Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/05/2024, 16:26

Behavioral task: behavioral1
Sample: efb6bf932ac2ee5b9d8640ad8fce0c20_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: efb6bf932ac2ee5b9d8640ad8fce0c20_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: efb6bf932ac2ee5b9d8640ad8fce0c20_NeikiAnalytics.exe
Size: 227KB
MD5: efb6bf932ac2ee5b9d8640ad8fce0c20
SHA1: d373cf8622f1309b75bfcde6d44f8654b22e358a
SHA256: 4e8ddb0e19cc70169f46085c6d0809e51eaa8888134c113b2deafda6e1f5eaa9
SHA512: 4706cd77c1531905abcb698454811a1a4e36c53c26b0a1cc540e11a6318ed1a8e4d606e08522f78f464c2f7a78dcf2a08d145fb69d83493524a860c12b2e14ab
SSDEEP: 6144:wJnSRizlOuklF1Ym7U5j2QE2+g24Id2jFHu:wUixiojj+Td20
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3580, pid_target: 5096, Process: WerFault.exe, procid_target: 373
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | identical entries
PID 2044 wrote to memory of 2508 | 2044 | efb6bf932ac2ee5b9d8640ad8fce0c20_NeikiAnalytics.exe | 28 | 4
PID 2508 wrote to memory of 2708 | 2508 | Ihankokm.exe | 29 | 4
PID 2708 wrote to memory of 864 | 2708 | Inngcfid.exe | 30 | 4
PID 864 wrote to memory of 2536 | 864 | Iqopea32.exe | 31 | 4
PID 2536 wrote to memory of 2156 | 2536 | Icmlam32.exe | 32 | 4
PID 2156 wrote to memory of 1660 | 2156 | Ifnechbj.exe | 33 | 4
PID 1660 wrote to memory of 2616 | 1660 | Jfqahgpg.exe | 34 | 4
PID 2616 wrote to memory of 2576 | 2616 | Jcdbbloa.exe | 35 | 4
PID 2576 wrote to memory of 616 | 2576 | Jokcgmee.exe | 36 | 4
PID 616 wrote to memory of 1912 | 616 | Jfghif32.exe | 37 | 4
PID 1912 wrote to memory of 488 | 1912 | Kkgmgmfd.exe | 38 | 4
PID 488 wrote to memory of 1104 | 488 | Keoapb32.exe | 39 | 4
PID 1104 wrote to memory of 2188 | 1104 | Knjbnh32.exe | 40 | 4
PID 2188 wrote to memory of 892 | 2188 | Kjqccigf.exe | 41 | 4
PID 892 wrote to memory of 2132 | 892 | Lldlqakb.exe | 42 | 4
PID 2132 wrote to memory of 1484 | 2132 | Lfjqnjkh.exe | 43 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\efb6bf932ac2ee5b9d8640ad8fce0c20_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\efb6bf932ac2ee5b9d8640ad8fce0c20_NeikiAnalytics.exe") depth 1, PID 2044
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ihankokm.exe (command line: C:\Windows\system32\Ihankokm.exe) depth 2, PID 2508
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Inngcfid.exe (command line: C:\Windows\system32\Inngcfid.exe) depth 3, PID 2708
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Iqopea32.exe (command line: C:\Windows\system32\Iqopea32.exe) depth 4, PID 864
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Icmlam32.exe (command line: C:\Windows\system32\Icmlam32.exe) depth 5, PID 2536
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ifnechbj.exe (command line: C:\Windows\system32\Ifnechbj.exe) depth 6, PID 2156
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jfqahgpg.exe (command line: C:\Windows\system32\Jfqahgpg.exe) depth 7, PID 1660
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jcdbbloa.exe (command line: C:\Windows\system32\Jcdbbloa.exe) depth 8, PID 2616
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jokcgmee.exe (command line: C:\Windows\system32\Jokcgmee.exe) depth 9, PID 2576
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jfghif32.exe (command line: C:\Windows\system32\Jfghif32.exe) depth 10, PID 616
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kkgmgmfd.exe (command line: C:\Windows\system32\Kkgmgmfd.exe) depth 11, PID 1912
