Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
04/06/2024, 19:27
Behavioral task
behavioral1
Sample
2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe
-
Size
669KB
-
MD5
2d28839d23a555dd9baa9a94df400fc0
-
SHA1
b6dc05926c47c4288a6d47301aed2b988fc124b8
-
SHA256
4dcc76744ec04203874711329e184a24c9052e3c47635f72dab1b55ff91b0a84
-
SHA512
cc8c4085350852b09a211762efc6400475dd9f54118c603b71689914383a7abaac613dfdb0f4baaa4734dfa32af307d2e6b904584d916bbb24f8d741bd499164
-
SSDEEP
12288:2TFDnsDhf6fxeVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:2TBnsDgfAchMpQnqrdX72LbY6x46uR/i
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aalmklfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilknfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccjhafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmiam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnfkigh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcbqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gphmeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mekdekin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Menakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpafkknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiigehkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdamqndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfpbeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbddoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgqemakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohqbqhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomhcbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bloqah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqqapjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplkfgoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cobbhfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpapln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpdhklkl.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b0000000144ac-5.dat family_berbew behavioral1/files/0x0008000000014af6-18.dat family_berbew behavioral1/files/0x0007000000014b70-33.dat family_berbew behavioral1/files/0x000a000000014ef8-56.dat family_berbew behavioral1/files/0x00080000000155f3-61.dat family_berbew behavioral1/files/0x0007000000015605-80.dat family_berbew behavioral1/files/0x0006000000015626-88.dat family_berbew behavioral1/files/0x0006000000015c6b-114.dat family_berbew behavioral1/files/0x0006000000015c83-133.dat family_berbew behavioral1/files/0x0006000000015c3d-108.dat family_berbew behavioral1/files/0x00090000000149f5-142.dat family_berbew behavioral1/files/0x0006000000015cce-157.dat family_berbew behavioral1/files/0x0006000000015cf6-169.dat family_berbew behavioral1/files/0x0006000000015d07-188.dat family_berbew behavioral1/files/0x0006000000015d1a-201.dat family_berbew behavioral1/files/0x0006000000015d31-206.dat family_berbew behavioral1/files/0x0006000000016176-242.dat family_berbew behavioral1/files/0x0006000000016448-249.dat family_berbew behavioral1/files/0x0006000000016ca5-301.dat family_berbew behavioral1/files/0x0006000000017374-374.dat family_berbew behavioral1/files/0x000500000001860c-420.dat family_berbew behavioral1/files/0x0006000000019052-451.dat family_berbew behavioral1/files/0x0005000000019159-462.dat family_berbew behavioral1/files/0x00050000000191b0-475.dat family_berbew behavioral1/files/0x000500000001920d-506.dat family_berbew behavioral1/files/0x00050000000192d8-517.dat family_berbew behavioral1/files/0x00050000000192f0-526.dat family_berbew behavioral1/files/0x00050000000193bd-561.dat family_berbew behavioral1/files/0x00050000000193e1-584.dat family_berbew behavioral1/files/0x000500000001944d-609.dat family_berbew behavioral1/files/0x0005000000019484-620.dat family_berbew behavioral1/files/0x00050000000195be-641.dat family_berbew behavioral1/files/0x000500000001972f-652.dat family_berbew behavioral1/files/0x0005000000019ee2-707.dat family_berbew behavioral1/files/0x0005000000019fe7-717.dat family_berbew behavioral1/files/0x000500000001a3ab-740.dat family_berbew behavioral1/files/0x000500000001a3b5-751.dat family_berbew behavioral1/files/0x000500000001a3b8-762.dat family_berbew behavioral1/files/0x000500000001a405-773.dat family_berbew