Analysis
-
max time kernel
143s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14/05/2024, 19:21
Behavioral task
behavioral1
Sample
1517c7f618e27bad01227341384415c0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
1517c7f618e27bad01227341384415c0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
1517c7f618e27bad01227341384415c0_NeikiAnalytics.exe
-
Size
108KB
-
MD5
1517c7f618e27bad01227341384415c0
-
SHA1
1a80f83ab22615a1960f52c545c0230fe3cfd0b1
-
SHA256
f14b5ace9851d39ebf0a75b7db2f61521e5af5e139f29359264d56f22ce736d9
-
SHA512
554f4e6d2ac4bf70c9f6347e72a76fa8906704daf5717c63e9be27da968ecea1a553ec9d86ee621c668c2b95b9abba2fe4882cad2a52babc004389d5e4690cae
-
SSDEEP
1536:KtqWv4XlP6Tcif1gggiWMwB+rjm8NiIqhn3HQ8BawTj2wQ3K:KXo6Tc3PikUjmOiBn3w8BdTj2h3K
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgmoigj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejopl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phonha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpjgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keceoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefbdjgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iloajfml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inkaqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjmba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhiemoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjhbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkhog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okailj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokkahlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkkik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egpnooan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keceoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieidhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpnda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcila32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhildae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mledmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinjjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmnpfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhfknjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomncfge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddekmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojajin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihpkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmladbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefkkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbpma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpefaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinboekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokbgpeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lancko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojhiogdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eddnic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpcila32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojiiafp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egaejeej.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4424-0-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0008000000023237-6.dat family_berbew behavioral2/memory/3108-7-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000800000002323b-14.dat family_berbew behavioral2/memory/3836-15-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000800000002323f-17.dat family_berbew behavioral2/memory/576-23-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023241-30.dat family_berbew behavioral2/memory/3396-31-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023243-38.dat family_berbew behavioral2/memory/4128-39-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023245-46.dat family_berbew behavioral2/memory/4436-47-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023247-54.dat family_berbew behavioral2/memory/1228-55-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023249-62.dat family_berbew behavioral2/memory/4828-63-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002324b-70.dat family_berbew behavioral2/memory/3612-71-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002324d-78.dat family_berbew behavioral2/memory/2052-79-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002324f-81.dat family_berbew behavioral2/memory/3760-87-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023252-94.dat family_berbew behavioral2/memory/2288-95-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023254-102.dat family_berbew behavioral2/memory/3972-103-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023256-110.dat family_berbew behavioral2/memory/2016-112-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023258-118.dat family_berbew behavioral2/memory/2164-119-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002325a-126.dat