Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:39
Behavioral task
behavioral1
Sample
6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe
-
Size
320KB
-
MD5
6166adb202080f1877df2e363c37bbd0
-
SHA1
0c261e12b2798264c2c557c1af938bbc2f2567f6
-
SHA256
63c1c4217b487865e0644e5c0e6fac3075d1bceae1a3f5c54dd8c64623b8b233
-
SHA512
df148c28aef83d847f2be2d64749c98f4f3c4a7d89d36e56088bb77b9a3584a9b8cfa9454515a55cdef079dd75c3c125fcc4d69a29cc6a47097ea889f07edc9c
-
SSDEEP
6144:al3wQb7rCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSqHB8oF8KdBT:algQZFHRFbe5qfF8KfT
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiaiqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnojlpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdccfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfdgiid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckignd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geolea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njkfpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdadamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagpopmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banepo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onphoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojficpfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqjepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdqafgnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdoclk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmonbqk.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000e000000012248-5.dat family_berbew behavioral1/files/0x000f000000013f21-19.dat family_berbew behavioral1/files/0x0007000000014183-35.dat family_berbew behavioral1/files/0x00070000000141b5-51.dat family_berbew behavioral1/files/0x0008000000014983-67.dat family_berbew behavioral1/files/0x0006000000014b12-81.dat family_berbew behavioral1/files/0x0006000000014e5a-97.dat family_berbew behavioral1/files/0x0006000000015136-108.dat family_berbew behavioral1/files/0x00060000000153cf-125.dat family_berbew behavioral1/files/0x0006000000015b77-151.dat family_berbew behavioral1/files/0x0006000000015c51-167.dat family_berbew behavioral1/files/0x0006000000015c7c-172.dat family_berbew behavioral1/files/0x0006000000015c9c-191.dat family_berbew behavioral1/files/0x0006000000015cad-198.dat family_berbew behavioral1/files/0x0006000000015cc1-223.dat family_berbew behavioral1/files/0x0006000000015d5d-250.dat family_berbew behavioral1/files/0x00060000000167ef-306.dat family_berbew behavioral1/files/0x0006000000016c7a-336.dat family_berbew behavioral1/files/0x0006000000016cc9-346.dat family_berbew behavioral1/files/0x0006000000016cfe-369.dat family_berbew behavioral1/files/0x0006000000017060-432.dat family_berbew behavioral1/files/0x0005000000018664-485.dat family_berbew behavioral1/files/0x0005000000018717-509.dat family_berbew behavioral1/files/0x0006000000018ffa-531.dat family_berbew behavioral1/files/0x0005000000019383-560.dat family_berbew behavioral1/files/0x00050000000193a1-570.dat family_berbew behavioral1/files/0x00050000000193fa-580.dat family_berbew behavioral1/files/0x00050000000195e4-625.dat family_berbew behavioral1/files/0x00050000000195e8-638.dat family_berbew behavioral1/files/0x00050000000195f4-671.dat family_berbew behavioral1/files/0x00050000000195fa-691.dat family_berbew behavioral1/files/0x0005000000019752-722.dat family_berbew behavioral1/files/0x0005000000019809-734.dat family_berbew behavioral1/files/0x0005000000019c8d-772.dat family_berbew behavioral1/files/0x000500000001a013-812.dat family_berbew behavioral1/files/0x000500000001a321-828.dat family_berbew behavioral1/files/0x000500000001a488-879.dat family_berbew behavioral1/files/0x000500000001a4aa-905.dat family_berbew behavioral1/files/0x000500000001a4ba-943.dat family_berbew behavioral1/files/0x000500000001a4c2-969.dat family_berbew behavioral1/files/0x000500000001a4cf-1009.dat family_berbew behavioral1/files/0x000500000001a4df-1049.dat family_berbew behavioral1/files/0x000500000001a4e7-1074.dat family_berbew behavioral1/files/0x000500000001a4f2-1100.dat