Analysis
-
max time kernel
141s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14/05/2024, 00:03
Behavioral task
behavioral1
Sample
3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe
-
Size
3.7MB
-
MD5
3b436634841af88f8cac32d59e71dcb0
-
SHA1
9d1ddd6d9b13d22aac29b1560cefe7a9ae3db544
-
SHA256
78921dd0aca44a2bff89c63b13bf5c047bf4b62f4efdb7a6e92777df6c2db349
-
SHA512
44d055d59eb46f39903e249b5fac90000e356d7569ce32c89b72da8839a2a17e6568be035b5e4f7047b43564637c7a9c8788455de00b3005c85ad2074bc621d8
-
SSDEEP
98304:P6r6HaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjvha/4wzlF65T:vaSHFaZRBEYyqmS2DiHPKQgwUgUjvhoU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkccpgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlcbenjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abphal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Namqci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkpqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgjqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjakmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiglkle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lapnnafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labkdack.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhllob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afohaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlljjjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiladcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmlecec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdnepk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npojdpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpjakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biojif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obojhlbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqemdbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbjopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihjnom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohaeia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbggjfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abphal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnicmdli.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c000000015653-5.dat family_berbew behavioral1/files/0x0007000000015cff-27.dat family_berbew behavioral1/files/0x0007000000015d42-34.dat family_berbew behavioral1/files/0x0009000000015d5f-50.dat family_berbew behavioral1/files/0x0034000000015ccd-62.dat family_berbew behavioral1/files/0x0034000000015ccd-64.dat family_berbew behavioral1/files/0x0034000000015ccd-69.dat family_berbew behavioral1/files/0x0006000000016cdc-120.dat family_berbew behavioral1/files/0x0006000000016d18-141.dat family_berbew behavioral1/files/0x0006000000016d34-153.dat family_berbew behavioral1/files/0x0006000000016d3e-171.dat family_berbew behavioral1/files/0x0006000000016da5-215.dat family_berbew behavioral1/files/0x000500000001875a-289.dat family_berbew behavioral1/files/0x00050000000186f6-279.dat family_berbew behavioral1/files/0x0031000000018649-267.dat family_berbew behavioral1/files/0x0006000000017437-256.dat family_berbew behavioral1/files/0x00060000000171df-246.dat family_berbew behavioral1/files/0x000600000001704a-237.dat family_berbew behavioral1/files/0x0006000000016db9-229.dat family_berbew behavioral1/files/0x0006000000016db9-228.dat family_berbew behavioral1/files/0x0006000000016db9-222.dat family_berbew behavioral1/files/0x0006000000016da5-208.dat family_berbew behavioral1/files/0x0006000000016da5-207.dat family_berbew behavioral1/files/0x0006000000016da5-205.dat family_berbew behavioral1/files/0x0006000000016d8e-199.dat family_berbew behavioral1/files/0x000500000001876e-300.dat family_berbew behavioral1/files/0x0005000000018785-309.dat family_berbew behavioral1/files/0x00050000000192e7-343.dat family_berbew behavioral1/memory/2920-358-0x0000000000300000-0x0000000000333000-memory.dmp family_berbew behavioral1/files/0x000500000001961b-485.dat family_berbew behavioral1/files/0x0005000000019c48-568.dat family_berbew behavioral1/files/0x0005000000019db1-591.dat family_berbew behavioral1/files/0x000500000001a34e-639.dat family_berbew behavioral1/files/0x000500000001a44e-662.dat family_berbew behavioral1/files/0x000500000001a4a4-679.dat family_berbew behavioral1/files/0x000500000001a4b3-696.dat family_berbew behavioral1/files/0x000500000001a4d7-772.dat family_berbew behavioral1/files/0x000500000001a4dc-784.dat family_berbew behavioral1/files/0x000500000001a4e9-826.dat family_berbew behavioral1/files/0x000500000001c772-988.dat family_berbew behavioral1/files/0x000500000001c8c2-1172.dat family_berbew behavioral1/files/0x000500000001c940-1197.dat family_berbew behavioral1/files/0x000400000001c95f-1261.dat family_berbew behavioral1/files/0x000400000001c979-1292.dat family_berbew behavioral1/files/0x000400000001cb6f-1335.dat family_berbew behavioral1/files/0x000400000001cb7b-1343.dat family_berbew behavioral1/files/0x000400000001cbe1-1469.dat family_berbew behavioral1/files/0x000400000001cc93-1590.dat family_berbew behavioral1/files/0x000400000001cc99-1606.dat family_berbew behavioral1/files/0x000400000001cc9e-1639.dat family_berbew behavioral1/files/0x000400000001cc9b-1631.dat family_berbew behavioral1/files/0x000400000001cc97-1602.dat family_berbew behavioral1/files/0x000400000001cca5-1688.dat family_berbew behavioral1/files/0x000400000001ccba-1703.dat family_berbew behavioral1/files/0x000400000001cd46-1716.dat family_berbew behavioral1/files/0x000400000001cd68-1725.dat family_berbew behavioral1/files/0x000400000001cd8d-1743.dat family_berbew behavioral1/files/0x000400000001cdcb-1760.dat family_berbew behavioral1/files/0x000400000001cef6-1802.dat family_berbew behavioral1/files/0x000400000001cf81-1837.dat family_berbew behavioral1/files/0x000400000001cf7c-1824.dat family_berbew behavioral1/files/0x000400000001d009-1863.dat family_berbew behavioral1/files/0x000400000001d01c-1884.dat family_berbew behavioral1/files/0x000400000001d026-1896.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2212 Ahokfj32.exe 2960 Blmdlhmp.exe 2816 Bnbjopoi.exe 2756 Bnefdp32.exe 2612 Ckdjbh32.exe 2888 Cfinoq32.exe 2516 Dflkdp32.exe 2868 Dodonf32.exe 2360 Dqelenlc.exe 1880 Dhmcfkme.exe 1576 Dnilobkm.exe 2296 Dnlidb32.exe 2132 Dchali32.exe 2304 Dnneja32.exe 2312 Dqlafm32.exe 1488 Dgfjbgmh.exe 2544 Emcbkn32.exe 1092 Ebpkce32.exe 840 Eijcpoac.exe 804 Epdkli32.exe 1168 Efncicpm.exe 964 Emhlfmgj.exe 1696 Ebedndfa.exe 3024 Kaceodek.exe 884 Kmjfdejp.exe 1972 Kmmcjehm.exe 2920 Kfegbj32.exe 1148 Kjcpii32.exe 2752 Lldlqakb.exe 2472 Lbnemk32.exe 2284 Lemaif32.exe 1828 Lmcijcbe.exe 1948 Lbqabkql.exe 2228 Lijjoe32.exe 2424 Lliflp32.exe 1792 Lbcnhjnj.exe 3036 Leajdfnm.exe 1552 Lhpfqama.exe 548 Lkncmmle.exe 908 Lahkigca.exe 756 Lecgje32.exe 1136 Lmolnh32.exe 776 Lefdpe32.exe 2812 Mhdplq32.exe 3064 Mkclhl32.exe 844 Mdkqqa32.exe 2244 Mhgmapfi.exe 2904 Mkeimlfm.exe 2680 Mmceigep.exe 2496 Mdmmfa32.exe 1628 Mgljbm32.exe 1616 Mlibjc32.exe 2160 Mcbjgn32.exe 1660 Meagci32.exe 2116 Mmhodf32.exe 1988 Mpfkqb32.exe 2336 Mcegmm32.exe 2152 Meccii32.exe 2984 Mlmlecec.exe 1564 Najdnj32.exe 1624 Nhdlkdkg.exe 1980 Nkbhgojk.exe 1588 Namqci32.exe 2636 Ndkmpe32.exe -
Loads dropped DLL 64 IoCs
pid Process 2860 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 2860 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 2212 Ahokfj32.exe 2212 Ahokfj32.exe 2960 Blmdlhmp.exe 2960 Blmdlhmp.exe 2816 Bnbjopoi.exe 2816 Bnbjopoi.exe 2756 Bnefdp32.exe 2756 Bnefdp32.exe 2612 Ckdjbh32.exe 2612 Ckdjbh32.exe 2888 Cfinoq32.exe 2888 Cfinoq32.exe 2516 Dflkdp32.exe 2516 Dflkdp32.exe 2868 Dodonf32.exe 2868 Dodonf32.exe 2360 Dqelenlc.exe 2360 Dqelenlc.exe 1880 Dhmcfkme.exe 1880 Dhmcfkme.exe 1576 Dnilobkm.exe 1576 Dnilobkm.exe 2296 Dnlidb32.exe 2296 Dnlidb32.exe 2132 Dchali32.exe 2132 Dchali32.exe 2304 Dnneja32.exe 2304 Dnneja32.exe 2312 Dqlafm32.exe 2312 Dqlafm32.exe 1488 Dgfjbgmh.exe 1488 Dgfjbgmh.exe 2544 Emcbkn32.exe 2544 Emcbkn32.exe 1092 Ebpkce32.exe 1092 Ebpkce32.exe 840 Eijcpoac.exe 840 Eijcpoac.exe 804 Epdkli32.exe 804 Epdkli32.exe 1168 Efncicpm.exe 1168 Efncicpm.exe 964 Emhlfmgj.exe 964 Emhlfmgj.exe 1696 Ebedndfa.exe 1696 Ebedndfa.exe 3024 Kaceodek.exe 3024 Kaceodek.exe 884 Kmjfdejp.exe 884 Kmjfdejp.exe 1972 Kmmcjehm.exe 1972 Kmmcjehm.exe 2920 Kfegbj32.exe 2920 Kfegbj32.exe 1148 Kjcpii32.exe 1148 Kjcpii32.exe 2752 Lldlqakb.exe 2752 Lldlqakb.exe 2472 Lbnemk32.exe 2472 Lbnemk32.exe 2284 Lemaif32.exe 2284 Lemaif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jgojpjem.exe Jdpndnei.exe File opened for modification C:\Windows\SysWOW64\Ocalkn32.exe Oqcpob32.exe File opened for modification C:\Windows\SysWOW64\Cmgechbh.exe Cdoajb32.exe File created C:\Windows\SysWOW64\Aoogfhfp.dll Cbgjqo32.exe File opened for modification C:\Windows\SysWOW64\Mdmmfa32.exe Mmceigep.exe File opened for modification C:\Windows\SysWOW64\Hiknhbcg.exe Hdnepk32.exe File created C:\Windows\SysWOW64\Nmgpon32.dll Inkccpgk.exe File created C:\Windows\SysWOW64\Lgmcqkkh.exe Labkdack.exe File created C:\Windows\SysWOW64\Mieeibkn.exe Meijhc32.exe File created C:\Windows\SysWOW64\Pkdgpo32.exe Pbkbgjcc.exe File created C:\Windows\SysWOW64\Cdoajb32.exe Bmeimhdj.exe File created C:\Windows\SysWOW64\Cadhnmnm.