Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 13:04
Behavioral task
behavioral1
Sample
511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe
-
Size
1.6MB
-
MD5
0d39fa68ffc0a62eac1344f8733bf0c0
-
SHA1
b6f7521faad03237346cbd1b961457db47ab7476
-
SHA256
511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55
-
SHA512
704eb03eca19cdb078af6c457c170f0efbbe1db1a6001063b364a1f4957168e0a5062e723446887a4b8049ff2254aece4392a2cfaacd1be3ec0b2739a614dc82
-
SSDEEP
24576:K7GFPASwwL2vzecI50+YNpsKv2EvZHp3oWB+:K73SwwL2vKcIKLXZ3+
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkknojp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgqcmlgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piblek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebodiofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbcfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcadac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kneicieh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjbnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbggnhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpphap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidoim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiidobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikkiijf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgogk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfffnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpbheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocemcbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghjhp32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c00000001228a-5.dat family_berbew behavioral1/files/0x0008000000015cd8-18.dat family_berbew behavioral1/files/0x0007000000015cf5-32.dat family_berbew behavioral1/files/0x0009000000015d1e-51.dat family_berbew behavioral1/files/0x0006000000016c3a-58.dat family_berbew behavioral1/files/0x0006000000016c5b-78.dat family_berbew behavioral1/files/0x0006000000016d36-144.dat family_berbew behavioral1/files/0x0006000000016d73-189.dat family_berbew behavioral1/files/0x000500000001962d-461.dat family_berbew behavioral1/files/0x000500000001c8b7-1048.dat family_berbew behavioral1/files/0x000400000001ca96-1270.dat family_berbew behavioral1/files/0x000400000001cccc-1580.dat family_berbew behavioral1/files/0x000400000001cef2-1660.dat family_berbew behavioral1/files/0x000400000001d8bf-2036.dat family_berbew behavioral1/files/0x000400000001d9f3-2156.dat family_berbew behavioral1/files/0x000400000001da98-2383.dat family_berbew behavioral1/files/0x000400000001dbf5-2559.dat family_berbew behavioral1/files/0x000400000001dc6d-2663.dat family_berbew behavioral1/files/0x000400000001dd1b-2777.dat family_berbew behavioral1/files/0x000400000001de24-2905.dat family_berbew behavioral1/files/0x000400000001deaa-3041.dat family_berbew behavioral1/files/0x000400000001e04c-3330.dat family_berbew behavioral1/files/0x000400000001ea78-3698.dat family_berbew behavioral1/files/0x000300000001fe21-3786.dat family_berbew behavioral1/files/0x000300000001fe1d-3778.dat family_berbew behavioral1/files/0x000300000001fe0c-3770.dat family_berbew behavioral1/files/0x000300000001fe04-3762.dat family_berbew behavioral1/files/0x000300000001fd87-3754.dat family_berbew behavioral1/files/0x000300000001fd6a-3746.dat family_berbew behavioral1/files/0x000400000001ebe9-3738.dat family_berbew behavioral1/files/0x000400000001ebcd-3730.dat family_berbew behavioral1/files/0x000400000001eb8f-3722.dat family_berbew behavioral1/files/0x000400000001eb61-3714.dat family_berbew behavioral1/files/0x000400000001eab8-3706.dat family_berbew behavioral1/files/0x000400000001e9fe-3690.dat family_berbew behavioral1/files/0x000400000001e9d0-3682.dat family_berbew behavioral1/files/0x000400000001e98c-3674.dat family_berbew behavioral1/files/0x000400000001e943-3666.dat family_berbew behavioral1/files/0x000400000001e8e9-3658.dat family_berbew behavioral1/files/0x000400000001e8c8-3650.dat family_berbew behavioral1/files/0x000400000001e8bd-3642.dat family_berbew behavioral1/files/0x000400000001e8b1-3634.dat family_berbew behavioral1/files/0x000400000001e8a8-3626.dat family_berbew behavioral1/files/0x000400000001e8a6-3618.dat family_berbew behavioral1/files/0x000400000001e891-3610.dat family_berbew behavioral1/files/0x000400000001e88f-3602.dat family_berbew behavioral1/files/0x000400000001e888-3594.dat family_berbew behavioral1/files/0x000400000001e87f-3586.dat family_berbew