Analysis
-
max time kernel
143s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 15:22
Behavioral task
behavioral1
Sample
ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe
-
Size
664KB
-
MD5
ed01df66d5e1c13def6f76d4a197fe90
-
SHA1
90cf57d83632837377687c7608d7ffacac602298
-
SHA256
73b81b6d88b4de01f63d55c56c767d7fd83a9aa4e7535185adb286b67f71be7a
-
SHA512
6c9212042336c5a69bfafe3aef35a5100e76f0353d1520345d5b35686b7d3413992dded805b8bceeb28d97e232c85304bae609e81601b06daf2804824806fa43
-
SSDEEP
12288:wNhXhpV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjm:wNfW4XWleKWNUir2MhNl6zX3w9As/xOX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacbfdao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkncdifl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elagacbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmoliohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclakimb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadkpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmoibog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmqgnhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecbenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqikdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibojncfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapjlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmfddnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcklgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcdegnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqkocpod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcakg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpgdbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkkdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjhqjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdnpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldkojb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dephckaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbckbepg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipckgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhodq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjjod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmapha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakaql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majopeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpjqhgol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcgohig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Commqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gameonno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdaldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpalp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcgge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdjfcecp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkdggmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbkhfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcnhmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfihc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmjqmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbcakg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpihai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kknafn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehekqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fopldmcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jaljgidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbklj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbllkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkdnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpdelajl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capchmmb.