Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
03/06/2024, 05:43
Behavioral task
behavioral1
Sample
9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe
-
Size
128KB
-
MD5
9d7fcb23799320643f6ccbd925ed9a30
-
SHA1
36bdca0d96140c0be873199e5c8647f2e7e902f3
-
SHA256
b0aba5f6695c30279425d442f16b91dc849a3b070a84d75c0c8dcd54123a5989
-
SHA512
fc8964969dcc8b61818d3190dff6f83eb0da6f24a282fd60cc9dd8faffdec7abef71515927d51b12e0e4c8622b9b0b000fcab7a5e82f6acbb7bb64364dd6f79b
-
SSDEEP
1536:qomisaVH4SxfUmMg/BF9mIByr9JtxHKJgReW5RQDORfRa9HprmRfRJCLIXG:qmvHdh/9oH5peDO5wkpHxG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aekodi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhggmchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qabcjgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofdcjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmjfdejp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbdnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nceclqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klqfhbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcnhjnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanopipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alhjai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oelmai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Globlmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkndaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbfdmeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiakjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgpappk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chbjffad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pminkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amkpegnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafecmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgbggnhc.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/756-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000b0000000149f5-5.dat family_berbew behavioral1/memory/756-6-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/memory/2536-14-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0008000000015605-20.dat family_berbew behavioral1/memory/2536-22-0x00000000002D0000-0x0000000000311000-memory.dmp family_berbew behavioral1/memory/2664-28-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0007000000015626-34.dat family_berbew behavioral1/memory/2664-37-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/files/0x000a000000015c52-50.dat family_berbew behavioral1/memory/2580-54-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0007000000015c78-60.dat family_berbew behavioral1/memory/2580-62-0x00000000002A0000-0x00000000002E1000-memory.dmp family_berbew behavioral1/files/0x0007000000015c9f-73.dat family_berbew behavioral1/files/0x0006000000015cce-93.dat family_berbew behavioral1/memory/2524-99-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015cf6-108.dat family_berbew behavioral1/files/0x0006000000015d07-113.dat family_berbew behavioral1/memory/2992-107-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015d1a-126.dat family_berbew behavioral1/files/0x0006000000015d31-146.dat family_berbew behavioral1/memory/2968-159-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015f7a-171.dat family_berbew behavioral1/files/0x0006000000016448-199.dat family_berbew behavioral1/files/0x00060000000165ae-212.dat family_berbew behavioral1/files/0x0006000000016ca5-249.dat family_berbew behavioral1/memory/992-248-0x0000000000290000-0x00000000002D1000-memory.dmp family_berbew behavioral1/memory/844-253-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016cbe-262.dat family_berbew behavioral1/memory/1840-265-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1140-276-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016d57-293.dat family_berbew behavioral1/memory/1056-308-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016fed-314.dat family_berbew behavioral1/files/0x0006000000017371-327.dat family_berbew behavioral1/memory/2592-339-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2652-365-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000018717-377.dat family_berbew behavioral1/files/0x0006000000018fbf-399.dat family_berbew behavioral1/memory/2712-404-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2776-415-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00050000000191c8-434.dat family_berbew behavioral1/files/0x00050000000191dd-443.dat