Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 03:52
Behavioral task
behavioral1
Sample
181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe
-
Size
143KB
-
MD5
181b6a13899ec15f78cfd79230bb4a70
-
SHA1
64f9e5b48cd49fd5113a447b00dcdc1117c9b417
-
SHA256
9e9671a977c6f79fa29694e92212878b308b5618f792d1603a46be41be92e3e3
-
SHA512
b37f5933695a8c1e22385548888b3787bd49c8806af6f08d2b58f227abd37a61c64e3ce7da3026d1b8b2df7bf34cc77bc1075a644c2cae00a108c9808920ede1
-
SSDEEP
1536:fS4pb0V66MEeAhbTtuZ4x0rGn0UQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:bSVjeY3Rx0rGn03N93bsGfhv0vt3y
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigollag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnhmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maaepd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjqgff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffggkgmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqikdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibccic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kknafn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalcng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknjmkdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihqmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icjmmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibojncfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbahlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlfigcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdfofakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjeddggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nceonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffekegon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhmdbnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkepnjng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndidbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjhlfhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjbcbqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphfpbdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbocea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpagm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laefdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakaql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmcdblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihicplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmklen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjolnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidipnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibojncfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fomonm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fopldmcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcgge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkjjblm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqiogp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpkbebbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpalp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbnboqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbanme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Habnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaimbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmfddnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgikfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmapha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fopldmcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hccglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhdmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpihai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnepih32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2012-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0009000000023387-6.dat family_berbew behavioral2/memory/2284-7-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000a000000023407-14.dat family_berbew behavioral2/memory/4664-15-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000023409-17.dat family_berbew behavioral2/files/0x000800000002340b-31.dat family_berbew behavioral2/memory/384-32-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023410-47.dat family_berbew behavioral2/memory/1388-52-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023412-54.dat family_berbew behavioral2/files/0x0007000000023414-63.dat family_berbew behavioral2/files/0x0007000000023416-71.dat family_berbew behavioral2/files/0x0007000000023418-80.dat family_berbew behavioral2/memory/4456-95-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/4124-96-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002341c-94.dat family_berbew behavioral2/memory/4484-104-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023420-111.dat family_berbew