family_berbew behavioral1/files/0x000500000001a4f9-1114.dat family_berbew behavioral1/files/0x000500000001a743-1139.dat family_berbew behavioral1/files/0x000500000001c64f-1161.dat family_berbew behavioral1/files/0x000500000001c853-1223.dat family_berbew behavioral1/files/0x000500000001c862-1246.dat family_berbew behavioral1/files/0x000500000001c875-1259.dat family_berbew behavioral1/files/0x000500000001c888-1269.dat family_berbew behavioral1/files/0x000500000001c895-1302.dat family_berbew behavioral1/files/0x000500000001c8b2-1364.dat family_berbew behavioral1/files/0x000500000001c8b6-1376.dat family_berbew behavioral1/files/0x000500000001c8be-1406.dat family_berbew behavioral1/files/0x000500000001c8c6-1431.dat family_berbew behavioral1/files/0x000500000001c8ca-1440.dat family_berbew behavioral1/files/0x000400000001c94d-1476.dat family_berbew behavioral1/files/0x000400000001ca23-1501.dat family_berbew behavioral1/files/0x000400000001cb05-1526.dat family_berbew behavioral1/files/0x000400000001cb78-1564.dat family_berbew behavioral1/files/0x000400000001cb93-1606.dat family_berbew behavioral1/files/0x000400000001cbad-1632.dat family_berbew behavioral1/files/0x000400000001cbe3-1683.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1200 Lmiipi32.exe 2256 Ldcamcih.exe 2616 Lmkfei32.exe 2732 Lpjbad32.exe 2368 Lchnnp32.exe 2524 Lefkjkmc.exe 2632 Loooca32.exe 2716 Midcpj32.exe 2808 Mhgclfje.exe 2012 Moalhq32.exe 2392 Maphdl32.exe 2184 Mhjpaf32.exe 1596 Mkhmma32.exe 2104 Mabejlob.exe 2788 Mdqafgnf.exe 268 Mdcnlglc.exe 1492 Mgajhbkg.exe 1868 Mkmfhacp.exe 1048 Mohbip32.exe 2168 Mnkbdlbd.exe 1340 Mhqfbebj.exe 1372 Mgcgmb32.exe 1660 Njbcim32.exe 1252 Nnnojlpa.exe 1364 Ncjgbcoi.exe 1620 Ngfcca32.exe 2832 Nnplpl32.exe 2824 Ndjdlffl.exe 2684 Nfkpdn32.exe 2828 Nleiqhcg.exe 2436 Nqqdag32.exe 2800 Ncoamb32.exe 2004 Nfmmin32.exe 2580 Nhlifi32.exe 1036 Nqcagfim.exe 2108 Nofabc32.exe 1680 Nbdnoo32.exe 2900 Njkfpl32.exe 1260 Nmjblg32.exe 1864 Nkmbgdfl.exe 452 Nccjhafn.exe 2308 Nbfjdn32.exe 1688 Ofbfdmeb.exe 280 Ohqbqhde.exe 1528 Okoomd32.exe 1612 Onmkio32.exe 2672 Ofdcjm32.exe 1308 Odgcfijj.exe 848 Ogfpbeim.exe 2592 Onphoo32.exe 2376 Odjpkihg.exe 1988 Oghlgdgk.exe 1616 Ojficpfn.exe 2228 Onbddoog.exe 320 Obnqem32.exe 2760 Okfencna.exe 2428 Ojieip32.exe 1960 Omgaek32.exe 1880 Oqcnfjli.exe 2888 Ogmfbd32.exe 2836 Ofpfnqjp.exe 608 Ongnonkb.exe 1548 Paejki32.exe 1788 Pccfge32.exe -
Loads dropped DLL 64 IoCs
pid Process 2008 6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe 2008 6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe 1200 Lmiipi32.exe 1200 Lmiipi32.exe 2256 Ldcamcih.exe 2256 Ldcamcih.exe 2616 Lmkfei32.exe 2616 Lmkfei32.exe 2732 Lpjbad32.exe 2732 Lpjbad32.exe 2368 Lchnnp32.exe 2368 Lchnnp32.exe 2524 Lefkjkmc.exe 2524 Lefkjkmc.exe 2632 Loooca32.exe 2632 Loooca32.exe 2716 Midcpj32.exe 2716 Midcpj32.exe 2808 Mhgclfje.exe 2808 Mhgclfje.exe 2012 Moalhq32.exe 2012 Moalhq32.exe 2392 Maphdl32.exe 2392 Maphdl32.exe 2184 Mhjpaf32.exe 2184 Mhjpaf32.exe 1596 Mkhmma32.exe 1596 Mkhmma32.exe 2104 Mabejlob.exe 2104 Mabejlob.exe 2788 Mdqafgnf.exe 2788 Mdqafgnf.exe 268 Mdcnlglc.exe 268 Mdcnlglc.exe 1492 Mgajhbkg.exe 1492 Mgajhbkg.exe 1868 Mkmfhacp.exe 1868 Mkmfhacp.exe 1048 Mohbip32.exe 1048 Mohbip32.exe 2168 Mnkbdlbd.exe 2168 Mnkbdlbd.exe 1340 Mhqfbebj.exe 1340 Mhqfbebj.exe 1372 Mgcgmb32.exe 1372 Mgcgmb32.exe 1660 Njbcim32.exe 1660 Njbcim32.exe 1252 Nnnojlpa.exe 1252 Nnnojlpa.exe 1364 Ncjgbcoi.exe 1364 Ncjgbcoi.exe 1620 Ngfcca32.exe 1620 Ngfcca32.exe 2832 Nnplpl32.exe 2832 Nnplpl32.exe 2824 Ndjdlffl.exe 2824 Ndjdlffl.exe 2684 Nfkpdn32.exe 2684 Nfkpdn32.exe 2828 Nleiqhcg.exe 2828 Nleiqhcg.exe 2436 Nqqdag32.exe 2436 Nqqdag32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ongnonkb.exe Ofpfnqjp.exe File created C:\Windows\SysWOW64\Lhbjkfod.dll Ongnonkb.exe File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe Fehjeo32.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Ncjgbcoi.exe Nnnojlpa.exe File opened for modification C:\Windows\SysWOW64\Afiecb32.exe Adjigg32.exe File opened for modification C:\Windows\SysWOW64\Ebgacddo.exe Epieghdk.exe File created C:\Windows\SysWOW64\Iebpge32.dll Gdopkn32.