family_berbew behavioral2/memory/3676-128-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002325c-129.dat family_berbew behavioral2/memory/3080-136-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002325e-142.dat family_berbew behavioral2/memory/1784-143-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023260-145.dat family_berbew behavioral2/memory/4608-152-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023262-154.dat family_berbew behavioral2/memory/3668-160-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023264-166.dat family_berbew behavioral2/memory/3644-168-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023266-174.dat family_berbew behavioral2/memory/2944-175-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023268-182.dat family_berbew behavioral2/memory/2220-184-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002326a-190.dat family_berbew behavioral2/memory/4104-192-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002326c-198.dat family_berbew behavioral2/memory/388-200-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002326e-206.dat family_berbew behavioral2/memory/3100-207-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023270-214.dat family_berbew behavioral2/memory/4252-215-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/memory/3276-216-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023274-222.dat family_berbew behavioral2/memory/4816-224-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023276-230.dat family_berbew behavioral2/memory/4688-231-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x0007000000023278-238.dat family_berbew behavioral2/memory/2028-240-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral2/files/0x000700000002327a-246.dat family_berbew behavioral2/memory/2932-248-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3108 Anmfbl32.exe 3836 Ahgcjddh.exe 576 Alelqb32.exe 3396 Bkjiao32.exe 4128 Bklfgo32.exe 4436 Blqllqqa.exe 1228 Cfkmkf32.exe 4828 Chlflabp.exe 3612 Cohkokgj.exe 2052 Ddjmba32.exe 3760 Ddnfmqng.exe 2288 Ekmhejao.exe 3972 Eblimcdf.exe 2016 Efjbcakl.exe 2164 Fligqhga.exe 3676 Fpgpgfmh.exe 3080 Fmmmfj32.exe 1784 Gidnkkpc.exe 4608 Gejopl32.exe 3668 Gfjkjo32.exe 3644 Gikdkj32.exe 2944 Gojiiafp.exe 2220 Hbjoeojc.exe 4104 Hifcgion.exe 388 Ibaeen32.exe 3100 Igajal32.exe 4252 Ieidhh32.exe 4816 Jgkmgk32.exe 4688 Jilfifme.exe 2028 Jinboekc.exe 2932 Kgdpni32.exe 4356 Kpoalo32.exe 4968 Kgkfnh32.exe 1048 Llmhaold.exe 4820 Lcimdh32.exe 2940 Moipoh32.exe 2272 Mjaabq32.exe 1712 Nclbpf32.exe 4320 Nadleilm.exe 3428 Nfcabp32.exe 4876 Ojajin32.exe 1244 Ombcji32.exe 4240 Omdppiif.exe 3256 Oabhfg32.exe 1860 Phonha32.exe 4596 Pmnbfhal.exe 2124 Pnmopk32.exe 4256 Pdjgha32.exe 3284 Qhhpop32.exe 4416 Qacameaj.exe 4684 Akkffkhk.exe 2388 Ahofoogd.exe 4864 Apjkcadp.exe 2548 Aokkahlo.exe 1988 Apodoq32.exe 5012 Bhhiemoj.exe 1456 Bkibgh32.exe 3556 Bogkmgba.exe 3412 Bahdob32.exe 4408 Dhdbhifj.exe 1432 Egaejeej.exe 4912 Eojiqb32.exe 4572 Fnbcgn32.exe 4940 Fgoakc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eahobg32.exe Eddnic32.exe File created C:\Windows\SysWOW64\Fdpnda32.exe Fcneeo32.exe File created C:\Windows\SysWOW64\Bejobk32.exe Acgfec32.exe File created C:\Windows\SysWOW64\Pdjgha32.exe Pnmopk32.exe File created C:\Windows\SysWOW64\Qglobbdg.dll Iojkeh32.exe File created C:\Windows\SysWOW64\Jeapcq32.exe Jikoopij.exe File created C:\Windows\SysWOW64\Cmpjoloh.exe Cpljehpo.exe File created C:\Windows\SysWOW64\Bkjbah32.dll Kopcbo32.exe File created C:\Windows\SysWOW64\Clbdpc32.exe Bejobk32.exe File opened for modification C:\Windows\SysWOW64\Mjaabq32.exe Moipoh32.exe File opened for modification C:\Windows\SysWOW64\Nfgklkoc.exe Mjpjgj32.exe File created C:\Windows\SysWOW64\Paenokbf.dll Afcmfe32.exe File opened for modification C:\Windows\SysWOW64\Djegekil.exe Dickplko.exe File created C:\Windows\SysWOW64\Iogkekkb.dll Cfkmkf32.exe File opened for modification C:\Windows\SysWOW64\Eojiqb32.exe Egaejeej.exe File created C:\Windows\SysWOW64\Elekoe32.dll Bpqjjjjl.exe File created C:\Windows\SysWOW64\Oapijm32.dll Ijiopd32.exe File created C:\Windows\SysWOW64\Balfdi32.dll Iloajfml.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Ahofoogd.exe File opened for modification C:\Windows\SysWOW64\Bhhiemoj.exe Apodoq32.exe File opened for modification C:\Windows\SysWOW64\Mledmg32.exe Lancko32.exe File created C:\Windows\SysWOW64\Nqaiecjd.exe Nmcpoedn.exe File created C:\Windows\SysWOW64\Blqllqqa.exe Bklfgo32.exe File created C:\Windows\SysWOW64\Oabhfg32.exe Omdppiif.exe File created C:\Windows\SysWOW64\Nimmifgo.exe Nqaiecjd.exe File created C:\Windows\SysWOW64\Pplhhm32.exe Pmhbqbae.exe File created C:\Windows\SysWOW64\Amikgpcc.exe Qjhbfd32.exe File opened for modification C:\Windows\SysWOW64\Kbjbnnfg.exe Kefbdjgm.exe File opened for modification C:\Windows\SysWOW64\Aecialmb.exe Aimhmkgn.exe File created C:\Windows\SysWOW64\Ckbcpc32.dll Pdjgha32.exe