Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
11-05-2024 15:49
Behavioral task
behavioral1
Sample
169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe
-
Size
113KB
-
MD5
169cf9f1e8ad873263e42ae5e7bfae60
-
SHA1
d43c3501129671e97dd0a15cf92db514d371ae92
-
SHA256
77c6d970264d4ff4f85ad0d7efcba1f2b243317d2560f9bf089d8186f833111d
-
SHA512
fc92264de6e76b597f6ee82299c97f2f16bd225b8a6c4a153cbf9964386142d77c658c9920731311ac1c900900c5bf9c424ac8f50756ae4210271e0044175863
-
SSDEEP
1536:QpzubRWgpO1FnMoO617DWkZFfScD7SzCbHWrAW8wTWiliX:igMSoOuGkZFfFSebHWrH8wTW0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clomqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkqqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njlockkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggpgmof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglfapnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnamk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmbnkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqdajkkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdogl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbllb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbcfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbqecg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kifpdelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemgilhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgidao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bingpmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlnkmha.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1632-0-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/memory/1632-6-0x0000000000290000-0x00000000002CD000-memory.dmp family_berbew behavioral1/files/0x000a000000015f7a-5.dat family_berbew behavioral1/memory/2204-14-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0008000000016bfb-26.dat family_berbew behavioral1/memory/3000-28-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0007000000016c51-34.dat family_berbew behavioral1/memory/3000-41-0x0000000000250000-0x000000000028D000-memory.dmp family_berbew behavioral1/memory/376-42-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0008000000016ca5-48.dat family_berbew behavioral1/memory/2668-55-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0007000000016d16-61.dat family_berbew behavioral1/memory/2448-68-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0007000000016d3e-74.dat family_berbew behavioral1/memory/2464-81-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0006000000016d57-87.dat family_berbew behavioral1/memory/2464-88-0x0000000000270000-0x00000000002AD000-memory.dmp family_berbew behavioral1/files/0x0006000000016e4a-100.dat family_berbew behavioral1/memory/2940-107-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x000600000001735a-113.dat family_berbew behavioral1/memory/1716-120-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0006000000017374-126.dat family_berbew behavioral1/memory/1920-134-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/memory/1716-133-0x00000000005D0000-0x000000000060D000-memory.dmp family_berbew behavioral1/files/0x00060000000173f2-140.dat family_berbew behavioral1/memory/2184-147-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0006000000017422-153.dat family_berbew behavioral1/memory/2428-160-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x00140000000185e9-166.dat family_berbew behavioral1/memory/2788-173-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x000500000001860c-179.dat family_berbew behavioral1/memory/2820-190-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0006000000018ba1-192.dat family_berbew behavioral1/memory/2260-200-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0006000000018ed8-205.dat family_berbew behavioral1/memory/768-213-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0006000000019052-221.dat family_berbew behavioral1/memory/768-222-0x0000000000250000-0x000000000028D000-memory.dmp family_berbew behavioral1/memory/556-227-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x0005000000019159-229.dat family_berbew behavioral1/memory/612-232-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x00050000000191b0-239.dat family_berbew behavioral1/files/0x00050000000191da-246.dat family_berbew behavioral1/memory/852-249-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/memory/1112-262-0x0000000000260000-0x000000000029D000-memory.dmp