Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
12/05/2024, 13:12
Behavioral task
behavioral1
Sample
130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe
-
Size
192KB
-
MD5
130403dc2ba240df84ef7942e41971b0
-
SHA1
034f0c7d35cf558488359fff8a64654b1d5fcdbc
-
SHA256
cdafdc796d9ae54f8d17269c05b8103e5489b94fe438cd6bda1aacccd907c489
-
SHA512
1cbbb91f57595d48e4610ec48c6e8c3bb4d8119b3702868d1e7deeab71b466a151adf55ccdbd29a2c72a56fb90001a52539bce4894afa24d82277952c560d26d
-
SSDEEP
3072:2DDromegPeqa3j/eCr4MKy3G7UEqMM6T9pui6yYPaI7DehizrVtNe8ohrQ3N:6DN/e7STndpui6yYPaIGckfruN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alhjai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Labhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajbdna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkjica32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplkfgoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjanolhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhggmchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnfjna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgobhcac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcagfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgajhbkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cckace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcabqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhlmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmhheqje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijoeji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldnhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiidobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhqfbebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijaapifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmgpkfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kebepion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jilhldfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldnhad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlelaeqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkodhe32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000a00000001211e-5.dat family_berbew behavioral1/files/0x00090000000134f5-25.dat family_berbew behavioral1/files/0x0008000000013a15-33.dat family_berbew behavioral1/files/0x0008000000013a85-53.dat family_berbew behavioral1/files/0x0006000000014525-60.dat family_berbew behavioral1/files/0x00060000000145d4-75.dat family_berbew behavioral1/files/0x0006000000014730-90.dat family_berbew behavioral1/files/0x000600000001475f-111.dat family_berbew behavioral1/files/0x0006000000014a29-118.dat family_berbew behavioral1/files/0x0006000000014d0f-133.dat family_berbew behavioral1/files/0x003a000000013362-147.dat family_berbew behavioral1/files/0x00060000000150aa-162.dat family_berbew behavioral1/files/0x000600000001543a-177.dat family_berbew behavioral1/files/0x0006000000015a15-199.dat family_berbew behavioral1/files/0x0006000000015b72-207.dat family_berbew behavioral1/files/0x0006000000015c91-225.dat family_berbew behavioral1/files/0x0006000000015ca9-243.dat family_berbew behavioral1/files/0x0006000000015cca-252.dat family_berbew behavioral1/files/0x0006000000015ce1-266.dat family_berbew behavioral1/files/0x0006000000015cf5-275.dat family_berbew behavioral1/files/0x0006000000015d13-288.dat family_berbew behavioral1/files/0x0006000000015d28-297.dat family_berbew behavioral1/files/0x0006000000015d99-311.dat family_berbew behavioral1/files/0x0006000000015fbb-321.dat family_berbew behavioral1/files/0x0006000000016126-332.dat family_berbew behavioral1/files/0x000600000001640f-342.dat family_berbew behavioral1/files/0x0006000000016591-352.dat family_berbew behavioral1/files/0x0006000000016a3a-362.dat family_berbew behavioral1/files/0x0006000000016c57-375.dat family_berbew behavioral1/files/0x0006000000016ca1-384.dat family_berbew behavioral1/files/0x0006000000016cf2-394.dat family_berbew behavioral1/files/0x0006000000016d10-404.dat family_berbew behavioral1/files/0x0006000000016d21-417.dat family_berbew behavioral1/files/0x0006000000016d36-428.dat family_berbew behavioral1/files/0x0006000000016d46-438.dat family_berbew behavioral1/files/0x0006000000016d57-447.dat family_berbew behavioral1/files/0x0006000000016d73-458.dat