behavioral1/files/0x000500000001a413-784.dat family_berbew behavioral1/files/0x000500000001a436-808.dat family_berbew behavioral1/files/0x000500000001a44b-862.dat family_berbew behavioral1/files/0x000500000001a458-878.dat family_berbew behavioral1/files/0x000500000001a45c-893.dat family_berbew behavioral1/files/0x000500000001a460-905.dat family_berbew behavioral1/files/0x000500000001a468-934.dat family_berbew behavioral1/files/0x000500000001a46c-945.dat family_berbew behavioral1/files/0x000500000001a470-958.dat family_berbew behavioral1/files/0x000500000001a474-970.dat family_berbew behavioral1/files/0x000500000001a47c-995.dat family_berbew behavioral1/files/0x000500000001a481-1012.dat family_berbew behavioral1/files/0x000500000001a508-1030.dat family_berbew behavioral1/files/0x000500000001acfa-1042.dat family_berbew behavioral1/files/0x000500000001ad53-1055.dat family_berbew behavioral1/files/0x000500000001c64e-1066.dat family_berbew behavioral1/files/0x000500000001c7c8-1113.dat family_berbew behavioral1/files/0x000500000001c7e8-1129.dat family_berbew behavioral1/files/0x000500000001c7f3-1155.dat family_berbew behavioral1/files/0x000500000001c7ff-1188.dat family_berbew behavioral1/files/0x000500000001c803-1200.dat family_berbew behavioral1/files/0x000500000001c7fb-1177.dat family_berbew behavioral1/files/0x000500000001c80c-1211.dat family_berbew behavioral1/files/0x000500000001c81b-1228.dat family_berbew behavioral1/files/0x000500000001c82e-1240.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1600 Ifhbdj32.exe 1880 Ifkojiim.exe 2600 Jilhldfn.exe 2452 Jgqemakf.exe 2856 Jjoailji.exe 2444 Jakfkfpc.exe 2876 Jmbgpg32.exe 2460 Jfkkimlh.exe 3016 Jiigehkl.exe 2828 Kpcpbb32.exe 2812 Kegnkh32.exe 2976 Khekgc32.exe 944 Koocdnai.exe 2096 Laplei32.exe 1344 Lfmdnp32.exe 2540 Lchnnp32.exe 816 Lefkjkmc.exe 1736 Llqcfe32.exe 1524 Lplogdmj.exe 984 Mcjkcplm.exe 1920 Mekdekin.exe 912 Mhjpaf32.exe 1768 Mcodno32.exe 2200 Menakj32.exe 616 Mlgigdoh.exe 2184 Mofecpnl.exe 1580 Mohbip32.exe 2960 Magnek32.exe 2572 Mpjoqhah.exe 2596 Mkobnqan.exe 1864 Njbcim32.exe 2472 Nplkfgoe.exe 2516 Ndgggf32.exe 2616 Ngfcca32.exe 2488 Nlblkhei.exe 1148 Nghphaeo.exe 776 Nfkpdn32.exe 2864 Nnbhek32.exe 1652 Nqqdag32.exe 596 Nocemcbj.exe 1240 Nfmmin32.exe 2816 Nlgefh32.exe 1312 Ncancbha.exe 952 Nfpjomgd.exe 1404 Nhnfkigh.exe 2104 Nohnhc32.exe 2376 Nccjhafn.exe 1688 Ohqbqhde.exe 1812 Okoomd32.exe 2004 Onmkio32.exe 3068 Obigjnkf.exe 2536 Odgcfijj.exe 2548 Ogfpbeim.exe 2872 Oomhcbjp.exe 2412 Oiellh32.exe 2712 Okchhc32.exe 1232 Onbddoog.exe 2688 Oqqapjnk.exe 3024 Ocomlemo.exe 2660 Okfencna.exe 328 Ondajnme.exe 1624 Oqcnfjli.exe 2320 Ocajbekl.exe 960 Ongnonkb.exe -
Loads dropped DLL 64 IoCs
pid Process 2360 2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe 2360 2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe 1600 Ifhbdj32.exe 1600 Ifhbdj32.exe 1880 Ifkojiim.exe 1880 Ifkojiim.exe 2600 Jilhldfn.exe 2600 Jilhldfn.exe 2452 Jgqemakf.exe 2452 Jgqemakf.exe 2856 Jjoailji.exe 2856 Jjoailji.exe 2444 Jakfkfpc.exe 2444 Jakfkfpc.exe 2876 Jmbgpg32.exe 2876 Jmbgpg32.exe 2460 Jfkkimlh.exe 2460 Jfkkimlh.exe 3016 Jiigehkl.exe 3016 Jiigehkl.exe 2828 Kpcpbb32.exe 2828 Kpcpbb32.exe 2812 Kegnkh32.exe 2812 Kegnkh32.exe 2976 Khekgc32.exe 2976 Khekgc32.exe 944 Koocdnai.exe 944 Koocdnai.exe 2096 Laplei32.exe 2096 Laplei32.exe 1344 Lfmdnp32.exe 1344 Lfmdnp32.exe 2540 Lchnnp32.exe 2540 Lchnnp32.exe 816 Lefkjkmc.exe 816 Lefkjkmc.exe 1736 Llqcfe32.exe 1736 Llqcfe32.exe 1524 Lplogdmj.exe 1524 Lplogdmj.exe 984 Mcjkcplm.exe 984 Mcjkcplm.exe 1920 Mekdekin.exe 1920 Mekdekin.exe 912 Mhjpaf32.exe 912 Mhjpaf32.exe 1768 Mcodno32.exe 1768 Mcodno32.exe 2200 Menakj32.exe 2200 Menakj32.exe 616 Mlgigdoh.exe 616 Mlgigdoh.exe 2184 Mofecpnl.exe 2184 Mofecpnl.exe 1580 Mohbip32.exe 1580 Mohbip32.exe 2960 Magnek32.exe 2960 Magnek32.exe 2572 Mpjoqhah.exe 2572 Mpjoqhah.exe 2596 Mkobnqan.exe 2596 Mkobnqan.exe 1864 Njbcim32.exe 1864 Njbcim32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Njbcim32.exe Mkobnqan.exe File opened for modification C:\Windows\SysWOW64\Ndgggf32.exe Nplkfgoe.exe File opened for modification C:\Windows\SysWOW64\Nlblkhei.exe Ngfcca32.exe File created C:\Windows\SysWOW64\Plahag32.exe Pjpkjond.exe File created C:\Windows\SysWOW64\Apajlhka.exe Aigaon32.