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Keoapb32.exe (command line: C:\Windows\system32\Keoapb32.exe) depth 12, PID 488
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Knjbnh32.exe (command line: C:\Windows\system32\Knjbnh32.exe) depth 13, PID 1104
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kjqccigf.exe (command line: C:\Windows\system32\Kjqccigf.exe) depth 14, PID 2188
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lldlqakb.exe (command line: C:\Windows\system32\Lldlqakb.exe) depth 15, PID 892
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lfjqnjkh.exe (command line: C:\Windows\system32\Lfjqnjkh.exe) depth 16, PID 2132
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lpdbloof.exe (command line: C:\Windows\system32\Lpdbloof.exe) depth 17, PID 1484
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Lafndg32.exe (command line: C:\Windows\system32\Lafndg32.exe) depth 18, PID 2092
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Llnofpcg.exe (command line: C:\Windows\system32\Llnofpcg.exe) depth 19, PID 828
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Lmolnh32.exe (command line: C:\Windows\system32\Lmolnh32.exe) depth 20, PID 948
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Monhhk32.exe (command line: C:\Windows\system32\Monhhk32.exe) depth 21, PID 1012
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Mamddf32.exe (command line: C:\Windows\system32\Mamddf32.exe) depth 22, PID 1872
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Mdmmfa32.exe (command line: C:\Windows\system32\Mdmmfa32.exe) depth 23, PID 2220
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Mmfbogcn.exe (command line: C:\Windows\system32\Mmfbogcn.exe) depth 24, PID 2372
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Meagci32.exe (command line: C:\Windows\system32\Meagci32.exe) depth 25, PID 880
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Mlkopcge.exe (command line: C:\Windows\system32\Mlkopcge.exe) depth 26, PID 1516
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Nefpnhlc.exe (command line: C:\Windows\system32\Nefpnhlc.exe) depth 27, PID 2524
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Nhdlkdkg.exe (command line: C:\Windows\system32\Nhdlkdkg.exe) depth 28, PID 2556
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Nlbeqb32.exe (command line: C:\Windows\system32\Nlbeqb32.exe) depth 29, PID 2424
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Ndmjedoi.exe (command line: C:\Windows\system32\Ndmjedoi.exe) depth 30, PID 2512
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Nhiffc32.exe (command line: C:\Windows\system32\Nhiffc32.exe) depth 31, PID 2404
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Nnennj32.exe (command line: C:\Windows\system32\Nnennj32.exe) depth 32, PID 2916
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Njlockkm.exe (command line: C:\Windows\system32\Njlockkm.exe) depth 33, PID 2628
- Executes dropped EXE
C:\Windows\SysWOW64\Npfgpe32.exe (command line: C:\Windows\system32\Npfgpe32.exe) depth 34, PID 2592
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ojolhk32.exe (command line: C:\Windows\system32\Ojolhk32.exe) depth 35, PID 2376
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Oddpfc32.exe (command line: C:\Windows\system32\Oddpfc32.exe) depth 36, PID 1900
- Executes dropped EXE
C:\Windows\SysWOW64\Ocimgp32.exe (command line: C:\Windows\system32\Ocimgp32.exe) depth 37, PID 2204
