Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:47
Behavioral task
behavioral1
Sample
6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe
-
Size
109KB
-
MD5
6483126a8256a21daf9f4e3f23a64300
-
SHA1
099a9cc45c6239c673485d8c31c39763355e4070
-
SHA256
a1a79a40696fcbbd8e04fe408f458a4723178073e715ab37b2502a72f0c7ea2a
-
SHA512
0d1a7b3027e49acc01954852575b5dcff51c56f8d787941e967655c7267944b892c806d91ba86db52da12655532f8c90effab6b049a5ab01451ce3d7e32d887d
-
SSDEEP
3072:I/x93tZP+ApV3XLJ99LCqwzBu1DjHLMVDqqkSpR:yXOo7J9twtu1DjrFqhz
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofiln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcmjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjdmmdnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckafbbph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbcln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbidgeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imfqjbli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjdilgpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpgggol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhipoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnnooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnpinc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqdipqbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gedbdlbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olpdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqijej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kocbkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mapjmehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipddi32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2964-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2964-6-0x0000000000250000-0x0000000000294000-memory.dmp family_berbew behavioral1/files/0x000a00000001227e-5.dat family_berbew behavioral1/files/0x0007000000016dda-18.dat family_berbew behavioral1/memory/2856-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0007000000016de7-38.dat family_berbew behavioral1/memory/2596-31-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0009000000017477-45.dat family_berbew behavioral1/memory/2628-57-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2856-51-0x0000000000280000-0x00000000002C4000-memory.dmp family_berbew behavioral1/files/0x0006000000018bf0-65.dat family_berbew behavioral1/memory/2516-66-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001923b-75.dat family_berbew behavioral1/files/0x0005000000019260-90.dat family_berbew behavioral1/memory/2952-100-0x0000000000250000-0x0000000000294000-memory.dmp family_berbew behavioral1/files/0x0005000000019277-98.dat family_berbew behavioral1/memory/2952-97-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2540-91-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2652-106-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001933a-119.dat family_berbew behavioral1/memory/2652-114-0x0000000000250000-0x0000000000294000-memory.dmp family_berbew behavioral1/files/0x000500000001939f-125.dat family_berbew behavioral1/memory/1872-145-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000193b1-144.dat family_berbew behavioral1/memory/1624-137-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001943e-156.dat family_berbew behavioral1/memory/320-164-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019462-167.dat family_berbew behavioral1/memory/816-172-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000194a8-178.dat family_berbew behavioral1/memory/316-200-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000194eb-201.dat family_berbew behavioral1/memory/1732-191-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/816-185-0x0000000002030000-0x0000000002074000-memory.dmp family_berbew behavioral1/memory/816-182-0x0000000002030000-0x0000000002074000-memory.dmp family_berbew behavioral1/files/0x0005000000019501-206.dat family_berbew behavioral1/memory/316-207-0x0000000000250000-0x0000000000294000-memory.dmp family_berbew behavioral1/memory/2036-215-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001954b-223.dat family_berbew behavioral1/memory/408-224-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0035000000016d65-230.dat family_berbew behavioral1/memory/1356-246-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000195e3-241.dat family_berbew behavioral1/memory/2424-238-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001961c-252.dat