Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
30/05/2024, 06:52
Behavioral task
behavioral1
Sample
691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe
-
Size
125KB
-
MD5
691079a44b9a1e371282675b7710df20
-
SHA1
6859fa4e2bf55d640765d45859f5161a92d5d723
-
SHA256
3f2d7326229c6fc6170b2bd544657f8e9944ce33a4a3c739e6750b21d1304489
-
SHA512
d7527b846dfefdeb53871627846807eb0d62f6a597d83fde6037660709ad1bdb8d4ddf206d97df0048adae75b2dbc88ccdd6c9b8180c4f4fbf158b97b0eeccb0
-
SSDEEP
3072:OqN49Vd2iY16o93zN4HBCcJ1WdTCn93OGey/ZhJakrPF:OwSj2iY16o93hyscyTCndOGeKTaG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbdklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kafbec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhfipcid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhjapjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhllob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlqdei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenobfak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gohjaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepiimfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homclekn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maedhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhngjmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqijej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnicmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnkjhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafnlpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iheddndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileiplhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfqaiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Comimg32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2068-0-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x000d00000001228c-5.dat family_berbew behavioral1/memory/2068-6-0x0000000000250000-0x0000000000297000-memory.dmp family_berbew behavioral1/files/0x0007000000014b9e-21.dat family_berbew behavioral1/memory/2932-27-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/memory/2236-24-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0007000000015065-33.dat family_berbew behavioral1/memory/2932-35-0x0000000000250000-0x0000000000297000-memory.dmp family_berbew behavioral1/memory/2804-46-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0008000000015678-53.dat family_berbew behavioral1/memory/2628-54-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000015d53-60.dat family_berbew behavioral1/memory/2632-67-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000015d7b-73.dat family_berbew behavioral1/memory/2500-80-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000015d90-86.dat family_berbew behavioral1/memory/2948-93-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000015dca-99.dat family_berbew behavioral1/memory/1900-106-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000015f73-112.dat family_berbew behavioral1/memory/1424-119-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x000600000001611e-125.dat family_berbew behavioral1/memory/1652-132-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x00060000000162e4-138.dat family_berbew behavioral1/memory/1652-140-0x0000000000290000-0x00000000002D7000-memory.dmp family_berbew behavioral1/memory/2184-146-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016581-152.dat family_berbew behavioral1/memory/1748-159-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016835-165.dat family_berbew behavioral1/memory/2456-173-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016c52-184.dat family_berbew behavioral1/memory/2972-185-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016c78-191.dat family_berbew behavioral1/memory/2292-198-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016ceb-206.dat family_berbew behavioral1/memory/2420-211-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x003600000001489f-220.dat family_berbew behavioral1/memory/1116-221-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016d32-227.dat family_berbew behavioral1/memory/1412-232-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016d43-238.dat family_berbew behavioral1/files/0x0006000000016d5f-249.dat family_berbew behavioral1/memory/2440-243-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/memory/760-254-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016d68-260.dat family_berbew behavioral1/memory/1888-276-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016d8b-271.dat family_berbew