Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 03:52
Behavioral task
behavioral1
Sample
181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe
-
Size
143KB
-
MD5
181b6a13899ec15f78cfd79230bb4a70
-
SHA1
64f9e5b48cd49fd5113a447b00dcdc1117c9b417
-
SHA256
9e9671a977c6f79fa29694e92212878b308b5618f792d1603a46be41be92e3e3
-
SHA512
b37f5933695a8c1e22385548888b3787bd49c8806af6f08d2b58f227abd37a61c64e3ce7da3026d1b8b2df7bf34cc77bc1075a644c2cae00a108c9808920ede1
-
SSDEEP
1536:fS4pb0V66MEeAhbTtuZ4x0rGn0UQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:bSVjeY3Rx0rGn03N93bsGfhv0vt3y
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmbgdfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aenbdoii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiaiqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljgfioc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boiccdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdhklkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okfencna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgaiaci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmkghcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocajbekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b000000015d0f-9.dat family_berbew behavioral1/files/0x000800000001650c-26.dat family_berbew behavioral1/files/0x0008000000016be2-47.dat family_berbew behavioral1/files/0x0007000000016c7c-73.dat family_berbew behavioral1/files/0x0006000000016cb6-92.dat family_berbew behavioral1/files/0x0006000000016d1a-113.dat family_berbew behavioral1/memory/1968-120-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000016d51-134.dat family_berbew behavioral1/files/0x0006000000016fed-154.dat family_berbew behavioral1/files/0x000600000001737c-178.dat family_berbew behavioral1/files/0x0006000000017407-197.dat family_berbew behavioral1/memory/1156-215-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/1724-227-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018bab-243.dat family_berbew behavioral1/memory/2348-258-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0005000000019185-275.dat family_berbew behavioral1/memory/2940-290-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000191ea-307.dat family_berbew behavioral1/memory/1560-323-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000193bd-372.dat family_berbew behavioral1/memory/1832-381-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2724-403-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000195b5-438.dat family_berbew behavioral1/files/0x00050000000195be-447.dat family_berbew behavioral1/memory/1260-441-0x0000000000250000-0x0000000000290000-memory.dmp family_berbew behavioral1/files/0x000500000001972f-461.dat family_berbew behavioral1/files/0x0005000000019a82-470.dat family_berbew behavioral1/files/0x000500000001a271-536.dat family_berbew behavioral1/files/0x000500000001a43c-629.dat family_berbew behavioral1/files/0x000500000001a44b-653.dat family_berbew behavioral1/files/0x000500000001a458-674.dat family_berbew behavioral1/files/0x000500000001a468-714.dat family_berbew behavioral1/files/0x000500000001a46c-724.dat family_berbew behavioral1/files/0x000500000001a478-761.dat family_berbew behavioral1/files/0x000500000001a508-800.dat family_berbew behavioral1/files/0x000500000001ad53-826.dat family_berbew behavioral1/files/0x000500000001c64e-838.dat family_berbew behavioral1/files/0x000500000001c6fb-852.dat family_berbew behavioral1/files/0x000500000001c7d9-892.dat family_berbew behavioral1/files/0x000500000001c7e8-911.dat family_berbew behavioral1/files/0x000500000001c7f3-935.dat family_berbew behavioral1/files/0x000500000001c810-1008.dat family_berbew behavioral1/files/0x000400000001ca56-1212.dat family_berbew behavioral1/files/0x000400000001cae0-1243.dat family_berbew behavioral1/files/0x000400000001caf9-1264.dat family_berbew behavioral1/files/0x000400000001cb34-1310.dat family_berbew behavioral1/files/0x000400000001cb72-1350.dat family_berbew