOW64\Dqjepm32.exe | family_berbew
\Windows\SysWOW64\Dnneja32.exe | family_berbew
\Windows\SysWOW64\Dfijnd32.exe | family_berbew
\Windows\SysWOW64\Eqonkmdh.exe | family_berbew
\Windows\SysWOW64\Ejgcdb32.exe | family_berbew
\Windows\SysWOW64\Ebbgid32.exe | family_berbew
C:\Windows\SysWOW64\Emhlfmgj.exe | family_berbew
C:\Windows\SysWOW64\Enihne32.exe | family_berbew
C:\Windows\SysWOW64\Eiomkn32.exe | family_berbew
C:\Windows\SysWOW64\Eiaiqn32.exe | family_berbew
C:\Windows\SysWOW64\Egdilkbf.exe | family_berbew
C:\Windows\SysWOW64\Ebinic32.exe | family_berbew
C:\Windows\SysWOW64\Fmcoja32.exe | family_berbew
C:\Windows\SysWOW64\Fejgko32.exe | family_berbew
C:\Windows\SysWOW64\Fdoclk32.exe | family_berbew
C:\Windows\SysWOW64\Fmhheqje.exe | family_berbew
C:\Windows\SysWOW64\Ffpmnf32.exe | family_berbew
C:\Windows\SysWOW64\Fioija32.exe | family_berbew
C:\Windows\SysWOW64\Feeiob32.exe | family_berbew
C:\Windows\SysWOW64\Fmlapp32.exe | family_berbew
C:\Windows\SysWOW64\Glaoalkh.exe | family_berbew
behavioral1/memory/2600-376-0x0000000000290000-0x00000000002D2000-memory.dmp | family_berbew
behavioral1/memory/2600-372-0x0000000000290000-0x00000000002D2000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Gbkgnfbd.exe | family_berbew
C:\Windows\SysWOW64\Ghhofmql.exe | family_berbew
C:\Windows\SysWOW64\Gelppaof.exe | family_berbew
C:\Windows\SysWOW64\Goddhg32.exe | family_berbew
behavioral1/memory/2960-415-0x00000000002F0000-0x0000000000332000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Gkkemh32.exe | family_berbew
behavioral1/memory/2936-426-0x0000000000250000-0x0000000000292000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Gphmeo32.exe | family_berbew
C:\Windows\SysWOW64\Hiqbndpb.exe | family_berbew
C:\Windows\SysWOW64\Hpkjko32.exe | family_berbew
C:\Windows\SysWOW64\Hpmgqnfl.exe | family_berbew
behavioral1/memory/2784-471-0x0000000000450000-0x0000000000492000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Hckcmjep.exe | family_berbew
C:\Windows\SysWOW64\Hlcgeo32.exe | family_berbew
C:\Windows\SysWOW64\Hcnpbi32.exe | family_berbew
C:\Windows\SysWOW64\Hlfdkoin.exe | family_berbew
C:\Windows\SysWOW64\Hcplhi32.exe | family_berbew
C:\Windows\SysWOW64\Hjjddchg.exe | family_berbew
C:\Windows\SysWOW64\Hhmepp32.exe | family_berbew
C:\Windows\SysWOW64\Icbimi32.exe | family_berbew
C:\Windows\SysWOW64\Ieqeidnl.exe | family_berbew
C:\Windows\SysWOW64\Ilknfn32.exe | family_berbew
C:\Windows\SysWOW64\Inljnfkg.exe | family_berbew
C:\Windows\SysWOW64\Idfbkq32.exe | family_berbew
C:\Windows\SysWOW64\Ikpjgkjq.exe | family_berbew
C:\Windows\SysWOW64\Iqmcpahh.exe | family_berbew
C:\Windows\SysWOW64\Ihdkao32.exe | family_berbew
C:\Windows\SysWOW64\Ikbgmj32.exe | family_berbew
