Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 13:21
Behavioral task behavioral1
Sample: 31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe
Size: 276KB
MD5: 31e00efda5730a285dd5f396ed99a720
SHA1: 456c032dc97749f2f9b5a20c3ae40e4e511789bd
SHA256: 18469ee1605b6a8e5c1337cc393572327e84609b0f72cb41abb2cc0361ba0765
SHA512: 0fea73715f95a192109ab253765f26b24a2c3bfb41230da0658c24597505872e1aed462f55ac62724fd9cfc912c57ccd192877d32a5ac96a03966b329d8f43a1
SSDEEP: 3072:Xr/VycXY0tMgbDd1AZoUBW3FJeRuaWNXmgu+tAcrbFAJc+RsUi1aVDkOvhJjvJuP:XrBfMgfdWZHEFJ7aWN1rtMsQBOSGaF+
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid   pid_target   Process        procid_target
2256  4612         WerFault.exe   440
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

1. C:\Users\Admin\AppData\Local\Temp\31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe (PID 2240), command line: "C:\Users\Admin\AppData\Local\Temp\31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ioliqbjn.exe (PID 1740), command line: C:\Windows\system32\Ioliqbjn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Inafbooe.exe (PID 2924), command line: C:\Windows\system32\Inafbooe.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Jeadap32.exe (PID 2480), command line: C:\Windows\system32\Jeadap32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Jjaimn32.exe (PID 2756), command line: C:\Windows\system32\Jjaimn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Jblnaq32.exe (PID 2528), command line: C:\Windows\system32\Jblnaq32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kbokgpgg.exe (PID 2408), command line: C:\Windows\system32\Kbokgpgg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kjllab32.exe (PID 2336), command line: C:\Windows\system32\Kjllab32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kmobhmnn.exe (PID 1656), command line: C:\Windows\system32\Kmobhmnn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lfhfab32.exe (PID 2560), command line: C:\Windows\system32\Lfhfab32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lmfhil32.exe (PID 2188), command line: C:\Windows\system32\Lmfhil32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lgpiij32.exe (PID 1920), command line: C:\Windows\system32\Lgpiij32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mnojacgm.exe (PID 2040), command line: C:\Windows\system32\Mnojacgm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mnaggcej.exe (PID 1692), command line: C:\Windows\system32\Mnaggcej.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mjhhld32.exe (PID 2948), command line: C:\Windows\system32\Mjhhld32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Nehomq32.exe (PID 592), command line: C:\Windows\system32\Nehomq32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Noemqe32.exe (PID 628), command line: C:\Windows\system32\Noemqe32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
18. C:\Windows\SysWOW64\Ogqaehak.exe (PID 3016), command line: C:\Windows\system32\Ogqaehak.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
19. C:\Windows\SysWOW64\Oifdbb32.exe (PID 1968), command line: C:\Windows\system32\Oifdbb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Ocohkh32.exe (PID 1624), command line: C:\Windows\system32\Ocohkh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
21. C:\Windows\SysWOW64\Peoalc32.exe (PID 1940), command line: C:\Windows\system32\Peoalc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
22. C:\Windows\SysWOW64\Pkofjijm.exe (PID 2960), command line: C:\Windows\system32\Pkofjijm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
23. C:\Windows\SysWOW64\Pnopldgn.exe (PID 2968), command line: C:\Windows\system32\Pnopldgn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