behavioral1/files/0x000400000001cb80-1369.dat family_berbew behavioral1/files/0x000400000001cb92-1395.dat family_berbew behavioral1/files/0x000400000001cc4e-1530.dat family_berbew behavioral1/files/0x000400000001ccaf-1546.dat family_berbew behavioral1/files/0x000400000001cce8-1558.dat family_berbew behavioral1/files/0x000400000001cd0e-1571.dat family_berbew behavioral1/files/0x000400000001cd3a-1583.dat family_berbew behavioral1/files/0x000400000001cd4b-1599.dat family_berbew behavioral1/files/0x000400000001ce5a-1624.dat family_berbew behavioral1/files/0x000400000001cf54-1649.dat family_berbew behavioral1/files/0x000400000001cf7f-1690.dat family_berbew behavioral1/files/0x000400000001d312-1756.dat family_berbew behavioral1/files/0x000400000001d31e-1773.dat family_berbew behavioral1/files/0x000400000001d322-1781.dat family_berbew behavioral1/files/0x000400000001d333-1797.dat family_berbew behavioral1/files/0x000400000001d348-1819.dat family_berbew behavioral1/files/0x000400000001d420-1868.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1640 Nbdnoo32.exe 2484 Nhnfkigh.exe 2512 Nkmbgdfl.exe 2600 Nccjhafn.exe 2908 Nbfjdn32.exe 1096 Odegpj32.exe 2436 Omloag32.exe 2944 Oojknblb.exe 1968 Obigjnkf.exe 960 Oicpfh32.exe 956 Okalbc32.exe 2504 Onphoo32.exe 1300 Oghlgdgk.exe 1812 Onbddoog.exe 2008 Obnqem32.exe 1156 Oelmai32.exe 1724 Okfencna.exe 1596 Omgaek32.exe 944 Oenifh32.exe 2348 Ocajbekl.exe 2960 Ofpfnqjp.exe 1368 Pminkk32.exe 2940 Paejki32.exe 2128 Pgobhcac.exe 2972 Pjmodopf.exe 1560 Pmlkpjpj.exe 2644 Ppjglfon.exe 2864 Pbiciana.exe 2024 Pjpkjond.exe 1660 Pmnhfjmg.exe 1832 Ppmdbe32.exe 1864 Pbkpna32.exe 2724 Peiljl32.exe 1060 Pmqdkj32.exe 1132 Ppoqge32.exe 1260 Pnbacbac.exe 1248 Pfiidobe.exe 708 Phjelg32.exe 792 Qnfjna32.exe 1448 Qhooggdn.exe 2216 Qjmkcbcb.exe 984 Qagcpljo.exe 1316 Adeplhib.exe 824 Afdlhchf.exe 2708 Ankdiqih.exe 2548 Amndem32.exe 2440 Aajpelhl.exe 2468 Adhlaggp.exe 1676 Ahchbf32.exe 1228 Ajbdna32.exe 2692 Ampqjm32.exe 2688 Aalmklfi.exe 768 Adjigg32.exe 2148 Afiecb32.exe 1912 Aigaon32.exe 2212 Ambmpmln.exe 1620 Alenki32.exe 2780 Admemg32.exe 3060 Abpfhcje.exe 1616 Aenbdoii.exe 1380 Amejeljk.exe 1792 Alhjai32.exe 1192 Aoffmd32.exe 3016 Abbbnchb.exe -
Loads dropped DLL 64 IoCs
pid Process 2320 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 2320 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 1640 Nbdnoo32.exe 1640 Nbdnoo32.exe 2484 Nhnfkigh.exe 2484 Nhnfkigh.exe 2512 Nkmbgdfl.exe 2512 Nkmbgdfl.exe 2600 Nccjhafn.exe 2600 Nccjhafn.exe 2908 Nbfjdn32.exe 2908 Nbfjdn32.exe 1096 Odegpj32.exe 1096 Odegpj32.exe 2436 Omloag32.exe 2436 Omloag32.exe 2944 Oojknblb.exe 2944 Oojknblb.exe 1968 Obigjnkf.exe 1968 Obigjnkf.exe 960 Oicpfh32.exe 960 Oicpfh32.exe 956 Okalbc32.exe 956 Okalbc32.exe 2504 Onphoo32.exe 2504 Onphoo32.exe 1300 Oghlgdgk.exe 1300 Oghlgdgk.exe 1812 Onbddoog.exe 1812 Onbddoog.exe 2008 Obnqem32.exe 2008 Obnqem32.exe 1156 Oelmai32.exe 1156 Oelmai32.exe 1724 Okfencna.exe 1724 Okfencna.exe 1596 Omgaek32.exe 1596 Omgaek32.exe 944 Oenifh32.exe 944 Oenifh32.exe 2348 Ocajbekl.exe 2348 Ocajbekl.exe 2960 Ofpfnqjp.exe 2960 Ofpfnqjp.exe 1368 Pminkk32.exe 1368 Pminkk32.exe 2940 Paejki32.exe 2940 Paejki32.exe 2128 Pgobhcac.exe 2128 Pgobhcac.exe 2972 Pjmodopf.exe 2972 Pjmodopf.exe 1560 Pmlkpjpj.exe 1560 Pmlkpjpj.exe 2644 Ppjglfon.exe 2644 Ppjglfon.exe 2864 Pbiciana.exe 2864 Pbiciana.exe 2024 Pjpkjond.exe 2024 Pjpkjond.exe 1660 Pmnhfjmg.exe 1660 Pmnhfjmg.exe 1832 Ppmdbe32.exe 1832 Ppmdbe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Adhlaggp.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Eihfjo32.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fphafl32.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hellne32.exe File created C:\Windows\SysWOW64\Ifclcknc.dll Qhooggdn.exe File created C:\Windows\SysWOW64\Cgbdhd32.exe Ccfhhffh.exe File opened for modification C:\Windows\SysWOW64\Qjmkcbcb.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Efncicpm.exe Ecpgmhai.