family_berbew behavioral1/files/0x0005000000019216-465.dat family_berbew behavioral1/memory/2304-492-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001932a-499.dat family_berbew behavioral1/files/0x00050000000193ab-506.dat family_berbew behavioral1/files/0x00050000000193dd-529.dat family_berbew behavioral1/files/0x0005000000019433-552.dat family_berbew behavioral1/files/0x00050000000194b1-577.dat family_berbew behavioral1/files/0x00050000000195bf-597.dat family_berbew behavioral1/files/0x00050000000199e7-609.dat family_berbew behavioral1/files/0x0005000000019a84-619.dat family_berbew behavioral1/files/0x0005000000019ecb-648.dat family_berbew behavioral1/files/0x000500000001a43b-771.dat family_berbew behavioral1/files/0x000500000001a456-816.dat family_berbew behavioral1/files/0x000500000001a462-860.dat family_berbew behavioral1/files/0x000500000001a476-922.dat family_berbew behavioral1/files/0x000500000001a47a-935.dat family_berbew behavioral1/files/0x000500000001a498-957.dat family_berbew behavioral1/files/0x000500000001c6e5-1007.dat family_berbew behavioral1/files/0x000500000001c6fd-1018.dat family_berbew behavioral1/files/0x000500000001c7f1-1080.dat family_berbew behavioral1/files/0x000500000001c7f9-1106.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2536 Kbhbom32.exe 2664 Klqfhbbe.exe 2600 Kanopipl.exe 2580 Lhggmchi.exe 2612 Loapim32.exe 2616 Lekhfgfc.exe 2524 Lhjdbcef.exe 2992 Lkhpnnej.exe 2160 Lmgmjjdn.exe 1972 Lhlqhb32.exe 2744 Lkkmdn32.exe 2968 Lmiipi32.exe 1376 Lkmjin32.exe 2068 Lipjejgp.exe 2016 Llnfaffc.exe 2224 Lpjbad32.exe 752 Lgdjnofi.exe 992 Lefkjkmc.exe 2424 Libgjj32.exe 844 Lplogdmj.exe 1840 Mgfgdn32.exe 1140 Mlcple32.exe 3068 Moalhq32.exe 2120 Maphdl32.exe 1056 Migpeiag.exe 1664 Mochnppo.exe 2172 Mabejlob.exe 2592 Mdqafgnf.exe 2604 Mhlmgf32.exe 2652 Mkjica32.exe 2516 Mnieom32.exe 2148 Mhnjle32.exe 2476 Mgajhbkg.exe 2712 Magnek32.exe 2776 Mdejaf32.exe 3004 Mkobnqan.exe 1592 Njbcim32.exe 1244 Nplkfgoe.exe 2064 Ndgggf32.exe 2848 Ngfcca32.exe 2232 Njdpomfe.exe 2304 Npnhlg32.exe 2228 Nghphaeo.exe 1680 Nnbhek32.exe 620 Nocemcbj.exe 1200 Ngkmnacm.exe 3044 Njiijlbp.exe 2340 Nlgefh32.exe 112 Nqcagfim.exe 1892 Ncancbha.exe 2908 Nbdnoo32.exe 2452 Nhnfkigh.exe 908 Nmjblg32.exe 2672 Nkmbgdfl.exe 2492 Ofbfdmeb.exe 2988 Omloag32.exe 2704 Okoomd32.exe 2952 Obigjnkf.exe 772 Ofdcjm32.exe 2132 Oicpfh32.exe 1432 Ogfpbeim.exe 1784 Oomhcbjp.exe 2036 Onphoo32.exe 2552 Oqndkj32.exe -
Loads dropped DLL 64 IoCs
pid Process 756 9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe 756 9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe 2536 Kbhbom32.exe 2536 Kbhbom32.exe 2664 Klqfhbbe.exe 2664 Klqfhbbe.exe 2600 Kanopipl.exe 2600 Kanopipl.exe 2580 Lhggmchi.exe 2580 Lhggmchi.exe 2612 Loapim32.exe 2612 Loapim32.exe 2616 Lekhfgfc.exe 2616 Lekhfgfc.exe 2524 Lhjdbcef.exe 2524 Lhjdbcef.exe 2992 Lkhpnnej.exe 2992 Lkhpnnej.exe 2160 Lmgmjjdn.exe 2160 Lmgmjjdn.exe 1972 Lhlqhb32.exe 1972 Lhlqhb32.exe 2744 Lkkmdn32.exe 2744 Lkkmdn32.exe 2968 Lmiipi32.exe 2968 Lmiipi32.exe 1376 Lkmjin32.exe 1376 Lkmjin32.exe 2068 Lipjejgp.exe 2068 Lipjejgp.exe 2016 Llnfaffc.exe 2016 Llnfaffc.exe 2224 Lpjbad32.exe 2224 Lpjbad32.exe 752 Lgdjnofi.exe 752 Lgdjnofi.exe 992 Lefkjkmc.exe 992 Lefkjkmc.exe 2424 Libgjj32.exe 2424 Libgjj32.exe 844 Lplogdmj.exe 844 Lplogdmj.exe 1840 Mgfgdn32.exe 1840 Mgfgdn32.exe 1140 Mlcple32.exe 1140 Mlcple32.exe 3068 Moalhq32.exe 3068 Moalhq32.exe 2120 Maphdl32.exe 2120 Maphdl32.exe 1056 Migpeiag.exe 1056 Migpeiag.exe 1664 Mochnppo.exe 1664 Mochnppo.exe 2172 Mabejlob.exe 2172 Mabejlob.exe 2592 Mdqafgnf.exe 2592 Mdqafgnf.exe 2604 Mhlmgf32.exe 2604 Mhlmgf32.exe 2652 Mkjica32.exe 2652 Mkjica32.exe 2516 Mnieom32.exe 2516 Mnieom32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kjcpii32.exe Kfgdhjmk.exe File opened for modification C:\Windows\SysWOW64\Ajejgp32.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Opiehf32.dll Ckoilb32.exe File opened for modification C:\Windows\SysWOW64\Oelmai32.exe Obnqem32.exe File opened for modification C:\Windows\SysWOW64\Qagcpljo.exe Qnigda32.exe File opened for modification C:\Windows\SysWOW64\Lgeceh32.dll Cbnbobin.exe File opened for modification C:\Windows\SysWOW64\Fjilieka.exe Fhkpmjln.exe File created C:\Windows\SysWOW64\Hgbebiao.exe Gphmeo32.exe File created C:\Windows\SysWOW64\Kijmee32.dll Nocnbmoo.exe File created C:\Windows\SysWOW64\Aodnnc32.dll Maphdl32.exe File opened for modification C:\Windows\SysWOW64\Gkddnkjk.dll Alenki32.exe File opened for modification C:\Windows\SysWOW64\Nolhan32.exe Mlmlecec.