Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 09:53
Behavioral task
behavioral1
Sample
538d03890fe41037ea8231f2e583e980_NEIKI.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
538d03890fe41037ea8231f2e583e980_NEIKI.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
538d03890fe41037ea8231f2e583e980_NEIKI.exe
-
Size
208KB
-
MD5
538d03890fe41037ea8231f2e583e980
-
SHA1
ece9210a488d437e01470095940c8adcad9a2d36
-
SHA256
f90a6ffa7a94fc215305c1e893ade2158eba658954a3f66e9664e90e85d4febb
-
SHA512
5cd6af31a1010dc27eeeedd1a51a76dec00bcac15316c8f91b26aa4900d6968325488c2d97f62b87cd39964b1841a4c1934bdcd5ec174039c153a5aa001d2864
-
SSDEEP
6144:/yR3SMFHwnDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:/ygyChtMtkM71r1MSXqPix55Kx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjhbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkfblfab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmijbcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejoomhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knbiofhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekpmbddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eejjjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpqodfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhoqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfoafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afghneoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abponp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnoklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afgacokc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngaionfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdffbake.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqilgmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkcadhgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbnmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiefcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpiafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iicbehnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgjljpkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhihdcbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikbnacmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alabgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aompak32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000c000000023b9d-6.dat family_berbew behavioral2/files/0x000a000000023baa-14.dat family_berbew behavioral2/files/0x000a000000023bac-17.dat family_berbew behavioral2/files/0x000a000000023bae-30.dat family_berbew behavioral2/files/0x000a000000023bb1-38.dat family_berbew behavioral2/files/0x000a000000023bb3-46.dat family_berbew behavioral2/files/0x0031000000023bb5-54.dat family_berbew behavioral2/files/0x000a000000023bb7-62.dat family_berbew behavioral2/files/0x000a000000023bb9-70.dat family_berbew behavioral2/files/0x000a000000023bbb-78.dat family_berbew behavioral2/files/0x000a000000023bbd-86.dat family_berbew behavioral2/files/0x000a000000023bbf-89.dat family_berbew behavioral2/files/0x000a000000023bc1-102.dat family_berbew behavioral2/files/0x000a000000023bc3-110.dat family_berbew behavioral2/files/0x000a000000023bc5-118.dat family_berbew behavioral2/files/0x000a000000023bc7-126.dat family_berbew behavioral2/files/0x000a000000023bc9-134.dat family_berbew behavioral2/files/0x000a000000023bcb-142.dat family_berbew behavioral2/files/0x000a000000023bcd-150.dat family_berbew behavioral2/files/0x000a000000023bcf-158.dat family_berbew behavioral2/files/0x000b000000023ba7-166.dat family_berbew behavioral2/files/0x000a000000023bd2-174.dat family_berbew behavioral2/files/0x000a000000023bd5-182.dat family_berbew behavioral2/files/0x000a000000023bd7-190.dat family_berbew behavioral2/files/0x000a000000023bd9-198.dat family_berbew behavioral2/files/0x000a000000023bdb-206.dat family_berbew behavioral2/files/0x000a000000023bdd-214.dat family_berbew behavioral2/files/0x000b000000023bdf-223.dat family_berbew behavioral2/files/0x000a000000023be8-231.dat family_berbew behavioral2/files/0x0008000000023bf8-238.dat family_berbew behavioral2/files/0x0009000000023bfe-246.dat family_berbew behavioral2/files/0x000e000000023c03-255.dat family_berbew behavioral2/files/0x0007000000023cd0-515.dat family_berbew behavioral2/files/0x0007000000023cd4-527.dat family_berbew behavioral2/files/0x0007000000023cdb-551.dat family_berbew behavioral2/files/0x0007000000023d04-689.dat family_berbew behavioral2/files/0x0007000000023d08-703.dat family_berbew behavioral2/files/0x0007000000023d0e-724.dat family_berbew behavioral2/files/0x0007000000023d22-791.dat family_berbew