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hdhbam32.exe File created C:\Windows\SysWOW64\Edgoiebg.dll Ppoqge32.exe File opened for modification C:\Windows\SysWOW64\Fndldonj.dll Gaqcoc32.exe File created C:\Windows\SysWOW64\Fehjeo32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Hjhhocjj.exe Hellne32.exe File created C:\Windows\SysWOW64\Liqebf32.dll Hpapln32.exe File created C:\Windows\SysWOW64\Ejdmpb32.dll Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Dekpaqgc.dll Epdkli32.exe File opened for modification C:\Windows\SysWOW64\Faokjpfd.exe Fnpnndgp.exe File created C:\Windows\SysWOW64\Gphmeo32.exe Gaemjbcg.exe File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Gkgaje32.dll Nccjhafn.exe File opened for modification C:\Windows\SysWOW64\Fehjeo32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Ahcocb32.dll Glfhll32.exe File created C:\Windows\SysWOW64\Hodpgjha.exe Hpapln32.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Aajpelhl.exe Amndem32.exe File created C:\Windows\SysWOW64\Ecpgmhai.exe Epdkli32.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dkhcmgnl.exe File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Pmnhfjmg.exe Pjpkjond.exe File opened for modification C:\Windows\SysWOW64\Banepo32.exe Bkdmcdoe.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Fehjeo32.exe File created C:\Windows\SysWOW64\Jondlhmp.dll Gacpdbej.exe File created C:\Windows\SysWOW64\Ipjchc32.dll Fbgmbg32.exe File opened for modification C:\Windows\SysWOW64\Globlmmj.exe Fmlapp32.exe File created C:\Windows\SysWOW64\Ldhebk32.dll Pfiidobe.exe File created C:\Windows\SysWOW64\Aiabof32.dll Cgmkmecg.exe File created C:\Windows\SysWOW64\Nbfjdn32.exe Nccjhafn.exe File created C:\Windows\SysWOW64\Fnnajckm.dll Ofpfnqjp.exe File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Hacmcfge.exe File created C:\Windows\SysWOW64\Cllpkl32.exe Cnippoha.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Ghfbqn32.exe File created C:\Windows\SysWOW64\Omeope32.dll Chhjkl32.exe File created C:\Windows\SysWOW64\Efppoc32.exe Ebedndfa.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Filldb32.exe File created C:\Windows\SysWOW64\Gcaciakh.dll Gmjaic32.exe File created C:\Windows\SysWOW64\Pjmodopf.exe Pgobhcac.exe File opened for modification C:\Windows\SysWOW64\Afiecb32.exe Adjigg32.exe File opened for modification C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File created C:\Windows\SysWOW64\Ajlppdeb.dll Fckjalhj.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hodpgjha.exe File created C:\Windows\SysWOW64\Iddckpim.dll Pjmodopf.exe File created C:\Windows\SysWOW64\Phjelg32.exe Pfiidobe.exe File opened for modification C:\Windows\SysWOW64\Phjelg32.exe Pfiidobe.exe File created C:\Windows\SysWOW64\Ffbicfoc.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Begeknan.exe File created C:\Windows\SysWOW64\Dgfjbgmh.exe Dnneja32.exe File created C:\Windows\SysWOW64\Oelmai32.exe Obnqem32.exe File created C:\Windows\SysWOW64\Cckace32.exe Ckdjbh32.exe File created C:\Windows\SysWOW64\Eijcpoac.exe Eijcpoac.exe File opened for modification C:\Windows\SysWOW64\Alenki32.exe Ambmpmln.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cngcjo32.exe -
Program crash 1 IoCs
pid pid_target Process 3652 3452 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgknheej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmkghcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onphoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcfmmpb.dll" Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhmcfkme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll" Fmlapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpojo32.dll" Pmlkpjpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkmbgdfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faokjpfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll" Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" Inljnfkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" Hcnpbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" Hacmcfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gddifnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmddhkao.dll" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdcdhpk.dll" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknmbn32.dll" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgpgce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hellne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomkin32.dll" Ppjglfon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enihne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" Emhlfmgj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2320 wrote to memory of 1640 2320 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 28 PID 2320 wrote to memory of 1640 2320 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 28 PID 2320 wrote to memory of 1640 2320 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 28 PID 2320 wrote to memory of 1640 2320 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 28 PID 1640 wrote to memory of 2484 1640 Nbdnoo32.exe 29 PID 1640 wrote to memory of 2484 1640 Nbdnoo32.exe 29 PID 1640 wrote to memory of 2484 1640 Nbdnoo32.exe 29 PID 1640 wrote to memory of 2484 1640 Nbdnoo32.exe 29 PID 2484 wrote to memory of 2512 2484 Nhnfkigh.exe 30 PID 2484 wrote to memory of 2512 2484 Nhnfkigh.exe 30 PID 2484 wrote to memory of 2512 2484 Nhnfkigh.exe 30 PID 2484 wrote to memory of 2512 2484 Nhnfkigh.exe 30 PID 2512 wrote to memory of 2600 2512 Nkmbgdfl.exe 31 PID 2512 wrote to memory of 2600 2512 Nkmbgdfl.exe 31 PID 2512 wrote to memory of 2600 2512 Nkmbgdfl.exe 31 PID 2512 wrote to memory of 2600 2512 Nkmbgdfl.exe 31 PID 2600 wrote to memory of 2908 2600 Nccjhafn.exe 32 PID 2600 wrote to memory of 2908 2600 Nccjhafn.exe 32 PID 2600 wrote to memory of 2908 2600 Nccjhafn.exe 32 PID 2600 wrote to memory of 2908 2600 Nccjhafn.exe 32 PID 2908 wrote to memory of 1096 2908 Nbfjdn32.exe 33 PID 2908 wrote to memory of 1096 2908 Nbfjdn32.exe 33 PID 2908 wrote to memory of 1096 2908 Nbfjdn32.exe 33 PID 2908 wrote to memory of 1096 2908 Nbfjdn32.exe 33 PID 1096 wrote to memory of 2436 1096 Odegpj32.exe 34 PID 1096 wrote to memory of 2436 1096 Odegpj32.exe 34 PID 1096 wrote to memory of 2436 1096 Odegpj32.exe 34 PID 1096 wrote to memory of 2436 1096 Odegpj32.exe 34 PID 2436 wrote to memory of 2944 2436 Omloag32.exe 35 PID 2436 wrote to memory of 2944 2436 Omloag32.exe 35 PID 2436 wrote to memory of 2944 2436 Omloag32.exe 35 PID 2436 wrote to memory of 2944 2436 Omloag32.exe 35 PID 2944 wrote to memory of 1968 2944 Oojknblb.exe 36 PID 2944 wrote to memory of 1968 2944 Oojknblb.exe 36 PID 2944 wrote to memory of 1968 2944 Oojknblb.exe 36 PID 2944 wrote to memory of 1968 2944 Oojknblb.exe 36 PID 1968 wrote to memory of 960 1968 Obigjnkf.exe 37 PID 1968 wrote to memory of 960 1968 Obigjnkf.exe 37 PID 1968 wrote to memory of 960 1968 Obigjnkf.exe 37 PID 1968 wrote to memory of 960 1968 Obigjnkf.exe 37 PID 960 wrote to memory of 956 960 Oicpfh32.exe 38 PID 960 wrote to memory of 956 960 Oicpfh32.exe 38 PID 960 wrote to memory of 956 960 Oicpfh32.exe 38 PID 960 wrote to memory of 956 960 Oicpfh32.exe 38 PID 956 wrote to memory of 2504 956 Okalbc32.exe 39 PID 956 wrote to memory of 2504 956 Okalbc32.exe 39 PID 956 wrote to memory of 2504 956 Okalbc32.exe 39 PID 956 wrote to memory of 2504 956 Okalbc32.exe 39 PID 2504 wrote to memory of 1300 2504 Onphoo32.exe 40 PID 2504 wrote to memory of 1300 2504 Onphoo32.exe 40 PID 2504 wrote to memory of 1300 2504 Onphoo32.exe 40 PID 2504 wrote to memory of 1300 2504 Onphoo32.exe 40 PID 1300 wrote to memory of 1812 1300 Oghlgdgk.exe 41 PID 1300 wrote to memory of 1812 1300 Oghlgdgk.exe 41 PID 1300 wrote to memory of 1812 1300 Oghlgdgk.exe 41 PID 1300 wrote to memory of 1812 1300 Oghlgdgk.exe 41 PID 1812 wrote to memory of 2008 1812 Onbddoog.exe 42 PID 1812 wrote to memory of 2008 1812 Onbddoog.exe 42 PID 1812 wrote to memory of 2008 1812 Onbddoog.exe 42 PID 1812 wrote to memory of 2008 1812 Onbddoog.exe 42 PID 2008 