family_berbew behavioral1/memory/1964-268-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1116-265-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000500000001961f-260.dat family_berbew behavioral1/files/0x0005000000019622-274.dat family_berbew behavioral1/files/0x0005000000019626-286.dat family_berbew behavioral1/memory/1608-293-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2412-284-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1368-300-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1608-299-0x00000000002E0000-0x0000000000324000-memory.dmp family_berbew behavioral1/files/0x0005000000019638-296.dat family_berbew behavioral1/memory/1716-312-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00050000000196bd-307.dat family_berbew behavioral1/files/0x00050000000199b8-318.dat family_berbew behavioral1/memory/1724-334-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0005000000019c54-329.dat family_berbew behavioral1/memory/1548-327-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/1716-326-0x0000000000280000-0x00000000002C4000-memory.dmp family_berbew behavioral1/memory/1716-325-0x0000000000280000-0x00000000002C4000-memory.dmp family_berbew behavioral1/files/0x0005000000019c71-341.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2160 Icbimi32.exe 2596 Idceea32.exe 2856 Ioijbj32.exe 2628 Igdogl32.exe 2516 Iokfhi32.exe 2540 Iqmcpahh.exe 2952 Ihdkao32.exe 2652 Ijeghgoh.exe 1296 Icmlam32.exe 1624 Imfqjbli.exe 1872 Icpigm32.exe 320 Jnemdecl.exe 816 Jqdipqbp.exe 1732 Jofiln32.exe 316 Jmjjea32.exe 2036 Jfcnngnd.exe 408 Jkpgfn32.exe 2424 Jehkodcm.exe 1356 Jkbcln32.exe 1116 Jnclnihj.exe 1964 Jbnhng32.exe 2412 Kkgmgmfd.exe 1608 Kneicieh.exe 1368 Kaceodek.exe 1716 Kkijmm32.exe 1548 Kafbec32.exe 1724 Kfbkmk32.exe 2736 Kjqccigf.exe 2660 Kaklpcoc.exe 2496 Kifpdelo.exe 2520 Kmaled32.exe 1288 Lmcijcbe.exe 2764 Llfifq32.exe 2568 Lhmjkaoc.exe 1948 Lliflp32.exe 1864 Lhpfqama.exe 1320 Lkncmmle.exe 1000 Lahkigca.exe 1476 Llnofpcg.exe 764 Lollckbk.exe 616 Mggpgmof.exe 1820 Mamddf32.exe 1092 Mppepcfg.exe 1924 Mhgmapfi.exe 1984 Mkeimlfm.exe 1600 Mihiih32.exe 964 Maoajf32.exe 2108 Mbpnanch.exe 1720 Mkgfckcj.exe 3008 Mijfnh32.exe 2256 Mlibjc32.exe 2668 Mdpjlajk.exe 2592 Mcbjgn32.exe 2760 Mimbdhhb.exe 2640 Mpfkqb32.exe 2480 Mgqcmlgl.exe 2768 Miooigfo.exe 2196 Mhbped32.exe 1256 Mpigfa32.exe 1592 Ncgdbmmp.exe 484 Najdnj32.exe 804 Nialog32.exe 272 Nhdlkdkg.exe 1212 Nkbhgojk.exe -
Loads dropped DLL 64 IoCs
pid Process 2964 6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe 2964 6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe 2160 Icbimi32.exe 2160 Icbimi32.exe 2596 Idceea32.exe 2596 Idceea32.exe 2856 Ioijbj32.exe 2856 Ioijbj32.exe 2628 Igdogl32.exe 2628 Igdogl32.exe 2516 Iokfhi32.exe 2516 Iokfhi32.exe 2540 Iqmcpahh.exe 2540 Iqmcpahh.exe 2952 Ihdkao32.exe 2952 Ihdkao32.exe 2652 Ijeghgoh.exe 2652 Ijeghgoh.exe 1296 Icmlam32.exe 1296 Icmlam32.exe 1624 Imfqjbli.exe 1624 Imfqjbli.exe 1872 Icpigm32.exe 1872 Icpigm32.exe 320 Jnemdecl.exe 320 Jnemdecl.exe 816 Jqdipqbp.exe 816 Jqdipqbp.exe 1732 Jofiln32.exe 1732 Jofiln32.exe 316 Jmjjea32.exe 316 Jmjjea32.exe 2036 Jfcnngnd.exe 2036 Jfcnngnd.exe 408 Jkpgfn32.exe 408 Jkpgfn32.exe 2424 Jehkodcm.exe 2424 Jehkodcm.exe 1356 Jkbcln32.exe 1356 Jkbcln32.exe 1116 Jnclnihj.exe 1116 Jnclnihj.exe 1964 Jbnhng32.exe 1964 Jbnhng32.exe 2412 Kkgmgmfd.exe 2412 Kkgmgmfd.exe 1608 Kneicieh.exe 1608 Kneicieh.exe 1368 Kaceodek.exe 1368 Kaceodek.exe 1716 Kkijmm32.exe 1716 Kkijmm32.exe 1548 Kafbec32.exe 1548 Kafbec32.exe 1724 Kfbkmk32.exe 1724 Kfbkmk32.exe 2736 Kjqccigf.exe 2736 Kjqccigf.exe 2660 Kaklpcoc.exe 2660 Kaklpcoc.exe 2496 Kifpdelo.exe 2496 Kifpdelo.exe 2520 Kmaled32.exe 2520 Kmaled32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ndhipoob.exe Naimccpo.exe File created C:\Windows\SysWOW64\Nhiffc32.exe Nncahjgl.exe File created C:\Windows\SysWOW64\Ncdbcl32.dll Aoepcn32.exe File opened for modification C:\Windows\SysWOW64\Bidjnkdg.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Ghelfg32.exe Gpncej32.exe File created C:\Windows\SysWOW64\Bkfeekif.dll Gebbnpfp.exe File created C:\Windows\SysWOW64\Cinekb32.dll Iedkbc32.exe File created C:\Windows\SysWOW64\Ijdqna32.exe Ieidmbcc.exe File created C:\Windows\SysWOW64\Mggpgmof.exe Lollckbk.exe File opened for modification C:\Windows\SysWOW64\Qmfgjh32.exe Pjhknm32.exe File created C:\Windows\SysWOW64\Cppkph32.exe Cldooj32.exe File created C:\Windows\SysWOW64\Fkcpip32.dll Fmbhok32.exe File opened for modification C:\Windows\SysWOW64\Ifkacb32.exe Icmegf32.exe File opened for modification C:\Windows\SysWOW64\Mooaljkh.exe Mpmapm32.exe File created C:\Windows\SysWOW64\Mdpjlajk.exe Mlibjc32.exe File created C:\Windows\SysWOW64\Ilcbjpbn.dll Bdbhke32.