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File created C:\Windows\SysWOW64\Eiomkn32.exe Eiomkn32.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Nqqdag32.exe Nleiqhcg.exe File created C:\Windows\SysWOW64\Ebedndfa.exe Enihne32.exe File created C:\Windows\SysWOW64\Nnnojlpa.exe Njbcim32.exe File opened for modification C:\Windows\SysWOW64\Pnbacbac.exe Pmqdkj32.exe File created C:\Windows\SysWOW64\Fbeccf32.dll Abbbnchb.exe File created C:\Windows\SysWOW64\Hnbjle32.dll Nmjblg32.exe File created C:\Windows\SysWOW64\Ghhofmql.exe Gieojq32.exe File created C:\Windows\SysWOW64\Jolfcj32.dll Apajlhka.exe File opened for modification C:\Windows\SysWOW64\Blmdlhmp.exe Bingpmnl.exe File created C:\Windows\SysWOW64\Epaogi32.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Iklefg32.dll Afiecb32.exe File opened for modification C:\Windows\SysWOW64\Cngcjo32.exe Ckignd32.exe File created C:\Windows\SysWOW64\Fncann32.dll Dhmcfkme.exe File created C:\Windows\SysWOW64\Fpdhklkl.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Hcifgjgc.exe Hdfflm32.exe File created C:\Windows\SysWOW64\Hgdbhi32.exe Hcifgjgc.exe File created C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Ggpimica.exe Ggpimica.exe File created C:\Windows\SysWOW64\Fmhheqje.exe Filldb32.exe File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe Gkihhhnm.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File created C:\Windows\SysWOW64\Bloqah32.exe Bdhhqk32.exe File created C:\Windows\SysWOW64\Comimg32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Efjcibje.dll Ebgacddo.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Kagdplnm.dll Mnkbdlbd.exe File opened for modification C:\Windows\SysWOW64\Pmlkpjpj.exe Pfbccp32.exe File created C:\Windows\SysWOW64\Fqpjbf32.dll Cfbhnaho.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Jiiegafd.dll Fehjeo32.exe File created C:\Windows\SysWOW64\Facklcaq.dll Faokjpfd.exe File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe Hknach32.exe File created C:\Windows\SysWOW64\Omabcb32.dll Hknach32.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hpocfncj.exe File opened for modification C:\Windows\SysWOW64\Qnigda32.exe Qhooggdn.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gdopkn32.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dngoibmo.exe File created C:\Windows\SysWOW64\Dfijnd32.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Epieghdk.exe Elmigj32.exe File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe Fcmgfkeg.exe File created C:\Windows\SysWOW64\Qahefm32.dll Gpmjak32.exe File created C:\Windows\SysWOW64\Mnkbdlbd.exe Mohbip32.exe File created C:\Windows\SysWOW64\Ofpfnqjp.exe Ogmfbd32.exe File created C:\Windows\SysWOW64\Ghkllmoi.exe Gdopkn32.exe File created C:\Windows\SysWOW64\Mhllhfdh.dll Njbcim32.exe File opened for modification C:\Windows\SysWOW64\Dngoibmo.exe Dodonf32.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Iklgpmjo.dll Ckignd32.exe File created C:\Windows\SysWOW64\Anapbp32.dll Dbehoa32.exe File opened for modification C:\Windows\SysWOW64\Ajphib32.exe Ahakmf32.exe File created C:\Windows\SysWOW64\Bpcbqk32.exe Bnefdp32.exe File created C:\Windows\SysWOW64\Ncoamb32.exe Nqqdag32.exe -
Program crash 1 IoCs
pid pid_target Process 4744 4720 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocdp32.dll" Mkmfhacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cfinoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhljm32.dll" Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmddhkao.dll" Bagpopmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okoomd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Ieqeidnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbifehk.dll" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihoafpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdpip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lchnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhkqaj.dll" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnebmi32.dll" Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngohf32.dll" Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" Comimg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll" Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejbfhfaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdoclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plahag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" Hpapln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jadhjcfk.dll" Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfbdd32.dll" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefmambf.dll" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" Ghoegl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2008 wrote to memory of 1200 2008 6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe 28 PID 2008 wrote to memory of 1200 2008 6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe 28 PID 2008 wrote to memory of 1200 2008 6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe 28 PID 2008 wrote to memory of 1200 2008 6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe 28 PID 1200 wrote to memory of 2256 1200 Lmiipi32.exe 29 PID 1200 wrote to memory of 2256 1200 Lmiipi32.exe 29 PID 1200 wrote to memory of 2256 1200 Lmiipi32.exe 29 PID 1200 wrote to memory of 2256 1200 Lmiipi32.exe 29 PID 2256 wrote to memory of 2616 2256 Ldcamcih.exe 30 PID 2256 wrote to memory of 2616 2256 Ldcamcih.exe 30 PID 2256 wrote to memory of 2616 2256 Ldcamcih.exe 30 PID 2256 wrote to memory of 2616 2256 Ldcamcih.exe 30 PID 2616 wrote to memory of 2732 2616 Lmkfei32.exe 31 PID 2616 wrote to memory of 2732 2616 Lmkfei32.exe 31 PID 2616 wrote to memory of 2732 2616 Lmkfei32.exe 31 PID 2616 wrote to memory of 2732 2616 Lmkfei32.exe 31 PID 2732 wrote to memory of 2368 2732 Lpjbad32.exe 32 PID 2732 wrote to memory of 2368 2732 Lpjbad32.exe 32 PID 2732 wrote to memory of 2368 2732 Lpjbad32.exe 32 PID 2732 wrote to memory of 2368 2732 Lpjbad32.exe 32 PID 2368 wrote to memory of 2524 2368 Lchnnp32.exe 33 PID 2368 wrote to memory of 2524 2368 Lchnnp32.exe 33 PID 2368 wrote to memory of 2524 2368 Lchnnp32.exe 33 PID 2368 wrote to memory of 2524 2368 Lchnnp32.exe 33 PID 2524 wrote to memory of 2632 2524 Lefkjkmc.exe 34 PID 2524 wrote to memory of 2632 2524 Lefkjkmc.exe 34 PID 2524 wrote to memory of 2632 2524 Lefkjkmc.exe 34 PID 2524 wrote to memory of 2632 2524 Lefkjkmc.exe 34 PID 2632 wrote to memory of 2716 2632 Loooca32.exe 35 PID 2632 wrote to memory of 2716 2632 Loooca32.exe 35 PID 2632 wrote to memory of 2716 2632 Loooca32.exe 35 PID 2632 wrote to memory of 2716 2632 Loooca32.exe 35 PID 2716 wrote to memory of 2808 2716 Midcpj32.exe 36 PID 2716 wrote to memory of 2808 2716 Midcpj32.exe 36 PID 2716 wrote to memory of 2808 2716 Midcpj32.exe 36 PID 2716 wrote to memory of 2808 2716 Midcpj32.exe 36 PID 2808 wrote to memory of 2012 2808 Mhgclfje.exe 37 PID 2808 wrote to memory of 2012 2808 Mhgclfje.exe 37 PID 2808 wrote to memory of 2012 2808 Mhgclfje.exe 37 PID 2808 wrote to memory of 2012 2808 Mhgclfje.exe 37 PID 2012 wrote to memory of 2392 2012 Moalhq32.exe 38 PID 2012 wrote to memory of 2392 2012 Moalhq32.exe 38 PID 2012 wrote to memory of 2392 2012 Moalhq32.exe 38 PID 2012 wrote to memory of 2392 2012 Moalhq32.exe 38 PID 2392 wrote to memory of 2184 2392 Maphdl32.exe 39 PID 2392 wrote to memory of 2184 2392 Maphdl32.exe 39 PID 2392 wrote to memory of 2184 2392 Maphdl32.exe 39 PID 2392 wrote to memory of 2184 2392 Maphdl32.exe 39 PID 2184 wrote to memory of 1596 2184 Mhjpaf32.exe 40 PID 2184 wrote to memory of 1596 2184 Mhjpaf32.exe 40 PID 2184 wrote to memory of 1596 2184 Mhjpaf32.exe 40 PID 2184 wrote to memory of 1596 2184 Mhjpaf32.exe 40 PID 1596 wrote to memory of 2104 1596 Mkhmma32.exe 41 PID 1596 wrote to memory of 2104 1596 Mkhmma32.exe 41 PID 1596 wrote to memory of 2104 1596 Mkhmma32.exe 41 PID 1596 wrote to memory of 2104 1596 Mkhmma32.exe 41 PID 2104 wrote to memory of 2788 2104 Mabejlob.exe 42 PID 2104 wrote to memory of 2788 2104 Mabejlob.exe 42 PID 2104 wrote to memory of 2788 2104 Mabejlob.exe 42 PID 2104 wrote to memory of 2788 2104 