family_berbew behavioral1/files/0x0006000000016d7d-467.dat family_berbew behavioral1/files/0x000600000001708c-480.dat family_berbew behavioral1/files/0x000600000001738e-489.dat family_berbew behavioral1/files/0x00060000000173e2-500.dat family_berbew behavioral1/files/0x0006000000017436-509.dat family_berbew behavioral1/files/0x0006000000017577-521.dat family_berbew behavioral1/files/0x00060000000175fd-530.dat family_berbew behavioral1/files/0x000d000000018689-541.dat family_berbew behavioral1/files/0x000500000001870e-552.dat family_berbew behavioral1/files/0x0005000000018749-565.dat family_berbew behavioral1/files/0x000600000001902f-573.dat family_berbew behavioral1/files/0x000500000001925a-585.dat family_berbew behavioral1/files/0x000500000001927b-596.dat family_berbew behavioral1/files/0x000500000001937a-607.dat family_berbew behavioral1/files/0x00050000000193b6-617.dat family_berbew behavioral1/files/0x00050000000193d4-626.dat family_berbew behavioral1/files/0x00050000000193fd-636.dat family_berbew behavioral1/files/0x000500000001943a-648.dat family_berbew behavioral1/files/0x0005000000019539-656.dat family_berbew behavioral1/files/0x0005000000019618-667.dat family_berbew behavioral1/files/0x000500000001961d-676.dat family_berbew behavioral1/files/0x0005000000019621-686.dat family_berbew behavioral1/files/0x0005000000019625-698.dat family_berbew behavioral1/files/0x0005000000019629-709.dat family_berbew behavioral1/files/0x000500000001962d-716.dat family_berbew behavioral1/files/0x0005000000019631-730.dat family_berbew behavioral1/files/0x0005000000019634-738.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1336 Hglocnmp.exe 1296 Hdpplb32.exe 2968 Inhdehbj.exe 1964 Ijoeji32.exe 2772 Ijaapifk.exe 2580 Ioojhpdb.exe 308 Iclcnnji.exe 2932 Imeggc32.exe 1976 Jilhldfn.exe 1916 Jagmpg32.exe 1156 Jjoailji.exe 1560 Jgcabqic.exe 2108 Jjanolhg.exe 756 Jclomamd.exe 476 Jghknp32.exe 1836 Kmgpkfab.exe 700 Kebepion.exe 292 Kllmmc32.exe 1860 Kbhbom32.exe 1852 Kakbjibo.exe 912 Kjcgco32.exe 2736 Lhggmchi.exe 2168 Laplei32.exe 1508 Ldnhad32.exe 1600 Labhkh32.exe 2208 Ldqegd32.exe 2956 Ladeqhjd.exe 2820 Ldcamcih.exe 2764 Lganiohl.exe 2552 Llnfaffc.exe 2528 Lefkjkmc.exe 2708 Loooca32.exe 1652 Mgfgdn32.exe 2568 Mpolmdkg.exe 2636 Mlelaeqk.exe 1876 Mochnppo.exe 112 Mabejlob.exe 1268 Mhlmgf32.exe 1592 Mkjica32.exe 2964 Mnieom32.exe 1692 Mdcnlglc.exe 2240 Mgajhbkg.exe 628 Magnek32.exe 1900 Mdejaf32.exe 2164 Mhqfbebj.exe 2408 Nnnojlpa.exe 1616 Nplkfgoe.exe 544 Ncjgbcoi.exe 2012 Njdpomfe.exe 540 Nlblkhei.exe 1760 Npnhlg32.exe 2496 Nghphaeo.exe 2392 Njgldmdc.exe 2784 Nleiqhcg.exe 1984 Nocemcbj.exe 2564 Ngkmnacm.exe 1848 Nlgefh32.exe 2560 Nqcagfim.exe 2836 Nbdnoo32.exe 2860 Nfpjomgd.exe 1796 Nkmbgdfl.exe 2592 Nohnhc32.exe 1628 Nbfjdn32.exe 1548 Ohqbqhde.exe -
Loads dropped DLL 64 IoCs
pid Process 1044 130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe 1044 130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe 1336 Hglocnmp.exe 1336 Hglocnmp.exe 1296 Hdpplb32.exe 1296 Hdpplb32.exe 2968 Inhdehbj.exe 2968 Inhdehbj.exe 1964 Ijoeji32.exe 1964 Ijoeji32.exe 2772 Ijaapifk.exe 2772 Ijaapifk.exe 2580 Ioojhpdb.exe 2580 Ioojhpdb.exe 308 Iclcnnji.exe 308 Iclcnnji.exe 2932 Imeggc32.exe 2932 Imeggc32.exe 1976 Jilhldfn.exe 1976 Jilhldfn.exe 1916 Jagmpg32.exe 1916 Jagmpg32.exe 1156 Jjoailji.exe 1156 Jjoailji.exe 1560 Jgcabqic.exe 1560 Jgcabqic.exe 2108 Jjanolhg.exe 2108 Jjanolhg.exe 756 Jclomamd.exe 756 Jclomamd.exe 476 Jghknp32.exe 476 Jghknp32.exe 1836 Kmgpkfab.exe 1836 Kmgpkfab.exe 700 Kebepion.exe 700 Kebepion.exe 292 Kllmmc32.exe 292 Kllmmc32.exe 1860 Kbhbom32.exe 1860 Kbhbom32.exe 1852 Kakbjibo.exe 1852 Kakbjibo.exe 912 Kjcgco32.exe 912 Kjcgco32.exe 2736 Lhggmchi.exe 2736 Lhggmchi.exe 2168 Laplei32.exe 2168 Laplei32.exe 1508 Ldnhad32.exe 1508 Ldnhad32.exe 1600 Labhkh32.exe 1600 Labhkh32.exe 2208 Ldqegd32.exe 2208 Ldqegd32.exe 2956 Ladeqhjd.exe 2956 Ladeqhjd.exe 2820 Ldcamcih.exe 2820 Ldcamcih.exe 2764 Lganiohl.exe 2764 Lganiohl.exe 2552 Llnfaffc.exe 2552 Llnfaffc.exe 2528 Lefkjkmc.exe 2528 Lefkjkmc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Haobqm32.dll Mgajhbkg.exe File created C:\Windows\SysWOW64\Pminkk32.exe Ongnonkb.exe File created C:\Windows\SysWOW64\Boiccdnf.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Fdoclk32.