Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:38
Behavioral task
behavioral1
Sample
611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe
-
Size
305KB
-
MD5
611ac397be37155ff478f8b39878e8d0
-
SHA1
378fb7eb0cb59c4897ebd2bc6fe0c175efed3a51
-
SHA256
4abd312fe756e881ad8e6fd4f507dc6e2b8e1c790461cbf842de18880e7ba96d
-
SHA512
7a5b3d21bbdbdcf329e71e8d2f688833d9301660cf789c4d4adbb653f65519f47cff9c3671bab8616ab4f98278ecf518dae9d4598544aae4a79e7038a61fadb0
-
SSDEEP
6144:fPWxXPEVEONxunXe8yhrtMsQBvli+RQFdq:fPWxMdvAO8qRMsrOQF
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aajpelhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khekgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgfgdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngkmnacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkjdhpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppamme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllpkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfgmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcodno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ichico32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maphdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkmnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifkojiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Maphdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkobnqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amejeljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbalnnam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfahp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqljlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbcicmpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgajhbkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jakfkfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjdbcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncmdhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coklgg32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000a00000001211e-5.dat family_berbew behavioral1/files/0x00090000000134f5-18.dat family_berbew behavioral1/files/0x0008000000013a15-32.dat family_berbew behavioral1/files/0x0008000000013a85-45.dat family_berbew behavioral1/files/0x0006000000014525-58.dat family_berbew behavioral1/files/0x00060000000145d4-72.dat family_berbew behavioral1/files/0x0006000000014730-86.dat family_berbew behavioral1/files/0x000600000001475f-100.dat family_berbew behavioral1/files/0x0006000000014a29-114.dat family_berbew behavioral1/files/0x0006000000014c0b-135.dat family_berbew behavioral1/files/0x0006000000014fac-142.dat family_berbew behavioral1/files/0x00060000000150aa-162.dat family_berbew behavioral1/files/0x000600000001543a-169.dat family_berbew behavioral1/files/0x0006000000015a15-183.dat family_berbew behavioral1/files/0x0006000000015b72-196.dat family_berbew behavioral1/files/0x0006000000015c91-216.dat family_berbew behavioral1/files/0x0006000000015ca9-226.dat family_berbew behavioral1/memory/768-233-0x00000000002E0000-0x0000000000323000-memory.dmp family_berbew behavioral1/memory/2228-239-0x0000000000250000-0x0000000000293000-memory.dmp family_berbew behavioral1/files/0x0006000000015cca-236.dat family_berbew behavioral1/files/0x0006000000015ce1-247.dat family_berbew behavioral1/memory/2328-258-0x0000000000250000-0x0000000000293000-memory.dmp family_berbew behavioral1/files/0x0006000000015cf5-259.dat family_berbew behavioral1/files/0x0006000000015d13-269.dat family_berbew behavioral1/memory/2408-273-0x0000000001FD0000-0x0000000002013000-memory.dmp family_berbew behavioral1/files/0x0006000000015d28-280.dat family_berbew behavioral1/files/0x0006000000015d99-291.dat family_berbew behavioral1/files/0x0006000000015fbb-302.dat family_berbew behavioral1/memory/1712-309-0x0000000000450000-0x0000000000493000-memory.dmp family_berbew behavioral1/files/0x0006000000016126-312.dat family_berbew behavioral1/files/0x000600000001640f-322.dat family_berbew behavioral1/files/0x0006000000016591-334.dat family_berbew behavioral1/files/0x0006000000016a3a-345.dat family_berbew behavioral1/files/0x0006000000016c57-357.dat