24. C:\Windows\SysWOW64\Pggdejno.exe (PID 2216), command line: C:\Windows\system32\Pggdejno.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Akqpom32.exe (PID 1704), command line: C:\Windows\system32\Akqpom32.exe
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Aidphq32.exe (PID 1312), command line: C:\Windows\system32\Aidphq32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
27. C:\Windows\SysWOW64\Aboaff32.exe (PID 1448), command line: C:\Windows\system32\Aboaff32.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Agljom32.exe (PID 2464), command line: C:\Windows\system32\Agljom32.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Bjmbqhif.exe (PID 2512), command line: C:\Windows\system32\Bjmbqhif.exe
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Bjoofhgc.exe (PID 2680), command line: C:\Windows\system32\Bjoofhgc.exe
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Bpnddn32.exe (PID 2412), command line: C:\Windows\system32\Bpnddn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Bigimdjh.exe (PID 2384), command line: C:\Windows\system32\Bigimdjh.exe
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Cofnjj32.exe (PID 768), command line: C:\Windows\system32\Cofnjj32.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Cikbhc32.exe (PID 1156), command line: C:\Windows\system32\Cikbhc32.exe
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Cmmhaf32.exe (PID 864), command line: C:\Windows\system32\Cmmhaf32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Cffljlpc.exe (PID 1216), command line: C:\Windows\system32\Cffljlpc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Cdjmcpnl.exe (PID 2588), command line: C:\Windows\system32\Cdjmcpnl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Ckcepj32.exe (PID 1532), command line: C:\Windows\system32\Ckcepj32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Dkfbfjdf.exe (PID 1524), command line: C:\Windows\system32\Dkfbfjdf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Ddnfop32.exe (PID 2324), command line: C:\Windows\system32\Ddnfop32.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Dljkcb32.exe (PID 1472), command line: C:\Windows\system32\Dljkcb32.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Dcccpl32.exe (PID 932), command line: C:\Windows\system32\Dcccpl32.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Dllhhaep.exe (PID 472), command line: C:\Windows\system32\Dllhhaep.exe
   - Executes dropped EXE
   - Modifies registry class
44. C:\Windows\SysWOW64\Dedlag32.exe (PID 1504), command line: C:\Windows\system32\Dedlag32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Dchmkkkj.exe (PID 1724), command line: C:\Windows\system32\Dchmkkkj.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Eoompl32.exe (PID 1152), command line: C:\Windows\system32\Eoompl32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
47. C:\Windows\SysWOW64\Eeielfhk.exe (PID 1508), command line: C:\Windows\system32\Eeielfhk.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Eoajel32.exe (PID 1492), command line: C:\Windows\system32\Eoajel32.exe
   - Executes dropped EXE
   - Modifies registry class
49. C:\Windows\SysWOW64\Egmojnlf.exe (PID 1484), command line: C:\Windows\system32\Egmojnlf.exe
   - Executes dropped EXE
   - Modifies registry class
50. C:\Windows\SysWOW64\Epecbd32.exe (PID 2792), command line: C:\Windows\system32\Epecbd32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
51. C:\Windows\SysWOW64\Elldgehk.exe (PID 2864), command line: C:\Windows\system32\Elldgehk.exe
   - Executes dropped EXE
   - Modifies registry class