behavioral1/memory/2820-265-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/memory/760-263-0x00000000002A0000-0x00000000002E7000-memory.dmp family_berbew behavioral1/files/0x0006000000016dba-282.dat family_berbew behavioral1/memory/1672-287-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/memory/1888-285-0x0000000000350000-0x0000000000397000-memory.dmp family_berbew behavioral1/files/0x0006000000016dd1-293.dat family_berbew behavioral1/memory/1084-302-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000016de3-304.dat family_berbew behavioral1/memory/2856-309-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/memory/2856-314-0x00000000002D0000-0x0000000000317000-memory.dmp family_berbew behavioral1/files/0x0006000000017223-316.dat family_berbew behavioral1/memory/1996-319-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x00060000000173f6-326.dat family_berbew behavioral1/memory/3008-330-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000017577-336.dat family_berbew behavioral1/memory/2680-341-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/memory/3008-339-0x0000000000250000-0x0000000000297000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2236 Bdooajdc.exe 2932 Cjlgiqbk.exe 2804 Cgpgce32.exe 2628 Cllpkl32.exe 2632 Cgbdhd32.exe 2500 Chcqpmep.exe 2948 Comimg32.exe 1900 Chemfl32.exe 1424 Cckace32.exe 1652 Chhjkl32.exe 2184 Cobbhfhg.exe 1748 Ddokpmfo.exe 2456 Dngoibmo.exe 2972 Dqelenlc.exe 2292 Djnpnc32.exe 2420 Dqhhknjp.exe 1116 Djpmccqq.exe 1412 Dnlidb32.exe 2440 Dqjepm32.exe 760 Dgdmmgpj.exe 2820 Doobajme.exe 1888 Dgfjbgmh.exe 1672 Ebpkce32.exe 1084 Eijcpoac.exe 2856 Ekholjqg.exe 1996 Eeqdep32.exe 3008 Ebedndfa.exe 2680 Eiomkn32.exe 2744 Ebgacddo.exe 2496 Eloemi32.exe 2480 Ennaieib.exe 2892 Fckjalhj.exe 2432 Faokjpfd.exe 1556 Fjgoce32.exe 2176 Fmekoalh.exe 380 Fhkpmjln.exe 1564 Fpfdalii.exe 1576 Fbdqmghm.exe 2016 Ffpmnf32.exe 2776 Fddmgjpo.exe 2220 Globlmmj.exe 536 Gpknlk32.exe 2316 Ghfbqn32.exe 1712 Gopkmhjk.exe 2340 Gejcjbah.exe 1252 Gldkfl32.exe 1544 Gobgcg32.exe 236 Gbnccfpb.exe 3040 Gdopkn32.exe 2904 Gkihhhnm.exe 1976 Gmgdddmq.exe 2620 Geolea32.exe 2752 Gdamqndn.exe 2188 Ggpimica.exe 2468 Gmjaic32.exe 2396 Gphmeo32.exe 860 Ghoegl32.exe 1632 Hiqbndpb.exe 2164 Hdfflm32.exe 1572 Hkpnhgge.exe 2040 Hnojdcfi.exe 2536 Hpmgqnfl.exe 1120 Hckcmjep.exe 580 Hiekid32.exe -
Loads dropped DLL 64 IoCs
pid Process 2068 691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe 2068 691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe 2236 Bdooajdc.exe 2236 Bdooajdc.exe 2932 Cjlgiqbk.exe 2932 Cjlgiqbk.exe 2804 Cgpgce32.exe 2804 Cgpgce32.exe 2628 Cllpkl32.exe 2628 Cllpkl32.exe 2632 Cgbdhd32.exe 2632 Cgbdhd32.exe 2500 Chcqpmep.exe 2500 Chcqpmep.exe 2948 Comimg32.exe 2948 Comimg32.exe 1900 Chemfl32.exe 1900 Chemfl32.exe 1424 Cckace32.exe 1424 Cckace32.exe 1652 Chhjkl32.exe 1652 Chhjkl32.exe 2184 Cobbhfhg.exe 2184 Cobbhfhg.exe 1748 Ddokpmfo.exe 1748 Ddokpmfo.exe 2456 Dngoibmo.exe 2456 Dngoibmo.exe 2972 Dqelenlc.exe 2972 Dqelenlc.exe 2292 Djnpnc32.exe 2292 Djnpnc32.exe 2420 Dqhhknjp.exe 2420 Dqhhknjp.exe 1116 Djpmccqq.exe 1116 Djpmccqq.exe 1412 Dnlidb32.exe 1412 Dnlidb32.exe 2440 Dqjepm32.exe 2440 Dqjepm32.exe 760 Dgdmmgpj.exe 760 Dgdmmgpj.exe 2820 Doobajme.exe 2820 Doobajme.exe 1888 Dgfjbgmh.exe 1888 Dgfjbgmh.exe 1672 Ebpkce32.exe 1672 Ebpkce32.exe 1084 Eijcpoac.exe 1084 Eijcpoac.exe 2856 Ekholjqg.exe 2856 Ekholjqg.exe 1996 Eeqdep32.exe 1996 Eeqdep32.exe 3008 Ebedndfa.exe 3008 Ebedndfa.exe 2680 Eiomkn32.exe 2680 Eiomkn32.exe 2744 Ebgacddo.exe 2744 Ebgacddo.exe 2496 Eloemi32.exe 2496 Eloemi32.exe 2480 Ennaieib.exe 2480 Ennaieib.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lckdanld.exe Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Abjebn32.exe Anojbobe.exe File opened for modification C:\Windows\SysWOW64\Gdamqndn.exe Geolea32.exe File created C:\Windows\SysWOW64\Cahail32.exe Cojema32.exe File opened for modification C:\Windows\SysWOW64\Gpqpjj32.exe Ganpomec.exe File created C:\Windows\SysWOW64\Iefhhbef.exe Igchlf32.exe File opened for modification C:\Windows\SysWOW64\Jgcdki32.exe Jdehon32.exe File created C:\Windows\SysWOW64\Klidkobf.dll Dqhhknjp.exe File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe Ennaieib.exe File created C:\Windows\SysWOW64\Diaagb32.dll Mlaeonld.exe File created C:\Windows\SysWOW64\Hlnbfd32.dll Mimbdhhb.exe File opened for modification C:\Windows\SysWOW64\Dknekeef.exe Dhpiojfb.exe File opened for modification C:\Windows\SysWOW64\Pjenhm32.exe Pggbla32.exe File created C:\Windows\SysWOW64\Bhhognbb.dll Lbqabkql.exe File opened for modification C:\Windows\SysWOW64\Gljnej32.exe Gikaio32.exe File created C:\Windows\SysWOW64\Ngdfge32.dll Ioolqh32.exe File created C:\Windows\SysWOW64\Jlbjhf32.dll Lhpfqama.exe File opened for modification C:\Windows\SysWOW64\Ihankokm.exe Ifcbodli.exe File created C:\Windows\SysWOW64\Lpgimglf.dll Iefhhbef.exe File created C:\Windows\SysWOW64\Hoopae32.exe Hlqdei32.exe File created C:\Windows\SysWOW64\Gfhladfn.exe Gpncej32.exe File opened for modification C:\Windows\SysWOW64\Iedkbc32.exe Icfofg32.