wrote to memory of 1156 2008 Obnqem32.exe 43 PID 2008 wrote to memory of 1156 2008 Obnqem32.exe 43 PID 2008 wrote to memory of 1156 2008 Obnqem32.exe 43 PID 2008 wrote to memory of 1156 2008 Obnqem32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe33⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe34⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe35⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe37⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe40⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe42⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe43⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe45⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe50⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe51⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe52⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe53⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe58⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe60⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe62⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe64⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe66⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe67⤵PID:448
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe70⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe71⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe72⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe74⤵PID:2160
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe75⤵PID:856
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe76⤵PID:2716
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe77⤵PID:1404
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe78⤵PID:1628
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe79⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe80⤵PID:2192
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe81⤵PID:1524
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe82⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe83⤵PID:2740
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe85⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe86⤵PID:1544
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe87⤵PID:580
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe88⤵PID:2760
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe89⤵PID:1208
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe90⤵PID:1764
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe92⤵PID:1824
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe93⤵PID:1588
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:488 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe95⤵PID:2840
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe96⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe97⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe98⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe99⤵
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe100⤵PID:804
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe101⤵PID:2056
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe103⤵PID:1284
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe104⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe105⤵PID:1872
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe106⤵PID:2772
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe107⤵PID:2540
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe108⤵PID:2388
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe110⤵PID:2488
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe112⤵
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1144 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe114⤵PID:1656
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe116⤵PID:2640
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe118⤵PID:2616
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe121⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe122⤵PID:2376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-