C:\Windows\SysWOW64\Iblpjdpk.exe | family_berbew
C:\Windows\SysWOW64\Idklfpon.exe | family_berbew
C:\Windows\SysWOW64\Ikddbj32.exe | family_berbew
Executes dropped EXE 64 IoCs

pid | process
1988 | Cfbhnaho.exe
2128 | Cgbdhd32.exe
2668 | Cfgaiaci.exe
1236 | Ckdjbh32.exe
2812 | Chhjkl32.exe
2440 | Cobbhfhg.exe
2496 | Dkhcmgnl.exe
2792 | Dqelenlc.exe
2984 | Dbehoa32.exe
1944 | Dcfdgiid.exe
1512 | Dqjepm32.exe
2548 | Dnneja32.exe
2788 | Dfijnd32.exe
1292 | Eqonkmdh.exe
2068 | Ejgcdb32.exe
1252 | Ebbgid32.exe
552 | Emhlfmgj.exe
688 | Enihne32.exe
2032 | Eiomkn32.exe
1772 | Eiaiqn32.exe
1360 | Egdilkbf.exe
384 | Ebinic32.exe
2880 | Fmcoja32.exe
2208 | Fejgko32.exe
2404 | Fdoclk32.exe
2908 | Fmhheqje.exe
1564 | Ffpmnf32.exe
2164 | Fioija32.exe
1628 | Feeiob32.exe
2600 | Fmlapp32.exe
2452 | Glaoalkh.exe
2612 | Gbkgnfbd.exe
2560 | Ghhofmql.exe
2960 | Gelppaof.exe
2936 | Goddhg32.exe
2924 | Gkkemh32.exe
2388 | Gphmeo32.exe
2432 | Hiqbndpb.exe
2784 | Hpkjko32.exe
2796 | Hpmgqnfl.exe
1308 | Hckcmjep.exe
2072 | Hlcgeo32.exe
2424 | Hcnpbi32.exe
1864 | Hlfdkoin.exe
1120 | Hcplhi32.exe
452 | Hjjddchg.exe
1524 | Hhmepp32.exe
320 | Icbimi32.exe
656 | Ieqeidnl.exe
1300 | Ilknfn32.exe
1752 | Inljnfkg.exe
3068 | Idfbkq32.exe
2024 | Ikpjgkjq.exe
2732 | Iqmcpahh.exe
2580 | Ihdkao32.exe
2848 | Ikbgmj32.exe
2464 | Iblpjdpk.exe
2948 | Idklfpon.exe
2616 | Ikddbj32.exe
2968 | Iqalka32.exe
3000 | Icpigm32.exe
760 | Jjjacf32.exe
1872 | Jmhmpb32.exe
2764 | Jcbellac.exe
Loads dropped DLL 64 IoCs

pid | process | load events (the original lists each process twice)
2336 | 2aa86e2159bdd7da23d50f9338167dd0_NeikiAnalytics.exe | 2
1988 | Cfbhnaho.exe | 2
2128 | Cgbdhd32.exe | 2
2668 | Cfgaiaci.exe | 2
1236 | Ckdjbh32.exe | 2
2812 | Chhjkl32.exe | 2
2440 | Cobbhfhg.exe | 2
2496 | Dkhcmgnl.exe | 2
2792 | Dqelenlc.exe | 2
2984 | Dbehoa32.exe | 2
1944 | Dcfdgiid.exe | 2
1512 | Dqjepm32.exe | 2
2548 | Dnneja32.exe | 2
2788 | Dfijnd32.exe | 2
1292 | Eqonkmdh.exe | 2
2068 | Ejgcdb32.exe | 2
1252 | Ebbgid32.exe | 2
552 | Emhlfmgj.exe | 2
688 | Enihne32.exe | 2
2032 | Eiomkn32.exe | 2
1772 | Eiaiqn32.exe | 2
1360 | Egdilkbf.exe | 2
384 | Ebinic32.exe | 2
2880 | Fmcoja32.exe | 2
2208 | Fejgko32.exe | 2
2404 | Fdoclk32.exe | 2
2908 | Fmhheqje.exe | 2
1564 | Ffpmnf32.exe | 2
2164 | Fioija32.exe | 2
1628 | Feeiob32.exe | 2
2600 | Fmlapp32.exe | 2
2452 | Glaoalkh.exe | 2
Drops file in System32 directory 64 IoCs
All paths are under SysWOW64: the sample is 32-bit, so WOW64 file-system redirection turns its System32 writes into SysWOW64 writes. Each process drops the next .exe in the chain and a .dll with an equally random name (the DLLs are the InProcServer32 targets registered under "Modifies registry class").