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Cpnojioo.exe Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Ilcmjl32.exe Ijdqna32.exe File created C:\Windows\SysWOW64\Ddgkcd32.dll Dqelenlc.exe File opened for modification C:\Windows\SysWOW64\Aaaoij32.exe Ajhgmpfg.exe File opened for modification C:\Windows\SysWOW64\Blpjegfm.exe Biamilfj.exe File created C:\Windows\SysWOW64\Abeemhkh.exe Qjnmlk32.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bjlqhoba.exe File created C:\Windows\SysWOW64\Kcacch32.dll Kjifhc32.exe File opened for modification C:\Windows\SysWOW64\Lnbbbffj.exe Llcefjgf.exe File created C:\Windows\SysWOW64\Ckpfcfnm.dll Cklfll32.exe File created C:\Windows\SysWOW64\Oikojfgk.exe Odobjg32.exe File created C:\Windows\SysWOW64\Pgeefbhm.exe Pnlqnl32.exe File created C:\Windows\SysWOW64\Hfjiem32.dll Llcefjgf.exe File created C:\Windows\SysWOW64\Mdacop32.exe Modkfi32.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Abhimnma.exe File created C:\Windows\SysWOW64\Hnhijl32.dll Ahlgfdeq.exe File created C:\Windows\SysWOW64\Akigbbni.dll Cghggc32.exe File opened for modification C:\Windows\SysWOW64\Jdehon32.exe Jbgkcb32.exe File created C:\Windows\SysWOW64\Melfncqb.exe Mlcbenjb.exe File created C:\Windows\SysWOW64\Bphbeplm.exe Biojif32.exe File created C:\Windows\SysWOW64\Dfnfdcqd.dll Mpfkqb32.exe File created C:\Windows\SysWOW64\Bgagbb32.dll Mlibjc32.exe File created C:\Windows\SysWOW64\Lbadbn32.dll Enfenplo.exe File created C:\Windows\SysWOW64\Fpbche32.dll Qqeicede.exe File created C:\Windows\SysWOW64\Njlockkm.exe Nkiogn32.exe File created C:\Windows\SysWOW64\Bdacap32.dll Emkaol32.exe File opened for modification C:\Windows\SysWOW64\Ipjoplgo.exe Inkccpgk.exe File created C:\Windows\SysWOW64\Poceplpj.dll Lpjdjmfp.exe File opened for modification C:\Windows\SysWOW64\Qpgpkcpp.exe Qpecfc32.exe File created C:\Windows\SysWOW64\Elgkkpon.dll Cjdfmo32.exe File created C:\Windows\SysWOW64\Fffdil32.dll Icfofg32.exe File opened for modification C:\Windows\SysWOW64\Bdeeqehb.exe Bioqclil.exe File created C:\Windows\SysWOW64\Nmmhnm32.dll Hkaglf32.exe File created C:\Windows\SysWOW64\Idnhde32.dll Pflomnkb.exe File created C:\Windows\SysWOW64\Dfoqmo32.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Pbkbgjcc.exe Pomfkndo.exe File opened for modification C:\Windows\SysWOW64\Cpnojioo.exe Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Pgpeal32.exe Pqemdbaj.exe File opened for modification C:\Windows\SysWOW64\Qijdocfj.exe Pkdgpo32.exe File created C:\Windows\SysWOW64\Fdilgioe.dll Labkdack.exe File created C:\Windows\SysWOW64\Lmlhnagm.exe Lbfdaigg.exe File created C:\Windows\SysWOW64\Pgmkloid.dll Npfgpe32.exe File opened for modification C:\Windows\SysWOW64\Ocimgp32.exe Olpdjf32.exe File opened for modification C:\Windows\SysWOW64\Enakbp32.exe Dkcofe32.exe File created C:\Windows\SysWOW64\Fepiimfg.exe Fbamma32.exe File created C:\Windows\SysWOW64\Odmfgh32.dll Hdlhjl32.exe File created C:\Windows\SysWOW64\Lnhplkhl.dll Ijbdha32.exe File created C:\Windows\SysWOW64\Dnneja32.exe Dchali32.exe File created C:\Windows\SysWOW64\Djhmenjp.dll Olmhdf32.exe File created C:\Windows\SysWOW64\Mnhlblil.dll Ogblbo32.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Peiepfgg.exe File created C:\Windows\SysWOW64\Nlbeqb32.exe Ndkmpe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4420 3196 WerFault.exe 347 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpjdjmfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Melfncqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll" Qgoapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Dnlidb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfoak32.dll" Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmihnd32.dll" Olonpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiejdkkn.dll" Ocnfbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmhgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligkin32.dll" Bioqclil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmbknddp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abeemhkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfcpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" Dkcofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll" Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbgmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajpjakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkaippf.dll" Ofhick32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acahnedo.dll" Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndcpj32.dll" Pqhpdhcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagbb32.