- Executes dropped EXE
C:\Windows\SysWOW64\Ofhick32.exe (command line: C:\Windows\system32\Ofhick32.exe) depth 38, PID 448
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Ohfeog32.exe (command line: C:\Windows\system32\Ohfeog32.exe) depth 39, PID 1564
- Executes dropped EXE
C:\Windows\SysWOW64\Oqmmpd32.exe (command line: C:\Windows\system32\Oqmmpd32.exe) depth 40, PID 1456
- Executes dropped EXE
C:\Windows\SysWOW64\Ohibdf32.exe (command line: C:\Windows\system32\Ohibdf32.exe) depth 41, PID 2816
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Okgnab32.exe (command line: C:\Windows\system32\Okgnab32.exe) depth 42, PID 2496
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Ocnfbo32.exe (command line: C:\Windows\system32\Ocnfbo32.exe) depth 43, PID 1072
- Executes dropped EXE
C:\Windows\SysWOW64\Odobjg32.exe (command line: C:\Windows\system32\Odobjg32.exe) depth 44, PID 3044
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Omfkke32.exe (command line: C:\Windows\system32\Omfkke32.exe) depth 45, PID 3028
- Executes dropped EXE
C:\Windows\SysWOW64\Onhgbmfb.exe (command line: C:\Windows\system32\Onhgbmfb.exe) depth 46, PID 1324
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Pgplkb32.exe (command line: C:\Windows\system32\Pgplkb32.exe) depth 47, PID 2240
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Pklhlael.exe (command line: C:\Windows\system32\Pklhlael.exe) depth 48, PID 292
- Executes dropped EXE
C:\Windows\SysWOW64\Pbfpik32.exe (command line: C:\Windows\system32\Pbfpik32.exe) depth 49, PID 2168
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Pedleg32.exe (command line: C:\Windows\system32\Pedleg32.exe) depth 50, PID 608
- Executes dropped EXE
C:\Windows\SysWOW64\Pgbhabjp.exe (command line: C:\Windows\system32\Pgbhabjp.exe) depth 51, PID 2956
- Executes dropped EXE
C:\Windows\SysWOW64\Pnlqnl32.exe (command line: C:\Windows\system32\Pnlqnl32.exe) depth 52, PID 2032
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Pgeefbhm.exe (command line: C:\Windows\system32\Pgeefbhm.exe) depth 53, PID 2704
- Executes dropped EXE
C:\Windows\SysWOW64\Pnomcl32.exe (command line: C:\Windows\system32\Pnomcl32.exe) depth 54, PID 2804
- Executes dropped EXE
C:\Windows\SysWOW64\Pamiog32.exe (command line: C:\Windows\system32\Pamiog32.exe) depth 55, PID 2520
- Executes dropped EXE
C:\Windows\SysWOW64\Pclfkc32.exe (command line: C:\Windows\system32\Pclfkc32.exe) depth 56, PID 1212
- Executes dropped EXE
C:\Windows\SysWOW64\Pfjbgnme.exe (command line: C:\Windows\system32\Pfjbgnme.exe) depth 57, PID 1844
- Executes dropped EXE
C:\Windows\SysWOW64\Pmdjdh32.exe (command line: C:\Windows\system32\Pmdjdh32.exe) depth 58, PID 2296
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Ppbfpd32.exe (command line: C:\Windows\system32\Ppbfpd32.exe) depth 59, PID 804
- Executes dropped EXE
C:\Windows\SysWOW64\Pflomnkb.exe (command line: C:\Windows\system32\Pflomnkb.exe) depth 60, PID 776
- Executes dropped EXE
C:\Windows\SysWOW64\Qmfgjh32.exe (command line: C:\Windows\system32\Qmfgjh32.exe) depth 61, PID 540
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Qcpofbjl.exe (command line: C:\Windows\system32\Qcpofbjl.exe) depth 62, PID 576
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Qjjgclai.exe (command line: C:\Windows\system32\Qjjgclai.exe) depth 63, PID 1448
- Executes dropped EXE
C:\Windows\SysWOW64\Qmicohqm.exe (command line: C:\Windows\system32\Qmicohqm.exe) depth 64, PID 1572
