Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:54
Behavioral task
behavioral1
Sample
674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe
-
Size
416KB
-
MD5
674def43f5f63225cd60fadf4a6e5ea0
-
SHA1
4f9ba59fb5f5a60e7cfc1578bae9d64e7f6574f3
-
SHA256
076079131f13e569f09937c7104343af45753bfa5b88416bcc80db24c3fd726c
-
SHA512
23749fa03674b5cfcc07ce39ee6b4214e6acb1e7f440e2da29ae67591d171b852814f194bce18e7c42308ce01eddc52d4258ac23b826aa34b74822c3f0eb6e79
-
SSDEEP
12288:958vaFXjYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:9uvCYJ07kE0KoFtw2gu9RxrBIUbPLwHh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dookgcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajhofao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblpjdpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mggpgmof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dojald32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdooajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behnnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jehkodcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkppbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emnndlod.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000a000000012286-5.dat family_berbew behavioral1/files/0x0007000000015cc7-24.dat family_berbew behavioral1/files/0x0007000000015cf0-33.dat family_berbew behavioral1/files/0x0007000000015d12-54.dat family_berbew behavioral1/files/0x0006000000016581-61.dat family_berbew behavioral1/files/0x0006000000016835-74.dat family_berbew behavioral1/files/0x0006000000016c52-88.dat family_berbew behavioral1/files/0x0006000000016c78-107.dat family_berbew behavioral1/files/0x0037000000015b6e-115.dat family_berbew behavioral1/files/0x0006000000016d17-129.dat family_berbew behavioral1/files/0x0006000000016d32-143.dat family_berbew behavioral1/files/0x0006000000016d43-160.dat family_berbew behavioral1/files/0x0006000000016d5f-172.dat family_berbew behavioral1/files/0x0006000000016d68-192.dat family_berbew behavioral1/files/0x0006000000016d8b-200.dat family_berbew behavioral1/files/0x0006000000016dba-221.dat family_berbew behavioral1/files/0x0006000000016dd1-229.dat family_berbew behavioral1/files/0x0006000000016de3-240.dat family_berbew behavioral1/files/0x0006000000017223-251.dat family_berbew behavioral1/files/0x00060000000173f6-262.dat family_berbew behavioral1/files/0x0006000000017577-273.dat family_berbew behavioral1/files/0x000d000000018673-284.dat family_berbew behavioral1/files/0x000500000001870f-293.dat family_berbew behavioral1/memory/1248-306-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/memory/1248-307-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x0005000000018723-303.dat family_berbew behavioral1/files/0x0005000000018797-314.dat family_berbew behavioral1/files/0x00050000000187b3-325.dat family_berbew behavioral1/files/0x0006000000018bd9-338.dat family_berbew behavioral1/memory/1680-344-0x00000000002F0000-0x0000000000325000-memory.dmp family_berbew behavioral1/files/0x00060000000190da-348.dat family_berbew behavioral1/files/0x0005000000019358-360.dat family_berbew behavioral1/files/0x00050000000193e5-369.dat family_berbew behavioral1/memory/2832-373-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x0005000000019428-380.dat family_berbew behavioral1/files/0x0005000000019447-391.dat family_berbew behavioral1/files/0x000500000001947b-403.dat family_berbew behavioral1/files/0x000500000001951f-412.dat family_berbew behavioral1/memory/2916-420-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x00050000000195b1-423.dat family_berbew behavioral1/memory/1960-430-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x0005000000019629-435.dat family_berbew behavioral1/files/0x000500000001962d-446.dat family_berbew behavioral1/memory/1904-452-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x0005000000019631-455.dat family_berbew behavioral1/files/0x0005000000019637-468.dat family_berbew behavioral1/memory/1036-470-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x000500000001963d-477.dat