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Njabih32.dll Boqbfb32.exe File created C:\Windows\SysWOW64\Bhigphio.exe Bekkcljk.exe File created C:\Windows\SysWOW64\Dgnijonn.dll Idceea32.exe File created C:\Windows\SysWOW64\Nadddkfi.dll Olmhdf32.exe File opened for modification C:\Windows\SysWOW64\Dgjclbdi.exe Ccngld32.exe File created C:\Windows\SysWOW64\Fkeemhpn.dll Mpigfa32.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Eccmffjf.exe File opened for modification C:\Windows\SysWOW64\Ikkjbe32.exe Iccbqh32.exe File created C:\Windows\SysWOW64\Opfdll32.dll Ckafbbph.exe File created C:\Windows\SysWOW64\Dmkmmi32.dll Echfaf32.exe File created C:\Windows\SysWOW64\Kbkameaf.exe Kjdilgpc.exe File created C:\Windows\SysWOW64\Lollckbk.exe Llnofpcg.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pggbla32.exe File opened for modification C:\Windows\SysWOW64\Gdgcpi32.exe Gedbdlbb.exe File opened for modification C:\Windows\SysWOW64\Jnkpbcjg.exe Jjpcbe32.exe File opened for modification C:\Windows\SysWOW64\Jghmfhmb.exe Joaeeklp.exe File opened for modification C:\Windows\SysWOW64\Nmnace32.exe Nkpegi32.exe File opened for modification C:\Windows\SysWOW64\Kebgia32.exe Kfpgmdog.exe File created C:\Windows\SysWOW64\Ijeghgoh.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Kneicieh.exe Kkgmgmfd.exe File created C:\Windows\SysWOW64\Pgeefbhm.exe Pqkmjh32.exe File created C:\Windows\SysWOW64\Bidjnkdg.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Boqbfb32.exe Blbfjg32.exe File created C:\Windows\SysWOW64\Ganpomec.exe Gmbdnn32.exe File created C:\Windows\SysWOW64\Ggeiabkc.dll Ganpomec.exe File created C:\Windows\SysWOW64\Ojchmpcd.dll Jmjjea32.exe File created C:\Windows\SysWOW64\Fbbecd32.dll Naajoinb.exe File opened for modification C:\Windows\SysWOW64\Aoepcn32.exe Ajjcbpdd.exe File created C:\Windows\SysWOW64\Biddmpnf.dll Heglio32.exe File created C:\Windows\SysWOW64\Leljop32.exe Lapnnafn.exe File opened for modification C:\Windows\SysWOW64\Mkeimlfm.exe Mhgmapfi.exe File created C:\Windows\SysWOW64\Eaklqfem.dll Dfamcogo.exe File opened for modification C:\Windows\SysWOW64\Mppepcfg.exe Mamddf32.exe File opened for modification C:\Windows\SysWOW64\Caknol32.exe Ckafbbph.exe File opened for modification C:\Windows\SysWOW64\Gmpgio32.exe Gjakmc32.exe File created C:\Windows\SysWOW64\Gjdhbc32.exe Ghelfg32.exe File opened for modification C:\Windows\SysWOW64\Olmhdf32.exe Ojolhk32.exe File created C:\Windows\SysWOW64\Ogdafiei.dll Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Homclekn.exe Hlngpjlj.exe File opened for modification C:\Windows\SysWOW64\Leimip32.exe Kbkameaf.exe File created C:\Windows\SysWOW64\Acmmle32.dll Aibajhdn.exe File created C:\Windows\SysWOW64\Aoladf32.dll Fnfamcoj.exe File created C:\Windows\SysWOW64\Mfbnag32.dll Haiccald.exe File created C:\Windows\SysWOW64\Ibebkc32.dll Kgemplap.exe File created C:\Windows\SysWOW64\Nhllob32.exe Nenobfak.exe File created C:\Windows\SysWOW64\Kmaled32.exe Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Mhbped32.exe Miooigfo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4340 4240 WerFault.exe 438 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecbia32.dll" Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jddnncch.dll" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifiacd32.dll" Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kicmdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncmfqkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcjffka.dll" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgbhabjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll" Mpmapm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mapjmehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjqde.dll" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icfofg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicdaj32.dll" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" Bkommo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqqboncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" Jkpgfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbopgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlhkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfimidmd.dll" Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mimbdhhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gikaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgmpikn.dll" Homclekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnndn32.dll" Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjhknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmgocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljnnb32.dll" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjppa32.dll" Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nookinfk.dll" Icmegf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikhjki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjhknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" Mapjmehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joaeeklp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnkjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higeofeq.dll" Gdgcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkjnkib.dll" Pggbla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blbfjg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2160 2964 6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2160 2964 6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2160 2964 6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2160 2964 6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe 28 PID 2160 wrote to memory of 2596 2160 Icbimi32.exe 29 PID 2160 wrote to memory of 2596 2160 Icbimi32.exe 29 PID 2160 wrote to memory of 2596 2160 Icbimi32.exe 29 PID 2160 wrote to memory of 2596 2160 Icbimi32.exe 29 PID 2596 wrote to memory of 2856 2596 Idceea32.exe 30 PID 2596 wrote to memory of 2856 2596 Idceea32.exe 30 PID 2596 wrote to memory of 2856 2596 Idceea32.exe 30 PID 2596 wrote to memory of 2856 2596 Idceea32.exe 30 PID 2856 wrote to memory of 2628 2856 Ioijbj32.exe 31 PID 2856 wrote to memory of 2628 2856 Ioijbj32.exe 31 PID 2856 wrote to memory of 2628 2856 Ioijbj32.exe 31 PID 2856 wrote to memory of 2628 2856 Ioijbj32.exe 31 PID 2628 wrote to memory of 2516 2628 Igdogl32.exe 32 PID 2628 wrote to memory of 2516 2628 Igdogl32.exe 32 PID 2628 wrote to memory of 2516 2628 Igdogl32.exe 32 PID 2628 wrote to memory of 2516 2628 Igdogl32.exe 32 PID 2516 wrote to memory of 2540 2516 Iokfhi32.exe 33 PID 2516 wrote to memory of 2540 2516 Iokfhi32.exe 33 PID 2516 wrote to memory of 2540 2516 Iokfhi32.exe 33 PID 2516 wrote to memory of 2540 2516 Iokfhi32.exe 33 PID 2540 wrote to memory of 2952 2540 Iqmcpahh.exe 34 PID 2540 wrote to memory of 2952 2540 Iqmcpahh.exe 34 PID 2540 wrote to memory of 2952 2540 Iqmcpahh.exe 34 PID 2540 wrote to memory of 2952 2540 Iqmcpahh.exe 34 PID 2952 wrote to memory of 2652 2952 Ihdkao32.exe 35 PID 2952 wrote to memory of 2652 2952 Ihdkao32.exe 35 PID 2952 wrote to memory of 2652 2952 Ihdkao32.exe 35 PID 2952 wrote to memory of 2652 2952 Ihdkao32.exe 35 PID 2652 wrote to memory of 1296 2652 Ijeghgoh.exe 36 PID 2652 wrote to memory of 1296 2652 Ijeghgoh.exe 36 PID 2652 wrote to memory of 1296 2652 Ijeghgoh.exe 36 PID 2652 wrote to memory of 1296 2652 Ijeghgoh.exe 36 PID 1296 wrote to memory of 1624 1296 Icmlam32.exe 37 PID 1296 wrote to memory of 1624 1296 Icmlam32.exe 37 PID 1296 wrote to memory of 1624 1296 Icmlam32.exe 37 PID 1296 wrote to memory of 1624 1296 Icmlam32.exe 37 PID 1624 wrote to memory of 1872 1624 Imfqjbli.exe 38 PID 1624 wrote to memory of 1872 1624 Imfqjbli.exe 38 PID 1624 wrote to memory of 1872 1624 Imfqjbli.exe 38 PID 1624 wrote to memory of 1872 1624 Imfqjbli.exe 38 PID 1872 wrote to memory of 320 1872 Icpigm32.exe 39 PID 1872 wrote to memory of 320 1872 Icpigm32.exe 39 PID 1872 wrote to memory of 320 1872 Icpigm32.exe 39 PID 1872 wrote to memory of 320 1872 Icpigm32.exe 39 PID 320 wrote to memory of 816 320 Jnemdecl.exe 40 PID 320 wrote to memory of 816 320 Jnemdecl.exe 40 PID 320 wrote to memory of 816 320 Jnemdecl.exe 40 PID 320 wrote to memory of 816 320 Jnemdecl.exe 40 PID 816 wrote to memory of 1732 816 Jqdipqbp.exe 41 PID 816 wrote to memory of 1732 816 Jqdipqbp.exe 41 PID 816 wrote to memory of 1732 816 Jqdipqbp.exe 41 PID 816 wrote to memory of 1732 816 Jqdipqbp.exe 41 PID 1732 wrote to memory of 316 1732 Jofiln32.exe 42 PID 1732 wrote to memory of 316 1732 Jofiln32.exe 42 PID 1732 wrote to memory of 316 1732 Jofiln32.exe 42 PID 1732 wrote to memory of 316 1732 Jofiln32.exe 42 PID 316 wrote to memory of 2036 316 Jmjjea32.exe 