family_berbew behavioral1/files/0x0006000000016ca1-367.dat family_berbew behavioral1/memory/2648-370-0x0000000000250000-0x0000000000293000-memory.dmp family_berbew behavioral1/files/0x0006000000016cf2-379.dat family_berbew behavioral1/files/0x0006000000016d10-389.dat family_berbew behavioral1/memory/1964-392-0x0000000000250000-0x0000000000293000-memory.dmp family_berbew behavioral1/files/0x0006000000016d21-400.dat family_berbew behavioral1/files/0x0006000000016d36-411.dat family_berbew behavioral1/files/0x0006000000016d46-423.dat family_berbew behavioral1/files/0x0006000000016d57-433.dat family_berbew behavioral1/files/0x0006000000016d73-444.dat family_berbew behavioral1/memory/112-459-0x00000000002E0000-0x0000000000323000-memory.dmp family_berbew behavioral1/files/0x0006000000016d7d-455.dat family_berbew behavioral1/files/0x000600000001708c-467.dat family_berbew behavioral1/files/0x000600000001738e-477.dat family_berbew behavioral1/files/0x00060000000173e2-489.dat family_berbew behavioral1/files/0x0006000000017436-497.dat family_berbew behavioral1/files/0x0006000000017577-509.dat family_berbew behavioral1/files/0x00060000000175fd-519.dat family_berbew behavioral1/files/0x000d000000018689-529.dat family_berbew behavioral1/files/0x000500000001870e-539.dat family_berbew behavioral1/files/0x0005000000018749-550.dat family_berbew behavioral1/files/0x000600000001902f-559.dat family_berbew behavioral1/files/0x000500000001925a-571.dat family_berbew behavioral1/files/0x000500000001927b-582.dat family_berbew behavioral1/files/0x000500000001937a-592.dat family_berbew behavioral1/files/0x00050000000193b6-603.dat family_berbew behavioral1/files/0x00050000000193d4-613.dat family_berbew behavioral1/files/0x00050000000193fd-626.dat family_berbew behavioral1/files/0x000500000001943a-636.dat family_berbew behavioral1/files/0x0005000000019539-639.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1736 Hdpplb32.exe 2404 Idblbb32.exe 2804 Ichico32.exe 2700 Iqljlb32.exe 2552 Imbkadcl.exe 2540 Ifkojiim.exe 2588 Jkjdhpea.exe 2900 Jbdlejmn.exe 2640 Jedefejo.exe 2856 Jakfkfpc.exe 2732 Jjfgjk32.exe 1872 Kbalnnam.exe 1444 Kbcicmpj.exe 1284 Kinaqg32.exe 2268 Kpjfba32.exe 768 Khekgc32.exe 2228 Lekhfgfc.exe 2340 Lhjdbcef.exe 2328 Ldqegd32.exe 2408 Lgoacojo.exe 1376 Lbfahp32.exe 1036 Lkmjin32.exe 1712 Lefkjkmc.exe 2024 Llqcfe32.exe 2356 Mgfgdn32.exe 888 Mpolmdkg.exe 1576 Maphdl32.exe 2832 Mcodno32.exe 2648 Mepnpj32.exe 2696 Mgajhbkg.exe 1964 Mnkbdlbd.exe 2576 Mkobnqan.exe 2524 Ndgggf32.exe 2484 Npnhlg32.exe 2928 Ncmdhb32.exe 3028 Ncoamb32.exe 112 Ngkmnacm.exe 1584 Nofabc32.exe 2864 Nccjhafn.exe 2100 Ohqbqhde.exe 2096 Obigjnkf.exe 2508 Ogfpbeim.exe 2056 Oomhcbjp.exe 628 Oghlgdgk.exe 1836 Onbddoog.exe 1364 Oelmai32.exe 2264 Ocomlemo.exe 1784 Okfencna.exe 1912 Ondajnme.exe 564 Ogmfbd32.exe 1764 Ongnonkb.exe 468 Paejki32.exe 2392 Pccfge32.exe 2120 Pjmodopf.exe 2956 Pmlkpjpj.exe 2796 Pcfcmd32.exe 3024 Pbiciana.exe 2596 Piblek32.exe 792 Plahag32.exe 1236 Pchpbded.exe 2468 Pbkpna32.exe 1432 Peiljl32.exe 2752 Ppoqge32.exe 1436 Pigeqkai.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe 2220 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe 1736 Hdpplb32.exe 1736 Hdpplb32.exe 2404 Idblbb32.exe 2404 Idblbb32.exe 2804 Ichico32.exe 2804 Ichico32.exe 2700 Iqljlb32.exe 2700 Iqljlb32.exe 2552 Imbkadcl.exe 2552 Imbkadcl.exe 2540 Ifkojiim.exe 2540 Ifkojiim.exe 2588 Jkjdhpea.exe 2588 Jkjdhpea.exe 2900 Jbdlejmn.exe 2900 Jbdlejmn.exe 2640 Jedefejo.exe 2640 Jedefejo.exe 2856 Jakfkfpc.exe 2856 Jakfkfpc.exe 2732 Jjfgjk32.exe 2732 Jjfgjk32.exe 1872 Kbalnnam.exe 1872 Kbalnnam.exe 1444 Kbcicmpj.exe 1444 Kbcicmpj.exe 1284 Kinaqg32.exe 1284 Kinaqg32.exe 2268 Kpjfba32.exe 2268 Kpjfba32.exe 768 Khekgc32.exe 768 Khekgc32.exe 2228 Lekhfgfc.exe 2228 Lekhfgfc.exe 2340 Lhjdbcef.exe 2340 Lhjdbcef.exe 2328 Ldqegd32.exe 2328 Ldqegd32.exe 2408 Lgoacojo.exe 2408 Lgoacojo.exe 1376 Lbfahp32.exe 1376 Lbfahp32.exe 1036 Lkmjin32.exe 1036 Lkmjin32.exe 1712 Lefkjkmc.exe 1712 Lefkjkmc.exe 2024 Llqcfe32.exe 2024 Llqcfe32.exe 2356 Mgfgdn32.exe 2356 Mgfgdn32.exe 888 Mpolmdkg.exe 888 Mpolmdkg.exe 1576 Maphdl32.exe 1576 Maphdl32.exe 2832 Mcodno32.exe 2832 Mcodno32.exe 2648 Mepnpj32.exe 2648 Mepnpj32.exe 2696 Mgajhbkg.exe 2696 Mgajhbkg.exe 1964 Mnkbdlbd.exe 1964 Mnkbdlbd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pljpdpao.dll Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Kbalnnam.exe Jjfgjk32.exe File created C:\Windows\SysWOW64\Lekhfgfc.exe Khekgc32.