family_berbew behavioral1/files/0x0005000000019640-488.dat family_berbew behavioral1/files/0x0005000000019642-500.dat family_berbew behavioral1/files/0x000500000001968a-512.dat family_berbew behavioral1/files/0x00050000000196c2-522.dat family_berbew behavioral1/files/0x0005000000019707-535.dat family_berbew behavioral1/files/0x0005000000019724-543.dat family_berbew behavioral1/files/0x0005000000019911-555.dat family_berbew behavioral1/files/0x0005000000019973-566.dat family_berbew behavioral1/files/0x0005000000019c6a-577.dat family_berbew behavioral1/files/0x0005000000019c6e-589.dat family_berbew behavioral1/files/0x0005000000019ebb-601.dat family_berbew behavioral1/files/0x000500000001a052-613.dat family_berbew behavioral1/files/0x000500000001a0ba-624.dat family_berbew behavioral1/files/0x000500000001a0fa-638.dat family_berbew behavioral1/files/0x000500000001a41e-648.dat family_berbew behavioral1/files/0x000500000001a476-660.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2064 Amejeljk.exe 2924 Ailkjmpo.exe 2716 Bingpmnl.exe 2520 Bbflib32.exe 2536 Bhfagipa.exe 2732 Bhhnli32.exe 1696 Bdooajdc.exe 1384 Cljcelan.exe 1432 Coklgg32.exe 2892 Comimg32.exe 2020 Ckdjbh32.exe 1580 Chhjkl32.exe 2276 Dkhcmgnl.exe 392 Dqelenlc.exe 664 Dnilobkm.exe 1480 Dmoipopd.exe 1132 Djefobmk.exe 1128 Ebpkce32.exe 1368 Ejgcdb32.exe 1340 Ebbgid32.exe 3052 Eeqdep32.exe 800 Ekklaj32.exe 1248 Eiomkn32.exe 1708 Elmigj32.exe 1800 Eiaiqn32.exe 1680 Egdilkbf.exe 2824 Fhffaj32.exe 2656 Flabbihl.exe 2832 Fhhcgj32.exe 2764 Fjgoce32.exe 2560 Ffnphf32.exe 2588 Filldb32.exe 2916 Fjlhneio.exe 1960 Fddmgjpo.exe 2688 Ffbicfoc.exe 1904 Globlmmj.exe 1296 Glaoalkh.exe 1036 Gopkmhjk.exe 1152 Gldkfl32.exe 2372 Gaqcoc32.exe 2304 Ghkllmoi.exe 1476 Goddhg32.exe 2132 Gmgdddmq.exe 892 Ghmiam32.exe 2092 Gkkemh32.exe 2212 Gmjaic32.exe 1652 Gphmeo32.exe 2872 Hknach32.exe 3048 Hpkjko32.exe 1244 Hdfflm32.exe 316 Hpmgqnfl.exe 2096 Hggomh32.exe 2668 Hnagjbdf.exe 2780 Hjhhocjj.exe 2476 Hlfdkoin.exe 2556 Hodpgjha.exe 1224 Henidd32.exe 2580 Hjjddchg.exe 1996 Hogmmjfo.exe 1788 Iaeiieeb.exe 2368 Idceea32.exe 2608 Ioijbj32.exe 580 Ifcbodli.exe 1856 Ihankokm.exe -
Loads dropped DLL 64 IoCs
pid Process 2932 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 2932 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 2064 Amejeljk.exe 2064 Amejeljk.exe 2924 Ailkjmpo.exe 2924 Ailkjmpo.exe 2716 Bingpmnl.exe 2716 Bingpmnl.exe 2520 Bbflib32.exe 2520 Bbflib32.exe 2536 Bhfagipa.exe 2536 Bhfagipa.exe 2732 Bhhnli32.exe 2732 Bhhnli32.exe 1696 Bdooajdc.exe 1696 Bdooajdc.exe 1384 Cljcelan.exe 1384 Cljcelan.exe 1432 Coklgg32.exe 1432 Coklgg32.exe 2892 Comimg32.exe 2892 Comimg32.exe 2020 Ckdjbh32.exe 2020 Ckdjbh32.exe 1580 Chhjkl32.exe 1580 Chhjkl32.exe 2276 Dkhcmgnl.exe 2276 Dkhcmgnl.exe 392 Dqelenlc.exe 392 Dqelenlc.exe 664 Dnilobkm.exe 664 Dnilobkm.exe 1480 Dmoipopd.exe 1480 Dmoipopd.exe 1132 Djefobmk.exe 1132 Djefobmk.exe 1128 Ebpkce32.exe 1128 Ebpkce32.exe 1368 Ejgcdb32.exe 1368 Ejgcdb32.exe 1340 Ebbgid32.exe 1340 Ebbgid32.exe 3052 Eeqdep32.exe 3052 Eeqdep32.exe 800 Ekklaj32.exe 800 Ekklaj32.exe 1248 Eiomkn32.exe 1248 Eiomkn32.exe 1708 Elmigj32.exe 1708 Elmigj32.exe 1800 Eiaiqn32.exe 1800 Eiaiqn32.exe 1680 Egdilkbf.exe 1680 Egdilkbf.exe 2824 Fhffaj32.exe 2824 Fhffaj32.exe 2656 Flabbihl.exe 2656 Flabbihl.exe 2832 Fhhcgj32.exe 2832 Fhhcgj32.exe 2764 Fjgoce32.exe 2764 Fjgoce32.exe 2560 Ffnphf32.exe 2560 Ffnphf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lihmjejl.exe Lfjqnjkh.exe File opened for modification C:\Windows\SysWOW64\Bkommo32.exe Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Cghggc32.exe Cpnojioo.exe File created C:\Windows\SysWOW64\Oehfcmhd.dll Cghggc32.exe File created C:\Windows\SysWOW64\Jfcfmmpb.dll Amejeljk.exe File opened for modification C:\Windows\SysWOW64\Jkpgfn32.exe Jjojofgn.exe File created C:\Windows\SysWOW64\Iajcde32.exe Iokfhi32.exe File created C:\Windows\SysWOW64\Nmngmj32.dll Joplbl32.exe File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kjjmbj32.exe File created C:\Windows\SysWOW64\Pmanoifd.exe Pjcabmga.exe File opened for modification C:\Windows\SysWOW64\Alegac32.exe Aekodi32.exe File opened for modification C:\Windows\SysWOW64\Dojald32.exe Dhpiojfb.