Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 21:51
Behavioral task
behavioral1
Sample
10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe
-
Size
143KB
-
MD5
10c5b1dfe80dbc4aee5b0218f985bdb0
-
SHA1
18b9e9215f3cd027837f2d592fa7e1d4ac35fd93
-
SHA256
0aeaba709710e722d2b5221ed70b407ffb172bee91e5860b9eeb14fc764ed5d7
-
SHA512
93a266a62faa9bffbc682aafc4d586b74a4f4a08fb43f98626c616b08cf3f62505b73c8406af384460808cc5a90c9c6fdf531de7ddd721df00bfc4b3bd93c074
-
SSDEEP
3072:23Yqp6QHbSc2dHGReRRXIu5PR5idF3N93bsGfhv0vt3y:FE6QHbSc2dHGReh5P2dF3vLsGZv0vti
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecqjpee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgoacojo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkkmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgigdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labhkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohbip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdlhchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgclfje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcicmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komfnnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmnbkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Labhkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocomlemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgggf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgldmdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabejlob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpgmhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgmjjdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbcicmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaajlfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipnfged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegnkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkjko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikdkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kljqgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgoacojo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohbip32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2220-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000c00000001315b-5.dat family_berbew behavioral1/memory/2220-6-0x0000000000280000-0x00000000002C0000-memory.dmp family_berbew behavioral1/memory/2472-13-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0008000000013a30-19.dat family_berbew behavioral1/memory/2596-27-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0008000000013a72-33.dat family_berbew behavioral1/memory/2732-40-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000900000001416a-52.dat family_berbew behavioral1/memory/2872-53-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000014662-59.dat family_berbew behavioral1/memory/2872-61-0x0000000000260000-0x00000000002A0000-memory.dmp family_berbew behavioral1/files/0x0006000000014702-72.dat family_berbew behavioral1/memory/2380-74-0x0000000000270000-0x00000000002B0000-memory.dmp family_berbew behavioral1/memory/2428-86-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2428-88-0x0000000000250000-0x0000000000290000-memory.dmp family_berbew behavioral1/files/0x00060000000149e1-85.dat family_berbew behavioral1/memory/2428-98-0x0000000000250000-0x0000000000290000-memory.dmp family_berbew behavioral1/files/0x0006000000014b36-101.dat family_berbew behavioral1/memory/2676-108-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2108-99-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000014dae-114.dat family_berbew behavioral1/files/0x000600000001502c-134.dat family_berbew behavioral1/files/0x00060000000153d9-148.dat family_berbew behavioral1/files/0x00060000000155f6-154.dat family_berbew behavioral1/memory/2320-162-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000600000001564d-171.dat family_berbew behavioral1/files/0x0006000000015c6f-201.dat family_berbew behavioral1/memory/1868-215-0x00000000002D0000-0x0000000000310000-memory.dmp family_berbew behavioral1/memory/2280-237-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/3032-259-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000015e09-276.dat family_berbew behavioral1/memory/1472-269-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/296-283-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000015f3c-285.dat family_berbew