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gaemjbcg.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hcplhi32.exe File created C:\Windows\SysWOW64\Oomhcbjp.exe Ogfpbeim.exe File created C:\Windows\SysWOW64\Hidlihfb.dll Ijaapifk.exe File created C:\Windows\SysWOW64\Cpeofk32.exe Cngcjo32.exe File created C:\Windows\SysWOW64\Dgdmmgpj.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Icbimi32.exe Hkkalk32.exe File created C:\Windows\SysWOW64\Dbkgmd32.dll Jagmpg32.exe File opened for modification C:\Windows\SysWOW64\Nleiqhcg.exe Njgldmdc.exe File created C:\Windows\SysWOW64\Dbdijd32.dll Qdccfh32.exe File opened for modification C:\Windows\SysWOW64\Ahchbf32.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Aajpelhl.exe Ankdiqih.exe File created C:\Windows\SysWOW64\Chcqpmep.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Nlbodgap.dll Cfinoq32.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hnojdcfi.exe File created C:\Windows\SysWOW64\Mcjhfahg.dll Ijoeji32.exe File created C:\Windows\SysWOW64\Ahchbf32.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Ljenlcfa.dll Emcbkn32.exe File opened for modification C:\Windows\SysWOW64\Ejgcdb32.exe Ebpkce32.exe File opened for modification C:\Windows\SysWOW64\Kebepion.exe Kmgpkfab.exe File opened for modification C:\Windows\SysWOW64\Mnieom32.exe Mkjica32.exe File opened for modification C:\Windows\SysWOW64\Alenki32.exe Aigaon32.exe File created C:\Windows\SysWOW64\Pheafa32.dll Cfgaiaci.exe File opened for modification C:\Windows\SysWOW64\Bommnc32.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Bihebmne.dll Ioojhpdb.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qaefjm32.exe File created C:\Windows\SysWOW64\Afmonbqk.exe Apcfahio.exe File created C:\Windows\SysWOW64\Mdejaf32.exe Magnek32.exe File created C:\Windows\SysWOW64\Qmlgonbe.exe Qnigda32.exe File created C:\Windows\SysWOW64\Oeeonk32.dll Cpeofk32.exe File created C:\Windows\SysWOW64\Jagmpg32.exe Jilhldfn.exe File opened for modification C:\Windows\SysWOW64\Aenbdoii.exe Abpfhcje.exe File created C:\Windows\SysWOW64\Gncffdfn.dll Balijo32.exe File created C:\Windows\SysWOW64\Ghoegl32.exe Gaemjbcg.exe File created C:\Windows\SysWOW64\Leghhgkf.dll Laplei32.exe File created C:\Windows\SysWOW64\Hhbabqdh.dll Njgldmdc.exe File created C:\Windows\SysWOW64\Ohqbqhde.exe Nbfjdn32.exe File created C:\Windows\SysWOW64\Pafagk32.dll Dmafennb.exe File created C:\Windows\SysWOW64\Hpocfncj.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Nqcagfim.exe Nlgefh32.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fmjejphb.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Cdlnkmha.exe File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hkpnhgge.exe File created C:\Windows\SysWOW64\Cojiha32.dll Qlhnbf32.exe File opened for modification C:\Windows\SysWOW64\Mpolmdkg.exe Mgfgdn32.exe File created C:\Windows\SysWOW64\Pfbccp32.exe Pgobhcac.exe File created C:\Windows\SysWOW64\Moealbej.dll Qhooggdn.exe File opened for modification C:\Windows\SysWOW64\Aajpelhl.exe Ankdiqih.exe File created C:\Windows\SysWOW64\Fncann32.dll Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Henidd32.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Nofmgl32.dll Pgobhcac.exe File created C:\Windows\SysWOW64\Eiomkn32.exe Eecqjpee.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Iagfoe32.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Mbjlmdgj.dll Ogfpbeim.exe File created C:\Windows\SysWOW64\Dhmcfkme.exe Dqelenlc.exe File created C:\Windows\SysWOW64\Labhkh32.exe Ldnhad32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3792 3740 WerFault.exe 294 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llnfaffc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igghmf32.dll" 