52. C:\Windows\SysWOW64\Efdhpjok.exe (PID 2036), command line: C:\Windows\system32\Efdhpjok.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Elnqmd32.exe (PID 2248), command line: C:\Windows\system32\Elnqmd32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Fheabelm.exe (PID 1756), command line: C:\Windows\system32\Fheabelm.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Fcjeon32.exe (PID 2448), command line: C:\Windows\system32\Fcjeon32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Fmcjhdbc.exe (PID 2636), command line: C:\Windows\system32\Fmcjhdbc.exe
   - Executes dropped EXE
   - Modifies registry class
57. C:\Windows\SysWOW64\Ffkoai32.exe (PID 2516), command line: C:\Windows\system32\Ffkoai32.exe
   - Executes dropped EXE
   - Modifies registry class
58. C:\Windows\SysWOW64\Fnfcel32.exe (PID 2392), command line: C:\Windows\system32\Fnfcel32.exe
   - Executes dropped EXE
   - Modifies registry class
59. C:\Windows\SysWOW64\Fdpkbf32.exe (PID 2080), command line: C:\Windows\system32\Fdpkbf32.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Fbdlkj32.exe (PID 292), command line: C:\Windows\system32\Fbdlkj32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Fgadda32.exe (PID 2640), command line: C:\Windows\system32\Fgadda32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Geeemeif.exe (PID 756), command line: C:\Windows\system32\Geeemeif.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Gkomjo32.exe (PID 1924), command line: C:\Windows\system32\Gkomjo32.exe
   - Executes dropped EXE
   - Modifies registry class
64. C:\Windows\SysWOW64\Gcjbna32.exe (PID 1648), command line: C:\Windows\system32\Gcjbna32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Gpabcbdb.exe (PID 1148), command line: C:\Windows\system32\Gpabcbdb.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Giiglhjb.exe (PID 692), command line: C:\Windows\system32\Giiglhjb.exe
67. C:\Windows\SysWOW64\Gjicfk32.exe (PID 1628), command line: C:\Windows\system32\Gjicfk32.exe
68. C:\Windows\SysWOW64\Gcahoqhf.exe (PID 2712), command line: C:\Windows\system32\Gcahoqhf.exe
69. C:\Windows\SysWOW64\Hllmcc32.exe (PID 2296), command line: C:\Windows\system32\Hllmcc32.exe
70. C:\Windows\SysWOW64\Hipmmg32.exe (PID 2044), command line: C:\Windows\system32\Hipmmg32.exe
71. C:\Windows\SysWOW64\Halbai32.exe (PID 2144), command line: C:\Windows\system32\Halbai32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
72. C:\Windows\SysWOW64\Hjdfjo32.exe (PID 1964), command line: C:\Windows\system32\Hjdfjo32.exe
73. C:\Windows\SysWOW64\Hapklimq.exe (PID 1288), command line: C:\Windows\system32\Hapklimq.exe
74. C:\Windows\SysWOW64\Hhjcic32.exe (PID 2268), command line: C:\Windows\system32\Hhjcic32.exe
75. C:\Windows\SysWOW64\Iabhah32.exe (PID 2280), command line: C:\Windows\system32\Iabhah32.exe
76. C:\Windows\SysWOW64\Imiigiab.exe (PID 2236), command line: C:\Windows\system32\Imiigiab.exe
77. C:\Windows\SysWOW64\Ifampo32.exe (PID 1604), command line: C:\Windows\system32\Ifampo32.exe
78. C:\Windows\SysWOW64\Idfnicfl.exe (PID 2916), command line: C:\Windows\system32\Idfnicfl.exe
79. C:\Windows\SysWOW64\Iegjqk32.exe (PID 2648), command line: C:\Windows\system32\Iegjqk32.exe
   - Drops file in System32 directory
80. C:\Windows\SysWOW64\Jhafhe32.exe (PID 2620), command line: C:\Windows\system32\Jhafhe32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
81. C:\Windows\SysWOW64\Jjdofm32.exe (PID 2348), command line: C:\Windows\system32\Jjdofm32.exe
   - Modifies registry class
82. C:\Windows\SysWOW64\Kcmcoblm.exe (PID 2844), command line: C:\Windows\system32\Kcmcoblm.exe
83. C:\Windows\SysWOW64\Kpadhg32.exe (PID 1972), command line: C:\Windows\system32\Kpadhg32.exe
84. C:\Windows\SysWOW64\Kgkleabc.exe (PID 1372), command line: C:\Windows\system32\Kgkleabc.exe
85. C:\Windows\SysWOW64\Kpcqnf32.exe (PID 2172), command line: C:\Windows\system32\Kpcqnf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Kljabgnh.exe (PID 2580), command line: C:\Windows\system32\Kljabgnh.exe
   - Modifies registry class
