Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
12-05-2024 18:46
Behavioral task
behavioral1
Sample
414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
-
Size
199KB
-
MD5
414d4cf562af0c9eaca881230ccdb370
-
SHA1
4ce444f4a2adcbddd5d866091875bca5804c164b
-
SHA256
f9b1401504ad4ad03638674eba71f8a1ff969ba8fbea6eda845c943c5102baf8
-
SHA512
7c81be802e59b36fefe51558b25c6d9a2538c8b98aaa140991acc36e4df57bf495bfa487364f4d20850dec9f58bd3497794fb6daa4ebdf1cfb9ee597bee8b590
-
SSDEEP
6144:3jXH4JJc9AySZSCZj81+jq4peBK034YOmFz1h:37im9IZSCG1+jheBbOmFxh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bloqah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ailkjmpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplpai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flabbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hicodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piblek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodonf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgkbipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpmjak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfdgiid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihoafpmp.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b0000000160cc-5.dat family_berbew behavioral1/files/0x0007000000016c42-19.dat family_berbew behavioral1/files/0x0007000000016cb2-39.dat family_berbew behavioral1/files/0x0009000000016cfd-52.dat family_berbew behavioral1/files/0x00060000000175ac-79.dat family_berbew behavioral1/files/0x00050000000186c1-114.dat family_berbew behavioral1/files/0x0005000000018700-133.dat family_berbew behavioral1/files/0x0005000000019223-174.dat family_berbew behavioral1/files/0x0005000000019233-188.dat family_berbew behavioral1/files/0x0005000000019331-215.dat family_berbew behavioral1/files/0x0005000000019413-249.dat family_berbew behavioral1/files/0x000500000001948d-286.dat family_berbew behavioral1/files/0x00050000000195f5-356.dat family_berbew behavioral1/files/0x000500000001a40e-487.dat family_berbew behavioral1/files/0x000500000001a453-510.dat family_berbew behavioral1/files/0x000500000001a482-532.dat family_berbew behavioral1/files/0x000500000001a4a9-576.dat family_berbew behavioral1/files/0x000500000001a4b9-617.dat family_berbew behavioral1/files/0x000500000001a4ca-666.dat family_berbew behavioral1/files/0x000500000001a4ce-676.dat family_berbew behavioral1/files/0x000500000001a4d7-696.dat family_berbew behavioral1/files/0x000500000001a4e4-718.dat family_berbew behavioral1/files/0x000500000001a4fc-729.dat family_berbew behavioral1/files/0x000500000001ad63-753.dat family_berbew behavioral1/files/0x000500000001c744-779.dat family_berbew behavioral1/files/0x000500000001c758-796.dat family_berbew behavioral1/files/0x000500000001c83e-809.dat family_berbew behavioral1/files/0x000500000001c846-831.dat family_berbew behavioral1/files/0x000500000001c85e-871.dat family_berbew behavioral1/files/0x000500000001c888-906.dat family_berbew behavioral1/files/0x000500000001c891-929.dat family_berbew behavioral1/files/0x000500000001c89c-958.dat family_berbew behavioral1/files/0x000500000001c8a6-981.dat family_berbew behavioral1/files/0x000500000001c8ae-1009.dat family_berbew behavioral1/files/0x000500000001c8b6-1036.dat family_berbew behavioral1/files/0x000500000001c8be-1059.dat family_berbew behavioral1/files/0x000500000001c8c6-1087.dat family_berbew behavioral1/files/0x000400000001c9d7-1113.dat family_berbew behavioral1/files/0x000400000001cb58-1193.dat family_berbew behavioral1/files/0x000400000001cb67-1204.dat family_berbew behavioral1/files/0x000400000001cb7c-1240.dat family_berbew behavioral1/files/0x000400000001cbaf-1286.dat family_berbew behavioral1/files/0x000400000001cbba-1300.dat family_berbew behavioral1/files/0x000400000001cbd9-1318.dat family_berbew behavioral1/files/0x000400000001cc08-1360.dat family_berbew behavioral1/files/0x000400000001cc6d-1381.dat family_berbew behavioral1/files/0x000400000001cc75-1402.dat