130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbifnpmn.dll" Lhggmchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmihgeia.dll" Nnnojlpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nghphaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emhlfmgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopljni.dll" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdehna32.dll" Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebgacddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgcabqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofmgl32.dll" Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" Ebpkce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jilhldfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjjld32.dll" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojiha32.dll" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebgacddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgfgdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obkdonic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ioijbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlblkhei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcfkhh32.dll" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" Alhjai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfliqila.dll" Mlelaeqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njdpomfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncjgbcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfecaop.dll" Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmljjm32.dll" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icplghmh.dll" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddnkjk.dll" Aigaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqddgc32.dll" Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlblm32.dll" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllkkc32.dll" Ladeqhjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1044 wrote to memory of 1336 1044 130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe 28 PID 1044 wrote to memory of 1336 1044 130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe 28 PID 1044 wrote to memory of 1336 1044 130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe 28 PID 1044 wrote to memory of 1336 1044 130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe 28 PID 1336 wrote to memory of 1296 1336 Hglocnmp.exe 29 PID 1336 wrote to memory of 1296 1336 Hglocnmp.exe 29 PID 1336 wrote to memory of 1296 1336 Hglocnmp.exe 29 PID 1336 wrote to memory of 1296 1336 Hglocnmp.exe 29 PID 1296 wrote to memory of 2968 1296 Hdpplb32.exe 30 PID 1296 wrote to memory of 2968 1296 Hdpplb32.exe 30 PID 1296 wrote to memory of 2968 1296 Hdpplb32.exe 30 PID 1296 wrote to memory of 2968 1296 Hdpplb32.exe 30 PID 2968 wrote to memory of 1964 2968 Inhdehbj.exe 31 PID 2968 wrote to memory of 1964 2968 Inhdehbj.exe 31 PID 2968 wrote to memory of 1964 2968 Inhdehbj.exe 31 PID 2968 wrote to memory of 1964 2968 Inhdehbj.exe 31 PID 1964 wrote to memory of 2772 1964 Ijoeji32.exe 32 PID 1964 wrote to memory of 2772 1964 Ijoeji32.exe 32 PID 1964 wrote to memory of 2772 1964 Ijoeji32.exe 32 PID 1964 wrote to memory of 2772 1964 Ijoeji32.exe 32 PID 2772 wrote to memory of 2580 2772 Ijaapifk.exe 33 PID 2772 wrote to memory of 2580 2772 Ijaapifk.exe 33 PID 2772 wrote to memory of 2580 2772 Ijaapifk.exe 33 PID 2772 wrote to memory of 2580 2772 Ijaapifk.exe 33 PID 2580 wrote to memory of 308 2580 Ioojhpdb.exe 34 PID 2580 wrote to memory of 308 2580 Ioojhpdb.exe 34 PID 2580 wrote to memory of 308 2580 Ioojhpdb.exe 34 PID 2580 wrote to memory of 308 2580 Ioojhpdb.exe 34 PID 308 wrote to memory of 2932 308 Iclcnnji.exe 35 PID 308 wrote to memory of 2932 308 Iclcnnji.exe 35 PID 308 wrote to memory of 2932 308 Iclcnnji.exe 35 PID 308 wrote to memory of 2932 308 Iclcnnji.exe 35 PID 2932 wrote to memory of 1976 2932 Imeggc32.exe 36 PID 2932 wrote to memory of 1976 2932 Imeggc32.exe 36 PID 2932 wrote to memory of 1976 2932 Imeggc32.exe 36 PID 2932 wrote to memory of 1976 2932 Imeggc32.exe 36 PID 1976 wrote to memory of 1916 1976 Jilhldfn.exe 37 PID 1976 wrote to memory of 1916 1976 Jilhldfn.exe 37 PID 1976 wrote to memory of 1916 1976 Jilhldfn.exe 37 PID 1976 wrote to memory of 1916 1976 Jilhldfn.exe 37 PID 1916 wrote to memory of 1156 1916 Jagmpg32.exe 38 PID 1916 wrote to memory of 1156 1916 Jagmpg32.exe 38 PID 1916 wrote to memory of 1156 1916 Jagmpg32.exe 38 PID 1916 wrote to memory of 1156 1916 Jagmpg32.exe 38 PID 1156 wrote to memory of 1560 1156 Jjoailji.exe 39 PID 1156 wrote to memory of 1560 1156 Jjoailji.exe 39 PID 1156 wrote to memory of 1560 1156 Jjoailji.exe 39 PID 1156 wrote to memory of 1560 1156 Jjoailji.exe 39 PID 1560 wrote to memory of 2108 1560 Jgcabqic.exe 40 PID 1560 wrote to memory of 2108 1560 Jgcabqic.exe 40 PID 1560 wrote to memory