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjcabmga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docdkd32.dll" Npccpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll" Bhfcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfadgaio.dll" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Libicbma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blobjaba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cadhnmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pomfkndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpfkqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebedndfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjakmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inifnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndohedg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2212 2860 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 28 PID 2860 wrote to memory of 2212 2860 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 28 PID 2860 wrote to memory of 2212 2860 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 28 PID 2860 wrote to memory of 2212 2860 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 28 PID 2212 wrote to memory of 2960 2212 Ahokfj32.exe 29 PID 2212 wrote to memory of 2960 2212 Ahokfj32.exe 29 PID 2212 wrote to memory of 2960 2212 Ahokfj32.exe 29 PID 2212 wrote to memory of 2960 2212 Ahokfj32.exe 29 PID 2960 wrote to memory of 2816 2960 Blmdlhmp.exe 30 PID 2960 wrote to memory of 2816 2960 Blmdlhmp.exe 30 PID 2960 wrote to memory of 2816 2960 Blmdlhmp.exe 30 PID 2960 wrote to memory of 2816 2960 Blmdlhmp.exe 30 PID 2816 wrote to memory of 2756 2816 Bnbjopoi.exe 31 PID 2816 wrote to memory of 2756 2816 Bnbjopoi.exe 31 PID 2816 wrote to memory of 2756 2816 Bnbjopoi.exe 31 PID 2816 wrote to memory of 2756 2816 Bnbjopoi.exe 31 PID 2756 wrote to memory of 2612 2756 Bnefdp32.exe 32 PID 2756 wrote to memory of 2612 2756 Bnefdp32.exe 32 PID 2756 wrote to memory of 2612 2756 Bnefdp32.exe 32 PID 2756 wrote to memory of 2612 2756 Bnefdp32.exe 32 PID 2612 wrote to memory of 2888 2612 Ckdjbh32.exe 33 PID 2612 wrote to memory of 2888 2612 Ckdjbh32.exe 33 PID 2612 wrote to memory of 2888 2612 Ckdjbh32.exe 33 PID 2612 wrote to memory of 2888 2612 Ckdjbh32.exe 33 PID 2888 wrote to memory of 2516 2888 Cfinoq32.exe 34 PID 2888 wrote to memory of 2516 2888 Cfinoq32.exe 34 PID 2888 wrote to memory of 2516 2888 Cfinoq32.exe 34 PID 2888 wrote to memory of 2516 2888 Cfinoq32.exe 34 PID 2516 wrote to memory of 2868 2516 Dflkdp32.exe 35 PID 2516 wrote to memory of 2868 2516 Dflkdp32.exe 35 PID 2516 wrote to memory of 2868 2516 Dflkdp32.exe 35 PID 2516 wrote to memory of 2868 2516 Dflkdp32.exe 35 PID 2868 wrote to memory of 2360 2868 Dodonf32.exe 36 PID 2868 wrote to memory of 2360 2868 Dodonf32.exe 36 PID 2868 wrote to memory of 2360 2868 Dodonf32.exe 36 PID 2868 wrote to memory of 2360 2868 Dodonf32.exe 36 PID 2360 wrote to memory of 1880 2360 Dqelenlc.exe 37 PID 2360 wrote to memory of 1880 2360 Dqelenlc.exe 37 PID 2360 wrote to memory of 1880 2360 Dqelenlc.exe 37 PID 2360 wrote to memory of 1880 2360 Dqelenlc.exe 37 PID 1880 wrote to memory of 1576 1880 Dhmcfkme.exe 38 PID 1880 wrote to memory of 1576 1880 Dhmcfkme.exe 38 PID 1880 wrote to memory of 1576 1880 Dhmcfkme.exe 38 PID 1880 wrote to memory of 1576 1880 Dhmcfkme.exe 38 PID 1576 wrote to memory of 2296 1576 Dnilobkm.exe 39 PID 1576 wrote to memory of 2296 1576 Dnilobkm.exe 39 PID 1576 wrote to memory of 2296 1576 Dnilobkm.exe 39 PID 1576 wrote to memory of 2296 1576 Dnilobkm.exe 39 PID 2296 wrote to memory of 2132 2296 Dnlidb32.exe 40 PID 2296 wrote to memory of 2132 2296 Dnlidb32.exe 40 PID 2296 wrote to memory of 2132 2296 Dnlidb32.exe 40 PID 2296 wrote to memory of 2132 2296 Dnlidb32.exe 40 PID 2132 wrote to memory of 2304 2132 Dchali32.exe 41 PID 2132 wrote to memory of 2304 2132 Dchali32.exe 41 PID 2132 wrote to memory of 2304 2132 Dchali32.exe 41 PID 2132 wrote to memory of 2304 2132 Dchali32.exe 41 PID 2304 wrote to memory of 2312 2304 Dnneja32.exe 42 PID 2304 wrote to memory of 2312 2304 Dnneja32.exe 42 PID 2304 wrote to memory of 2312 2304 Dnneja32.exe 42 PID 2304 wrote to memory of 2312 2304 Dnneja32.exe 42 PID 2312 wrote