family_berbew behavioral1/memory/1112-255-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/memory/2828-263-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x000500000001920d-269.dat family_berbew behavioral1/files/0x00050000000191e7-252.dat family_berbew behavioral1/memory/1552-274-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/memory/852-250-0x0000000000280000-0x00000000002BD000-memory.dmp family_berbew behavioral1/memory/1112-261-0x0000000000260000-0x000000000029D000-memory.dmp family_berbew behavioral1/files/0x0009000000016a29-282.dat family_berbew behavioral1/memory/276-284-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x00050000000192da-290.dat family_berbew behavioral1/memory/1084-304-0x0000000000260000-0x000000000029D000-memory.dmp family_berbew behavioral1/memory/1084-303-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/memory/276-299-0x0000000000250000-0x000000000028D000-memory.dmp family_berbew behavioral1/memory/2092-317-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/memory/2092-322-0x0000000000250000-0x000000000028D000-memory.dmp family_berbew behavioral1/memory/944-314-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral1/files/0x000500000001932a-311.dat family_berbew behavioral1/memory/276-298-0x0000000000250000-0x000000000028D000-memory.dmp family_berbew behavioral1/files/0x0005000000019305-293.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2204 Pbmmcq32.exe 3000 Phjelg32.exe 376 Pabjem32.exe 2668 Qhmbagfa.exe 2448 Qnfjna32.exe 2464 Qeqbkkej.exe 2436 Qljkhe32.exe 2940 Qmlgonbe.exe 1716 Adeplhib.exe 1920 Afdlhchf.exe 2184 Aajpelhl.exe 2428 Adhlaggp.exe 2788 Aiedjneg.exe 2820 Apomfh32.exe 2260 Afiecb32.exe 768 Ambmpmln.exe 556 Alenki32.exe 612 Afkbib32.exe 852 Amejeljk.exe 1112 Alhjai32.exe 2828 Apcfahio.exe 1552 Abbbnchb.exe 276 Aljgfioc.exe 1084 Bbdocc32.exe 944 Bebkpn32.exe 2092 Bingpmnl.exe 1216 Bhahlj32.exe 3044 Bdhhqk32.exe 2548 Bdhhqk32.exe 2588 Bhcdaibd.exe 2544 Balijo32.exe 2468 Bhfagipa.exe 2440 Bkdmcdoe.exe 2460 Bhhnli32.exe 1588 Bjijdadm.exe 2768 Bpcbqk32.exe 1680 Bcaomf32.exe 1956 Cngcjo32.exe 2696 Cpeofk32.exe 1656 Ccdlbf32.exe 2844 Cllpkl32.exe 2288 Cphlljge.exe 560 Cfeddafl.exe 2272 Clomqk32.exe 2408 Cpjiajeb.exe 2888 Cbkeib32.exe 1620 Cfgaiaci.exe 752 Chemfl32.exe 1096 Claifkkf.exe 2976 Copfbfjj.exe 2268 Cckace32.exe 2160 Cbnbobin.exe 2580 Cdlnkmha.exe 1324 Chhjkl32.exe 2708 Clcflkic.exe 2736 Cobbhfhg.exe 2804 Dbpodagk.exe 2492 Dgmglh32.exe 1416 Dkhcmgnl.exe 1528 Dngoibmo.exe 1912 Dqelenlc.exe 2808 Ddagfm32.exe 1916 Dgodbh32.exe 776 Dkkpbgli.exe -
Loads dropped DLL 64 IoCs
pid Process 1632 169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe 1632 169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe 2204 Pbmmcq32.exe 2204 Pbmmcq32.exe 3000 Phjelg32.exe 3000 Phjelg32.exe 376 Pabjem32.exe 376 Pabjem32.exe 2668 Qhmbagfa.exe 2668 Qhmbagfa.exe 2448 Qnfjna32.exe 2448 Qnfjna32.exe 2464 Qeqbkkej.exe 2464 Qeqbkkej.exe 2436 Qljkhe32.exe 2436 Qljkhe32.exe 2940 Qmlgonbe.exe 2940 Qmlgonbe.exe 1716 Adeplhib.exe 1716 Adeplhib.exe 1920 Afdlhchf.exe 1920 Afdlhchf.exe 2184 Aajpelhl.exe 2184 Aajpelhl.exe 2428 Adhlaggp.exe 2428 Adhlaggp.exe 2788 Aiedjneg.exe 2788 Aiedjneg.exe 2820 Apomfh32.exe 2820 Apomfh32.exe 2260 Afiecb32.exe 2260 Afiecb32.exe 768 Ambmpmln.exe 768 Ambmpmln.exe 556 Alenki32.exe 556 Alenki32.exe 612 Afkbib32.exe 612 Afkbib32.exe 852 Amejeljk.exe 852 Amejeljk.exe 1112 Alhjai32.exe 1112 Alhjai32.exe 2828 Apcfahio.exe 2828 Apcfahio.exe 1552 Abbbnchb.exe 1552 Abbbnchb.exe 276 Aljgfioc.exe 276 Aljgfioc.exe 1084 Bbdocc32.exe 1084 Bbdocc32.exe 944 Bebkpn32.exe 944 Bebkpn32.exe 2092 Bingpmnl.exe 2092 Bingpmnl.exe 1216 Bhahlj32.exe 1216 Bhahlj32.exe 3044 Bdhhqk32.exe 3044 Bdhhqk32.exe 2548 Bdhhqk32.exe 2548 Bdhhqk32.exe 2588 Bhcdaibd.exe 2588 Bhcdaibd.exe 2544 Balijo32.exe 2544 Balijo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bpgljfbl.exe Amhpnkch.exe File opened for modification C:\Windows\SysWOW64\Bcaomf32.exe Bpcbqk32.exe File opened for modification C:\Windows\SysWOW64\Claifkkf.exe Chemfl32.exe File created C:\Windows\SysWOW64\Egdilkbf.exe Eeempocb.exe File opened for modification C:\Windows\SysWOW64\Jqfffqpm.exe Jmjjea32.exe File opened for modification C:\Windows\SysWOW64\Mpfkqb32.exe Mmhodf32.exe File created C:\Windows\SysWOW64\Dcadac32.exe Doehqead.exe File created C:\Windows\SysWOW64\Epgnljad.