family_berbew behavioral1/files/0x000400000001cc7f-1429.dat family_berbew behavioral1/files/0x000400000001cc88-1453.dat family_berbew behavioral1/files/0x000400000001cc92-1480.dat family_berbew behavioral1/files/0x000400000001cd40-1502.dat family_berbew behavioral1/files/0x000400000001cd8d-1527.dat family_berbew behavioral1/files/0x000400000001ce3f-1555.dat family_berbew behavioral1/files/0x000400000001ceb6-1583.dat family_berbew behavioral1/files/0x000400000001cf52-1608.dat family_berbew behavioral1/files/0x000400000001cfcf-1635.dat family_berbew behavioral1/files/0x000400000001cfdb-1660.dat family_berbew behavioral1/files/0x000400000001d11b-1690.dat family_berbew behavioral1/files/0x000400000001d199-1706.dat family_berbew behavioral1/files/0x000400000001d322-1730.dat family_berbew behavioral1/files/0x000400000001d382-1754.dat family_berbew behavioral1/files/0x000400000001d39d-1778.dat family_berbew behavioral1/files/0x000400000001d3a6-1794.dat family_berbew behavioral1/files/0x000400000001d3ae-1808.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1548 Pipopl32.exe 3056 Pcfcmd32.exe 2660 Pbiciana.exe 2296 Pfdpip32.exe 2940 Piblek32.exe 1656 Pmnhfjmg.exe 2956 Ppmdbe32.exe 2792 Pfflopdh.exe 2980 Piehkkcl.exe 2752 Plcdgfbo.exe 2520 Pnbacbac.exe 2488 Pelipl32.exe 2760 Plfamfpm.exe 1268 Pndniaop.exe 2284 Penfelgm.exe 2896 Qhmbagfa.exe 884 Qlhnbf32.exe 3052 Qjknnbed.exe 1856 Qaefjm32.exe 1356 Qdccfh32.exe 788 Qhooggdn.exe 1616 Qnigda32.exe 1028 Qagcpljo.exe 1316 Qecoqk32.exe 1980 Aajpelhl.exe 1608 Aplpai32.exe 2576 Affhncfc.exe 2592 Ampqjm32.exe 2496 Apomfh32.exe 2856 Abmibdlh.exe 2692 Ajdadamj.exe 1592 Ambmpmln.exe 2688 Apajlhka.exe 628 Abpfhcje.exe 500 Afkbib32.exe 2116 Aiinen32.exe 1108 Alhjai32.exe 844 Aoffmd32.exe 1140 Afmonbqk.exe 1048 Ailkjmpo.exe 2676 Bpfcgg32.exe 2516 Boiccdnf.exe 2228 Bagpopmj.exe 3020 Bebkpn32.exe 1844 Bhahlj32.exe 2428 Bkodhe32.exe 1912 Bbflib32.exe 2640 Beehencq.exe 2884 Bdhhqk32.exe 1632 Bloqah32.exe 2444 Bkaqmeah.exe 2000 Bnpmipql.exe 2816 Balijo32.exe 1628 Bdjefj32.exe 1416 Bhfagipa.exe 1036 Bopicc32.exe 2508 Bnbjopoi.exe 672 Bpafkknm.exe 2032 Bdlblj32.exe 2064 Bgknheej.exe 2564 Bjijdadm.exe 2108 Bnefdp32.exe 3068 Bpcbqk32.exe 2548 Bcaomf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2924 414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe 2924 414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe 1548 Pipopl32.exe 1548 Pipopl32.exe 3056 Pcfcmd32.exe 3056 Pcfcmd32.exe 2660 Pbiciana.exe 2660 Pbiciana.exe 2296 Pfdpip32.exe 2296 Pfdpip32.exe 2940 Piblek32.exe 2940 Piblek32.exe 1656 Pmnhfjmg.exe 1656 Pmnhfjmg.exe 2956 Ppmdbe32.exe 2956 Ppmdbe32.exe 2792 Pfflopdh.exe 2792 Pfflopdh.exe 2980 Piehkkcl.exe 2980 Piehkkcl.exe 2752 Plcdgfbo.exe 2752 Plcdgfbo.exe 2520 Pnbacbac.exe 2520 Pnbacbac.exe 2488 Pelipl32.exe 2488 Pelipl32.exe 2760 Plfamfpm.exe 2760 Plfamfpm.exe 1268 Pndniaop.exe 1268 Pndniaop.exe 2284 Penfelgm.exe 2284 Penfelgm.exe 2896 Qhmbagfa.exe 2896 Qhmbagfa.exe 884 Qlhnbf32.exe 884 Qlhnbf32.exe 3052 Qjknnbed.exe 3052 Qjknnbed.exe 1856 Qaefjm32.exe 1856 Qaefjm32.exe 1356 Qdccfh32.exe 1356 Qdccfh32.exe 788 Qhooggdn.exe 788 Qhooggdn.exe 1616 Qnigda32.exe 1616 Qnigda32.exe 1028 Qagcpljo.exe 1028 Qagcpljo.exe 1316 Qecoqk32.exe 1316 Qecoqk32.exe 1980 Aajpelhl.exe 1980 Aajpelhl.exe 1608 Aplpai32.exe 1608 Aplpai32.exe 2576 Affhncfc.exe 2576 Affhncfc.exe 2592 Ampqjm32.exe 2592 Ampqjm32.exe 2496 Apomfh32.exe 2496 Apomfh32.exe 2856 Abmibdlh.exe 2856 Abmibdlh.exe 2692 Ajdadamj.exe 2692 Ajdadamj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jeahel32.dll Aiinen32.exe File created C:\Windows\SysWOW64\Cnkajfop.dll Hcifgjgc.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qdccfh32.exe File created C:\Windows\SysWOW64\Bpcbqk32.exe Bnefdp32.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cngcjo32.exe File created C:\Windows\SysWOW64\Ffnphf32.exe Fdoclk32.exe File created C:\Windows\SysWOW64\Qahefm32.dll Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Coklgg32.exe Cllpkl32.exe File created C:\Windows\SysWOW64\Fejgko32.exe Faokjpfd.