description | ioc | process
File created | C:\Windows\SysWOW64\Lfnbefhd.dll | Nkiogn32.exe
File created | C:\Windows\SysWOW64\Iohmol32.dll | Fmpkjkma.exe
File created | C:\Windows\SysWOW64\Pikhak32.dll | Lnbbbffj.exe
File opened for modification | C:\Windows\SysWOW64\Jehkodcm.exe | Jokcgmee.exe
File created | C:\Windows\SysWOW64\Biapcobb.dll | Jbllihbf.exe
File created | C:\Windows\SysWOW64\Minceo32.dll | Lojomkdn.exe
File created | C:\Windows\SysWOW64\Qmbbdq32.dll | Fadminnn.exe
File created | C:\Windows\SysWOW64\Fioija32.exe | Ffpmnf32.exe
File created | C:\Windows\SysWOW64\Ldlimbcf.dll | Kkgmgmfd.exe
File created | C:\Windows\SysWOW64\Lhefhd32.dll | Fpqdkf32.exe
File created | C:\Windows\SysWOW64\Bllbijej.dll | Aipddi32.exe
File opened for modification | C:\Windows\SysWOW64\Bdgafdfp.exe | Blpjegfm.exe
File created | C:\Windows\SysWOW64\Iodahd32.dll | Hdqbekcm.exe
File created | C:\Windows\SysWOW64\Ejgcdb32.exe | Eqonkmdh.exe
File created | C:\Windows\SysWOW64\Omabcb32.dll | Gphmeo32.exe
File opened for modification | C:\Windows\SysWOW64\Oddpfc32.exe | Onjgiiad.exe
File created | C:\Windows\SysWOW64\Hdqbekcm.exe | Habfipdj.exe
File created | C:\Windows\SysWOW64\Kincipnk.exe | Kfpgmdog.exe
File created | C:\Windows\SysWOW64\Knhfdmdo.dll | Ahlgfdeq.exe
File created | C:\Windows\SysWOW64\Lbadbn32.dll | Edpmjj32.exe
File created | C:\Windows\SysWOW64\Aeaceffc.dll | Maedhd32.exe
File opened for modification | C:\Windows\SysWOW64\Jocflgga.exe | Ileiplhn.exe
File opened for modification | C:\Windows\SysWOW64\Lldlqakb.exe | Kifpdelo.exe
File created | C:\Windows\SysWOW64\Pogclp32.exe | Pogclp32.exe
File opened for modification | C:\Windows\SysWOW64\Bpgljfbl.exe | Amhpnkch.exe
File opened for modification | C:\Windows\SysWOW64\Nkbhgojk.exe | Nhdlkdkg.exe
File opened for modification | C:\Windows\SysWOW64\Fjaonpnn.exe | Ebjglbml.exe
File opened for modification | C:\Windows\SysWOW64\Fcjcfe32.exe | Fmpkjkma.exe
File created | C:\Windows\SysWOW64\Ckoilb32.exe | Chpmpg32.exe
File created | C:\Windows\SysWOW64\Dfffnn32.exe | Dkqbaecc.exe
File opened for modification | C:\Windows\SysWOW64\Fpqdkf32.exe | Fmbhok32.exe
File created | C:\Windows\SysWOW64\Gbdalp32.dll | Ngdifkpi.exe
File created | C:\Windows\SysWOW64\Mihiih32.exe | Mgimmm32.exe
File opened for modification | C:\Windows\SysWOW64\Mdmmfa32.exe | Mmceigep.exe
File opened for modification | C:\Windows\SysWOW64\Anlmmp32.exe | Alnqqd32.exe
File opened for modification | C:\Windows\SysWOW64\Ajhgmpfg.exe | Ahikqd32.exe
File created | C:\Windows\SysWOW64\Goddhg32.exe | Gelppaof.exe
File created | C:\Windows\SysWOW64\Egjbkk32.dll | Lkppbl32.exe
File created | C:\Windows\SysWOW64\Ijqnib32.dll | Lefdpe32.exe