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Kkgmgmfd.exe Kgkafo32.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cahail32.exe File opened for modification C:\Windows\SysWOW64\Egafleqm.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Bdfggf32.dll Kbhbom32.exe File created C:\Windows\SysWOW64\Dfnfdcqd.dll Mpfkqb32.exe File created C:\Windows\SysWOW64\Apcfahio.exe Alhjai32.exe File created C:\Windows\SysWOW64\Lbnemk32.exe Lckdanld.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File opened for modification C:\Windows\SysWOW64\Coelaaoi.exe Bhkdeggl.exe File created C:\Windows\SysWOW64\Lpjbad32.exe Llnfaffc.exe File opened for modification C:\Windows\SysWOW64\Nnbhek32.exe Nghphaeo.exe File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kneicieh.exe File created C:\Windows\SysWOW64\Clkmne32.dll Fidoim32.exe File created C:\Windows\SysWOW64\Iklgpmjo.dll Ckignd32.exe File created C:\Windows\SysWOW64\Ogjbla32.dll Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Pflomnkb.exe Pcnbablo.exe File opened for modification C:\Windows\SysWOW64\Ehgppi32.exe Eqpgol32.exe File created C:\Windows\SysWOW64\Klealkpf.dll Lekhfgfc.exe File created C:\Windows\SysWOW64\Klaoplan.dll Jfghif32.exe File opened for modification C:\Windows\SysWOW64\Ojficpfn.exe Oghlgdgk.exe File created C:\Windows\SysWOW64\Ndpaod32.dll Jqdipqbp.exe File created C:\Windows\SysWOW64\Pmdmeemc.dll Pmqdkj32.exe File created C:\Windows\SysWOW64\Obafnlpn.exe Oobjaqaj.exe File opened for modification C:\Windows\SysWOW64\Mnieom32.exe Mkjica32.exe File opened for modification C:\Windows\SysWOW64\Piehkkcl.exe Peiljl32.exe File opened for modification C:\Windows\SysWOW64\Aadloj32.exe Aoepcn32.exe File opened for modification C:\Windows\SysWOW64\Dfffnn32.exe Dnoomqbg.exe File opened for modification C:\Windows\SysWOW64\Bjijdadm.exe Bkfjhd32.exe File created C:\Windows\SysWOW64\Ajlppdeb.dll Fckjalhj.exe File created C:\Windows\SysWOW64\Hkfmal32.dll Cpjiajeb.exe File created C:\Windows\SysWOW64\Ckccgane.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Pbmmcq32.exe Ppoqge32.exe File opened for modification C:\Windows\SysWOW64\Pigeqkai.exe Pelipl32.exe File created C:\Windows\SysWOW64\Medfkpfc.dll Pfbccp32.exe File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe Epdkli32.exe File created C:\Windows\SysWOW64\Qffmipmp.dll Enfenplo.exe File opened for modification C:\Windows\SysWOW64\Ahakmf32.exe Adeplhib.exe File opened for modification C:\Windows\SysWOW64\Cjdfmo32.exe Chbjffad.exe File created C:\Windows\SysWOW64\Lpdbloof.exe Lliflp32.exe File created C:\Windows\SysWOW64\Obdkcckg.dll Mmfbogcn.exe File created C:\Windows\SysWOW64\Neeeodef.dll Ofdcjm32.exe File created C:\Windows\SysWOW64\Ikpjgkjq.exe Igdogl32.exe File opened for modification C:\Windows\SysWOW64\Facdeo32.exe Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Kfbkmk32.exe Kcdnao32.exe File opened for modification C:\Windows\SysWOW64\Mhlmgf32.exe Mdqafgnf.exe File opened for modification C:\Windows\SysWOW64\Ogfpbeim.exe Oicpfh32.exe File created C:\Windows\SysWOW64\Abbmqhgj.dll Mgfgdn32.exe File created C:\Windows\SysWOW64\Cfgaiaci.exe Cbkeib32.exe File created C:\Windows\SysWOW64\Pbkafj32.dll Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Pmqdkj32.exe Piehkkcl.exe File created C:\Windows\SysWOW64\Kemejc32.exe Jbnhng32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6124 888 WerFault.exe 585 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedlancd.dll" Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbkhq32.dll" Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneqdoee.dll" Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofpfnqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbcnhjnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objbcm32.dll" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" Fnbkddem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moealbej.dll" Qljkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglegn32.dll" Anccmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mijgof32.dll" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll" Eccmffjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enhacojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkkmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcoccqf.dll" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgecelp.dll" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoich32.dll" Nacgdhlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajenen32.dll" Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gegfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejodhmc.dll" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjqde.dll" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahfd32.dll" Ahokfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effdfo32.dll" Libgjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enhacojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqcnfjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofpfnqjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 