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Fphafl32.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Hjhhocjj.exe Hellne32.exe File created C:\Windows\SysWOW64\Fmcqoe32.dll Ppmdbe32.exe File opened for modification C:\Windows\SysWOW64\Chcqpmep.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Ndkakief.dll Efncicpm.exe File created C:\Windows\SysWOW64\Fdapak32.exe Fpfdalii.exe File opened for modification C:\Windows\SysWOW64\Aplpai32.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Cakqnc32.dll Fjlhneio.exe File created C:\Windows\SysWOW64\Hicodd32.exe Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Gonnhhln.exe Globlmmj.exe File created C:\Windows\SysWOW64\Kodppf32.dll Penfelgm.exe File created C:\Windows\SysWOW64\Ndejjf32.dll Aajpelhl.exe File created C:\Windows\SysWOW64\Accikb32.dll Bcaomf32.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Memeaofm.dll Dkhcmgnl.exe File created C:\Windows\SysWOW64\Djpmccqq.exe Dcfdgiid.exe File created C:\Windows\SysWOW64\Jkamkfgh.dll Filldb32.exe File opened for modification C:\Windows\SysWOW64\Hlakpp32.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Ppmdbe32.exe Pmnhfjmg.exe File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe Cgbdhd32.exe File opened for modification C:\Windows\SysWOW64\Ffnphf32.exe Fdoclk32.exe File opened for modification C:\Windows\SysWOW64\Gelppaof.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hicodd32.exe File created C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Anapbp32.dll Ddcdkl32.exe File created C:\Windows\SysWOW64\Dnneja32.exe Dfgmhd32.exe File created C:\Windows\SysWOW64\Pinfim32.dll Ennaieib.exe File created C:\Windows\SysWOW64\Hkkmeglp.dll Hgdbhi32.exe File created C:\Windows\SysWOW64\Gkkemh32.exe Ggpimica.exe File created C:\Windows\SysWOW64\Ojdngl32.dll Bkodhe32.exe File created C:\Windows\SysWOW64\Mghjoa32.dll Dgodbh32.exe File created C:\Windows\SysWOW64\Eihfjo32.exe Dfijnd32.exe File opened for modification C:\Windows\SysWOW64\Ebpkce32.exe Epaogi32.exe File opened for modification C:\Windows\SysWOW64\Ejgcdb32.exe Eflgccbp.exe File created C:\Windows\SysWOW64\Faokjpfd.exe Fnpnndgp.exe File opened for modification C:\Windows\SysWOW64\Faagpp32.exe Fmekoalh.exe File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe Inljnfkg.exe File created C:\Windows\SysWOW64\Iklefg32.dll Abmibdlh.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File created C:\Windows\SysWOW64\Bopicc32.exe Bhfagipa.exe File created C:\Windows\SysWOW64\Fphafl32.exe Flmefm32.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Iknnbklc.exe File created C:\Windows\SysWOW64\Fabnbook.dll Ambmpmln.exe File created C:\Windows\SysWOW64\Elmigj32.exe Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Ejbfhfaj.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Dcdooi32.dll Fbdqmghm.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Ffpmnf32.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Flmefm32.exe File created C:\Windows\SysWOW64\Hknach32.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Hkkalk32.exe Hlhaqogk.exe File created C:\Windows\SysWOW64\Dlmdloao.dll Pbiciana.exe File opened for modification C:\Windows\SysWOW64\Bhahlj32.exe Bebkpn32.exe -
Program crash 1 IoCs
pid pid_target Process 3640 3304 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" Gbnccfpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" Facdeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbeccf32.dll" Aoffmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklgpmjo.dll" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" Hpmgqnfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icplghmh.dll" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bopicc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" Gpmjak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gogangdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Henidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opanhd32.dll" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeohn32.dll" Bpcbqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcqoe32.dll" Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moealbej.dll" Qhooggdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjecnop.dll" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdhbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlblm32.dll" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnpmipql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" Iaeiieeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiaiqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcnpbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbkdjjal.dll" Pipopl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 1548 2924 414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 1548 2924 414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 1548 2924 414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 1548 2924 414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe 28 PID 1548 wrote to memory of 3056 1548 Pipopl32.exe 29 PID 1548 wrote to memory of 3056 1548 Pipopl32.exe 29 PID 1548 wrote to memory of 3056 1548 Pipopl32.exe 29 PID 1548 wrote to memory of 3056 1548 Pipopl32.exe 29 PID 3056 wrote to memory of 2660 3056 Pcfcmd32.exe 30 PID 3056 wrote to memory of 2660 3056 Pcfcmd32.exe 30 PID 3056 wrote to memory of 2660 3056 Pcfcmd32.exe 30 PID 3056 wrote to memory of 2660 3056 Pcfcmd32.exe 30 PID 2660 wrote to memory of 2296 2660 Pbiciana.exe 31 PID 2660 wrote to memory of 2296 2660 Pbiciana.exe 31 PID 2660 wrote to memory of 2296 2660 Pbiciana.exe 31 PID 2660 wrote to memory of 2296 2660 Pbiciana.exe 31 PID 2296 wrote to memory of 2940 2296 Pfdpip32.exe 32 PID 2296 wrote to memory of 2940 2296 Pfdpip32.exe 32 PID 2296 wrote to memory of 2940 2296 Pfdpip32.exe 32 PID 2296 wrote to memory of 2940 2296 Pfdpip32.exe 32 PID 2940 wrote to memory of 1656 2940 Piblek32.exe 33 PID 2940 wrote to memory of 1656 2940 Piblek32.exe 33 PID 2940 wrote to memory of 1656 2940 Piblek32.exe 33 PID 2940 wrote to memory of 1656 2940 Piblek32.exe 33 PID 1656 wrote to memory of 2956 1656 Pmnhfjmg.exe 34 PID 1656 wrote to memory of 2956 1656 Pmnhfjmg.exe 34 PID 1656 wrote to memory of 2956 1656 Pmnhfjmg.exe 34 PID 1656 wrote to memory of 2956 1656 Pmnhfjmg.exe 34 PID 2956 wrote to memory of 2792 2956 Ppmdbe32.exe 35 PID 2956 wrote to memory of 2792 2956 Ppmdbe32.exe 35 PID 2956 wrote to memory of 2792 2956 Ppmdbe32.exe 35 PID 2956 wrote to memory of 2792 2956 Ppmdbe32.exe 35 PID 2792 wrote to memory of 2980 2792 Pfflopdh.exe 36 PID 2792 wrote to memory of 2980 2792 Pfflopdh.exe 36 PID 2792 wrote to memory of 2980 2792 Pfflopdh.exe 36 PID 2792 wrote to memory of 2980 2792 Pfflopdh.exe 36 PID 2980 wrote to memory of 2752 2980 Piehkkcl.exe 37 PID 2980 wrote to memory of 2752 2980 Piehkkcl.exe 37 PID 2980 wrote to memory of 2752 2980 Piehkkcl.exe 37 PID 2980 wrote to memory of 2752 2980 Piehkkcl.exe 37 PID 2752 wrote to memory of 2520 2752 Plcdgfbo.exe 38 PID 2752 wrote to memory of 2520 2752 Plcdgfbo.exe 38 PID 2752 wrote to memory of 2520 2752 Plcdgfbo.exe 38 PID 2752 wrote to memory of 2520 2752 Plcdgfbo.exe 38 PID 2520 wrote to memory of 2488 2520 Pnbacbac.exe 39 PID 2520 wrote to memory of 2488 2520 Pnbacbac.exe 39 PID 2520 wrote to memory of 2488 2520 Pnbacbac.exe 39 PID 2520 wrote to memory of 2488 2520 Pnbacbac.exe 39 PID 2488 wrote to memory of 2760 2488 Pelipl32.exe 40 PID 2488 wrote to memory of 2760 2488 Pelipl32.exe 40 PID 2488 wrote to memory of 2760 2488 Pelipl32.exe 40 PID 2488 wrote to memory of 2760 2488 Pelipl32.exe 40 PID 2760 wrote to memory of 1268 2760 Plfamfpm.exe 41 PID 2760 wrote to memory of 1268 2760 Plfamfpm.exe 41 PID 2760 wrote to memory of 1268 2760 Plfamfpm.exe 41 PID 2760 wrote to memory of 1268 2760 Plfamfpm.exe 41 PID 1268 wrote to memory of 2284 1268 Pndniaop.exe 42 PID 1268 wrote to memory of 2284 1268 Pndniaop.exe 42 PID 1268 wrote to memory of 2284 1268 Pndniaop.exe 42 PID 1268 wrote to memory of 2284 1268 Pndniaop.exe 42 PID 2284 wrote to memory of 2896 2284 Penfelgm.exe 43 PID 2284 wrote to memory of 2896 2284 Penfelgm.exe 43 PID 2284 wrote to memory of 2896 2284 Penfelgm.exe 43 PID 2284 wrote to memory of 2896 2284 Penfelgm.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe34⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe35⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:500 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe38⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe40⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe42⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe43⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe46⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe49⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe50⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe58⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe59⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe60⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe61⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe62⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe66⤵PID:1640
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe67⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe68⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe69⤵PID:1492
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe70⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe72⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe73⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe75⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe76⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe77⤵PID:2656
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe78⤵PID:1808
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe80⤵PID:2776
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe81⤵PID:2888
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe83⤵PID:1060
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe84⤵PID:3008
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe85⤵
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe87⤵PID:2404
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe89⤵PID:2768
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe90⤵PID:3000
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe92⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe93⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1484 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe95⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe96⤵PID:272
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe98⤵PID:2852
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe99⤵PID:1008
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe101⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe102⤵PID:2872
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe104⤵PID:268
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe105⤵PID:1088
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe106⤵PID:1580
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:832 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe109⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe110⤵PID:1516
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe111⤵PID:2076
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe112⤵PID:2468
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe113⤵PID:1768
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe114⤵PID:1772
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe115⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe118⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe119⤵PID:2968
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe120⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe121⤵PID:1756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-