87. C:\Windows\SysWOW64\Kfbfkmeh.exe (PID 2720), command line: C:\Windows\system32\Kfbfkmeh.exe
88. C:\Windows\SysWOW64\Kokjdb32.exe (PID 1696), command line: C:\Windows\system32\Kokjdb32.exe
89. C:\Windows\SysWOW64\Kdhcli32.exe (PID 1596), command line: C:\Windows\system32\Kdhcli32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Lblcfnhj.exe (PID 808), command line: C:\Windows\system32\Lblcfnhj.exe
91. C:\Windows\SysWOW64\Ljghjpfe.exe (PID 956), command line: C:\Windows\system32\Ljghjpfe.exe
92. C:\Windows\SysWOW64\Ldllgiek.exe (PID 240), command line: C:\Windows\system32\Ldllgiek.exe
93. C:\Windows\SysWOW64\Lneaqn32.exe (PID 1944), command line: C:\Windows\system32\Lneaqn32.exe
   - Modifies registry class
94. C:\Windows\SysWOW64\Lcaiiejc.exe (PID 2888), command line: C:\Windows\system32\Lcaiiejc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Lgoboc32.exe (PID 852), command line: C:\Windows\system32\Lgoboc32.exe
96. C:\Windows\SysWOW64\Lqhfhigj.exe (PID 2008), command line: C:\Windows\system32\Lqhfhigj.exe
97. C:\Windows\SysWOW64\Mmogmjmn.exe (PID 1464), command line: C:\Windows\system32\Mmogmjmn.exe
98. C:\Windows\SysWOW64\Mejlalji.exe (PID 2996), command line: C:\Windows\system32\Mejlalji.exe
99. C:\Windows\SysWOW64\Mbnljqic.exe (PID 2360), command line: C:\Windows\system32\Mbnljqic.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Mlfacfpc.exe (PID 2396), command line: C:\Windows\system32\Mlfacfpc.exe
101. C:\Windows\SysWOW64\Mgmahg32.exe (PID 2856), command line: C:\Windows\system32\Mgmahg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Maefamlh.exe (PID 1384), command line: C:\Windows\system32\Maefamlh.exe
   - Drops file in System32 directory
103. C:\Windows\SysWOW64\Nagbgl32.exe (PID 2572), command line: C:\Windows\system32\Nagbgl32.exe
104. C:\Windows\SysWOW64\Npmphinm.exe (PID 2444), command line: C:\Windows\system32\Npmphinm.exe
105. C:\Windows\SysWOW64\Nmqpam32.exe (PID 1540), command line: C:\Windows\system32\Nmqpam32.exe
106. C:\Windows\SysWOW64\Njdqka32.exe (PID 1684), command line: C:\Windows\system32\Njdqka32.exe
107. C:\Windows\SysWOW64\Nfkapb32.exe (PID 2952), command line: C:\Windows\system32\Nfkapb32.exe
108. C:\Windows\SysWOW64\Nbbbdcgi.exe (PID 3004), command line: C:\Windows\system32\Nbbbdcgi.exe
109. C:\Windows\SysWOW64\Obdojcef.exe (PID 1804), command line: C:\Windows\system32\Obdojcef.exe
110. C:\Windows\SysWOW64\Ohagbj32.exe (PID 784), command line: C:\Windows\system32\Ohagbj32.exe
   - Modifies registry class
111. C:\Windows\SysWOW64\Ohcdhi32.exe (PID 2176), command line: C:\Windows\system32\Ohcdhi32.exe
112. C:\Windows\SysWOW64\Oehdan32.exe (PID 2876), command line: C:\Windows\system32\Oehdan32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Oanefo32.exe (PID 3056), command line: C:\Windows\system32\Oanefo32.exe
114. C:\Windows\SysWOW64\Ogknoe32.exe (PID 2540), command line: C:\Windows\system32\Ogknoe32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
115. C:\Windows\SysWOW64\Pdonhj32.exe (PID 2148), command line: C:\Windows\system32\Pdonhj32.exe
116. C:\Windows\SysWOW64\Pdakniag.exe (PID 2624), command line: C:\Windows\system32\Pdakniag.exe
117. C:\Windows\SysWOW64\Poklngnf.exe (PID 1160), command line: C:\Windows\system32\Poklngnf.exe
   - Drops file in System32 directory
118. C:\Windows\SysWOW64\Peedka32.exe (PID 2564), command line: C:\Windows\system32\Peedka32.exe
119. C:\Windows\SysWOW64\Palepb32.exe (PID 2016), command line: C:\Windows\system32\Palepb32.exe
   - Drops file in System32 directory
120. C:\Windows\SysWOW64\Plaimk32.exe (PID 948), command line: C:\Windows\system32\Plaimk32.exe
   - Modifies registry class
121. C:\Windows\SysWOW64\Pldebkhj.exe (PID 1984), command line: C:\Windows\system32\Pldebkhj.exe
122. C:\Windows\SysWOW64\Qdojgmfe.exe (PID 2212), command line: C:\Windows\system32\Qdojgmfe.exe