behavioral1/memory/2268-305-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/3028-315-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000600000001654a-318.dat family_berbew behavioral1/files/0x0006000000016813-331.dat family_berbew behavioral1/memory/2736-345-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000016c42-351.dat family_berbew behavioral1/memory/2492-356-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/1564-378-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000016d36-417.dat family_berbew behavioral1/files/0x0006000000016fe8-450.dat family_berbew behavioral1/memory/2836-459-0x0000000000250000-0x0000000000290000-memory.dmp family_berbew behavioral1/memory/1412-477-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00060000000175b8-484.dat family_berbew behavioral1/files/0x00050000000186c1-504.dat family_berbew behavioral1/files/0x0005000000018700-515.dat family_berbew behavioral1/files/0x000500000001874c-528.dat family_berbew behavioral1/files/0x00050000000191eb-537.dat family_berbew behavioral1/files/0x0005000000019233-559.dat family_berbew behavioral1/files/0x0005000000019248-570.dat family_berbew behavioral1/files/0x0005000000019331-581.dat family_berbew behavioral1/files/0x000500000001935b-592.dat family_berbew behavioral1/files/0x0005000000019437-635.dat family_berbew behavioral1/files/0x000500000001948d-647.dat family_berbew behavioral1/files/0x0005000000019426-625.dat family_berbew behavioral1/files/0x0005000000019413-614.dat family_berbew behavioral1/files/0x00050000000193e2-605.dat family_berbew behavioral1/files/0x00050000000194c4-657.dat family_berbew behavioral1/files/0x0005000000019520-667.dat family_berbew behavioral1/files/0x0005000000019223-548.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2472 Jghknp32.exe 2596 Jmdcfg32.exe 2732 Kfmhol32.exe 2872 Kikdkh32.exe 2380 Kljqgc32.exe 2428 Kbcicmpj.exe 2108 Kfoedl32.exe 2676 Kinaqg32.exe 1556 Kllmmc32.exe 1992 Kfaajlfp.exe 2136 Kedaeh32.exe 2320 Kipnfged.exe 2792 Komfnnck.exe 2476 Kakbjibo.exe 1868 Kegnkh32.exe 480 Khekgc32.exe 2436 Klqfhbbe.exe 2280 Kjcgco32.exe 280 Koocdnai.exe 3032 Kanopipl.exe 1472 Keikqhhe.exe 296 Lkfciogm.exe 856 Lmdpejfq.exe 2268 Laplei32.exe 3028 Lekhfgfc.exe 2520 Lhjdbcef.exe 2568 Lmgmjjdn.exe 2736 Labhkh32.exe 2492 Lpeifeca.exe 2820 Lgoacojo.exe 1564 Lkkmdn32.exe 2556 Limmokib.exe 1032 Ldcamcih.exe 1584 Lganiohl.exe 2688 Lkmjin32.exe 2316 Llnfaffc.exe 2836 Lefkjkmc.exe 1600 Lmnbkinf.exe 2184 Llqcfe32.exe 1412 Loooca32.exe 908 Mgfgdn32.exe 2944 Midcpj32.exe 2192 Mhgclfje.exe 2196 Mlcple32.exe 300 Mpolmdkg.exe 928 Mcmhiojk.exe 2848 Mekdekin.exe 2904 Mhjpaf32.exe 2508 Mlelaeqk.exe 2480 Mochnppo.exe 2852 Mcodno32.exe 2824 Mabejlob.exe 2456 Mdqafgnf.exe 2352 Mhlmgf32.exe 2496 Mlgigdoh.exe 1372 Mkjica32.exe 2440 Mnieom32.exe 2392 Madapkmp.exe 868 Mepnpj32.exe 680 Mkmfhacp.exe 904 Mohbip32.exe 2700 Magnek32.exe 2748 Mpjoqhah.exe 584 Mhqfbebj.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe 2220 10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe 2472 Jghknp32.exe 2472 Jghknp32.exe 2596 Jmdcfg32.exe 2596 Jmdcfg32.exe 2732 Kfmhol32.exe 2732 Kfmhol32.exe 2872 Kikdkh32.exe 2872 Kikdkh32.exe 2380 Kljqgc32.exe 2380 Kljqgc32.exe 2428 Kbcicmpj.exe 2428 Kbcicmpj.exe 2108 Kfoedl32.exe 2108 Kfoedl32.exe 2676 Kinaqg32.exe 2676 Kinaqg32.exe 1556 Kllmmc32.exe 1556 Kllmmc32.exe 1992 Kfaajlfp.exe 1992 Kfaajlfp.exe 2136 Kedaeh32.exe 2136 Kedaeh32.exe 2320 Kipnfged.exe 2320 Kipnfged.exe 2792 Komfnnck.exe 2792 Komfnnck.exe 2476 Kakbjibo.exe 2476 Kakbjibo.exe 1868 Kegnkh32.exe 1868 Kegnkh32.exe 480 Khekgc32.exe 480 Khekgc32.exe 2436 Klqfhbbe.exe 2436 Klqfhbbe.exe 2280 Kjcgco32.exe 2280 Kjcgco32.exe 280 Koocdnai.exe 280 Koocdnai.exe 3032 Kanopipl.exe 3032 Kanopipl.exe 1472 Keikqhhe.exe 1472 Keikqhhe.exe 296 Lkfciogm.exe 296 Lkfciogm.exe 856 Lmdpejfq.exe 856 Lmdpejfq.exe 2268 Laplei32.exe 2268 Laplei32.exe 3028 Lekhfgfc.exe 3028 Lekhfgfc.exe 2520 Lhjdbcef.exe 2520 Lhjdbcef.exe 2568 Lmgmjjdn.exe 2568 Lmgmjjdn.exe 2736 Labhkh32.exe 2736 Labhkh32.exe 2492 Lpeifeca.exe 2492 Lpeifeca.exe 2820 Lgoacojo.exe 2820 Lgoacojo.exe 1564 Lkkmdn32.exe 1564 Lkkmdn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hlkljlhn.dll Lkfciogm.exe File created C:\Windows\SysWOW64\Madapkmp.exe Mnieom32.exe File opened for modification C:\Windows\SysWOW64\Mcodno32.exe Mochnppo.exe File created C:\Windows\SysWOW64\Mbjlmdgj.dll Ogfpbeim.exe File opened for modification C:\Windows\SysWOW64\Ckignd32.exe Bdooajdc.exe File opened for modification C:\Windows\SysWOW64\Claifkkf.exe Chemfl32.