43 PID 316 wrote to memory of 2036 316 Jmjjea32.exe 43 PID 316 wrote to memory of 2036 316 Jmjjea32.exe 43 PID 316 wrote to memory of 2036 316 Jmjjea32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6483126a8256a21daf9f4e3f23a64300_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe33⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe34⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe36⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe37⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe39⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe42⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe47⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe48⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe49⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe50⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe51⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe54⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe56⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe59⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe61⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe62⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe63⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe65⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe66⤵PID:2340
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe67⤵PID:1568
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe69⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe71⤵PID:2376
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe72⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe73⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe74⤵PID:2464
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe75⤵PID:2004
-
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe76⤵PID:2840
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe77⤵PID:1200
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe78⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:112 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe81⤵PID:1104
-
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe83⤵PID:1048
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe84⤵PID:1988
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe85⤵
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe86⤵PID:2312
-
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe87⤵PID:3048
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe88⤵PID:2240
-
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe89⤵PID:2384
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe90⤵PID:2472
-
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe91⤵PID:2136
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe92⤵PID:2956
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe93⤵PID:1324
-
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe94⤵PID:1648
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe96⤵PID:1280
-
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe97⤵PID:1524
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe98⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe99⤵PID:1096
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe100⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe101⤵PID:900
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe102⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe103⤵PID:2560
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe104⤵PID:2684
-
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe105⤵PID:2468
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe107⤵PID:2792
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe108⤵PID:2188
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe109⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe110⤵PID:2436
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe112⤵PID:2276
-
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe113⤵PID:956
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe114⤵PID:2000
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe115⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe116⤵
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe118⤵PID:2944
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe120⤵PID:2208
-
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe121⤵PID:2372
-
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe122⤵
- Drops file in System32 directory
PID:2360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-