File opened for modification C:\Windows\SysWOW64\Qacameaj.exe Qhhpop32.exe File opened for modification C:\Windows\SysWOW64\Iojkeh32.exe Ihmfco32.exe File created C:\Windows\SysWOW64\Aaeidf32.dll Klggli32.exe File created C:\Windows\SysWOW64\Kbjpeo32.dll Mjaabq32.exe File created C:\Windows\SysWOW64\Odibfg32.dll Pbcncibp.exe File created C:\Windows\SysWOW64\Gjaphgpl.exe Fdpnda32.exe File created C:\Windows\SysWOW64\Lfipab32.dll Ddnfmqng.exe File created C:\Windows\SysWOW64\Kpoalo32.exe Kgdpni32.exe File opened for modification C:\Windows\SysWOW64\Kpnjah32.exe Kplmliko.exe File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Pbcncibp.exe File opened for modification C:\Windows\SysWOW64\Afcmfe32.exe Ajmladbl.exe File opened for modification C:\Windows\SysWOW64\Ohhfknjf.exe Oheienli.exe File created C:\Windows\SysWOW64\Aecialmb.exe Aimhmkgn.exe File created C:\Windows\SysWOW64\Eblimcdf.exe Ekmhejao.exe File opened for modification C:\Windows\SysWOW64\Dhdbhifj.exe Bahdob32.exe File opened for modification C:\Windows\SysWOW64\Lcclncbh.exe Klggli32.exe File created C:\Windows\SysWOW64\Nbebbk32.exe Nimmifgo.exe File opened for modification C:\Windows\SysWOW64\Bejobk32.exe Acgfec32.exe File created C:\Windows\SysWOW64\Dpefaq32.exe Cpcila32.exe File created C:\Windows\SysWOW64\Dinjjf32.exe Dpefaq32.exe File created C:\Windows\SysWOW64\Bepjbf32.dll Nfgklkoc.exe File opened for modification C:\Windows\SysWOW64\Dpopbepi.exe Djegekil.exe File opened for modification C:\Windows\SysWOW64\Jeaiij32.exe Jacpcl32.exe File opened for modification C:\Windows\SysWOW64\Lknjhokg.exe Leoejh32.exe File created C:\Windows\SysWOW64\Eojpkdah.dll Hnphoj32.exe File created C:\Windows\SysWOW64\Eclhcj32.dll Eahobg32.exe File opened for modification C:\Windows\SysWOW64\Fligqhga.exe Efjbcakl.exe File created C:\Windows\SysWOW64\Qikoka32.dll Gikdkj32.exe File opened for modification C:\Windows\SysWOW64\Alelqb32.exe Ahgcjddh.exe File created C:\Windows\SysWOW64\Qedegh32.dll Ombcji32.exe File created C:\Windows\SysWOW64\Pnmopk32.exe Pmnbfhal.exe File opened for modification C:\Windows\SysWOW64\Dnljkk32.exe Cgmhcaac.exe File created C:\Windows\SysWOW64\Djegekil.exe Dickplko.exe File created C:\Windows\SysWOW64\Hgnfpc32.dll Koljgppp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 568 2464 WerFault.exe 280 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhifomdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpljehpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odbgdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okailj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkoiaif.dll" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll" Eddnic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlbpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieidhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jilfifme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lakfeodm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkpjeba.dll" Clbdpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elekoe32.dll" Bpqjjjjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll" Bbfmgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhildae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll" Bkibgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbfmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll" Djegekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglobbdg.dll" Iojkeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocphojh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhgkfkg.dll" Jlkafdco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicpnnio.dll" Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll" Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bahdob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofegni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhildae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eciqfjec.dll" Ihkjno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkafdco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll" Hlppno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll" Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll" Kefbdjgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmnpfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhcbhh32.dll" Qiiflaoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpqjjjjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckahb32.dll" Jinboekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jacpcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leoejh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpljehpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmnpfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnbcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nakhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll" Pokanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbccbiml.dll" Dmkcpdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqmlccdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhldbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfcabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejopl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojhiogdd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4424 