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Jiiegafd.dll Ealnephf.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Henidd32.exe File created C:\Windows\SysWOW64\Ngpolo32.exe Nceclqan.exe File created C:\Windows\SysWOW64\Kmccegik.dll Obafnlpn.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Filldb32.exe File created C:\Windows\SysWOW64\Jnclnihj.exe Jkdpanhg.exe File opened for modification C:\Windows\SysWOW64\Llkbap32.exe Lhpfqama.exe File created C:\Windows\SysWOW64\Pnomcl32.exe Pjcabmga.exe File opened for modification C:\Windows\SysWOW64\Cafecmlj.exe Cohigamf.exe File created C:\Windows\SysWOW64\Mfacfkje.dll Djhphncm.exe File opened for modification C:\Windows\SysWOW64\Bpcbqk32.exe Bjijdadm.exe File opened for modification C:\Windows\SysWOW64\Kjjmbj32.exe Kgkafo32.exe File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe Npdjje32.exe File opened for modification C:\Windows\SysWOW64\Iaeiieeb.exe Hkkalk32.exe File opened for modification C:\Windows\SysWOW64\Ocgpappk.exe Oddpfc32.exe File created C:\Windows\SysWOW64\Chfpgj32.dll Ombapedi.exe File created C:\Windows\SysWOW64\Mclgfa32.dll Bbjbaa32.exe File created C:\Windows\SysWOW64\Clcflkic.exe Chhjkl32.exe File created C:\Windows\SysWOW64\Fncann32.dll Ddagfm32.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Lihmjejl.exe Lfjqnjkh.exe File opened for modification C:\Windows\SysWOW64\Pqhpdhcc.exe Pnjdhmdo.exe File opened for modification C:\Windows\SysWOW64\Bldcpf32.exe Bhigphio.exe File opened for modification C:\Windows\SysWOW64\Ejkima32.exe Egllae32.exe File created C:\Windows\SysWOW64\Feeiob32.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Cmbmkg32.dll Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Iggkllpe.exe Idhopq32.exe File created C:\Windows\SysWOW64\Fidoim32.exe Fjaonpnn.exe File created C:\Windows\SysWOW64\Addnil32.dll Gicbeald.exe File created C:\Windows\SysWOW64\Fndldonj.dll Gbnccfpb.exe File created C:\Windows\SysWOW64\Nkgbbo32.exe Nglfapnl.exe File created C:\Windows\SysWOW64\Abmbhn32.exe Anafhopc.exe File opened for modification C:\Windows\SysWOW64\Eqpgol32.exe Ebmgcohn.exe File created C:\Windows\SysWOW64\Kifjcn32.dll Fbgmbg32.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Nncahjgl.exe Noqamn32.exe File created C:\Windows\SysWOW64\Fbbkkjih.dll Mgnfhlin.exe File opened for modification C:\Windows\SysWOW64\Pnlqnl32.exe Pkndaa32.exe File created C:\Windows\SysWOW64\Aipddi32.exe Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Ahdaee32.exe Aefeijle.exe File created C:\Windows\SysWOW64\Dookgcij.exe Dggcffhg.exe File created C:\Windows\SysWOW64\Gopkmhjk.exe Glaoalkh.exe File created C:\Windows\SysWOW64\Mfnekf32.dll Jifdebic.exe File created C:\Windows\SysWOW64\Nfcijc32.dll Kmopod32.exe File created C:\Windows\SysWOW64\Pgbhabjp.exe Pedleg32.exe File created C:\Windows\SysWOW64\Cdbdjhmp.exe Cadhnmnm.exe File created C:\Windows\SysWOW64\Ldfgebbe.exe Lecgje32.exe File created C:\Windows\SysWOW64\Kdkpbk32.dll Mamddf32.exe File created C:\Windows\SysWOW64\Omkepc32.dll Nceclqan.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Efaibbij.exe Eccmffjf.exe File opened for modification C:\Windows\SysWOW64\Eibbcm32.exe Ejobhppq.exe File created C:\Windows\SysWOW64\Fjgoce32.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Gkgkbipp.exe Gldkfl32.exe File created C:\Windows\SysWOW64\Efhhaddp.dll Dliijipn.exe File created C:\Windows\SysWOW64\Qmfgjh32.exe Pjhknm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5976 5912 WerFault.exe 540 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkpmm32.dll" Mlmlecec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmbbii.dll" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkdgmla.dll" Aehboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjajfei.dll" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" Epdkli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Djbiicon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alenki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnomcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nialog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dngoibmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll" Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemacb32.dll" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnclh32.dll" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmpfjke.dll" Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfojbj32.dll" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcdnao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmopod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niifne32.dll" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhmenjp.dll" Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkjnkib.dll" Pfjbgnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enfenplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngoibmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfgbn32.dll" Iqopea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikbgmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inqcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdhhqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flojhn32.dll" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfahhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" Hdhbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1632 wrote to memory of 2204 1632 169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe 28 PID 1632 wrote to memory of 2204 1632 169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe 28 PID 1632 wrote to memory of 2204 1632 169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe 28 PID 1632 wrote to memory of 2204 1632 169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe 28 PID 2204 wrote to memory of 3000 2204 Pbmmcq32.exe 29 PID 2204 wrote to memory of 3000 2204 Pbmmcq32.exe 29 PID 2204 wrote to memory of 3000 2204 Pbmmcq32.exe 29 PID 2204 wrote to memory of 3000 2204 Pbmmcq32.exe 29 PID 3000 wrote to memory of 376 3000 Phjelg32.exe 30 PID 3000 wrote to memory of 376 3000 Phjelg32.exe 30 PID 3000 wrote to memory of 376 3000 Phjelg32.exe 30 PID 3000 wrote to memory of 376 3000 Phjelg32.exe 30 PID 376 wrote to memory of 2668 376 Pabjem32.exe 31 PID 376 wrote to memory of 2668 376 Pabjem32.exe 31 PID 376 wrote to memory of 2668 376 Pabjem32.exe 31 PID 376 wrote to memory of 2668 376 Pabjem32.exe 31 PID 2668 wrote to memory of 2448 2668 Qhmbagfa.exe 32 PID 2668 wrote to memory of 2448 2668 Qhmbagfa.exe 32 PID 2668 wrote to memory of 2448 2668 Qhmbagfa.exe 32 PID 2668 wrote to memory of 2448 2668 Qhmbagfa.exe 32 PID 2448 wrote to memory of 2464 2448 Qnfjna32.exe 33 PID 2448 wrote to memory of 2464 2448 Qnfjna32.exe 33 PID 2448 wrote to memory of 2464 2448 Qnfjna32.exe 33 PID 2448 wrote to memory of 2464 2448 Qnfjna32.exe 33 PID 2464 wrote to memory of 2436 2464 Qeqbkkej.exe 34 PID 2464 wrote to memory of 2436 2464 Qeqbkkej.exe 34 PID 2464 wrote to memory of 2436 2464 Qeqbkkej.exe 34 PID 2464 wrote to memory of 2436 2464 Qeqbkkej.exe 34 PID 2436 wrote to memory of 2940 2436 Qljkhe32.exe 35 PID 2436 wrote to memory of 2940 2436 Qljkhe32.exe 35 PID 2436 wrote to memory of 2940 2436 Qljkhe32.exe 35 PID 2436 wrote to memory of 2940 2436 Qljkhe32.exe 35 PID 2940 wrote to memory of 1716 2940 Qmlgonbe.exe 36 PID 2940 wrote to memory of 1716 2940 Qmlgonbe.exe 36 PID 2940 wrote to memory of 1716 2940 Qmlgonbe.exe 36 PID 2940 wrote to memory of 1716 2940 Qmlgonbe.exe 36 PID 1716 wrote to memory of 1920 1716 Adeplhib.exe 37 PID 1716 wrote to memory of 1920 1716 Adeplhib.exe 37 PID 1716 wrote to memory of 1920 1716 Adeplhib.exe 37 PID 1716 wrote to memory of 1920 1716 Adeplhib.exe 37 PID 1920 wrote to memory of 2184 1920 Afdlhchf.exe 38 PID 1920 wrote to memory of 2184 1920 Afdlhchf.exe 38 PID 1920 wrote to memory of 2184 1920 Afdlhchf.exe 38 PID 1920 wrote to memory of 2184 1920 Afdlhchf.exe 38 PID 2184 wrote to memory of 2428 2184 Aajpelhl.exe 39 PID 2184 wrote to memory of 2428 2184 Aajpelhl.exe 39 PID 2184 wrote to memory of 2428 2184 Aajpelhl.exe 39 PID 2184 wrote to memory of 2428 2184 Aajpelhl.exe 39 PID 2428 wrote to memory of 2788 2428 Adhlaggp.exe 40 PID 2428 wrote to memory of 2788 2428 Adhlaggp.exe 40 PID 2428 wrote to memory of 2788 2428 Adhlaggp.exe 40 PID 2428 wrote to memory of 2788 2428 Adhlaggp.exe 40 PID 2788 wrote to memory of 2820 2788 Aiedjneg.exe 41 PID 2788 wrote to memory of 2820 2788 Aiedjneg.exe 41 PID 2788 wrote to memory of 2820 2788 Aiedjneg.exe 41 PID 2788 wrote to memory of 2820 2788 Aiedjneg.exe 41 PID 2820 wrote to memory of 2260 2820 Apomfh32.exe 42 PID 2820 wrote to memory of 2260 2820 Apomfh32.exe 42 PID 2820 wrote to memory of 2260 2820 Apomfh32.exe 42 PID 2820 wrote to memory of 2260 2820 Apomfh32.exe 42 PID 2260 wrote to memory of 768 2260 Afiecb32.exe 43 PID 2260 wrote to memory of 768 2260 Afiecb32.exe 43 PID 2260 wrote