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Inifnq32.exe Iimjmbae.exe File opened for modification C:\Windows\SysWOW64\Kbbngf32.exe Kocbkk32.exe File created C:\Windows\SysWOW64\Ikddbj32.exe Icmlam32.exe File created C:\Windows\SysWOW64\Lbeknj32.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Cnobnmpl.exe Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Fenmdm32.exe Fbopgb32.exe File created C:\Windows\SysWOW64\Jobnme32.dll Inngcfid.exe File opened for modification C:\Windows\SysWOW64\Mkeimlfm.exe Mhgmapfi.exe File opened for modification C:\Windows\SysWOW64\Ifkacb32.exe Icmegf32.exe File created C:\Windows\SysWOW64\Djhmenjp.dll Oddpfc32.exe File created C:\Windows\SysWOW64\Galmmc32.dll Dlnbeh32.exe File created C:\Windows\SysWOW64\Mledlaqd.dll Dbkknojp.exe File created C:\Windows\SysWOW64\Jiiegafd.dll Ennaieib.exe File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe Gbnccfpb.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Dcadac32.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Heglio32.exe Homclekn.exe File created C:\Windows\SysWOW64\Mbpgggol.exe Mkhofjoj.exe File opened for modification C:\Windows\SysWOW64\Mencccop.exe Mbpgggol.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cgpgce32.exe File created C:\Windows\SysWOW64\Obmhdd32.dll Peiepfgg.exe File created C:\Windows\SysWOW64\Eiomkn32.exe Ebedndfa.exe File created C:\Windows\SysWOW64\Iqopea32.exe Inqcif32.exe File created C:\Windows\SysWOW64\Gpmcnehn.dll Idmhkpml.exe File created C:\Windows\SysWOW64\Gljnej32.exe Gikaio32.exe File opened for modification C:\Windows\SysWOW64\Cllpkl32.exe Cgpgce32.exe File created C:\Windows\SysWOW64\Moljch32.dll Qedhdjnh.exe File created C:\Windows\SysWOW64\Jejhecaj.exe Jbllihbf.exe File created C:\Windows\SysWOW64\Eojnkg32.exe Enhacojl.exe File opened for modification C:\Windows\SysWOW64\Gfmemc32.exe Gbaileio.exe File created C:\Windows\SysWOW64\Hojgfemq.exe Hlljjjnm.exe File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe Ddigjkid.exe File opened for modification C:\Windows\SysWOW64\Mgnfhlin.exe Mdpjlajk.exe File created C:\Windows\SysWOW64\Oqkmbmdg.dll Mdpjlajk.exe File created C:\Windows\SysWOW64\Dbkknojp.exe Dolnad32.exe File opened for modification C:\Windows\SysWOW64\Kifpdelo.exe Kblhgk32.exe File created C:\Windows\SysWOW64\Cllpkl32.exe Cgpgce32.exe File opened for modification C:\Windows\SysWOW64\Bbokmqie.exe Bppoqeja.exe File created C:\Windows\SysWOW64\Cklmgb32.exe Clilkfnb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6116 6080 WerFault.exe 553 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgklabn.dll" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icmlam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpbmi32.dll" Hiknhbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chemfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnhbba.dll" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cafecmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndjfeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcadac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iheddndj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdehon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaobdjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbcodmih.dll" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icbimi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbmjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcpip32.dll" Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll" Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqfmng32.dll" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgiom32.dll" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhqkpcf.dll" Lpbefoai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kklpekno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll" Lccdel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfmhhoj.dll" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpoifde.dll" Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmbbdq32.dll" Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgdfdaf.dll" Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Lmolnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oikojfgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gljnej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcfqoam.dll" Jhljdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdildlie.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2236 2068 691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe 28 PID 2068 wrote to memory of 2236 2068 691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe 28 PID 2068 wrote to memory of 2236 2068 691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe 28 PID 2068 wrote to memory of 2236 2068 691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe 28 PID 2236 wrote to memory of 2932 2236 Bdooajdc.exe 29 PID 2236 wrote to memory of 2932 2236 Bdooajdc.exe 29 PID 2236 wrote to memory of 2932 2236 Bdooajdc.exe 29 PID 2236 wrote to memory of 2932 2236 Bdooajdc.exe 29 PID 2932 wrote to memory of 2804 2932 Cjlgiqbk.exe 30 PID 2932 wrote to memory of 2804 2932 Cjlgiqbk.exe 30 PID 2932 wrote to memory of 2804 2932 Cjlgiqbk.exe 30 PID 2932 wrote to memory of 2804 2932 Cjlgiqbk.exe 30 PID 2804 wrote to memory of 2628 2804 Cgpgce32.exe 31 PID 2804 wrote to memory of 2628 2804 Cgpgce32.exe 31 PID 2804 wrote to memory of 2628 2804 Cgpgce32.exe 31 PID 2804 wrote to memory of 2628 2804 Cgpgce32.exe 31 PID 2628 wrote to memory of 2632 2628 Cllpkl32.exe 32 PID 2628 wrote to memory of 2632 2628 Cllpkl32.exe 32 PID 2628 wrote to memory of 2632 2628 Cllpkl32.exe 32 PID 2628 wrote to memory of 2632 2628 Cllpkl32.exe 32 PID 2632 wrote to memory of 2500 2632 Cgbdhd32.exe 33 PID 2632 wrote to memory of 2500 2632 Cgbdhd32.exe 33 PID 2632 wrote to memory of 2500 2632 Cgbdhd32.exe 33 PID 2632 wrote to memory of 2500 2632 Cgbdhd32.exe 33 PID 2500 wrote to memory of 2948 2500 Chcqpmep.exe 34 PID 2500 wrote to memory of 2948 2500 Chcqpmep.exe 34 PID 2500 wrote to memory of 2948 2500 Chcqpmep.exe 34 PID 2500 wrote to memory of 2948 2500 Chcqpmep.exe 34 PID 2948 wrote to memory of 1900 2948 Comimg32.exe 35 PID 2948 wrote to memory of 1900 2948 Comimg32.exe 35 PID 2948 wrote to memory of 1900 2948 Comimg32.exe 35 PID 2948 wrote to memory of 1900 2948 Comimg32.exe 35 PID 1900 wrote to memory of 1424 1900 Chemfl32.exe 36 PID 1900 wrote to memory of 1424 1900 Chemfl32.exe 36 PID 1900 wrote to memory of 1424 1900 Chemfl32.exe 36 PID 1900 wrote to memory of 1424 1900 Chemfl32.exe 36 PID 1424 wrote to memory of 1652 1424 Cckace32.exe 37 PID 1424 wrote to memory of 1652 1424 Cckace32.exe 37 PID 1424 wrote to memory of 1652 1424 Cckace32.exe 37 PID 1424 wrote to memory of 1652 1424 Cckace32.exe 37 PID 1652 wrote to memory of 2184 1652 Chhjkl32.exe 38 PID 1652 wrote to memory of 2184 1652 Chhjkl32.exe 38 PID 1652 wrote to memory of 2184 1652 Chhjkl32.exe 38 PID 1652 wrote to memory of 2184 1652 Chhjkl32.exe 38 PID 2184 wrote to memory of 1748 2184 Cobbhfhg.exe 39 PID 2184 wrote to memory of 1748 2184 Cobbhfhg.exe 39 PID 2184 wrote to memory of 1748 2184 Cobbhfhg.exe 39 PID 2184 wrote to memory of 1748 2184 Cobbhfhg.exe 39 PID 1748 wrote to memory of 2456 1748 Ddokpmfo.exe 40 PID 1748 wrote to memory of 2456 1748 Ddokpmfo.exe 40 PID 1748 wrote to memory of 2456 1748 Ddokpmfo.exe 40 PID 1748 wrote to memory of 2456 1748 Ddokpmfo.exe 40 PID 2456 wrote to memory of 2972 2456 Dngoibmo.exe 41 PID 2456 wrote to memory of 2972 2456 Dngoibmo.exe 41 PID 2456 wrote to memory of 2972 2456 Dngoibmo.exe 41 PID 2456 wrote to memory of 2972 2456 Dngoibmo.exe 41 PID 2972 wrote to memory of 2292 2972 Dqelenlc.exe 42 PID 2972 wrote to memory of 2292 2972 Dqelenlc.exe 42 PID 2972 wrote to memory of 2292 2972 Dqelenlc.exe 42 PID 2972 wrote to memory of 2292 2972 Dqelenlc.exe 42 PID 2292 wrote to memory of 2420 2292 Djnpnc32.exe 43 PID 2292 wrote to memory of 2420 2292 Djnpnc32.exe 43 PID 2292 wrote to memory of 2420 2292 Djnpnc32.exe 43 PID 2292 wrote to memory of 2420 2292 Djnpnc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\691079a44b9a1e371282675b7710df20_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe33⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe34⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe35⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe36⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe37⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe38⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe39⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe40⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe42⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe44⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe46⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe47⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:236 