of 2108 1560 Jgcabqic.exe 40 PID 1560 wrote to memory of 2108 1560 Jgcabqic.exe 40 PID 2108 wrote to memory of 756 2108 Jjanolhg.exe 41 PID 2108 wrote to memory of 756 2108 Jjanolhg.exe 41 PID 2108 wrote to memory of 756 2108 Jjanolhg.exe 41 PID 2108 wrote to memory of 756 2108 Jjanolhg.exe 41 PID 756 wrote to memory of 476 756 Jclomamd.exe 42 PID 756 wrote to memory of 476 756 Jclomamd.exe 42 PID 756 wrote to memory of 476 756 Jclomamd.exe 42 PID 756 wrote to memory of 476 756 Jclomamd.exe 42 PID 476 wrote to memory of 1836 476 Jghknp32.exe 43 PID 476 wrote to memory of 1836 476 Jghknp32.exe 43 PID 476 wrote to memory of 1836 476 Jghknp32.exe 43 PID 476 wrote to memory of 1836 476 Jghknp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\130403dc2ba240df84ef7942e41971b0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe33⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe37⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe38⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe42⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe45⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe55⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe56⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe57⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe60⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe61⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe62⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe65⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe66⤵PID:2508
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe68⤵PID:988
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe69⤵
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe70⤵PID:1988
-
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe71⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe72⤵PID:604
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:356 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe74⤵PID:2144
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe75⤵PID:2460
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe76⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe77⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe78⤵PID:2332
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe80⤵PID:2628
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe81⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe82⤵PID:2256
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe84⤵PID:2516
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe85⤵PID:2036
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe86⤵PID:2180
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe87⤵PID:620
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe88⤵PID:2112
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe89⤵PID:1756
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe90⤵PID:332
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe91⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe92⤵PID:1364
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe93⤵PID:1784
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1036 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe96⤵PID:1816
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe97⤵PID:888
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe98⤵PID:1740
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe99⤵PID:1224
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe100⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe103⤵
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe104⤵
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe106⤵
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe109⤵PID:1136
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe110⤵PID:1352
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe112⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe113⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe114⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe116⤵PID:2692
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe117⤵PID:2544
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe118⤵PID:1236
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe120⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe121⤵PID:1960
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-