behavioral2/files/0x0007000000023424-127.dat family_berbew behavioral2/files/0x0007000000023426-135.dat family_berbew behavioral2/memory/1544-136-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/3776-128-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023428-143.dat family_berbew behavioral2/files/0x000700000002342c-159.dat family_berbew behavioral2/memory/1612-162-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023430-175.dat family_berbew behavioral2/memory/3440-176-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023432-183.dat family_berbew behavioral2/files/0x0007000000023436-198.dat family_berbew behavioral2/memory/2548-208-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002343c-222.dat family_berbew behavioral2/memory/3764-232-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023444-255.dat family_berbew behavioral2/files/0x0007000000023448-262.dat family_berbew behavioral2/memory/3416-278-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/2928-300-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002345e-329.dat family_berbew behavioral2/memory/2380-344-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002346a-365.dat family_berbew behavioral2/memory/2496-394-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/1560-404-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/896-422-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002347d-425.dat family_berbew behavioral2/memory/2352-430-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023491-492.dat family_berbew behavioral2/memory/1968-502-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/2012-538-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/3872-545-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/2584-556-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/512-576-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/5240-592-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/5288-598-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000234e8-791.dat family_berbew behavioral2/files/0x00070000000234ec-802.dat family_berbew behavioral2/files/0x0007000000023500-869.dat family_berbew behavioral2/files/0x000700000002350a-896.dat family_berbew behavioral2/files/0x000700000002350e-908.dat family_berbew behavioral2/files/0x0007000000023512-922.dat family_berbew behavioral2/files/0x000700000002353f-1071.dat family_berbew behavioral2/files/0x0007000000023524-981.dat family_berbew behavioral2/files/0x0007000000023545-1091.dat family_berbew behavioral2/files/0x0007000000023549-1105.dat family_berbew behavioral2/files/0x00070000000234e6-783.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2284 Fhajlc32.exe 4664 Fokbim32.exe 928 Ffekegon.exe 384 Fjqgff32.exe 2020 Fmocba32.exe 1388 Fqkocpod.exe 4996 Fomonm32.exe 4264 Fbllkh32.exe 1252 Ffggkgmk.exe 3716 Fifdgblo.exe 4456 Fmapha32.exe 4124 Fopldmcl.exe 4484 Fbnhphbp.exe 4864 Ffjdqg32.exe 2472 Fihqmb32.exe 3776 Fqohnp32.exe 1544 Fcnejk32.exe 4892 Fflaff32.exe 4808 Fjhmgeao.exe 1612 Fmficqpc.exe 1236 Fodeolof.exe 3440 Gcpapkgp.exe 3108 Gfnnlffc.exe 3136 Gqdbiofi.exe 4884 Gcbnejem.exe 2548 Gjlfbd32.exe 3320 Gmkbnp32.exe 4900 Gqfooodg.exe 3764 Gcekkjcj.exe 3896 Gfcgge32.exe 3636 Giacca32.exe 5044 Gqikdn32.exe 4288 Gcggpj32.exe 2344 Gbjhlfhb.exe 3416 Gidphq32.exe 4508 Gqkhjn32.exe 2908 Gcidfi32.exe 1712 Gbldaffp.exe 2928 Gjclbc32.exe 4448 Gmaioo32.exe 944 Gppekj32.exe 4660 Hboagf32.exe 3060 Hjfihc32.exe 4116 Hihicplj.exe 4160 Hapaemll.exe 2380 Hbanme32.exe 2052 Hjhfnccl.exe 380 Hmfbjnbp.exe 4480 Habnjm32.exe 5076 Hcqjfh32.exe 4184 Hbckbepg.exe 212 Hjjbcbqj.exe 544 Himcoo32.exe 5000 Hpgkkioa.exe 2496 Hccglh32.exe 1560 Hfachc32.exe 4260 Hippdo32.exe 3500 Hmklen32.exe 896 Hpihai32.exe 1428 Hbhdmd32.exe 2352 Hjolnb32.exe 4816 Haidklda.exe 4544 Icgqggce.exe 4596 Iffmccbi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kmnjhioc.exe Kkpnlm32.exe File created C:\Windows\SysWOW64\Mpkbebbf.exe Mnlfigcc.exe File created C:\Windows\SysWOW64\Nbhkac32.exe Njacpf32.exe File created C:\Windows\SysWOW64\Fjqgff32.exe Ffekegon.exe File created C:\Windows\SysWOW64\Lpdcae32.dll Fmapha32.exe File created C:\Windows\SysWOW64\Ibilnj32.dll Hbanme32.exe File created C:\Windows\SysWOW64\Hjolnb32.exe Hbhdmd32.exe File opened for modification C:\Windows\SysWOW64\Jmkdlkph.exe Jjmhppqd.exe File created C:\Windows\SysWOW64\Gfcgge32.exe Gcekkjcj.exe File created C:\Windows\SysWOW64\Gqikdn32.exe Giacca32.exe File created C:\Windows\SysWOW64\Hfkkgo32.dll Ibccic32.exe File opened for modification C:\Windows\SysWOW64\Lcgblncm.exe Lphfpbdi.exe File created C:\Windows\SysWOW64\Qcldhk32.dll Mgidml32.exe File created C:\Windows\SysWOW64\Ibadbaha.dll Hmklen32.exe File created C:\Windows\SysWOW64\Ppaaagol.dll Kdcijcke.exe File created C:\Windows\SysWOW64\Mbfppi32.dll Fokbim32.exe File created C:\Windows\SysWOW64\Hpbjkl32.dll