behavioral1/files/0x000400000001e875-3578.dat family_berbew behavioral1/files/0x000400000001e873-3570.dat family_berbew behavioral1/files/0x000400000001e86b-3562.dat family_berbew behavioral1/files/0x000400000001e868-3554.dat family_berbew behavioral1/files/0x000400000001e863-3546.dat family_berbew behavioral1/files/0x000400000001e860-3538.dat family_berbew behavioral1/files/0x000400000001e85a-3530.dat family_berbew behavioral1/files/0x000400000001e850-3522.dat family_berbew behavioral1/files/0x000400000001e802-3514.dat family_berbew behavioral1/files/0x000400000001e7c9-3506.dat family_berbew behavioral1/files/0x000400000001e67b-3498.dat family_berbew behavioral1/files/0x000400000001e4f6-3490.dat family_berbew behavioral1/files/0x000400000001e3ef-3482.dat family_berbew behavioral1/files/0x000400000001e3b3-3474.dat family_berbew behavioral1/files/0x000400000001e3a4-3466.dat family_berbew behavioral1/files/0x000400000001e336-3458.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2992 Nocemcbj.exe 2608 Nccjhafn.exe 2616 Oghlgdgk.exe 2784 Ofpfnqjp.exe 2576 Pminkk32.exe 2540 Pphjgfqq.exe 2924 Pgobhcac.exe 1632 Paggai32.exe 1852 Pcfcmd32.exe 236 Pfdpip32.exe 1564 Piblek32.exe 2728 Ppmdbe32.exe 1496 Piehkkcl.exe 2916 Pnbacbac.exe 1820 Pfiidobe.exe 332 Plfamfpm.exe 2440 Pbpjiphi.exe 1176 Pijbfj32.exe 1688 Qaefjm32.exe 1292 Qhooggdn.exe 1004 Qnigda32.exe 2008 Qecoqk32.exe 2064 Ankdiqih.exe 2260 Adhlaggp.exe 1932 Aiedjneg.exe 1480 Adjigg32.exe 2780 Afiecb32.exe 2668 Ambmpmln.exe 2588 Afkbib32.exe 2792 Alhjai32.exe 2904 Afmonbqk.exe 1484 Aljgfioc.exe 1856 Bagpopmj.exe 352 Blmdlhmp.exe 1460 Bbflib32.exe 2220 Bhcdaibd.exe 1768 Bommnc32.exe 2084 Bdjefj32.exe 1280 Bkdmcdoe.exe 900 Banepo32.exe 2836 Bdlblj32.exe 1400 Bhhnli32.exe 1500 Bkfjhd32.exe 2612 Bnefdp32.exe 2760 Bpcbqk32.exe 2636 Cgmkmecg.exe 2388 Cjlgiqbk.exe 2268 Cpeofk32.exe 3112 Cdakgibq.exe 3160 Cfbhnaho.exe 3212 Cllpkl32.exe 3264 Coklgg32.exe 3316 Cfeddafl.exe 3368 Clomqk32.exe 3420 Cbkeib32.exe 3468 Cjbmjplb.exe 3520 Claifkkf.exe 3568 Cbnbobin.exe 3620 Cdlnkmha.exe 3676 Cobbhfhg.exe 3728 Dflkdp32.exe 3792 Dhjgal32.exe 3840 Dkhcmgnl.exe 3892 Dbbkja32.exe -
Loads dropped DLL 64 IoCs
pid Process 3020 511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe 3020 511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe 2992 Nocemcbj.exe 2992 Nocemcbj.exe 2608 Nccjhafn.exe 2608 Nccjhafn.exe 2616 Oghlgdgk.exe 2616 Oghlgdgk.exe 2784 Ofpfnqjp.exe 2784 Ofpfnqjp.exe 2576 Pminkk32.exe 2576 Pminkk32.exe 2540 Pphjgfqq.exe 2540 Pphjgfqq.exe 2924 Pgobhcac.exe 2924 Pgobhcac.exe 1632 Paggai32.exe 1632 Paggai32.exe 1852 Pcfcmd32.exe 1852 Pcfcmd32.exe 236 Pfdpip32.exe 236 Pfdpip32.exe 1564 Piblek32.exe 1564 Piblek32.exe 2728 Ppmdbe32.exe 2728 Ppmdbe32.exe 1496 Piehkkcl.exe 1496 Piehkkcl.exe 2916 Pnbacbac.exe 2916 Pnbacbac.exe 1820 Pfiidobe.exe 1820 Pfiidobe.exe 332 Plfamfpm.exe 332 Plfamfpm.exe 2440 Pbpjiphi.exe 2440 Pbpjiphi.exe 1176 Pijbfj32.exe 1176 Pijbfj32.exe 1688 Qaefjm32.exe 1688 Qaefjm32.exe 1292 Qhooggdn.exe 1292 Qhooggdn.exe 1004 Qnigda32.exe 1004 Qnigda32.exe 2008 Qecoqk32.exe 2008 Qecoqk32.exe 2064 Ankdiqih.exe 2064 Ankdiqih.exe 2260 Adhlaggp.exe 2260 Adhlaggp.exe 1932 Aiedjneg.exe 1932 Aiedjneg.exe 1480 Adjigg32.exe 1480 Adjigg32.exe 2780 Afiecb32.exe 2780 Afiecb32.exe 2668 Ambmpmln.exe 2668 Ambmpmln.exe 2588 Afkbib32.exe 2588 Afkbib32.exe 2792 Alhjai32.exe 2792 Alhjai32.exe 2904 Afmonbqk.exe 2904 Afmonbqk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dlmdloao.dll Pcfcmd32.exe File created C:\Windows\SysWOW64\Cfeddafl.exe Coklgg32.exe File created C:\Windows\SysWOW64\Lfjqnjkh.exe Lckdanld.exe File opened for modification C:\Windows\SysWOW64\Pnajilng.exe Pfjbgnme.exe File opened for modification C:\Windows\SysWOW64\Dcenlceh.exe Dknekeef.exe File created C:\Windows\SysWOW64\Hnempl32.dll Geolea32.exe File created C:\Windows\SysWOW64\Igihbknb.exe Idklfpon.exe File created C:\Windows\SysWOW64\Njmggi32.dll Ejhlgaeh.exe File created C:\Windows\SysWOW64\Obopfpji.dll Pminkk32.exe File opened for modification C:\Windows\SysWOW64\Clomqk32.exe Cfeddafl.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Gicbeald.exe File created C:\Windows\SysWOW64\Apimacnn.exe Amkpegnj.exe File created C:\Windows\SysWOW64\Jjlnif32.exe Jgnamk32.exe File created C:\Windows\SysWOW64\Pnjdhmdo.exe Pklhlael.exe File created C:\Windows\SysWOW64\Cdgneh32.exe Ckoilb32.exe File created C:\Windows\SysWOW64\Bjidgghp.dll Dknekeef.exe File created C:\Windows\SysWOW64\Dlnbeh32.exe Ddgjdk32.exe File created C:\Windows\SysWOW64\Dhflmk32.dll Ddeaalpg.exe File created C:\Windows\SysWOW64\Ongbcmlc.dll Ffkcbgek.exe File created C:\Windows\SysWOW64\Elpbcapg.dll Gkihhhnm.exe File created C:\Windows\SysWOW64\Emmcaafi.dll Mdpjlajk.