behavioral2/files/0x0007000000023d26-805.dat family_berbew behavioral2/files/0x0007000000023d32-845.dat family_berbew behavioral2/files/0x0007000000023d38-866.dat family_berbew behavioral2/files/0x0007000000023d46-919.dat family_berbew behavioral2/files/0x0007000000023d4e-947.dat family_berbew behavioral2/files/0x0007000000023d50-955.dat family_berbew behavioral2/files/0x0007000000023d5a-987.dat family_berbew behavioral2/files/0x0007000000023d6a-1043.dat family_berbew behavioral2/files/0x0007000000023d77-1083.dat family_berbew behavioral2/files/0x0007000000023d79-1091.dat family_berbew behavioral2/files/0x0007000000023d7d-1104.dat family_berbew behavioral2/files/0x0007000000023d85-1131.dat family_berbew behavioral2/files/0x0007000000023d89-1142.dat family_berbew behavioral2/files/0x0007000000023d95-1181.dat family_berbew behavioral2/files/0x0007000000023da1-1218.dat family_berbew behavioral2/files/0x0007000000023da7-1239.dat family_berbew behavioral2/files/0x0007000000023dab-1253.dat family_berbew behavioral2/files/0x0007000000023daf-1266.dat family_berbew behavioral2/files/0x0007000000023db3-1279.dat family_berbew behavioral2/files/0x0007000000023dbf-1320.dat family_berbew behavioral2/files/0x0008000000023dc7-1341.dat family_berbew behavioral2/files/0x0007000000023dce-1369.dat family_berbew behavioral2/files/0x0007000000023ddc-1417.dat family_berbew behavioral2/files/0x0007000000023dfa-1550.dat family_berbew behavioral2/files/0x0007000000023e25-1687.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4052 Jpgdbg32.exe 4516 Jjmhppqd.exe 3688 Jiphkm32.exe 32 Jagqlj32.exe 1480 Jjpeepnb.exe 4932 Jplmmfmi.exe 2644 Jfffjqdf.exe 2080 Jaljgidl.exe 4192 Jdjfcecp.exe 1716 Jkdnpo32.exe 2996 Jpaghf32.exe 3096 Jfkoeppq.exe 2520 Kmegbjgn.exe 4772 Kbapjafe.exe 4304 Kilhgk32.exe 1376 Kdaldd32.exe 2844 Kinemkko.exe 1196 Kmjqmi32.exe 1892 Kbfiep32.exe 2216 Kknafn32.exe 4808 Kcifkp32.exe 1652 Kibnhjgj.exe 1636 Kdhbec32.exe 2420 Kkbkamnl.exe 2428 Lalcng32.exe 1048 Lgikfn32.exe 2552 Laopdgcg.exe 1976 Lgkhlnbn.exe 4856 Lkgdml32.exe 3904 Lpcmec32.exe 3844 Ldohebqh.exe 4292 Lkiqbl32.exe 3332 Lilanioo.exe 1248 Laciofpa.exe 1756 Lpfijcfl.exe 4424 Lgpagm32.exe 3424 Lklnhlfb.exe 1624 Laefdf32.exe 3960 Lddbqa32.exe 3492 Lgbnmm32.exe 5088 Mjqjih32.exe 3836 Mnlfigcc.exe 1748 Mdfofakp.exe 4532 Mciobn32.exe 4460 Mjcgohig.exe 3988 Majopeii.exe 4352 Mdiklqhm.exe 3912 Mgghhlhq.exe 3000 Mjeddggd.exe 3968 Mamleegg.exe 3648 Mdkhapfj.exe 3204 Mgidml32.exe 1380 Maohkd32.exe 1980 Mcpebmkb.exe 4548 Mnfipekh.exe 4864 Nnolfdcn.exe 4572 Nggqoj32.exe 1212 Njfmke32.exe 4336 Nbmelbid.exe 1584 Ndkahnhh.exe 1524 Okeieh32.exe 4948 Ondeac32.exe 3664 Odnnnnfe.exe 2928 Okhfjh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bldgdago.exe Bdmpcdfm.exe File created C:\Windows\SysWOW64\Ggnedlao.exe Gdoihpbk.exe File created C:\Windows\SysWOW64\Lpefcn32.dll Process not Found File created C:\Windows\SysWOW64\Pccahbmn.exe Process not Found File created C:\Windows\SysWOW64\Bmijpchc.dll Process not Found File created C:\Windows\SysWOW64\Akeodedd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Foclgq32.exe Process not Found File created C:\Windows\SysWOW64\Oileggkb.exe Ocamjm32.exe File created C:\Windows\SysWOW64\Ggebqoki.dll Fmjaphek.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Process not Found File created C:\Windows\SysWOW64\Beapme32.dll Odocigqg.exe File created C:\Windows\SysWOW64\Mglfplgk.exe Lmgabcge.exe File opened for modification C:\Windows\SysWOW64\Pccahbmn.exe Process not Found File created C:\Windows\SysWOW64\Knegmo32.dll Ohlimd32.exe File created C:\Windows\SysWOW64\Jbaojpgb.exe Jjjghcfp.exe File created C:\Windows\SysWOW64\Ahippdbe.exe Process not Found File created C:\Windows\SysWOW64\Iogkekkb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iehmmb32.exe Process not Found File created C:\Windows\SysWOW64\Jpgmha32.exe Jmhale32.exe File created C:\Windows\SysWOW64\Paoollik.exe Process not Found File created C:\Windows\SysWOW64\Gbdhjm32.dll Ngbpidjh.exe File opened for modification C:\Windows\SysWOW64\Pidabppl.exe Pamiaboj.exe File created C:\Windows\SysWOW64\Qkdbgdbg.dll Gmcdffmq.exe File opened for modification C:\Windows\SysWOW64\Oqhoeb32.exe Process not Found File created C:\Windows\SysWOW64\Dqklch32.dll Pcmeke32.exe File created C:\Windows\SysWOW64\Bnmoijje.exe Process not Found File created C:\Windows\SysWOW64\Bobcpmfc.exe Bldgdago.exe File created C:\Windows\SysWOW64\Gpgind32.exe Process not Found File created C:\Windows\SysWOW64\Gicaifkq.dll Idcepgmg.exe File opened for modification C:\Windows\SysWOW64\Pldcjeia.exe Process not Found File created