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000023288-6.dat family_berbew behavioral2/files/0x000700000002340d-14.dat family_berbew behavioral2/files/0x000700000002340f-23.dat family_berbew behavioral2/files/0x0007000000023412-25.dat family_berbew behavioral2/files/0x0007000000023412-30.dat family_berbew behavioral2/files/0x0007000000023414-38.dat family_berbew behavioral2/files/0x0007000000023416-46.dat family_berbew behavioral2/files/0x0007000000023418-55.dat family_berbew behavioral2/files/0x000700000002341a-57.dat family_berbew behavioral2/files/0x000700000002341c-71.dat family_berbew behavioral2/files/0x000700000002341a-64.dat family_berbew behavioral2/files/0x000700000002341e-78.dat family_berbew behavioral2/files/0x0007000000023420-86.dat family_berbew behavioral2/files/0x0007000000023422-94.dat family_berbew behavioral2/files/0x0007000000023424-102.dat family_berbew behavioral2/files/0x0007000000023426-105.dat family_berbew behavioral2/files/0x0007000000023426-111.dat family_berbew behavioral2/files/0x0007000000023428-119.dat family_berbew behavioral2/files/0x000700000002342a-127.dat family_berbew behavioral2/files/0x000800000002340a-135.dat family_berbew behavioral2/files/0x000700000002342d-136.dat family_berbew behavioral2/files/0x0007000000023433-175.dat family_berbew behavioral2/files/0x0007000000023431-167.dat family_berbew behavioral2/files/0x000700000002342f-159.dat family_berbew behavioral2/files/0x000700000001d9e8-183.dat family_berbew behavioral2/files/0x0007000000023438-199.dat family_berbew behavioral2/files/0x000700000002343a-208.dat family_berbew behavioral2/files/0x000700000002343c-214.dat family_berbew behavioral2/files/0x0007000000023438-193.dat family_berbew behavioral2/files/0x0007000000023436-191.dat family_berbew behavioral2/files/0x0007000000023440-230.dat family_berbew behavioral2/files/0x0007000000023442-238.dat family_berbew behavioral2/files/0x0007000000023444-248.dat family_berbew behavioral2/files/0x0007000000023446-255.dat family_berbew behavioral2/files/0x000700000002345e-317.dat family_berbew behavioral2/files/0x000700000002347a-401.dat family_berbew behavioral2/files/0x000700000002347e-412.dat family_berbew behavioral2/files/0x00070000000234b1-566.dat family_berbew behavioral2/files/0x00070000000234c7-643.dat family_berbew behavioral2/files/0x00070000000234f5-799.dat family_berbew behavioral2/files/0x00070000000234eb-764.dat family_berbew behavioral2/files/0x000500000002295f-897.dat family_berbew behavioral2/files/0x000a00000002336b-910.dat family_berbew behavioral2/files/0x00070000000234df-724.dat family_berbew behavioral2/files/0x00070000000234dd-715.dat family_berbew behavioral2/files/0x00070000000234d1-676.dat family_berbew behavioral2/files/0x00070000000234b5-578.dat family_berbew behavioral2/files/0x000700000002351b-977.dat family_berbew behavioral2/files/0x00070000000234ad-552.dat family_berbew behavioral2/files/0x000700000002349b-497.dat family_berbew behavioral2/files/0x0007000000023495-479.dat family_berbew behavioral2/files/0x0007000000023521-994.dat family_berbew behavioral2/files/0x0007000000023487-436.dat family_berbew behavioral2/files/0x0007000000023472-377.dat family_berbew behavioral2/files/0x0007000000023525-1008.dat family_berbew behavioral2/files/0x0007000000023466-341.dat family_berbew behavioral2/files/0x0007000000023462-329.dat family_berbew behavioral2/files/0x000700000002344c-263.dat family_berbew behavioral2/files/0x000700000002343e-223.dat family_berbew behavioral2/files/0x000700000002342f-152.dat family_berbew behavioral2/files/0x0006000000022960-151.dat family_berbew behavioral2/files/0x000700000002354a-1130.dat family_berbew behavioral2/files/0x0007000000023554-1163.dat family_berbew behavioral2/files/0x000700000002357e-1302.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4860 Chnlihnl.exe 3556 Cccpfa32.exe 1532 Ceblbm32.exe 3004 Caimgncj.exe 3896 Clnadfbp.exe 3652 Commqb32.exe 724 Cibank32.exe 540 Camfbm32.exe 232 Chgoogfa.exe 516 Capchmmb.exe 2984 Doccaall.exe 2324 Dabpnlkp.exe 4260 Dephckaf.exe 1556 Dhnepfpj.exe 4404 Dpemacql.exe 3504 Dagiil32.exe 1444 Djnaji32.exe 768 Dhcnke32.exe 2372 Ehekqe32.exe 1200 Elagacbk.exe 3776 Eoocmoao.exe 4584 Eckonn32.exe 2100 Eqalmafo.exe 3880 Eodlho32.exe 5072 Ebbidj32.exe 8 Ejjqeg32.exe 2156 Ecbenm32.exe 3420 Fbgbpihg.exe 3612 Fjnjqfij.exe 2808 Fmmfmbhn.exe 1760 Ficgacna.exe 1972 Fqkocpod.exe 4748 Fbllkh32.exe 740 Fifdgblo.exe 1140 Fmapha32.exe 2972 Fopldmcl.exe 4688 Fbnhphbp.exe 4384 Fjepaecb.exe 1536 Fihqmb32.exe 644 Fqohnp32.exe 1096 Fobiilai.exe 4848 Fbqefhpm.exe 556 Fflaff32.exe 900 Fijmbb32.exe 4836 Fodeolof.exe 1960 Gbcakg32.exe 2848 Gimjhafg.exe 