File opened for modification | C:\Windows\SysWOW64\Dpbheh32.exe | Dndlim32.exe
File created | C:\Windows\SysWOW64\Epfbghho.dll | Gpncej32.exe
File created | C:\Windows\SysWOW64\Nckjkl32.exe | Nplmop32.exe
File created | C:\Windows\SysWOW64\Abjebn32.exe | Anojbobe.exe
File created | C:\Windows\SysWOW64\Bmdcpnkh.dll | Fllnlg32.exe
File opened for modification | C:\Windows\SysWOW64\Pikhak32.dll | Lapnnafn.exe
File created | C:\Windows\SysWOW64\Dbehoa32.exe | Dqelenlc.exe
File opened for modification | C:\Windows\SysWOW64\Ncgdbmmp.exe | Mlmlecec.exe
File created | C:\Windows\SysWOW64\Pbqpqcoj.dll | Pimkpfeh.exe
File opened for modification | C:\Windows\SysWOW64\Cjfccn32.exe | Cclkfdnc.exe
File opened for modification | C:\Windows\SysWOW64\Dfamcogo.exe | Dbfabp32.exe
File created | C:\Windows\SysWOW64\Ecqqpgli.exe | Eqbddk32.exe
File created | C:\Windows\SysWOW64\Cogbjdmj.dll | Ileiplhn.exe
File created | C:\Windows\SysWOW64\Qkhgoi32.dll | Jgcdki32.exe
File opened for modification | C:\Windows\SysWOW64\Fmlapp32.exe | Feeiob32.exe
File created | C:\Windows\SysWOW64\Fgefik32.dll | Ojcecjee.exe
File created | C:\Windows\SysWOW64\Igdaoinc.dll | Aekodi32.exe
File created | C:\Windows\SysWOW64\Hojgbclk.dll | Aibajhdn.exe
File created | C:\Windows\SysWOW64\Bfcampgf.exe | Bpiipf32.exe
File created | C:\Windows\SysWOW64\Hnecbc32.dll | Lcagpl32.exe
File created | C:\Windows\SysWOW64\Qpmnhglp.dll | Boqbfb32.exe
File opened for modification | C:\Windows\SysWOW64\Edpmjj32.exe | Emieil32.exe
File created | C:\Windows\SysWOW64\Dkqmaqbm.dll | Jcjdpj32.exe
File created | C:\Windows\SysWOW64\Ikbgmj32.exe | Ihdkao32.exe
File opened for modification | C:\Windows\SysWOW64\Jiondcpk.exe | Jfqahgpg.exe
Program crash 1 IoCs

pid | pid_target | process | target process
4252 | 4176 | WerFault.exe | Nlhgoqhh.exe
Modifies registry class 64 IoCs
These rows are the second half of the SSODL persistence: every process registers the same CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} as an in-process COM server, but each one points its (Default) value at a different freshly dropped DLL in SysWow64. The DLL name on disk therefore changes with every hop and is not a stable indicator; the CLSID and the SSODL value name "Web Event Logger" are. ThreadingModel = "Apartment" is ordinary COM registration and carries no signal on its own.

Legend: CLSIDKEY = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32. A row whose value name is empty (rendered in the original as a trailing "\ =") sets the key's (Default) value; the doubled backslashes the original uses inside quoted paths are an escaping artifact and are shown single here.