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Ekelld32.exe File created C:\Windows\SysWOW64\Jnmgmhmc.dll Fioija32.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Dlgldibq.exe File opened for modification C:\Windows\SysWOW64\Aljgfioc.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Inljnfkg.exe Ilknfn32.exe File created C:\Windows\SysWOW64\Bmamfo32.dll Lefdpe32.exe File created C:\Windows\SysWOW64\Adhlaggp.exe Ankdiqih.exe File created C:\Windows\SysWOW64\Gkgkbipp.exe Gieojq32.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lmolnh32.exe File opened for modification C:\Windows\SysWOW64\Blpjegfm.exe Biamilfj.exe File created C:\Windows\SysWOW64\Dfoqmo32.exe Dcadac32.exe File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe Dogefd32.exe File created C:\Windows\SysWOW64\Ppmdbe32.exe Piblek32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Bommnc32.exe File created C:\Windows\SysWOW64\Enkece32.exe Epieghdk.exe File created C:\Windows\SysWOW64\Cfahajeg.dll Ijgdngmf.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Bhcdaibd.exe Bbflib32.exe File created C:\Windows\SysWOW64\Cdakgibq.exe Cpeofk32.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Ebinic32.exe File created C:\Windows\SysWOW64\Gopkmhjk.exe Glaoalkh.exe File created C:\Windows\SysWOW64\Dliijipn.exe Dhnmij32.exe File created C:\Windows\SysWOW64\Gogcek32.dll Ebmgcohn.exe File created C:\Windows\SysWOW64\Aljgfioc.exe Afmonbqk.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Hggomh32.exe Hckcmjep.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File created C:\Windows\SysWOW64\Pefijfii.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Gokkjm32.dll Lkncmmle.exe File created C:\Windows\SysWOW64\Ngpolo32.exe Npfgpe32.exe File created C:\Windows\SysWOW64\Ahoanjcc.dll Emnndlod.exe File opened for modification C:\Windows\SysWOW64\Dkcofe32.exe Dhdcji32.exe File opened for modification C:\Windows\SysWOW64\Jnemdecl.exe Ifnechbj.exe File created C:\Windows\SysWOW64\Keanebkb.exe Kafbec32.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mkgfckcj.exe File created C:\Windows\SysWOW64\Blpjegfm.exe Biamilfj.exe File opened for modification C:\Windows\SysWOW64\Biicik32.exe Baakhm32.exe File created C:\Windows\SysWOW64\Ckqfeoma.dll Lfjqnjkh.exe File opened for modification C:\Windows\SysWOW64\Cdikkg32.exe Caknol32.exe File opened for modification C:\Windows\SysWOW64\Ankdiqih.exe Qecoqk32.exe File opened for modification C:\Windows\SysWOW64\Bagpopmj.exe Aljgfioc.exe File created C:\Windows\SysWOW64\Hejoiedd.exe Hggomh32.exe File created C:\Windows\SysWOW64\Kcbakpdo.exe Kaceodek.exe -
Program crash 1 IoCs
pid pid_target Process 4392 4204 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfeoma.dll" Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbfpg32.dll" Pklhlael.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbelgood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblnkb32.dll" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonahjjd.dll" Ndkmpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gphmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdafiei.dll" Ppbfpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" Hcnpbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbfabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clomqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmfoi32.dll" Jnqphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfqpfb32.dll" Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cllpkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqonkmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjiphda.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcbnc32.dll" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbeccf32.dll" Alhjai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakbapml.dll" Ncjqhmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooclokl.dll" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egahmk32.dll" Okikfagn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blgpef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkdneid.dll" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmahdggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anccmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmndi32.dll" Nccjhafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghlgdgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgmgmfd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3020 wrote to memory of 2992 3020 511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe 28 PID 3020 wrote to memory of 2992 3020 511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe 28 PID 3020 wrote to memory of 2992 3020 511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe 28 PID 3020 wrote to memory of 2992 3020 511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe 28 PID 2992 wrote to memory of 2608 2992 Nocemcbj.exe 29 PID 2992 wrote to memory of 2608 2992 Nocemcbj.exe 29 PID 2992 wrote to memory of 2608 2992 Nocemcbj.exe 29 PID 2992 wrote to memory of 2608 2992 Nocemcbj.exe 29 PID 2608 wrote to memory of 2616 2608 Nccjhafn.exe 30 PID 2608 wrote to memory of 2616 2608 Nccjhafn.exe 30 PID 2608 wrote to memory of 2616 2608 Nccjhafn.exe 30 PID 2608 wrote to memory of 2616 2608 Nccjhafn.exe 30 PID 2616 wrote to memory of 2784 2616 Oghlgdgk.exe 31 PID 2616 wrote to memory of 2784 2616 Oghlgdgk.exe 31 PID 2616 wrote to memory of 2784 2616 Oghlgdgk.exe 31 PID 2616 wrote to memory of 2784 2616 Oghlgdgk.exe 31 PID 2784 wrote to memory of 2576 2784 Ofpfnqjp.exe 32 PID 2784 wrote to memory of 2576 2784 Ofpfnqjp.exe 32 PID 2784 wrote to memory of 2576 2784 Ofpfnqjp.exe 32 PID 2784 wrote to memory of 2576 2784 Ofpfnqjp.exe 32 PID 2576 wrote to memory of 2540 2576 Pminkk32.exe 33 PID 2576 wrote to memory of 2540 2576 Pminkk32.exe 33 PID 2576 wrote to memory of 2540 2576 Pminkk32.exe 33 PID 2576 wrote to memory of 2540 2576 Pminkk32.exe 33 PID 2540 wrote to memory of 2924 2540 Pphjgfqq.exe 34 PID 2540 wrote to memory of 2924 2540 Pphjgfqq.exe 34 PID 2540 wrote to memory of 2924 2540 Pphjgfqq.exe 34 PID 2540 wrote to memory of 2924 2540 Pphjgfqq.exe 34 PID 2924 wrote to memory of 1632 2924 Pgobhcac.exe 35 PID 2924 wrote to memory of 1632 2924 Pgobhcac.exe 35 PID 2924 wrote to memory of 1632 2924 Pgobhcac.exe 35 PID 2924 wrote to memory of 1632 2924 Pgobhcac.exe 35 PID 1632 wrote to memory of 1852 1632 Paggai32.exe 36 PID 1632 wrote to memory of 1852 1632 Paggai32.exe 36 PID 1632 wrote to memory of 1852 1632 Paggai32.exe 36 PID 1632 wrote to memory of 1852 1632 Paggai32.exe 36 PID 1852 wrote to memory of 236 1852 Pcfcmd32.exe 37 PID 1852 wrote to memory of 236 1852 Pcfcmd32.exe 37 PID 1852 wrote to memory of 236 1852 Pcfcmd32.exe 37 PID 1852 wrote to memory of 236 1852 Pcfcmd32.exe 37 PID 236 wrote to memory of 1564 236 Pfdpip32.exe 38 PID 236 wrote to memory of 1564 236 Pfdpip32.exe 38 PID 236 wrote to memory of 1564 236 Pfdpip32.exe 38 PID 236 wrote to memory of 1564 236 Pfdpip32.exe 38 PID 1564 wrote to memory of 2728 1564 Piblek32.exe 39 PID 1564 wrote to memory of 2728 1564 Piblek32.exe 39 PID 1564 wrote to memory of 2728 1564 Piblek32.exe 39 PID 1564 wrote to memory of 2728 1564 Piblek32.exe 39 PID 2728 wrote to memory of 1496 2728 Ppmdbe32.exe 40 PID 2728 wrote to memory of 1496 2728 Ppmdbe32.exe 40 PID 2728 wrote to memory of 1496 2728 Ppmdbe32.exe 40 PID 2728 wrote to memory of 1496 2728 Ppmdbe32.exe 40 PID 1496 wrote to memory of 2916 1496 Piehkkcl.exe 41 PID 1496 wrote to memory of 2916 1496 Piehkkcl.exe 41 PID 1496 wrote to memory of 2916 1496 Piehkkcl.exe 41 PID 1496 wrote to memory of 2916 1496 Piehkkcl.exe 41 PID 2916 wrote to memory of 1820 2916 Pnbacbac.exe 42 PID 2916 wrote to memory of 1820 2916 Pnbacbac.exe 42 PID 2916 wrote to memory of 1820 2916 Pnbacbac.exe 42 PID 2916 wrote to memory of 1820 2916 Pnbacbac.exe 42 PID 1820 wrote to memory of 332 1820 Pfiidobe.exe 43 PID 1820 wrote to memory of 332 1820 Pfiidobe.exe 43 PID 1820 wrote to memory of 332 1820 Pfiidobe.exe 43 PID 1820 wrote to memory of 332 1820 Pfiidobe.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\511062ac3dbed7da2dd1a608a840f8776b1da1de6c2d1e333b050e9c1ac0cc55_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1176 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe35⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe37⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe39⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe40⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe41⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe43⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe44⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe45⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe46⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe47⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe51⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3316 