756 wrote to memory of 2536 756 9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe 28 PID 756 wrote to memory of 2536 756 9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe 28 PID 756 wrote to memory of 2536 756 9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe 28 PID 756 wrote to memory of 2536 756 9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe 28 PID 2536 wrote to memory of 2664 2536 Kbhbom32.exe 29 PID 2536 wrote to memory of 2664 2536 Kbhbom32.exe 29 PID 2536 wrote to memory of 2664 2536 Kbhbom32.exe 29 PID 2536 wrote to memory of 2664 2536 Kbhbom32.exe 29 PID 2664 wrote to memory of 2600 2664 Klqfhbbe.exe 30 PID 2664 wrote to memory of 2600 2664 Klqfhbbe.exe 30 PID 2664 wrote to memory of 2600 2664 Klqfhbbe.exe 30 PID 2664 wrote to memory of 2600 2664 Klqfhbbe.exe 30 PID 2600 wrote to memory of 2580 2600 Kanopipl.exe 31 PID 2600 wrote to memory of 2580 2600 Kanopipl.exe 31 PID 2600 wrote to memory of 2580 2600 Kanopipl.exe 31 PID 2600 wrote to memory of 2580 2600 Kanopipl.exe 31 PID 2580 wrote to memory of 2612 2580 Lhggmchi.exe 32 PID 2580 wrote to memory of 2612 2580 Lhggmchi.exe 32 PID 2580 wrote to memory of 2612 2580 Lhggmchi.exe 32 PID 2580 wrote to memory of 2612 2580 Lhggmchi.exe 32 PID 2612 wrote to memory of 2616 2612 Loapim32.exe 33 PID 2612 wrote to memory of 2616 2612 Loapim32.exe 33 PID 2612 wrote to memory of 2616 2612 Loapim32.exe 33 PID 2612 wrote to memory of 2616 2612 Loapim32.exe 33 PID 2616 wrote to memory of 2524 2616 Lekhfgfc.exe 34 PID 2616 wrote to memory of 2524 2616 Lekhfgfc.exe 34 PID 2616 wrote to memory of 2524 2616 Lekhfgfc.exe 34 PID 2616 wrote to memory of 2524 2616 Lekhfgfc.exe 34 PID 2524 wrote to memory of 2992 2524 Lhjdbcef.exe 35 PID 2524 wrote to memory of 2992 2524 Lhjdbcef.exe 35 PID 2524 wrote to memory of 2992 2524 Lhjdbcef.exe 35 PID 2524 wrote to memory of 2992 2524 Lhjdbcef.exe 35 PID 2992 wrote to memory of 2160 2992 Lkhpnnej.exe 36 PID 2992 wrote to memory of 2160 2992 Lkhpnnej.exe 36 PID 2992 wrote to memory of 2160 2992 Lkhpnnej.exe 36 PID 2992 wrote to memory of 2160 2992 Lkhpnnej.exe 36 PID 2160 wrote to memory of 1972 2160 Lmgmjjdn.exe 37 PID 2160 wrote to memory of 1972 2160 Lmgmjjdn.exe 37 PID 2160 wrote to memory of 1972 2160 Lmgmjjdn.exe 37 PID 2160 wrote to memory of 1972 2160 Lmgmjjdn.exe 37 PID 1972 wrote to memory of 2744 1972 Lhlqhb32.exe 38 PID 1972 wrote to memory of 2744 1972 Lhlqhb32.exe 38 PID 1972 wrote to memory of 2744 1972 Lhlqhb32.exe 38 PID 1972 wrote to memory of 2744 1972 Lhlqhb32.exe 38 PID 2744 wrote to memory of 2968 2744 Lkkmdn32.exe 39 PID 2744 wrote to memory of 2968 2744 Lkkmdn32.exe 39 PID 2744 wrote to memory of 2968 2744 Lkkmdn32.exe 39 PID 2744 wrote to memory of 2968 2744 Lkkmdn32.exe 39 PID 2968 wrote to memory of 1376 2968 Lmiipi32.exe 40 PID 2968 wrote to memory of 1376 2968 Lmiipi32.exe 40 PID 2968 wrote to memory of 1376 2968 Lmiipi32.exe 40 PID 2968 wrote to memory of 1376 2968 Lmiipi32.exe 40 PID 1376 wrote to memory of 2068 1376 Lkmjin32.exe 41 PID 1376 wrote to memory of 2068 1376 Lkmjin32.exe 41 PID 1376 wrote to memory of 2068 1376 Lkmjin32.exe 41 PID 1376 wrote to memory of 2068 1376 Lkmjin32.exe 41 PID 2068 wrote to memory of 2016 2068 Lipjejgp.exe 42 PID 2068 wrote to memory of 2016 2068 Lipjejgp.exe 42 PID 2068 wrote to memory of 2016 2068 Lipjejgp.exe 42 PID 2068 wrote to memory of 2016 2068 Lipjejgp.exe 42 PID 2016 wrote to memory of 2224 2016 Llnfaffc.exe 43 PID 2016 wrote to memory of 2224 2016 Llnfaffc.exe 43 PID 2016 wrote to memory of 2224 2016 Llnfaffc.exe 43 PID 2016 wrote to memory of 2224 2016 