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Qfahhm32.exe (command line: C:\Windows\system32\Qfahhm32.exe) depth 65, PID 1792
- Executes dropped EXE
C:\Windows\SysWOW64\Aipddi32.exe (command line: C:\Windows\system32\Aipddi32.exe) depth 66, PID 1136
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Alnqqd32.exe (command line: C:\Windows\system32\Alnqqd32.exe) depth 67, PID 2784
C:\Windows\SysWOW64\Anlmmp32.exe (command line: C:\Windows\system32\Anlmmp32.exe) depth 68, PID 928
C:\Windows\SysWOW64\Abhimnma.exe (command line: C:\Windows\system32\Abhimnma.exe) depth 69, PID 2284
C:\Windows\SysWOW64\Aibajhdn.exe (command line: C:\Windows\system32\Aibajhdn.exe) depth 70, PID 564
- Drops file in System32 directory
C:\Windows\SysWOW64\Abjebn32.exe (command line: C:\Windows\system32\Abjebn32.exe) depth 71, PID 2968
C:\Windows\SysWOW64\Aidnohbk.exe (command line: C:\Windows\system32\Aidnohbk.exe) depth 72, PID 2732
C:\Windows\SysWOW64\Albjlcao.exe (command line: C:\Windows\system32\Albjlcao.exe) depth 73, PID 1540
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ajejgp32.exe (command line: C:\Windows\system32\Ajejgp32.exe) depth 74, PID 3024
- Drops file in System32 directory
C:\Windows\SysWOW64\Abmbhn32.exe (command line: C:\Windows\system32\Abmbhn32.exe) depth 75, PID 2564
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Aekodi32.exe (command line: C:\Windows\system32\Aekodi32.exe) depth 76, PID 2572
- Modifies registry class
C:\Windows\SysWOW64\Ajhgmpfg.exe (command line: C:\Windows\system32\Ajhgmpfg.exe) depth 77, PID 2400
- Modifies registry class
C:\Windows\SysWOW64\Amfcikek.exe (command line: C:\Windows\system32\Amfcikek.exe) depth 78, PID 2608
- Modifies registry class
C:\Windows\SysWOW64\Adpkee32.exe (command line: C:\Windows\system32\Adpkee32.exe) depth 79, PID 2288
C:\Windows\SysWOW64\Ahlgfdeq.exe (command line: C:\Windows\system32\Ahlgfdeq.exe) depth 80, PID 1552
C:\Windows\SysWOW64\Ajjcbpdd.exe (command line: C:\Windows\system32\Ajjcbpdd.exe) depth 81, PID 1972
C:\Windows\SysWOW64\Aadloj32.exe (command line: C:\Windows\system32\Aadloj32.exe) depth 82, PID 1520
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bdbhke32.exe (command line: C:\Windows\system32\Bdbhke32.exe) depth 83, PID 588
- Modifies registry class
C:\Windows\SysWOW64\Bfadgq32.exe (command line: C:\Windows\system32\Bfadgq32.exe) depth 84, PID 2380
- Drops file in System32 directory
C:\Windows\SysWOW64\Bioqclil.exe (command line: C:\Windows\system32\Bioqclil.exe) depth 85, PID 1276
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bafidiio.exe (command line: C:\Windows\system32\Bafidiio.exe) depth 86, PID 820
- Modifies registry class
C:\Windows\SysWOW64\Bbhela32.exe (command line: C:\Windows\system32\Bbhela32.exe) depth 87, PID 1228
C:\Windows\SysWOW64\Biamilfj.exe (command line: C:\Windows\system32\Biamilfj.exe) depth 88, PID 992
- Drops file in System32 directory
C:\Windows\SysWOW64\Blpjegfm.exe (command line: C:\Windows\system32\Blpjegfm.exe) depth 89, PID 1068
- Modifies registry class
C:\Windows\SysWOW64\Bdgafdfp.exe (command line: C:\Windows\system32\Bdgafdfp.exe) depth 90, PID 2976
- Drops file in System32 directory
C:\Windows\SysWOW64\Bidjnkdg.exe (command line: C:\Windows\system32\Bidjnkdg.exe) depth 91, PID 2040
C:\Windows\SysWOW64\Blbfjg32.exe (command line: C:\Windows\system32\Blbfjg32.exe) depth 92, PID 2984