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Flmefm32.exe File opened for modification C:\Windows\SysWOW64\Kanopipl.exe Koocdnai.exe File opened for modification C:\Windows\SysWOW64\Pelipl32.exe Pfiidobe.exe File opened for modification C:\Windows\SysWOW64\Ekklaj32.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Mhgclfje.exe Midcpj32.exe File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Bfekgp32.dll Fddmgjpo.exe File created C:\Windows\SysWOW64\Pljpdpao.dll Hcnpbi32.exe File created C:\Windows\SysWOW64\Pfiidobe.exe Ppoqge32.exe File created C:\Windows\SysWOW64\Dchfknpg.dll Fhffaj32.exe File opened for modification C:\Windows\SysWOW64\Gkkemh32.exe Ghmiam32.exe File created C:\Windows\SysWOW64\Ndabhn32.dll Hlakpp32.exe File created C:\Windows\SysWOW64\Iijmmc32.dll Ngfcca32.exe File created C:\Windows\SysWOW64\Bhfbdd32.dll Abmibdlh.exe File created C:\Windows\SysWOW64\Ihomanac.dll Bommnc32.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Blnhfb32.dll Gelppaof.exe File created C:\Windows\SysWOW64\Klqfhbbe.exe Khekgc32.exe File created C:\Windows\SysWOW64\Iiciogbn.dll Cpeofk32.exe File created C:\Windows\SysWOW64\Hgmhlp32.dll Dqhhknjp.exe File opened for modification C:\Windows\SysWOW64\Dqjepm32.exe Dnlidb32.exe File created C:\Windows\SysWOW64\Cmbmkg32.dll Fbgmbg32.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cjlgiqbk.exe File created C:\Windows\SysWOW64\Epafjqck.dll Emcbkn32.exe File created C:\Windows\SysWOW64\Jmloladn.dll Fjdbnf32.exe File opened for modification C:\Windows\SysWOW64\Apomfh32.exe Aiedjneg.exe File created C:\Windows\SysWOW64\Dngoibmo.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Ddeaalpg.exe Dqjepm32.exe File created C:\Windows\SysWOW64\Ogjbla32.dll Egamfkdh.exe File opened for modification C:\Windows\SysWOW64\Lmnbkinf.exe Lefkjkmc.exe File opened for modification C:\Windows\SysWOW64\Mgfgdn32.exe Loooca32.exe File opened for modification C:\Windows\SysWOW64\Njgldmdc.exe Nghphaeo.exe File opened for modification C:\Windows\SysWOW64\Obkdonic.exe Oomhcbjp.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gdopkn32.exe File created C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File opened for modification C:\Windows\SysWOW64\Pchpbded.exe Ppmdbe32.exe File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe Dkmmhf32.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Lgoacojo.exe Lpeifeca.exe File opened for modification C:\Windows\SysWOW64\Mpolmdkg.exe Mlcple32.exe File created C:\Windows\SysWOW64\Dgmglh32.exe Ddokpmfo.exe File created C:\Windows\SysWOW64\Fiaeoang.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Aimkgn32.dll Gogangdc.exe File created C:\Windows\SysWOW64\Gmdecfpj.dll Bdjefj32.exe File created C:\Windows\SysWOW64\Ppoqge32.exe Plcdgfbo.exe File created C:\Windows\SysWOW64\Ankdiqih.exe Afdlhchf.exe File created C:\Windows\SysWOW64\Elmigj32.exe Egamfkdh.exe File opened for modification C:\Windows\SysWOW64\Elmigj32.exe Egamfkdh.exe File opened for modification C:\Windows\SysWOW64\Gicbeald.exe Gfefiemq.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hjhhocjj.exe File opened for modification C:\Windows\SysWOW64\Pfiidobe.exe Ppoqge32.exe File opened for modification C:\Windows\SysWOW64\Ebinic32.exe Ejbfhfaj.exe File opened for modification C:\Windows\SysWOW64\Kjcgco32.exe Klqfhbbe.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Gkihhhnm.exe Ghkllmoi.exe File opened for modification C:\Windows\SysWOW64\Inljnfkg.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Bdhhqk32.exe Bbflib32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4148 4124 WerFault.exe 337 