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cfbhnaho.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hiekid32.exe File created C:\Windows\SysWOW64\Anllbdkl.dll Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Pjmodopf.exe Pccfge32.exe File opened for modification C:\Windows\SysWOW64\Amejeljk.exe Aenbdoii.exe File created C:\Windows\SysWOW64\Jiiegafd.dll Ebinic32.exe File created C:\Windows\SysWOW64\Kjpfgi32.dll Gfefiemq.exe File created C:\Windows\SysWOW64\Bmeohn32.dll Baqbenep.exe File opened for modification C:\Windows\SysWOW64\Hggomh32.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Hellne32.exe Hobcak32.exe File created C:\Windows\SysWOW64\Iddckpim.dll Pjmodopf.exe File opened for modification C:\Windows\SysWOW64\Ambmpmln.exe Abmibdlh.exe File created C:\Windows\SysWOW64\Alihbgdo.dll Bhhnli32.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Dmafennb.exe Dfgmhd32.exe File opened for modification C:\Windows\SysWOW64\Faagpp32.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Njgcpp32.dll Geolea32.exe File created C:\Windows\SysWOW64\Fealjk32.dll Hmlnoc32.exe File created C:\Windows\SysWOW64\Eemeeh32.dll Llqcfe32.exe File created C:\Windows\SysWOW64\Ncoamb32.exe Ncmdhb32.exe File created C:\Windows\SysWOW64\Obigjnkf.exe Ohqbqhde.exe File opened for modification C:\Windows\SysWOW64\Ahokfj32.exe Ailkjmpo.exe File opened for modification C:\Windows\SysWOW64\Epieghdk.exe Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Jakfkfpc.exe Jedefejo.exe File opened for modification C:\Windows\SysWOW64\Lkmjin32.exe Lbfahp32.exe File created C:\Windows\SysWOW64\Ppoqge32.exe Peiljl32.exe File created C:\Windows\SysWOW64\Pafagk32.dll Dmafennb.exe File opened for modification C:\Windows\SysWOW64\Ckffgg32.exe Cdlnkmha.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Hiqbndpb.exe Ghoegl32.exe File created C:\Windows\SysWOW64\Egdgmmje.dll Onbddoog.exe File created C:\Windows\SysWOW64\Mpmchlpl.dll Pbiciana.exe File created C:\Windows\SysWOW64\Mefagn32.dll Pijbfj32.exe File created C:\Windows\SysWOW64\Nlbodgap.dll Cckace32.exe File created C:\Windows\SysWOW64\Maphhihi.dll Eeqdep32.exe File created C:\Windows\SysWOW64\Dgogib32.dll Jakfkfpc.exe File created C:\Windows\SysWOW64\Dhnakg32.dll Lgoacojo.exe File created C:\Windows\SysWOW64\Ongnonkb.exe Ogmfbd32.exe File created C:\Windows\SysWOW64\Cbamcl32.dll Chemfl32.exe File created C:\Windows\SysWOW64\Omeope32.dll Cdlnkmha.exe File created C:\Windows\SysWOW64\Ahcfok32.dll Djnpnc32.exe File opened for modification C:\Windows\SysWOW64\Faokjpfd.exe Fjdbnf32.exe File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Maphdl32.exe Mpolmdkg.exe File created C:\Windows\SysWOW64\Bnebmi32.dll Ngkmnacm.exe File created C:\Windows\SysWOW64\Imhjppim.dll Ccdlbf32.exe File created C:\Windows\SysWOW64\Ckffgg32.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Lhcecp32.dll Ampqjm32.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bbdocc32.exe File created C:\Windows\SysWOW64\Dfgmhd32.exe Dgdmmgpj.exe File created C:\Windows\SysWOW64\Ddbkoipg.dll Ogmfbd32.exe File created C:\Windows\SysWOW64\Niifne32.dll Ckffgg32.exe File created C:\Windows\SysWOW64\Dmoipopd.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hellne32.exe File opened for modification C:\Windows\SysWOW64\Ondajnme.exe Okfencna.exe File opened for modification C:\Windows\SysWOW64\Ddokpmfo.exe Dbpodagk.exe File created C:\Windows\SysWOW64\Dcdooi32.dll Fmhheqje.exe File opened for modification C:\Windows\SysWOW64\Hmlnoc32.exe Hiqbndpb.exe File opened for modification C:\Windows\SysWOW64\Bokphdld.exe Blmdlhmp.exe File created C:\Windows\SysWOW64\Dbnkge32.dll Gmgdddmq.exe File created C:\Windows\SysWOW64\Jmmjdk32.dll Gogangdc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2912 2496 WerFault.exe 215 