C:\Windows\SysWOW64\Bblogakg.exe (command line: C:\Windows\system32\Bblogakg.exe) depth 93, PID 2700
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Bekkcljk.exe (command line: C:\Windows\system32\Bekkcljk.exe) depth 94, PID 2216
C:\Windows\SysWOW64\Bhigphio.exe (command line: C:\Windows\system32\Bhigphio.exe) depth 95, PID 760
C:\Windows\SysWOW64\Bocolb32.exe (command line: C:\Windows\system32\Bocolb32.exe) depth 96, PID 2312
- Modifies registry class
C:\Windows\SysWOW64\Baakhm32.exe (command line: C:\Windows\system32\Baakhm32.exe) depth 97, PID 2644
- Modifies registry class
C:\Windows\SysWOW64\Biicik32.exe (command line: C:\Windows\system32\Biicik32.exe) depth 98, PID 1884
C:\Windows\SysWOW64\Ckjpacfp.exe (command line: C:\Windows\system32\Ckjpacfp.exe) depth 99, PID 268
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Coelaaoi.exe (command line: C:\Windows\system32\Coelaaoi.exe) depth 100, PID 1408
C:\Windows\SysWOW64\Cdbdjhmp.exe (command line: C:\Windows\system32\Cdbdjhmp.exe) depth 101, PID 596
C:\Windows\SysWOW64\Clilkfnb.exe (command line: C:\Windows\system32\Clilkfnb.exe) depth 102, PID 2832
C:\Windows\SysWOW64\Cnkicn32.exe (command line: C:\Windows\system32\Cnkicn32.exe) depth 103, PID 2236
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ceaadk32.exe (command line: C:\Windows\system32\Ceaadk32.exe) depth 104, PID 1608
- Modifies registry class
C:\Windows\SysWOW64\Cnmehnan.exe (command line: C:\Windows\system32\Cnmehnan.exe) depth 105, PID 1712
- Drops file in System32 directory
C:\Windows\SysWOW64\Cahail32.exe (command line: C:\Windows\system32\Cahail32.exe) depth 106, PID 280
C:\Windows\SysWOW64\Chbjffad.exe (command line: C:\Windows\system32\Chbjffad.exe) depth 107, PID 2480
C:\Windows\SysWOW64\Cnobnmpl.exe (command line: C:\Windows\system32\Cnobnmpl.exe) depth 108, PID 1376
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Cclkfdnc.exe (command line: C:\Windows\system32\Cclkfdnc.exe) depth 109, PID 2552
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ckccgane.exe (command line: C:\Windows\system32\Ckccgane.exe) depth 110, PID 2560
C:\Windows\SysWOW64\Cdlgpgef.exe (command line: C:\Windows\system32\Cdlgpgef.exe) depth 111, PID 2476
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dgjclbdi.exe (command line: C:\Windows\system32\Dgjclbdi.exe) depth 112, PID 1616
C:\Windows\SysWOW64\Dndlim32.exe (command line: C:\Windows\system32\Dndlim32.exe) depth 113, PID 1696
- Drops file in System32 directory
C:\Windows\SysWOW64\Dlgldibq.exe (command line: C:\Windows\system32\Dlgldibq.exe) depth 114, PID 2292
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dpbheh32.exe (command line: C:\Windows\system32\Dpbheh32.exe) depth 115, PID 112
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dcadac32.exe (command line: C:\Windows\system32\Dcadac32.exe) depth 116, PID 2028
C:\Windows\SysWOW64\Dhnmij32.exe (command line: C:\Windows\system32\Dhnmij32.exe) depth 117, PID 1116
C:\Windows\SysWOW64\Dpeekh32.exe (command line: C:\Windows\system32\Dpeekh32.exe) depth 118, PID 2280
C:\Windows\SysWOW64\Dfamcogo.exe (command line: C:\Windows\system32\Dfamcogo.exe) depth 119, PID 2260
C:\Windows\SysWOW64\Djmicm32.exe (command line: C:\Windows\system32\Djmicm32.exe) depth 120, PID 2020
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dlkepi32.exe (command line: C:\Windows\system32\Dlkepi32.exe) depth 121, PID 2528
C:\Windows\SysWOW64\Dojald32.exe (command line: C:\Windows\system32\Dojald32.exe) depth 122, PID 2516