to memory of 1488 2312 Dqlafm32.exe 43 PID 2312 wrote to memory of 1488 2312 Dqlafm32.exe 43 PID 2312 wrote to memory of 1488 2312 Dqlafm32.exe 43 PID 2312 wrote to memory of 1488 2312 Dqlafm32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe33⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe36⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe37⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe39⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe41⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe42⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe43⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe44⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe45⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe46⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe47⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe49⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe51⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe52⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe54⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe55⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe56⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe58⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe59⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe61⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe62⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe63⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe66⤵PID:2524
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe67⤵PID:2148
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe68⤵PID:1772
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe69⤵PID:1028
-
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe70⤵PID:1372
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe71⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe72⤵PID:2000
-
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe73⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe75⤵PID:1524
-
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe76⤵
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe78⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe79⤵PID:1536
-
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe80⤵
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe81⤵PID:2248
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe82⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe83⤵PID:3052
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe84⤵PID:1052
-
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe86⤵PID:2740
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe87⤵PID:1760
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe88⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe89⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe90⤵PID:2792
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe91⤵PID:2220
-
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe92⤵PID:2696
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe93⤵PID:1592
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe94⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe95⤵PID:2192
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe96⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe97⤵PID:2088
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe98⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe99⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe100⤵PID:2252
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe101⤵PID:2584
-
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe102⤵PID:2280
-
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe103⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe104⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe105⤵PID:1968
-
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe107⤵PID:1600
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe108⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe109⤵PID:2820
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe111⤵PID:1748
-
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe112⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe113⤵PID:500
-
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:296 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe116⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1288 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe119⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe121⤵PID:2572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-