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hknach32.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Henidd32.exe File created C:\Windows\SysWOW64\Kfgdhjmk.exe Kcihlong.exe File created C:\Windows\SysWOW64\Maoajf32.exe Mkeimlfm.exe File created C:\Windows\SysWOW64\Oklkmnbp.exe Npfgpe32.exe File opened for modification C:\Windows\SysWOW64\Pbfpik32.exe Pgplkb32.exe File created C:\Windows\SysWOW64\Ncfnmo32.dll Blpjegfm.exe File opened for modification C:\Windows\SysWOW64\Ceaadk32.exe Cafecmlj.exe File created C:\Windows\SysWOW64\Hnagjbdf.exe Hggomh32.exe File opened for modification C:\Windows\SysWOW64\Henidd32.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Cafecmlj.exe Clilkfnb.exe File created C:\Windows\SysWOW64\Opiehf32.dll Ckoilb32.exe File created C:\Windows\SysWOW64\Codpklfq.dll Hknach32.exe File created C:\Windows\SysWOW64\Mpdnkb32.exe Mmfbogcn.exe File opened for modification C:\Windows\SysWOW64\Ihdkao32.exe Iajcde32.exe File opened for modification C:\Windows\SysWOW64\Kgpjanje.exe Kafbec32.exe File created C:\Windows\SysWOW64\Bcinmgng.dll Kcihlong.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Llkbap32.exe File created C:\Windows\SysWOW64\Fbbecd32.dll Nocnbmoo.exe File created C:\Windows\SysWOW64\Lcoich32.dll Nnhkcj32.exe File created C:\Windows\SysWOW64\Lanfmb32.dll Ekklaj32.exe File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe Fddmgjpo.exe File created C:\Windows\SysWOW64\Pgplkb32.exe Pfoocjfd.exe File opened for modification C:\Windows\SysWOW64\Cdgneh32.exe Cnmehnan.exe File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe Djklnnaj.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Odobjg32.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Lbeknj32.exe Llkbap32.exe File opened for modification C:\Windows\SysWOW64\Mamddf32.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Pmmokmik.dll Oqkqkdne.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pflomnkb.exe File created C:\Windows\SysWOW64\Cgllco32.dll Enhacojl.exe File created C:\Windows\SysWOW64\Ejobhppq.exe Emkaol32.exe File created C:\Windows\SysWOW64\Dmoipopd.exe Dnilobkm.exe File created C:\Windows\SysWOW64\Fjgoce32.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Hjhhocjj.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Jbkpmm32.dll Miooigfo.exe File created C:\Windows\SysWOW64\Bpiipf32.exe Bmkmdk32.exe File opened for modification C:\Windows\SysWOW64\Dlgldibq.exe Dgjclbdi.exe File created C:\Windows\SysWOW64\Enhacojl.exe Efaibbij.exe File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe Filldb32.exe File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe Gldkfl32.exe File created C:\Windows\SysWOW64\Kqgmkdbj.dll Kfegbj32.exe File created C:\Windows\SysWOW64\Lhbcfa32.exe Lahkigca.exe File opened for modification C:\Windows\SysWOW64\Nialog32.exe Nefpnhlc.exe File created C:\Windows\SysWOW64\Pbfpik32.exe Pgplkb32.exe File created C:\Windows\SysWOW64\Ccahbp32.exe Ckjpacfp.exe File created C:\Windows\SysWOW64\Dbhnhp32.exe Dojald32.exe File created C:\Windows\SysWOW64\Dnilobkm.exe Dqelenlc.exe File created C:\Windows\SysWOW64\Afldcl32.dll Kgkafo32.exe File created C:\Windows\SysWOW64\Kbmnmk32.dll Jcdbbloa.exe File created C:\Windows\SysWOW64\Kaceodek.exe Kjjmbj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3408 3344 WerFault.exe 282 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djihnh32.dll" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhnfd32.dll" Qpecfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midahn32.dll" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmamfo32.dll" Mhdplq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll" Dpeekh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dookgcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" Dhdcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkdpanhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kafbec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccahbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obcccl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Elmigj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnqphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kngfih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkeimlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klaoplan.dll" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjifqd32.dll" Aamfnkai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgdod32.dll" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkmeh32.dll" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglhipbb.dll" Kaceodek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bldcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpca32.dll" Idklfpon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmkcoqd.dll" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll" Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhmj32.dll" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkaippf.dll" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbflib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npfgpe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2932 wrote to memory of 2064 2932 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 29 PID 2932 wrote to memory of 2064 2932 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 29 PID 2932 wrote to memory of 2064 2932 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 29 PID 2932 wrote to memory of 2064 2932 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 29 PID 2064 wrote to memory of 2924 2064 Amejeljk.exe 30 PID 2064 wrote to memory of 2924 2064 Amejeljk.exe 30 PID 2064 wrote to memory of 2924 2064 Amejeljk.exe 30 PID 2064 wrote to memory of 2924 2064 Amejeljk.exe 30 PID 2924 wrote to memory of 2716 2924 Ailkjmpo.exe 31 PID 2924 wrote to memory of 2716 2924 Ailkjmpo.exe 31 PID 2924 wrote to memory of 2716 2924 Ailkjmpo.exe 31 PID 2924 wrote to memory of 2716 2924 Ailkjmpo.exe 31 PID 2716 wrote to memory of 2520 2716 Bingpmnl.exe 32 PID 2716 wrote to memory of 2520 2716 Bingpmnl.exe 32 PID 2716 wrote to memory of 2520 2716 Bingpmnl.exe 32 PID 2716 wrote to memory of 2520 2716 Bingpmnl.exe 32 PID 2520 wrote to memory of 2536 2520 Bbflib32.exe 33 PID 2520 wrote to memory of 2536 2520 Bbflib32.exe 33 PID 2520 wrote to memory of 2536 2520 Bbflib32.exe 33 PID 2520 wrote to memory of 2536 2520 Bbflib32.exe 33 PID 2536 wrote to memory of 2732 2536 Bhfagipa.exe 34 PID 2536 wrote to memory of 2732 2536 Bhfagipa.exe 34 PID 2536 wrote to memory of 2732 2536 Bhfagipa.exe 34 PID 2536 wrote to memory of 2732 2536 Bhfagipa.exe 34 PID 2732 wrote to memory of 1696 2732 Bhhnli32.exe 35 PID 2732 wrote to memory of 1696 2732 Bhhnli32.exe 35 PID 2732 wrote to memory of 1696 2732 Bhhnli32.exe 35 PID 2732 wrote to memory of 1696 2732 Bhhnli32.exe 35 PID 1696 wrote to memory of 1384 1696 Bdooajdc.exe 36 PID 1696 wrote to memory of 1384 1696 Bdooajdc.exe 36 PID 1696 wrote to memory of 1384 1696 Bdooajdc.exe 36 PID 1696 wrote to memory of 1384 1696 Bdooajdc.exe 36 PID 1384 wrote to memory of 1432 1384 Cljcelan.exe 37 PID 1384 wrote to memory of 1432 1384 Cljcelan.exe 37 PID 1384 wrote to memory of 1432 1384 Cljcelan.exe 37 PID 1384 wrote to memory of 1432 1384 Cljcelan.exe 37 PID 1432 wrote to memory of 2892 1432 Coklgg32.exe 38 PID 1432 wrote to memory of 2892 1432 Coklgg32.exe 38 PID 1432 wrote to memory of 2892 1432 Coklgg32.exe 38 PID 1432 wrote to memory of 2892 1432 Coklgg32.exe 38 PID 2892 wrote to memory of 2020 2892 Comimg32.exe 39 PID 2892 wrote to memory of 2020 2892 Comimg32.exe 39 PID 2892 wrote to memory of 2020 2892 Comimg32.exe 39 PID 2892 wrote to memory of 2020 2892 Comimg32.exe 39 PID 2020 wrote to memory of 1580 2020 Ckdjbh32.exe 40 PID 2020 wrote to memory of 1580 2020 Ckdjbh32.exe 40 PID 2020 wrote to memory of 1580 2020 Ckdjbh32.exe 40 PID 2020 wrote to memory of 1580 2020 Ckdjbh32.exe 40 PID 1580 wrote to memory of 2276 1580 Chhjkl32.exe 41 PID 1580 wrote to memory of 2276 1580 Chhjkl32.exe 41 PID 1580 wrote to memory of 2276 