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3368 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe56⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe57⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe58⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe60⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe62⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe64⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe65⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe66⤵PID:3948
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe67⤵PID:4012
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe68⤵PID:4076
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe69⤵PID:2200
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe70⤵PID:2276
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe71⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe72⤵PID:1240
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe73⤵PID:2644
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe74⤵PID:2528
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe75⤵PID:1544
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe76⤵PID:2116
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe77⤵PID:3148
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe78⤵
- Modifies registry class
PID:3208 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe79⤵PID:3280
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe80⤵PID:3340
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe81⤵PID:3392
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe82⤵PID:3488
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe83⤵PID:3508
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe84⤵PID:3632
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3700 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3712 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe87⤵PID:3860
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe88⤵
- Drops file in System32 directory
PID:3924 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe89⤵PID:3988
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1396 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe91⤵PID:4072
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe93⤵PID:2756
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe94⤵PID:2448
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe95⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe96⤵PID:2920
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe97⤵
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe99⤵
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe100⤵PID:3296
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe101⤵PID:3388
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe102⤵PID:3460
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe103⤵PID:2844
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe104⤵PID:3656
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe105⤵
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3720 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe107⤵PID:3960
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe108⤵PID:1068
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe109⤵PID:3996
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe110⤵PID:4044
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe111⤵PID:4128
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe112⤵
- Drops file in System32 directory
PID:4172 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe113⤵
- Drops file in System32 directory
PID:4220 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4268 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4320 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe116⤵
- Drops file in System32 directory
PID:4364 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe117⤵PID:4416
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe118⤵PID:4468
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe119⤵PID:4528
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe120⤵
- Drops file in System32 directory
PID:4604 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe121⤵PID:4672
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe122⤵
- Drops file in System32 directory
PID:4728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-