to memory of 768 2260 Afiecb32.exe 43 PID 2260 wrote to memory of 768 2260 Afiecb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\169cf9f1e8ad873263e42ae5e7bfae60_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe33⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe35⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe39⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe40⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe41⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe43⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe44⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe46⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe47⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe48⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe50⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe51⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe52⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe53⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe56⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe58⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe59⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe60⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe66⤵PID:1464
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe67⤵PID:576
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe68⤵PID:1032
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe69⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe70⤵PID:2264
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe71⤵PID:3048
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe72⤵PID:1600
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe74⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe75⤵PID:2504
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe76⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe77⤵PID:1960
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe78⤵PID:1948
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe79⤵PID:2528
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe80⤵PID:1652
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe81⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe82⤵PID:696
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe83⤵PID:1764
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe84⤵PID:2052
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe86⤵PID:1188
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe87⤵PID:2152
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe88⤵PID:2112
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe89⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe90⤵PID:2480
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe91⤵PID:2512
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe93⤵PID:2620
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe95⤵PID:2784
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe96⤵PID:2832
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe97⤵PID:1020
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe98⤵PID:2136
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe99⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe100⤵PID:1612
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe101⤵PID:2904
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe102⤵PID:1232
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe103⤵PID:2644
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe104⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe105⤵PID:2148
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe106⤵PID:1492
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe107⤵PID:1436
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe108⤵PID:2624
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe109⤵PID:580
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe110⤵
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe111⤵PID:408
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe112⤵PID:2068
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe113⤵PID:2396
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe114⤵PID:2564
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe116⤵PID:1968
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe117⤵PID:1660
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe118⤵PID:2616
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe121⤵PID:1876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-