C:\Windows\SysWOW64\Jphkkpbp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nqpcjj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lfkaag32.exe Ldleel32.exe File created C:\Windows\SysWOW64\Ppajlp32.dll Mlmbfqoj.exe File created C:\Windows\SysWOW64\Eqlfhjig.exe Process not Found File created C:\Windows\SysWOW64\Gbbajjlp.exe Process not Found File created C:\Windows\SysWOW64\Fbbnpn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fdlnbm32.exe Flqimk32.exe File created C:\Windows\SysWOW64\Ogjkhmfa.dll Hkbdki32.exe File opened for modification C:\Windows\SysWOW64\Ojoign32.exe Ocdqjceo.exe File created C:\Windows\SysWOW64\Jgakbm32.exe Jkkjmlan.exe File created C:\Windows\SysWOW64\Bcodim32.dll Nknobkje.exe File created C:\Windows\SysWOW64\Igliicdk.dll Aoabad32.exe File created C:\Windows\SysWOW64\Gbabigfj.exe Gpcfmkff.exe File opened for modification C:\Windows\SysWOW64\Mnpabe32.exe Process not Found File created C:\Windows\SysWOW64\Eaklidoi.exe Ekacmjgl.exe File opened for modification C:\Windows\SysWOW64\Eemnjbaj.exe Ecoangbg.exe File created C:\Windows\SysWOW64\Npdopj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Chlflabp.exe Process not Found File created C:\Windows\SysWOW64\Gppcmeem.exe Process not Found File created C:\Windows\SysWOW64\Qkipkani.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gemkelcd.exe Process not Found File created C:\Windows\SysWOW64\Mljmhflh.exe Process not Found File created C:\Windows\SysWOW64\Nkbjac32.dll Kpjcdn32.exe File opened for modification C:\Windows\SysWOW64\Opadhb32.exe Ohjlgefb.exe File opened for modification C:\Windows\SysWOW64\Odoogi32.exe Process not Found File created C:\Windows\SysWOW64\Jfkoeppq.exe Jpaghf32.exe File created C:\Windows\SysWOW64\Occomh32.dll Ealkjh32.exe File opened for modification C:\Windows\SysWOW64\Hnfjbdmk.exe Hglaej32.exe File opened for modification C:\Windows\SysWOW64\Hbihjifh.exe Process not Found File created C:\Windows\SysWOW64\Nblolm32.exe Process not Found File created C:\Windows\SysWOW64\Ooajidfn.dll Jfoiokfb.exe File created C:\Windows\SysWOW64\Fibojhim.exe Fgdbnmji.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3096 3080 Process not Found 1706 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcejfha.dll" Fdcjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhknpmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Embddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igigla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dojcgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnhjohkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbackgod.dll" Cidjbmcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhdohp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdmpcdfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejdocm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Midfokpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdokpl32.dll" Maodigil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjgecbe.dll" Paegjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmnagpbq.dll" Jkodhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okogahgo.dll" Acgolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebafce32.dll" Fmgejhgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjeaofg.dll" Bqilgmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efjimhnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lldfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpeeehm.dll" Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpbqoqg.dll" Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll" Kknafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odnnnnfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkegm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglblmfn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll" Lgmngglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofmkc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebooppnl.dll" Okjbpglo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmdqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkpbin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpablkhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebldil.dll" Nbcjnilj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 184 wrote to memory of 4052 184 538d03890fe41037ea8231f2e583e980_NEIKI.exe 84 PID 184 wrote to memory of 4052 184 538d03890fe41037ea8231f2e583e980_NEIKI.exe 84 PID 184 wrote to memory of 4052 184 538d03890fe41037ea8231f2e583e980_NEIKI.exe 84 PID 4052 wrote to memory of 4516 4052 Jpgdbg32.exe 85 PID 4052 wrote to memory of 4516 4052 Jpgdbg32.exe 85 PID 4052 wrote to memory of 4516 4052 Jpgdbg32.exe 85 PID 4516 wrote to memory of 3688 4516 Jjmhppqd.exe 86 