Mabejlob.exe 42 PID 2788 wrote to memory of 268 2788 Mdqafgnf.exe 43 PID 2788 wrote to memory of 268 2788 Mdqafgnf.exe 43 PID 2788 wrote to memory of 268 2788 Mdqafgnf.exe 43 PID 2788 wrote to memory of 268 2788 Mdqafgnf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6166adb202080f1877df2e363c37bbd0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe33⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe34⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe37⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe38⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe41⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe42⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe43⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe44⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe45⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe48⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe49⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe50⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe52⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe53⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe57⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe58⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe60⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe64⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe65⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe66⤵
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe67⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe69⤵PID:1796
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe70⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe71⤵PID:2328
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe72⤵
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe73⤵PID:3028
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe74⤵PID:1556
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe75⤵PID:1944
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe76⤵
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe77⤵PID:1592
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe81⤵PID:2016
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe82⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe83⤵PID:1820
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe85⤵PID:3000
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe86⤵PID:1440
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe87⤵PID:1908
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe89⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe90⤵PID:796
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe91⤵PID:1772
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe92⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe93⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe94⤵PID:2884
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe95⤵
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe96⤵PID:2868
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe97⤵PID:2768
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe98⤵PID:2096
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe99⤵PID:1488
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe100⤵PID:1828
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe101⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe102⤵
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe103⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe105⤵PID:2460
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe108⤵PID:2132
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe109⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe111⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe116⤵PID:1992
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe118⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe119⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe120⤵PID:2172
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe121⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe122⤵
- Drops file in System32 directory
PID:1572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-