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Fbdqmghm.exe File created C:\Windows\SysWOW64\Hmlnoc32.exe Hknach32.exe File created C:\Windows\SysWOW64\Qhegaocb.dll Mekdekin.exe File created C:\Windows\SysWOW64\Gknfklng.dll Hejoiedd.exe File created C:\Windows\SysWOW64\Ccfhhffh.exe Coklgg32.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Jakfkfpc.exe Jjoailji.exe File created C:\Windows\SysWOW64\Njbcim32.exe Mkobnqan.exe File created C:\Windows\SysWOW64\Obljmlpp.dll Nfpjomgd.exe File created C:\Windows\SysWOW64\Hbfdaihk.dll Paejki32.exe File created C:\Windows\SysWOW64\Lbjhdo32.dll Qnfjna32.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Afdlhchf.exe Qecoqk32.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Dgaqgh32.exe File opened for modification C:\Windows\SysWOW64\Ifhbdj32.exe 2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Gmibbifn.dll Hogmmjfo.exe File created C:\Windows\SysWOW64\Haobqm32.dll Mohbip32.exe File created C:\Windows\SysWOW64\Mkobnqan.exe Mpjoqhah.exe File opened for modification C:\Windows\SysWOW64\Afdlhchf.exe Qecoqk32.exe File created C:\Windows\SysWOW64\Hecjkifm.dll Dgaqgh32.exe File opened for modification C:\Windows\SysWOW64\Flabbihl.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hmlnoc32.exe File created C:\Windows\SysWOW64\Jgqemakf.exe Jilhldfn.exe File created C:\Windows\SysWOW64\Onmkio32.exe Okoomd32.exe File created C:\Windows\SysWOW64\Eiaiqn32.exe Ebgacddo.exe File created C:\Windows\SysWOW64\Lndipl32.dll Laplei32.exe File opened for modification C:\Windows\SysWOW64\Mofecpnl.exe Mlgigdoh.exe File created C:\Windows\SysWOW64\Ocomlemo.exe Oqqapjnk.exe File created C:\Windows\SysWOW64\Cjbmjplb.exe Cciemedf.exe File opened for modification C:\Windows\SysWOW64\Lchnnp32.exe Lfmdnp32.exe File created C:\Windows\SysWOW64\Lkcmiimi.dll Dkkpbgli.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gdopkn32.exe File opened for modification C:\Windows\SysWOW64\Ongnonkb.exe Ocajbekl.exe File created C:\Windows\SysWOW64\Dmafennb.exe Djbiicon.exe File created C:\Windows\SysWOW64\Ahpjhc32.dll Ghfbqn32.exe File created C:\Windows\SysWOW64\Ahcfok32.dll Dbehoa32.exe File opened for modification C:\Windows\SysWOW64\Bbflib32.exe Bkodhe32.exe File created C:\Windows\SysWOW64\Dmljjm32.dll Ccfhhffh.exe File opened for modification C:\Windows\SysWOW64\Boiccdnf.exe Ahokfj32.exe File created C:\Windows\SysWOW64\Ompoljfn.dll Onbddoog.exe File created C:\Windows\SysWOW64\Qaefjm32.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Copfbfjj.exe Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Enkece32.exe Elmigj32.exe File created C:\Windows\SysWOW64\Ildamhjd.dll Nlblkhei.exe File created C:\Windows\SysWOW64\Kgcampld.dll Eilpeooq.exe File created C:\Windows\SysWOW64\Faagpp32.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Ghhofmql.exe Ghfbqn32.exe File created C:\Windows\SysWOW64\Hknach32.exe Hgbebiao.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hellne32.exe File created C:\Windows\SysWOW64\Nplkfgoe.exe Njbcim32.exe File created C:\Windows\SysWOW64\Dnelgk32.dll Okfencna.exe File created C:\Windows\SysWOW64\Iddckpim.dll Pgobhcac.exe File opened for modification C:\Windows\SysWOW64\Plahag32.exe Pjpkjond.exe File opened for modification C:\Windows\SysWOW64\Qhooggdn.exe Qaefjm32.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Faokjpfd.exe File created C:\Windows\SysWOW64\Fpfdalii.exe Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Hmlnoc32.exe -
Program crash 1 IoCs
pid pid_target Process 3840 3080 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilchoah.dll" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emhlfmgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcodno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ondajnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndipl32.dll" Laplei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mofecpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njbcim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moealbej.dll" Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifkojiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjljknn.dll" Kpcpbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Magnek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgbebiao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll" Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcodno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damgbk32.dll" Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqhm32.dll" Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okoomd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" Dgaqgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" Fnpnndgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll" Elmigj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laplei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaepofcm.dll" Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlobf32.dll" Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocdp32.dll" Mofecpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfpjomgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdecfpj.dll" Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcfdgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakndl32.dll" Jfkkimlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peinaf32.dll" Ndgggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higdqfol.dll" Pbpjiphi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" Hgbebiao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhjhkq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 1600 2360 2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe 28 PID 2360 wrote to memory of 1600 2360 2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe 28 PID 2360 wrote to memory of 1600 2360 2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe 28 PID 2360 wrote to memory of 1600 2360 2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe 28 PID 1600 wrote to memory of 1880 1600 Ifhbdj32.exe 29 PID 1600 wrote to memory of 1880 1600 Ifhbdj32.exe 29 PID 1600 wrote to memory of 1880 1600 Ifhbdj32.exe 29 PID 1600 wrote to memory of 1880 1600 Ifhbdj32.exe 29 PID 1880 wrote to memory of 2600 1880 Ifkojiim.exe 30 PID 1880 wrote to memory of 2600 1880 Ifkojiim.exe 30 PID 1880 wrote to memory of 2600 1880 Ifkojiim.exe 30 PID 1880 wrote to memory of 2600 1880 Ifkojiim.exe 30 PID 2600 wrote to memory of 2452 2600 Jilhldfn.exe 31 PID 2600 wrote to memory of 2452 2600 Jilhldfn.exe 31 PID 2600 wrote to memory of 2452 2600 Jilhldfn.exe 31 PID 2600 wrote to memory of 2452 2600 Jilhldfn.exe 31 PID 2452 wrote to memory of 2856 2452 Jgqemakf.exe 32 PID 2452 wrote to memory of 2856 2452 Jgqemakf.exe 32 PID 2452 wrote to memory of 2856 2452 Jgqemakf.exe 32 PID 2452 wrote to memory of 2856 2452 Jgqemakf.exe 32 PID 2856 wrote to memory of 2444 2856 Jjoailji.exe 33 PID 2856 wrote to memory of 2444 2856 Jjoailji.exe 33 PID 2856 wrote to memory of 2444 2856 Jjoailji.exe 33 PID 2856 wrote to memory of 2444 2856 Jjoailji.exe 33 PID 2444 wrote to memory of 2876 2444 Jakfkfpc.exe 34 PID 2444 wrote to memory of 2876 2444 Jakfkfpc.exe 34 PID 2444 wrote to memory of 2876 2444 Jakfkfpc.exe 34 PID 2444 wrote to memory of 2876 2444 Jakfkfpc.exe 34 PID 2876 wrote to memory of 2460 2876 Jmbgpg32.exe 35 PID 2876 wrote to memory of 2460 2876 Jmbgpg32.exe 35 PID 2876 wrote to memory of 2460 2876 Jmbgpg32.exe 35 PID 2876 wrote to memory of 2460 2876 Jmbgpg32.exe 35 PID 2460 wrote to memory of 3016 2460 Jfkkimlh.exe 36 PID 2460 wrote to memory of 3016 2460 Jfkkimlh.exe 36 PID 2460 wrote to memory of 3016 2460 Jfkkimlh.exe 36 PID 2460 wrote to memory of 3016 2460 Jfkkimlh.exe 36 PID 3016 wrote to memory of 2828 3016 Jiigehkl.exe 37 PID 3016 wrote to memory of 2828 3016 Jiigehkl.exe 37 PID 3016 wrote to memory of 2828 3016 Jiigehkl.exe 37 PID 3016 wrote to memory of 2828 3016 Jiigehkl.exe 37 PID 2828 wrote to memory of 2812 2828 Kpcpbb32.exe 38 PID 2828 wrote to memory of 2812 2828 Kpcpbb32.exe 38 PID 2828 wrote to memory of 2812 2828 Kpcpbb32.exe 38 PID 2828 wrote to memory of 2812 2828 Kpcpbb32.exe 38 PID 2812 wrote to memory of 2976 2812 Kegnkh32.exe 39 PID 2812 wrote to memory of 2976 2812 Kegnkh32.exe 39 PID 2812 wrote to memory of 2976 2812 Kegnkh32.exe 39 PID 2812 wrote to memory of 2976 2812 Kegnkh32.exe 39 PID 2976 wrote to memory of 944 2976 Khekgc32.exe 40 PID 2976 wrote to memory of 944 2976 Khekgc32.exe 40 PID 2976 wrote to memory of 944 2976 Khekgc32.exe 40 PID 2976 wrote to memory of 944 2976 