description | ioc | process
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Jdnaob32.dll" | Ilknfn32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Bhkdeggl.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Ejmmiihp.dll" | Ckoilb32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Egjpkffe.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Kfpgmdog.exe
Key created | CLSIDKEY | Ldidkbpb.exe
Key created | CLSIDKEY | Ncjqhmkm.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Oimpgolj.dll" | Pnajilng.exe
Key created | CLSIDKEY | Hlqdei32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Moanaiie.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Nhokkp32.dll" | Ccahbp32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Mmjhjhkh.dll" | Gjdhbc32.exe
Key created | CLSIDKEY | Hdqbekcm.exe
Key created | CLSIDKEY | Igchlf32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Aedeic32.dll" | Ioaifhid.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Lihmjejl.exe
Key created | CLSIDKEY | Lflmci32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Aoepcn32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Fahgfoih.dll" | Cclkfdnc.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Macalohk.dll" | Mofglh32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Aonghnnp.dll" | Ncjqhmkm.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Pgicjg32.dll" | Emkaol32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Nkbalifo.exe
Key created | CLSIDKEY | Mcbjgn32.exe
Key created | CLSIDKEY | Aipddi32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Fmpkjkma.exe
Key created | CLSIDKEY | Kgbggnhc.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Ndmjedoi.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Ajejgp32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Mkmhaj32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Mpjqiq32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Iianmb32.dll" | Iefhhbef.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Fbldmm32.dll" | Ilqpdm32.exe
Key created | CLSIDKEY | Kincipnk.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Pabakh32.dll" | Ghhofmql.exe
Key created | CLSIDKEY | Lkppbl32.exe
Key created | CLSIDKEY | Alnqqd32.exe
Key created | CLSIDKEY | Ecqqpgli.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Gpqpjj32.exe
Key created | CLSIDKEY | Mofglh32.exe
Key created | CLSIDKEY | Niikceid.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Ccfcekqe.dll" | Jjpcbe32.exe
Key created | CLSIDKEY | Lnbbbffj.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Jneohcll.dll" | Ajhgmpfg.exe
Key created | CLSIDKEY | Jhljdm32.exe
Key created | CLSIDKEY | Heglio32.exe
Key created | CLSIDKEY | Egdilkbf.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Fdoclk32.exe
Key created | CLSIDKEY | Ilknfn32.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Ebjglbml.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Higeofeq.dll" | Gdgcpi32.exe
Key created | CLSIDKEY | Moanaiie.exe
Key created | CLSIDKEY | Ngibaj32.exe
Key created | CLSIDKEY | Mppepcfg.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Ngogde32.dll" | Nhdlkdkg.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Gbomfe32.exe
Key created | CLSIDKEY | Igakgfpn.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Gnhqpo32.dll" | Icjhagdp.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Jmbiipml.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Fkahhbbj.dll" | Dbehoa32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Kjnifgah.dll" | Hckcmjep.exe
Set value (str) | CLSIDKEY\ThreadingModel = "Apartment" | Ihdkao32.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Gellaqbd.dll" | Cafecmlj.exe
Set value (str) | CLSIDKEY\(Default) = "C:\Windows\SysWow64\Bedolome.dll" | Jfiale32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\2aa86e2159bdd7da23d50f9338167dd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2aa86e2159bdd7da23d50f9338167dd0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:384 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe33⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe36⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe37⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe39⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe41⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe43⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe44⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe46⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe47⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe48⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe49⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe50⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe52⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe54⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe55⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe57⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe59⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe60⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe61⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe62⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe64⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe65⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe66⤵
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe67⤵PID:2740
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe68⤵PID:1064
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe69⤵PID:2988
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe70⤵PID:1516
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe72⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe73⤵PID:608
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe75⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe76⤵PID:2712
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe77⤵PID:2476
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe78⤵PID:748
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe79⤵PID:2932
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe80⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe81⤵PID:2324
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe82⤵PID:2260
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe84⤵PID:412
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe85⤵PID:2276
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe86⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe87⤵PID:572
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe88⤵PID:864
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe89⤵PID:2156
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe90⤵PID:2636
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe91⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe92⤵PID:2480
-
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe93⤵PID:2964
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe94⤵PID:2124
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe95⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe97⤵
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe98⤵PID:2044
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe99⤵PID:2868
-
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe100⤵PID:1532
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe101⤵PID:1344
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe102⤵
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe103⤵PID:1876
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe104⤵PID:1692
-
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:312 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe106⤵PID:1696
-
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe107⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe108⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1588 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe111⤵PID:2652
-
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe113⤵
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe114⤵PID:2008
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe115⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:304 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe117⤵PID:3012