Fcnejk32.exe File created C:\Windows\SysWOW64\Gqkhjn32.exe Gidphq32.exe File created C:\Windows\SysWOW64\Eagncfoj.dll Gppekj32.exe File opened for modification C:\Windows\SysWOW64\Hihicplj.exe Hjfihc32.exe File created C:\Windows\SysWOW64\Kknafn32.exe Kbfiep32.exe File created C:\Windows\SysWOW64\Nkqpjidj.exe Ncihikcg.exe File created C:\Windows\SysWOW64\Kbmebabl.dll Iiffen32.exe File created C:\Windows\SysWOW64\Ifmcdblq.exe Ibagcc32.exe File opened for modification C:\Windows\SysWOW64\Mdmegp32.exe Maohkd32.exe File opened for modification C:\Windows\SysWOW64\Gmkbnp32.exe Gjlfbd32.exe File opened for modification C:\Windows\SysWOW64\Jbhmdbnp.exe Jdemhe32.exe File created C:\Windows\SysWOW64\Ibimpp32.dll Jdhine32.exe File opened for modification C:\Windows\SysWOW64\Lkiqbl32.exe Lcbiao32.exe File created C:\Windows\SysWOW64\Mjeddggd.exe Mgghhlhq.exe File created C:\Windows\SysWOW64\Bademghm.dll Fmocba32.exe File opened for modification C:\Windows\SysWOW64\Fifdgblo.exe Ffggkgmk.exe File opened for modification C:\Windows\SysWOW64\Jibeql32.exe Jbhmdbnp.exe File opened for modification C:\Windows\SysWOW64\Laalifad.exe Lnepih32.exe File opened for modification C:\Windows\SysWOW64\Mdpalp32.exe Maaepd32.exe File opened for modification C:\Windows\SysWOW64\Gbldaffp.exe Gcidfi32.exe File created C:\Windows\SysWOW64\Ngcgcjnc.exe Nddkgonp.exe File opened for modification C:\Windows\SysWOW64\Ncihikcg.exe Ndghmo32.exe File opened for modification C:\Windows\SysWOW64\Mkpgck32.exe Mdfofakp.exe File created C:\Windows\SysWOW64\Fihqmb32.exe Ffjdqg32.exe File created C:\Windows\SysWOW64\Fqohnp32.exe Fihqmb32.exe File created C:\Windows\SysWOW64\Fcnejk32.exe Fqohnp32.exe File created C:\Windows\SysWOW64\Imppcc32.dll Kkbkamnl.exe File created C:\Windows\SysWOW64\Efhikhod.dll Liekmj32.exe File created C:\Windows\SysWOW64\Mcnhmm32.exe Mpolqa32.exe File opened for modification C:\Windows\SysWOW64\Njljefql.exe Nkjjij32.exe File created C:\Windows\SysWOW64\Oeahce32.dll Gcekkjcj.exe File created C:\Windows\SysWOW64\Hapaemll.exe Hihicplj.exe File created C:\Windows\SysWOW64\Bbamkcqa.dll Hihicplj.exe File created C:\Windows\SysWOW64\Habnjm32.exe Hmfbjnbp.exe File created C:\Windows\SysWOW64\Ldmlpbbj.exe Lgikfn32.exe File created C:\Windows\SysWOW64\Fqkocpod.exe Fmocba32.exe File created C:\Windows\SysWOW64\Fmficqpc.exe Fjhmgeao.exe File created C:\Windows\SysWOW64\Bkmdbdbp.dll Gfcgge32.exe File created C:\Windows\SysWOW64\Lmbocjjm.dll Giacca32.exe File opened for modification C:\Windows\SysWOW64\Iakaql32.exe Iidipnal.exe File opened for modification C:\Windows\SysWOW64\Kkkdan32.exe Kbdmpqcb.exe File created C:\Windows\SysWOW64\Ddpfgd32.dll Nkqpjidj.exe File created C:\Windows\SysWOW64\Maohkd32.exe Mncmjfmk.exe File created C:\Windows\SysWOW64\Lcglnp32.dll Fmficqpc.exe File created C:\Windows\SysWOW64\Mngoghpn.dll Gmaioo32.exe File created C:\Windows\SysWOW64\Hboagf32.exe Gppekj32.exe File created C:\Windows\SysWOW64\Ifhiib32.exe Icjmmg32.exe File opened for modification C:\Windows\SysWOW64\Mcnhmm32.exe Mpolqa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6264 6796 WerFault.exe 279 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfcgge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll" Gfcgge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll" Hjfihc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fokbim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll" Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" Mgghhlhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibojncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll" Kbapjafe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmkbnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdhine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nddkgonp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll" Gjclbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcmofolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll" Lknjmkdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcklgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll" Ffggkgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpmfddnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkepnjng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll" Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll" Jpaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifhiib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmcdblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfhbppbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll" Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnocof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipqnahgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll" Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll" Jigollag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll" Mnocof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqfooodg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" Kmnjhioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll" Iidipnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikopmkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibccic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kagichjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdmegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll" Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll" Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll" Icjmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmnjhioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll" Gqfooodg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkgdml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjeddggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll" Gqikdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll" Hjjbcbqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcifkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll" Fifdgblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fflaff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjolnb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2284 2012 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 84 PID 2012 wrote to memory of 2284 2012 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 84 PID 2012 wrote to memory of 2284 2012 181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe 84 PID 2284 wrote to memory of 4664 2284 Fhajlc32.exe 85 PID 2284 wrote to memory of 4664 2284 Fhajlc32.exe 85 PID 2284 wrote to memory of 4664 2284 Fhajlc32.exe 85 PID 4664 wrote to memory of 928 4664 Fokbim32.exe 86 PID 4664 wrote to memory of 928 4664 Fokbim32.exe 86 PID 4664 wrote to memory of 928 4664 Fokbim32.exe 86 PID 928 wrote to memory of 384 928 Ffekegon.exe 87 PID 928 wrote to memory of 384 928 Ffekegon.exe 87 PID 928 wrote to memory of 384 928 Ffekegon.exe 87 PID 384 wrote to memory of 2020 384 Fjqgff32.exe 88 PID 384 wrote to memory of 2020 384 Fjqgff32.exe 88 PID 384 wrote to memory of 2020 384 Fjqgff32.exe 88 PID 2020 wrote to memory of 1388 2020 Fmocba32.exe 89 PID 2020 wrote to memory of 1388 2020 Fmocba32.exe 89 PID 2020 wrote to memory of 1388 2020 Fmocba32.exe 89 PID 1388 wrote to memory of 4996 1388 Fqkocpod.exe 90 PID 1388 wrote to memory of 4996 1388 Fqkocpod.exe 90 PID 1388 wrote to memory of 4996 1388 Fqkocpod.exe 90 PID 4996 wrote to memory of 4264 4996 Fomonm32.exe 91 PID 4996 wrote to memory of 4264 4996 Fomonm32.exe 91 PID 4996 wrote to memory of 4264 4996 Fomonm32.exe 91 PID 4264 wrote to memory of 1252 4264 Fbllkh32.exe 92 PID 4264 wrote to memory of 1252 4264 Fbllkh32.exe 92 PID 4264 wrote to memory of 1252 4264 Fbllkh32.exe 92 PID 1252 wrote to memory of 3716 1252 Ffggkgmk.exe 93 PID 1252 wrote to memory of 3716 1252 Ffggkgmk.exe 93 PID 1252 wrote to memory of 3716 1252 Ffggkgmk.exe 93 PID 3716 wrote to memory of 4456 3716 Fifdgblo.exe 94 PID 3716 wrote to memory of 4456 3716 Fifdgblo.exe 94 PID 3716 wrote to memory of 4456 3716 Fifdgblo.exe 94 PID 4456 wrote to memory of 4124 4456 Fmapha32.exe 95 PID 4456 wrote to memory of 4124 4456 Fmapha32.exe 95 PID 4456 wrote to memory of 4124 4456 Fmapha32.exe 95 PID 4124 wrote to memory of 4484 4124 Fopldmcl.exe 96 PID 4124 wrote to memory of 4484 4124 Fopldmcl.exe 96 PID 4124 wrote to memory of 4484 4124 Fopldmcl.exe 96 PID 4484 wrote to memory of 4864 4484 Fbnhphbp.exe 97 PID 4484 wrote to memory of 4864 4484 Fbnhphbp.exe 97 PID 4484 wrote to memory of 4864 4484 Fbnhphbp.exe 97 PID 4864 wrote to memory of 2472 4864 Ffjdqg32.exe 98 PID 4864 wrote to memory of 2472 4864 Ffjdqg32.exe 98 PID 4864 wrote to memory of 2472 4864 Ffjdqg32.exe 98 PID 2472 wrote to memory of 3776 2472 Fihqmb32.exe 99 PID 2472 wrote to memory of 3776 2472 Fihqmb32.exe 99 PID 2472 wrote to memory of 3776 2472 Fihqmb32.exe 99 PID 3776 wrote to memory of 1544 3776 Fqohnp32.exe 100 PID 3776 wrote to memory of 1544 3776 Fqohnp32.exe 100 PID 3776 wrote to memory of 1544 3776 Fqohnp32.exe 100 PID 1544 wrote to memory of 4892 1544 Fcnejk32.exe 101 PID 1544 wrote to memory of 4892 1544 Fcnejk32.exe 101 PID 1544 wrote to memory of 4892 1544 Fcnejk32.exe 101 PID 4892 wrote to memory of 4808 4892 Fflaff32.exe 102 PID 4892 wrote to memory of 4808 4892 Fflaff32.exe 102 PID 4892 wrote to memory of 4808 4892 Fflaff32.exe 102 PID 4808 wrote to memory of 1612 4808 Fjhmgeao.exe 104 PID 4808 wrote to memory of 1612 4808 Fjhmgeao.exe 104 PID 4808 wrote to memory of 1612 4808 Fjhmgeao.exe 104 PID 1612 wrote to memory of 1236 1612 Fmficqpc.exe 105 PID 1612 wrote to memory of 1236 1612 Fmficqpc.exe 105 PID 1612 wrote to memory of 1236 1612 Fmficqpc.exe 105 PID 1236 wrote to memory of 3440 1236 Fodeolof.