PID 4516 wrote to memory of 3688 4516 Jjmhppqd.exe 86 PID 4516 wrote to memory of 3688 4516 Jjmhppqd.exe 86 PID 3688 wrote to memory of 32 3688 Jiphkm32.exe 87 PID 3688 wrote to memory of 32 3688 Jiphkm32.exe 87 PID 3688 wrote to memory of 32 3688 Jiphkm32.exe 87 PID 32 wrote to memory of 1480 32 Jagqlj32.exe 88 PID 32 wrote to memory of 1480 32 Jagqlj32.exe 88 PID 32 wrote to memory of 1480 32 Jagqlj32.exe 88 PID 1480 wrote to memory of 4932 1480 Jjpeepnb.exe 89 PID 1480 wrote to memory of 4932 1480 Jjpeepnb.exe 89 PID 1480 wrote to memory of 4932 1480 Jjpeepnb.exe 89 PID 4932 wrote to memory of 2644 4932 Jplmmfmi.exe 90 PID 4932 wrote to memory of 2644 4932 Jplmmfmi.exe 90 PID 4932 wrote to memory of 2644 4932 Jplmmfmi.exe 90 PID 2644 wrote to memory of 2080 2644 Jfffjqdf.exe 91 PID 2644 wrote to memory of 2080 2644 Jfffjqdf.exe 91 PID 2644 wrote to memory of 2080 2644 Jfffjqdf.exe 91 PID 2080 wrote to memory of 4192 2080 Jaljgidl.exe 92 PID 2080 wrote to memory of 4192 2080 Jaljgidl.exe 92 PID 2080 wrote to memory of 4192 2080 Jaljgidl.exe 92 PID 4192 wrote to memory of 1716 4192 Jdjfcecp.exe 93 PID 4192 wrote to memory of 1716 4192 Jdjfcecp.exe 93 PID 4192 wrote to memory of 1716 4192 Jdjfcecp.exe 93 PID 1716 wrote to memory of 2996 1716 Jkdnpo32.exe 94 PID 1716 wrote to memory of 2996 1716 Jkdnpo32.exe 94 PID 1716 wrote to memory of 2996 1716 Jkdnpo32.exe 94 PID 2996 wrote to memory of 3096 2996 Jpaghf32.exe 95 PID 2996 wrote to memory of 3096 2996 Jpaghf32.exe 95 PID 2996 wrote to memory of 3096 2996 Jpaghf32.exe 95 PID 3096 wrote to memory of 2520 3096 Jfkoeppq.exe 96 PID 3096 wrote to memory of 2520 3096 Jfkoeppq.exe 96 PID 3096 wrote to memory of 2520 3096 Jfkoeppq.exe 96 PID 2520 wrote to memory of 4772 2520 Kmegbjgn.exe 97 PID 2520 wrote to memory of 4772 2520 Kmegbjgn.exe 97 PID 2520 wrote to memory of 4772 2520 Kmegbjgn.exe 97 PID 4772 wrote to memory of 4304 4772 Kbapjafe.exe 99 PID 4772 wrote to memory of 4304 4772 Kbapjafe.exe 99 PID 4772 wrote to memory of 4304 4772 Kbapjafe.exe 99 PID 4304 wrote to memory of 1376 4304 Kilhgk32.exe 100 PID 4304 wrote to memory of 1376 4304 Kilhgk32.exe 100 PID 4304 wrote to memory of 1376 4304 Kilhgk32.exe 100 PID 1376 wrote to memory of 2844 1376 Kdaldd32.exe 101 PID 1376 wrote to memory of 2844 1376 Kdaldd32.exe 101 PID 1376 wrote to memory of 2844 1376 Kdaldd32.exe 101 PID 2844 wrote to memory of 1196 2844 Kinemkko.exe 103 PID 2844 wrote to memory of 1196 2844 Kinemkko.exe 103 PID 2844 wrote to memory of 1196 2844 Kinemkko.exe 103 PID 1196 wrote to memory of 1892 1196 Kmjqmi32.exe 104 PID 1196 wrote to memory of 1892 1196 Kmjqmi32.exe 104 PID 1196 wrote to memory of 1892 1196 Kmjqmi32.exe 104 PID 1892 wrote to memory of 2216 1892 Kbfiep32.exe 105 PID 1892 wrote to memory of 2216 1892 Kbfiep32.exe 105 PID 1892 wrote to memory of 2216 1892 Kbfiep32.exe 105 PID 2216 wrote to memory of 4808 2216 Kknafn32.exe 106 PID 2216 wrote to memory of 4808 2216 Kknafn32.exe 106 PID 2216 wrote to memory of 4808 2216 Kknafn32.exe 106 PID 4808 wrote to memory of 1652 4808 Kcifkp32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\538d03890fe41037ea8231f2e583e980_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\538d03890fe41037ea8231f2e583e980_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe23⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe24⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe25⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe26⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe27⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe28⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe29⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe30⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe31⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe32⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe33⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe34⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe35⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe36⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe37⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe38⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe39⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe40⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe42⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe43⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe44⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe45⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe46⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe47⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe48⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe49⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe50⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe51⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe52⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe53⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe54⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe55⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe56⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe57⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe58⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe59⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe60⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe61⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe62⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe63⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe65⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe66⤵PID:888
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe67⤵PID:1608
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe68⤵PID:1436
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe69⤵
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe70⤵PID:1800
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe71⤵PID:4852
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe72⤵PID:1688
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe73⤵PID:3364
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe74⤵PID:4508
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe75⤵PID:2960
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe76⤵PID:4392
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe77⤵PID:3252
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe78⤵PID:1828
-
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe79⤵PID:3848
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe80⤵PID:1132
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe81⤵PID:3796
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe82⤵PID:1264
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe83⤵PID:4456
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1476 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe85⤵PID:2832
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe86⤵PID:4616
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe87⤵PID:1564
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe88⤵PID:2432
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe89⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe90⤵PID:5172
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe91⤵PID:5228
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe92⤵PID:5296
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe93⤵PID:5368
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe94⤵PID:5420
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe95⤵PID:5484
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe96⤵PID:5560
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe97⤵PID:5612
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe98⤵PID:5652
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe99⤵PID:5704
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe100⤵PID:5744
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe101⤵PID:5800
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe102⤵PID:5844
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5904 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe104⤵PID:5948
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe105⤵PID:5992
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe106⤵PID:6036
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe107⤵PID:6084
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe108⤵PID:6124
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe109⤵PID:5136
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe110⤵PID:5216
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe111⤵PID:5316
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe112⤵PID:5408
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe113⤵PID:5520
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe114⤵PID:5636
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe115⤵PID:5692
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe116⤵PID:5760
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe117⤵PID:5836
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe118⤵PID:5912
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe119⤵PID:5988
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe120⤵PID:6056
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe121⤵PID:6108
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-