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlelaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doobajme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffbcfgd.dll" Oomhcbjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdcdhpk.dll" Bagpopmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcehqcli.dll" Lpeifeca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" Hacmcfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjljknn.dll" Kakbjibo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcfgc32.dll" Aiedjneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoffo32.dll" Jghknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflhaaje.dll" Mcodno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kipnfged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifdjp32.dll" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdoqc32.dll" Pccfge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahakmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajenen32.dll" Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmgnnib.dll" Mabejlob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlmdcf.dll" Kikdkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnaid32.dll" Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copfbfjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecmkghcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkmbgdfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gogangdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgoacojo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2472 2220 10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 2472 2220 10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 2472 2220 10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 2472 2220 10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe 28 PID 2472 wrote to memory of 2596 2472 Jghknp32.exe 29 PID 2472 wrote to memory of 2596 2472 Jghknp32.exe 29 PID 2472 wrote to memory of 2596 2472 Jghknp32.exe 29 PID 2472 wrote to memory of 2596 2472 Jghknp32.exe 29 PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe 30 PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe 30 PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe 30 PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe 30 PID 2732 wrote to memory of 2872 2732 Kfmhol32.exe 31 PID 2732 wrote to memory of 2872 2732 Kfmhol32.exe 31 PID 2732 wrote to memory of 2872 2732 Kfmhol32.exe 31 PID 2732 wrote to memory of 2872 2732 Kfmhol32.exe 31 PID 2872 wrote to memory of 2380 2872 Kikdkh32.exe 32 PID 2872 wrote to memory of 2380 2872 Kikdkh32.exe 32 PID 2872 wrote to memory of 2380 2872 Kikdkh32.exe 32 PID 2872 wrote to memory of 2380 2872 Kikdkh32.exe 32 PID 2380 wrote to memory of 2428 2380 Kljqgc32.exe 33 PID 2380 wrote to memory of 2428 2380 Kljqgc32.exe 33 PID 2380 wrote to memory of 2428 2380 Kljqgc32.exe 33 PID 2380 wrote to memory of 2428 2380 Kljqgc32.exe 33 PID 2428 wrote to memory of 2108 2428 Kbcicmpj.exe 34 PID 2428 wrote to memory of 2108 2428 Kbcicmpj.exe 34 PID 2428 wrote to memory of 2108 2428 Kbcicmpj.exe 34 PID 2428 wrote to memory of 2108 2428 Kbcicmpj.exe 34 PID 2108 wrote to memory of 2676 2108 Kfoedl32.exe 35 PID 2108 wrote to memory of 2676 2108 Kfoedl32.exe 35 PID 2108 wrote to memory of 2676 2108 Kfoedl32.exe 35 PID 2108 wrote to memory of 2676 2108 Kfoedl32.exe 35 PID 2676 wrote to memory of 1556 2676 Kinaqg32.exe 36 PID 2676 wrote to memory of 1556 2676 Kinaqg32.exe 36 PID 2676 wrote to memory of 1556 2676 Kinaqg32.exe 36 PID 2676 wrote to memory of 1556 2676 Kinaqg32.exe 36 PID 1556 wrote to memory of 1992 1556 Kllmmc32.exe 37 PID 1556 wrote to memory of 1992 1556 Kllmmc32.exe 37 PID 1556 wrote to memory of 1992 1556 Kllmmc32.exe 37 PID 1556 wrote to memory of 1992 1556 Kllmmc32.exe 37 PID 1992 wrote to memory of 2136 1992 Kfaajlfp.exe 38 PID 1992 wrote to memory of 2136 1992 Kfaajlfp.exe 38 PID 1992 wrote to memory of 2136 1992 Kfaajlfp.exe 38 PID 1992 wrote to memory of 2136 1992 Kfaajlfp.exe 38 PID 2136 wrote to memory of 2320 2136 Kedaeh32.exe 39 PID 2136 wrote to memory of 2320 2136 Kedaeh32.exe 39 PID 2136 wrote to memory of 2320 2136 Kedaeh32.exe 39 PID 2136 wrote to memory of 2320 2136 Kedaeh32.exe 39 PID 2320 wrote to memory of 2792 2320 Kipnfged.exe 40 PID 2320 wrote to memory of 2792 2320 Kipnfged.exe 40 PID 2320 wrote to memory of 2792 2320 Kipnfged.exe 40 PID 2320 wrote to memory of 2792 2320 Kipnfged.exe 40 PID 2792 wrote to memory of 2476 2792 Komfnnck.exe 41 PID 2792 wrote to memory of 2476 2792 Komfnnck.exe 41 PID 2792 wrote to memory of 2476 2792 Komfnnck.exe 41 PID 2792 wrote to memory of 2476 2792 Komfnnck.exe 41 PID 2476 wrote to memory of 1868 2476 Kakbjibo.exe 42 PID 2476 wrote to memory of 1868 2476 Kakbjibo.exe 42 PID 2476 wrote to memory of 1868 2476 Kakbjibo.exe 42 PID 2476 wrote to memory of 1868 2476 Kakbjibo.exe 42 PID 1868 wrote to memory of 480 1868 Kegnkh32.exe 43 PID 1868 wrote to memory of 480 1868 Kegnkh32.exe 43 PID 1868 wrote to memory of 480 1868 Kegnkh32.exe 43 PID 1868 