1580 Chhjkl32.exe 41 PID 1580 wrote to memory of 2276 1580 Chhjkl32.exe 41 PID 2276 wrote to memory of 392 2276 Dkhcmgnl.exe 42 PID 2276 wrote to memory of 392 2276 Dkhcmgnl.exe 42 PID 2276 wrote to memory of 392 2276 Dkhcmgnl.exe 42 PID 2276 wrote to memory of 392 2276 Dkhcmgnl.exe 42 PID 392 wrote to memory of 664 392 Dqelenlc.exe 43 PID 392 wrote to memory of 664 392 Dqelenlc.exe 43 PID 392 wrote to memory of 664 392 Dqelenlc.exe 43 PID 392 wrote to memory of 664 392 Dqelenlc.exe 43 PID 664 wrote to memory of 1480 664 Dnilobkm.exe 44 PID 664 wrote to memory of 1480 664 Dnilobkm.exe 44 PID 664 wrote to memory of 1480 664 Dnilobkm.exe 44 PID 664 wrote to memory of 1480 664 Dnilobkm.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe38⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe39⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe45⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe46⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe48⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe50⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe52⤵PID:2100
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe53⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe56⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe57⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe60⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe61⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe64⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe65⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe67⤵
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe68⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:692 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe70⤵PID:576
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe72⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe73⤵PID:2300
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe74⤵PID:2672
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe75⤵PID:2568
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe76⤵PID:1972
-
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe77⤵PID:1940
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe78⤵PID:1532
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe79⤵
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe81⤵
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe83⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe84⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe87⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe89⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe91⤵PID:2532
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe93⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe94⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe95⤵
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe97⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe99⤵PID:404
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe100⤵PID:1564
-
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe101⤵PID:1068
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe102⤵
- Drops file in System32 directory
PID:492 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe103⤵PID:2148
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe104⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe105⤵PID:2712
-
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe109⤵PID:2028
-
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe110⤵PID:2552
-
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe111⤵PID:2864
-
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe112⤵PID:680
-
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe113⤵PID:1640
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe114⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe115⤵PID:3028
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe117⤵PID:340
-
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe120⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe122⤵
- Drops file in System32 directory
PID:2288
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-