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe50⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe51⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe52⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe54⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe55⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe56⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe57⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe58⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe59⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe60⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe61⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe62⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe63⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe64⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe65⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1088 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe67⤵PID:2100
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe68⤵PID:1524
-
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe69⤵PID:832
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe70⤵PID:1460
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe71⤵PID:1536
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe72⤵PID:2712
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe73⤵PID:2504
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe74⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe75⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe76⤵PID:1680
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe77⤵PID:1628
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe78⤵
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe79⤵PID:2408
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe80⤵PID:2688
-
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe81⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe82⤵PID:1264
-
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe83⤵PID:2000
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe84⤵
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe85⤵PID:1984
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe87⤵PID:2616
-
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe88⤵PID:2488
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe89⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe90⤵PID:2128
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe91⤵PID:2124
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe92⤵PID:2528
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe93⤵PID:2080
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe94⤵PID:560
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe95⤵PID:2336
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe96⤵PID:2896
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe97⤵PID:936
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe98⤵PID:2260
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe99⤵PID:2796
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe100⤵PID:2692
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe101⤵PID:1764
-
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe102⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe103⤵PID:1704
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe105⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe106⤵PID:2284
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe107⤵PID:1240
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe108⤵PID:1004
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe109⤵PID:1612
-
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:564 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe111⤵PID:2324
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe112⤵PID:2572
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe114⤵
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:696 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe116⤵PID:2180
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe117⤵PID:2084
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe118⤵PID:1980
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe119⤵PID:2056
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe120⤵PID:1420
-
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe121⤵
- Drops file in System32 directory
PID:828
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-