-
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe118⤵PID:1148
-
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe119⤵PID:1820
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe120⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe121⤵PID:2940
-
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe122⤵PID:2980
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe124⤵
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe125⤵PID:2220
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe126⤵PID:1332
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe127⤵
- Drops file in System32 directory
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe128⤵PID:3056
-
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe129⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe130⤵PID:348
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe131⤵PID:2824
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe132⤵PID:300
-
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe133⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe134⤵PID:1700
-
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe135⤵PID:1720
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe136⤵
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe137⤵PID:2284
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe138⤵PID:1624
-
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe139⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe140⤵PID:2372
-
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe141⤵PID:2704
-
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe142⤵
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe143⤵PID:1648
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe144⤵PID:2928
-
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe145⤵PID:1484
-
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe146⤵PID:1956
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe147⤵PID:2856
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe148⤵PID:868
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe149⤵PID:2148
-
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:976 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe152⤵PID:2564
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe153⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe155⤵PID:2428
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe157⤵PID:2876
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe158⤵PID:824
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe159⤵PID:3048
-
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe160⤵PID:2552
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe161⤵PID:1684
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe162⤵PID:2588
-
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe163⤵PID:1488
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe164⤵PID:2804
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe166⤵
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe167⤵PID:2340
-
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe169⤵PID:2916
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe170⤵PID:2920
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe171⤵PID:2316
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe172⤵PID:1672
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe173⤵PID:1788
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe174⤵PID:2064
-
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe175⤵PID:1016
-
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe176⤵PID:2112
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe177⤵
- Drops file in System32 directory
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe178⤵
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe179⤵PID:2212
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe180⤵PID:1964
-
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe181⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe183⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe185⤵PID:2412
-
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe186⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe187⤵PID:2520
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe188⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe189⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe191⤵PID:2688
-
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe192⤵PID:2188
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe193⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe194⤵
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe195⤵
- Drops file in System32 directory
PID:3136 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe196⤵PID:3176
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe197⤵PID:3216
-
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3256 -
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe199⤵
- Drops file in System32 directory
PID:3296 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe200⤵PID:3336
-
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe201⤵PID:3376
-
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe202⤵
- Drops file in System32 directory
PID:3420 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe203⤵PID:3460
-
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3500 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe205⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3540 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe206⤵PID:3580
-
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe207⤵
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe208⤵PID:3660
-
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe209⤵PID:3700
-
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe210⤵PID:3740
-
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe211⤵PID:3780
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe212⤵
- Modifies registry class
PID:3820 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe213⤵PID:3860
-
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe214⤵
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe215⤵PID:3940
-
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe216⤵PID:3980
-
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe217⤵PID:4020
-
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe218⤵
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe219⤵PID:2628
-
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe220⤵
- Drops file in System32 directory
PID:3112 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe221⤵
- Modifies registry class
PID:3160 -
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe222⤵PID:3148
-
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe223⤵PID:3264
-
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3272 -
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe225⤵PID:3372
-
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe226⤵PID:3416
-
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe227⤵
- Drops file in System32 directory
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe228⤵PID:3516
-
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe229⤵PID:3552
-
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe230⤵PID:3616
-
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe231⤵PID:3632
-
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe232⤵
- Drops file in System32 directory
PID:3672 -
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe233⤵PID:3772
-
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe234⤵PID:3812
-
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3876 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe236⤵PID:3916
-
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe237⤵PID:3976
-
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe238⤵PID:4016
-
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe239⤵PID:4032
-
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe240⤵PID:4080
-
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe241⤵PID:3192
-
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe242⤵
- Drops file in System32 directory
PID:3212