Llnfaffc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9d7fcb23799320643f6ccbd925ed9a30_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe33⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe34⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe35⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe36⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe37⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe38⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe39⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe40⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe41⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe42⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe43⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe45⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe46⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe47⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe48⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe49⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe50⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe51⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe53⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe54⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe58⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe59⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe62⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe63⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe64⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe65⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe66⤵PID:1184
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe67⤵PID:3052
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe68⤵
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe71⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:588 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe73⤵PID:1868
-
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe74⤵PID:2784
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe75⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe77⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe78⤵PID:1556
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe79⤵PID:868
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe80⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe81⤵PID:2560
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe83⤵PID:2928
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe84⤵PID:2164
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe85⤵PID:2280
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe86⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe87⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe88⤵PID:1588
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1204 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe90⤵PID:1548
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe91⤵PID:2676
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe93⤵PID:2844
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe94⤵PID:1524
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe95⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe96⤵PID:392
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe97⤵PID:2824
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe98⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe99⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe100⤵
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe101⤵
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe102⤵PID:1136
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe103⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe104⤵PID:2140
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe105⤵PID:2292
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe106⤵PID:2416
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe107⤵PID:1684
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe108⤵PID:2800
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe109⤵PID:680
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe110⤵PID:2252
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe112⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe113⤵PID:1264
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe114⤵
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe115⤵PID:604
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe116⤵PID:2556
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe117⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe119⤵PID:1444
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe120⤵PID:1492
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:1792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-