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\181b6a13899ec15f78cfd79230bb4a70_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe23⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe24⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe25⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe26⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3764 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3636 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5044 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe34⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3416 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe37⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe39⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4448 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe43⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4116 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe46⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe48⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe51⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe52⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe54⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe55⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe57⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe58⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1428 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe63⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe64⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe65⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4152 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe69⤵
- Modifies registry class
PID:3364 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe70⤵
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe71⤵PID:3580
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe72⤵
- Modifies registry class
PID:4308 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe74⤵PID:1968
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe76⤵PID:2364
-
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe77⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe79⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe80⤵PID:3148
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe81⤵PID:3872
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe84⤵
- Modifies registry class
PID:3940 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe85⤵PID:512
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe86⤵
- Drops file in System32 directory
PID:5148 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe87⤵
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe88⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe90⤵PID:5332
-
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5372 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5460 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe94⤵PID:5504
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe95⤵PID:5548
-
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe96⤵PID:5584
-
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe97⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe98⤵
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe100⤵PID:5764
-
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe101⤵
- Modifies registry class
PID:5800 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe103⤵
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe104⤵PID:5940
-
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe105⤵PID:5992
-
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe106⤵
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe107⤵PID:6116
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe108⤵PID:5180
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe109⤵PID:2160
-
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe110⤵
- Drops file in System32 directory
PID:4712 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe111⤵PID:5408
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe112⤵PID:5484
-
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe113⤵PID:5524
-
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe114⤵
- Drops file in System32 directory
PID:5576 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe115⤵
- Drops file in System32 directory
PID:5640 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe117⤵PID:5740
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe118⤵
- Modifies registry class
PID:5808 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe119⤵
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe120⤵
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe121⤵
- Drops file in System32 directory
PID:6004 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe122⤵
- Modifies registry class
PID:6104
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-