wrote to memory of 3108 4424 1517c7f618e27bad01227341384415c0_NeikiAnalytics.exe 90 PID 4424 wrote to memory of 3108 4424 1517c7f618e27bad01227341384415c0_NeikiAnalytics.exe 90 PID 4424 wrote to memory of 3108 4424 1517c7f618e27bad01227341384415c0_NeikiAnalytics.exe 90 PID 3108 wrote to memory of 3836 3108 Anmfbl32.exe 91 PID 3108 wrote to memory of 3836 3108 Anmfbl32.exe 91 PID 3108 wrote to memory of 3836 3108 Anmfbl32.exe 91 PID 3836 wrote to memory of 576 3836 Ahgcjddh.exe 92 PID 3836 wrote to memory of 576 3836 Ahgcjddh.exe 92 PID 3836 wrote to memory of 576 3836 Ahgcjddh.exe 92 PID 576 wrote to memory of 3396 576 Alelqb32.exe 93 PID 576 wrote to memory of 3396 576 Alelqb32.exe 93 PID 576 wrote to memory of 3396 576 Alelqb32.exe 93 PID 3396 wrote to memory of 4128 3396 Bkjiao32.exe 94 PID 3396 wrote to memory of 4128 3396 Bkjiao32.exe 94 PID 3396 wrote to memory of 4128 3396 Bkjiao32.exe 94 PID 4128 wrote to memory of 4436 4128 Bklfgo32.exe 95 PID 4128 wrote to memory of 4436 4128 Bklfgo32.exe 95 PID 4128 wrote to memory of 4436 4128 Bklfgo32.exe 95 PID 4436 wrote to memory of 1228 4436 Blqllqqa.exe 96 PID 4436 wrote to memory of 1228 4436 Blqllqqa.exe 96 PID 4436 wrote to memory of 1228 4436 Blqllqqa.exe 96 PID 1228 wrote to memory of 4828 1228 Cfkmkf32.exe 97 PID 1228 wrote to memory of 4828 1228 Cfkmkf32.exe 97 PID 1228 wrote to memory of 4828 1228 Cfkmkf32.exe 97 PID 4828 wrote to memory of 3612 4828 Chlflabp.exe 98 PID 4828 wrote to memory of 3612 4828 Chlflabp.exe 98 PID 4828 wrote to memory of 3612 4828 Chlflabp.exe 98 PID 3612 wrote to memory of 2052 3612 Cohkokgj.exe 99 PID 3612 wrote to memory of 2052 3612 Cohkokgj.exe 99 PID 3612 wrote to memory of 2052 3612 Cohkokgj.exe 99 PID 2052 wrote to memory of 3760 2052 Ddjmba32.exe 100 PID 2052 wrote to memory of 3760 2052 Ddjmba32.exe 100 PID 2052 wrote to memory of 3760 2052 Ddjmba32.exe 100 PID 3760 wrote to memory of 2288 3760 Ddnfmqng.exe 101 PID 3760 wrote to memory of 2288 3760 Ddnfmqng.exe 101 PID 3760 wrote to memory of 2288 3760 Ddnfmqng.exe 101 PID 2288 wrote to memory of 3972 2288 Ekmhejao.exe 102 PID 2288 wrote to memory of 3972 2288 Ekmhejao.exe 102 PID 2288 wrote to memory of 3972 2288 Ekmhejao.exe 102 PID 3972 wrote to memory of 2016 3972 Eblimcdf.exe 103 PID 3972 wrote to memory of 2016 3972 Eblimcdf.exe 103 PID 3972 wrote to memory of 2016 3972 Eblimcdf.exe 103 PID 2016 wrote to memory of 2164 2016 Efjbcakl.exe 104 PID 2016 wrote to memory of 2164 2016 Efjbcakl.exe 104 PID 2016 wrote to memory of 2164 2016 Efjbcakl.exe 104 PID 2164 wrote to memory of 3676 2164 Fligqhga.exe 105 PID 2164 wrote to memory of 3676 2164 Fligqhga.exe 105 PID 2164 wrote to memory of 3676 2164 Fligqhga.exe 105 PID 3676 wrote to memory of 3080 3676 Fpgpgfmh.exe 106 PID 3676 wrote to memory of 3080 3676 Fpgpgfmh.exe 106 PID 3676 wrote to memory of 3080 3676 Fpgpgfmh.exe 106 PID 3080 wrote to memory of 1784 3080 Fmmmfj32.exe 107 PID 3080 wrote to memory of 1784 3080 Fmmmfj32.exe 107 PID 3080 wrote to memory of 1784 3080 Fmmmfj32.exe 107 PID 1784 wrote to memory of 4608 1784 Gidnkkpc.exe 108 PID 1784 wrote to memory of 4608 1784 Gidnkkpc.exe 108 PID 1784 wrote to memory of 4608 1784 Gidnkkpc.exe 108 PID 4608 wrote to memory of 3668 4608 Gejopl32.exe 109 PID 4608 wrote to memory of 3668 4608 Gejopl32.exe 109 PID 4608 wrote to memory of 3668 4608 Gejopl32.exe 109 PID 3668 wrote to memory of 3644 3668 Gfjkjo32.exe 110 PID 3668 wrote to memory of 3644 3668 Gfjkjo32.exe 110 PID 3668 wrote to memory of 3644 3668 Gfjkjo32.exe 110 PID 3644 wrote to memory of 2944 3644 Gikdkj32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\1517c7f618e27bad01227341384415c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1517c7f618e27bad01227341384415c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ddnfmqng.exeC:\Windows\system32\Ddnfmqng.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Hbjoeojc.exeC:\Windows\system32\Hbjoeojc.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4104 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe27⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4252 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe29⤵PID:3276
-
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe34⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe35⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe36⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe37⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Nfcabp32.exeC:\Windows\system32\Nfcabp32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Omdppiif.exeC:\Windows\system32\Omdppiif.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4240 -