wrote to memory of 480 1868 Kegnkh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\10c5b1dfe80dbc4aee5b0218f985bdb0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:480 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:296 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe33⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe34⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe35⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe36⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe37⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe40⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe42⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe46⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe48⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe49⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe54⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe55⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe57⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe59⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe60⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe61⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe63⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe65⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe66⤵PID:2924
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe67⤵PID:2336
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe69⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe70⤵PID:2608
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe71⤵PID:1012
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe72⤵PID:1428
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe73⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe75⤵PID:1560
-
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe76⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe77⤵PID:2672
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe78⤵PID:1184
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe80⤵PID:1204
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe81⤵PID:592
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe82⤵PID:3064
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe83⤵
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe84⤵PID:832
-
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe85⤵PID:1260
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe86⤵PID:1324
-
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe87⤵PID:2516
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe88⤵PID:1788
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe89⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe90⤵PID:2040
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe91⤵PID:2036
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe92⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe94⤵PID:1952
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe95⤵PID:284
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe96⤵
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe97⤵PID:2412
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe98⤵PID:2684
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe99⤵PID:828
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe101⤵PID:1612
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe102⤵PID:2404
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe103⤵PID:2052
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe104⤵PID:2308
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe105⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe106⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe107⤵PID:1772
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe108⤵PID:2956
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe109⤵PID:800
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe110⤵PID:2532
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe113⤵PID:2044
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe115⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe116⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe117⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe118⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe119⤵PID:912
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe120⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe121⤵
- Modifies registry class
PID:2620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-