Khekgc32.exe 40 PID 944 wrote to memory of 2096 944 Koocdnai.exe 41 PID 944 wrote to memory of 2096 944 Koocdnai.exe 41 PID 944 wrote to memory of 2096 944 Koocdnai.exe 41 PID 944 wrote to memory of 2096 944 Koocdnai.exe 41 PID 2096 wrote to memory of 1344 2096 Laplei32.exe 42 PID 2096 wrote to memory of 1344 2096 Laplei32.exe 42 PID 2096 wrote to memory of 1344 2096 Laplei32.exe 42 PID 2096 wrote to memory of 1344 2096 Laplei32.exe 42 PID 1344 wrote to memory of 2540 1344 Lfmdnp32.exe 43 PID 1344 wrote to memory of 2540 1344 Lfmdnp32.exe 43 PID 1344 wrote to memory of 2540 1344 Lfmdnp32.exe 43 PID 1344 wrote to memory of 2540 1344 Lfmdnp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2d28839d23a555dd9baa9a94df400fc0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe38⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe40⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe41⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe42⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe43⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe44⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe47⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe51⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe52⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe53⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe56⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe57⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe60⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe63⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe65⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe66⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe67⤵
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe68⤵PID:2736
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe69⤵PID:2892
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe70⤵PID:2640
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe72⤵PID:2560
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe73⤵PID:2728
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe74⤵PID:1572
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe75⤵
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe76⤵PID:2028
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe77⤵PID:3020
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe78⤵PID:2760
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe79⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe82⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe83⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe84⤵PID:2836
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe85⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe86⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe87⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:488 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe90⤵PID:2652
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe91⤵PID:1940
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1304 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe93⤵PID:1072
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe94⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe95⤵PID:2068
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe97⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe99⤵PID:2680
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe103⤵PID:1464
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe104⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe105⤵
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe106⤵PID:2972
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe109⤵PID:2644
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe110⤵
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe111⤵PID:2180
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe112⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe114⤵PID:1916
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe115⤵PID:672
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1176 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe119⤵PID:1888
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe120⤵PID:1704
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe121⤵PID:2764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-