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe46⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4596 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4256 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3284 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe52⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe53⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe55⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Apodoq32.exeC:\Windows\system32\Apodoq32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe60⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Bahdob32.exeC:\Windows\system32\Bahdob32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3412 -
C:\Windows\SysWOW64\Dhdbhifj.exeC:\Windows\system32\Dhdbhifj.exe62⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe64⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe66⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4368 -
C:\Windows\SysWOW64\Hlppno32.exeC:\Windows\system32\Hlppno32.exe70⤵
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Hnphoj32.exeC:\Windows\system32\Hnphoj32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Hifmmb32.exeC:\Windows\system32\Hifmmb32.exe72⤵PID:5044
-
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe73⤵
- Modifies registry class
PID:3468 -
C:\Windows\SysWOW64\Ihmfco32.exeC:\Windows\system32\Ihmfco32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe76⤵PID:2560
-
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe77⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe78⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe79⤵PID:3168
-
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe80⤵PID:4264
-
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe81⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Kpnjah32.exeC:\Windows\system32\Kpnjah32.exe82⤵PID:5172
-
C:\Windows\SysWOW64\Klggli32.exeC:\Windows\system32\Klggli32.exe83⤵
- Drops file in System32 directory
PID:5220 -
C:\Windows\SysWOW64\Lcclncbh.exeC:\Windows\system32\Lcclncbh.exe84⤵PID:5264
-
C:\Windows\SysWOW64\Lhqefjpo.exeC:\Windows\system32\Lhqefjpo.exe85⤵PID:5308
-
C:\Windows\SysWOW64\Lakfeodm.exeC:\Windows\system32\Lakfeodm.exe86⤵
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Lancko32.exeC:\Windows\system32\Lancko32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5400 -
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe89⤵
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\Mjpjgj32.exeC:\Windows\system32\Mjpjgj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Nfgklkoc.exeC:\Windows\system32\Nfgklkoc.exe91⤵
- Drops file in System32 directory
PID:5576 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe92⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Nqaiecjd.exeC:\Windows\system32\Nqaiecjd.exe93⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Nbebbk32.exeC:\Windows\system32\Nbebbk32.exe95⤵
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Ojnfihmo.exeC:\Windows\system32\Ojnfihmo.exe96⤵PID:5800
-
C:\Windows\SysWOW64\Ofegni32.exeC:\Windows\system32\Ofegni32.exe97⤵
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Ocihgnam.exeC:\Windows\system32\Ocihgnam.exe98⤵PID:5888
-
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Omdieb32.exeC:\Windows\system32\Omdieb32.exe100⤵PID:5976
-
C:\Windows\SysWOW64\Ojhiogdd.exeC:\Windows\system32\Ojhiogdd.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6020 -
C:\Windows\SysWOW64\Pbcncibp.exeC:\Windows\system32\Pbcncibp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6064 -
C:\Windows\SysWOW64\Pmhbqbae.exeC:\Windows\system32\Pmhbqbae.exe103⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Pplhhm32.exeC:\Windows\system32\Pplhhm32.exe104⤵PID:5128
-
C:\Windows\SysWOW64\Qppaclio.exeC:\Windows\system32\Qppaclio.exe105⤵PID:5184
-
C:\Windows\SysWOW64\Qiiflaoo.exeC:\Windows\system32\Qiiflaoo.exe106⤵
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Amikgpcc.exeC:\Windows\system32\Amikgpcc.exe108⤵PID:5392
-
C:\Windows\SysWOW64\Ajmladbl.exeC:\Windows\system32\Ajmladbl.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5468 -
C:\Windows\SysWOW64\Afcmfe32.exeC:\Windows\system32\Afcmfe32.exe110⤵
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5588 -
C:\Windows\SysWOW64\Abmjqe32.exeC:\Windows\system32\Abmjqe32.exe112⤵PID:5652
-
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe114⤵PID:5792
-
C:\Windows\SysWOW64\Babcil32.exeC:\Windows\system32\Babcil32.exe115⤵PID:5880
-
C:\Windows\SysWOW64\Bbfmgd32.exeC:\Windows\system32\Bbfmgd32.exe116⤵
- Modifies registry class
PID:5940 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe119⤵PID:6140
-
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe120⤵PID:5208
-
C:\Windows\SysWOW64\Cgmhcaac.exeC:\Windows\system32\Cgmhcaac.exe121⤵
- Drops file in System32 directory
PID:5292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-