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokefmej.dll" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andkhh32.dll" Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekklaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkdol32.dll" Comimg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjmodopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjfhhen.dll" Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekpaqgc.dll" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poaljn32.dll" Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbkoipg.dll" Ogmfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqddgc32.dll" Ahchbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghoegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbdlejmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idblbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nccjhafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccobp32.dll" Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjcpefo.dll" Hdpplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdgmmje.dll" Onbddoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjcnn32.dll" 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjknnbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhljm32.dll" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bingpmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgobd32.dll" Khekgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpolmdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncoamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjghmm32.dll" Ifkojiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djpmccqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfgmhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Faagpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecghfh32.dll" Iqljlb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1736 2220 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1736 2220 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1736 2220 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1736 2220 611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe 28 PID 1736 wrote to memory of 2404 1736 Hdpplb32.exe 29 PID 1736 wrote to memory of 2404 1736 Hdpplb32.exe 29 PID 1736 wrote to memory of 2404 1736 Hdpplb32.exe 29 PID 1736 wrote to memory of 2404 1736 Hdpplb32.exe 29 PID 2404 wrote to memory of 2804 2404 Idblbb32.exe 30 PID 2404 wrote to memory of 2804 2404 Idblbb32.exe 30 PID 2404 wrote to memory of 2804 2404 Idblbb32.exe 30 PID 2404 wrote to memory of 2804 2404 Idblbb32.exe 30 PID 2804 wrote to memory of 2700 2804 Ichico32.exe 31 PID 2804 wrote to memory of 2700 2804 Ichico32.exe 31 PID 2804 wrote to memory of 2700 2804 Ichico32.exe 31 PID 2804 wrote to memory of 2700 2804 Ichico32.exe 31 PID 2700 wrote to memory of 2552 2700 Iqljlb32.exe 32 PID 2700 wrote to memory of 2552 2700 Iqljlb32.exe 32 PID 2700 wrote to memory of 2552 2700 Iqljlb32.exe 32 PID 2700 wrote to memory of 2552 2700 Iqljlb32.exe 32 PID 2552 wrote to memory of 2540 2552 Imbkadcl.exe 33 PID 2552 wrote to memory of 2540 2552 Imbkadcl.exe 33 PID 2552 wrote to memory of 2540 2552 Imbkadcl.exe 33 PID 2552 wrote to memory of 2540 2552 Imbkadcl.exe 33 PID 2540 wrote to memory of 2588 2540 Ifkojiim.exe 34 PID 2540 wrote to memory of 2588 2540 Ifkojiim.exe 34 PID 2540 wrote to memory of 2588 2540 Ifkojiim.exe 34 PID 2540 wrote to memory of 2588 2540 Ifkojiim.exe 34 PID 2588 wrote to memory of 2900 2588 Jkjdhpea.exe 35 PID 2588 wrote to memory of 2900 2588 Jkjdhpea.exe 35 PID 2588 wrote to memory of 2900 2588 Jkjdhpea.exe 35 PID 2588 wrote to memory of 2900 2588 Jkjdhpea.exe 35 PID 2900 wrote to memory of 2640 2900 Jbdlejmn.exe 36 PID 2900 wrote to memory of 2640 2900 Jbdlejmn.exe 36 PID 2900 wrote to memory of 2640 2900 Jbdlejmn.exe 36 PID 2900 wrote to memory of 2640 2900 Jbdlejmn.exe 36 PID 2640 wrote to memory of 2856 2640 Jedefejo.exe 37 PID 2640 wrote to memory of 2856 2640 Jedefejo.exe 37 PID 2640 wrote to memory of 2856 2640 Jedefejo.exe 37 PID 2640 wrote to memory of 2856 2640 Jedefejo.exe 37 PID 2856 wrote to memory of 2732 2856 Jakfkfpc.exe 38 PID 2856 wrote to memory of 2732 2856 Jakfkfpc.exe 38 PID 2856 wrote to memory of 2732 2856 Jakfkfpc.exe 38 PID 2856 wrote to memory of 2732 2856 Jakfkfpc.exe 38 PID 2732 wrote to memory of 1872 2732 Jjfgjk32.exe 39 PID 2732 wrote to memory of 1872 2732 Jjfgjk32.exe 39 PID 2732 wrote to memory of 1872 2732 Jjfgjk32.exe 39 PID 2732 wrote to memory of 1872 2732 Jjfgjk32.exe 39 PID 1872 wrote to memory of 1444 1872 Kbalnnam.exe 40 PID 1872 wrote to memory of 1444 1872 Kbalnnam.exe 40 PID 1872 wrote to memory of 1444 1872 Kbalnnam.exe 40 PID 1872 wrote to memory of 1444 1872 Kbalnnam.exe 40 PID 1444 wrote to memory of 1284 1444 Kbcicmpj.exe 41 PID 1444 wrote to memory of 1284 1444 Kbcicmpj.exe 41 PID 1444 wrote to memory of 1284 1444 Kbcicmpj.exe 41 PID 1444 wrote to memory of 1284 1444 Kbcicmpj.exe 41 PID 1284 wrote to memory of 2268 1284 Kinaqg32.exe 42 PID 1284 wrote to memory of 2268 1284 Kinaqg32.exe 42 PID 1284 wrote to memory of 2268 1284 Kinaqg32.exe 42 PID 1284 wrote to memory of 2268 1284 Kinaqg32.exe 42 PID 2268 wrote to memory of 768 2268 Kpjfba32.exe 43 PID 2268 wrote to memory of 768 2268 Kpjfba32.exe 43 PID 2268 wrote to memory of 768 2268 Kpjfba32.exe 43 PID 2268 wrote to memory of 768 2268 Kpjfba32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\611ac397be37155ff478f8b39878e8d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe34⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:112 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe44⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe45⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe47⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe59⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe60⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe61⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe67⤵PID:2492
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe69⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe70⤵PID:1992
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe71⤵PID:1852
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe72⤵PID:2388
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe73⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe74⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe75⤵PID:1600
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe77⤵PID:2528
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe78⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe79⤵
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe82⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe83⤵PID:1960
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe85⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe87⤵PID:2604
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe88⤵PID:1556
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe90⤵PID:2168
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:540 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe92⤵
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe93⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe94⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe95⤵PID:2548
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe97⤵PID:2788
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe98⤵PID:1044
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe100⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe103⤵
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe104⤵PID:2164
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe109⤵PID:2952
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe110⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:304 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe112⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe113⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe115⤵PID:696
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe116⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe117⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe118⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe120⤵PID:1812
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe121⤵PID:2816
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe122⤵PID:2892
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-