2948 Gqdbiofi.exe 3412 Gcbnejem.exe 3436 Gfqjafdq.exe 4572 Gmkbnp32.exe 4940 Gqfooodg.exe 1368 Gcekkjcj.exe 3220 Gfcgge32.exe 4712 Gmmocpjk.exe 4168 Gqikdn32.exe 1020 Gcggpj32.exe 2464 Gfedle32.exe 1388 Gjapmdid.exe 2748 Gmoliohh.exe 4976 Gcidfi32.exe 1980 Gmaioo32.exe 460 Gameonno.exe 1512 Hclakimb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpccnefa.exe Kmegbjgn.exe File created C:\Windows\SysWOW64\Fnelfilp.dll Maohkd32.exe File opened for modification C:\Windows\SysWOW64\Hjfihc32.exe Hclakimb.exe File opened for modification C:\Windows\SysWOW64\Hjjbcbqj.exe Hbckbepg.exe File opened for modification C:\Windows\SysWOW64\Jmkdlkph.exe Jiphkm32.exe File created C:\Windows\SysWOW64\Ghmfdf32.dll Jplmmfmi.exe File created C:\Windows\SysWOW64\Jmbklj32.exe Jigollag.exe File created C:\Windows\SysWOW64\Ejjqeg32.exe Ebbidj32.exe File created C:\Windows\SysWOW64\Hpihai32.exe Hjmoibog.exe File opened for modification C:\Windows\SysWOW64\Jmpngk32.exe Jjbako32.exe File created C:\Windows\SysWOW64\Kilhgk32.exe Kgmlkp32.exe File opened for modification C:\Windows\SysWOW64\Mcklgm32.exe Mpmokb32.exe File created C:\Windows\SysWOW64\Iljnde32.dll Jfkoeppq.exe File created C:\Windows\SysWOW64\Joamagmq.dll Kmlnbi32.exe File created C:\Windows\SysWOW64\Addjcmqn.dll Ndidbn32.exe File opened for modification C:\Windows\SysWOW64\Fflaff32.exe Fbqefhpm.exe File opened for modification C:\Windows\SysWOW64\Gqfooodg.exe Gmkbnp32.exe File created C:\Windows\SysWOW64\Adakia32.dll Hjfihc32.exe File created C:\Windows\SysWOW64\Kflflhfg.dll Imgkql32.exe File created C:\Windows\SysWOW64\Kpjjod32.exe Kmlnbi32.exe File created C:\Windows\SysWOW64\Fqkocpod.exe Ficgacna.exe File created C:\Windows\SysWOW64\Imihfl32.exe Ijkljp32.exe File opened for modification C:\Windows\SysWOW64\Gimjhafg.exe Gbcakg32.exe File created C:\Windows\SysWOW64\Oeahce32.dll Gcekkjcj.exe File opened for modification C:\Windows\SysWOW64\Njljefql.exe Nkjjij32.exe File created C:\Windows\SysWOW64\Ceblbm32.exe Cccpfa32.exe File opened for modification C:\Windows\SysWOW64\Dephckaf.exe Dabpnlkp.exe File created C:\Windows\SysWOW64\Qnoaog32.dll Jiphkm32.exe File created C:\Windows\SysWOW64\Qekdppan.dll Jmpngk32.exe File opened for modification C:\Windows\SysWOW64\Kgmlkp32.exe Kbapjafe.exe File opened for modification C:\Windows\SysWOW64\Eodlho32.exe Eqalmafo.exe File opened for modification C:\Windows\SysWOW64\Ijaida32.exe Iffmccbi.exe File created C:\Windows\SysWOW64\Ajgblndm.dll Kkkdan32.exe File created C:\Windows\SysWOW64\Fogjfmfe.dll Kcifkp32.exe File created C:\Windows\SysWOW64\Inccjgbc.dll Hihicplj.exe File created C:\Windows\SysWOW64\Efhikhod.dll Lmqgnhmp.exe File created C:\Windows\SysWOW64\Egqcbapl.dll Mdpalp32.exe File opened for modification C:\Windows\SysWOW64\Gfqjafdq.exe Gcbnejem.exe File created C:\Windows\SysWOW64\Ggpfjejo.dll Jkdnpo32.exe File created C:\Windows\SysWOW64\Lknjmkdo.exe Lgbnmm32.exe File created C:\Windows\SysWOW64\Nacbfdao.exe Njljefql.exe File created C:\Windows\SysWOW64\Nbkhfc32.exe Njcpee32.exe File created C:\Windows\SysWOW64\Nngcpm32.dll Lgkhlnbn.exe File created C:\Windows\SysWOW64\Mlhblb32.dll Nceonl32.exe File created C:\Windows\SysWOW64\Ncgkcl32.exe Nqiogp32.exe File created C:\Windows\SysWOW64\Dakcla32.dll Iiibkn32.exe File opened for modification C:\Windows\SysWOW64\Imgkql32.exe Iikopmkd.exe File opened for modification C:\Windows\SysWOW64\Jaimbj32.exe Jmnaakne.exe File created C:\Windows\SysWOW64\Jigollag.exe Jkdnpo32.exe File opened for modification C:\Windows\SysWOW64\Jmbklj32.exe Jigollag.exe File created C:\Windows\SysWOW64\Ebjmif32.dll Dhnepfpj.exe File opened for modification C:\Windows\SysWOW64\Fihqmb32.exe Fjepaecb.exe File created C:\Windows\SysWOW64\Bpqnnk32.dll Ipegmg32.exe File created C:\Windows\SysWOW64\Ibhblqpo.dll Mnlfigcc.exe File created C:\Windows\SysWOW64\Nqiogp32.exe Nafokcol.exe File created C:\Windows\SysWOW64\Dephckaf.exe Dabpnlkp.exe File created C:\Windows\SysWOW64\Bdhngp32.dll Dpemacql.exe File opened for modification C:\Windows\SysWOW64\Jbmfoa32.exe Jdjfcecp.exe File created C:\Windows\SysWOW64\Hibljoco.exe Hfcpncdk.exe File created C:\Windows\SysWOW64\Iikopmkd.exe Ijhodq32.exe File created C:\Windows\SysWOW64\Kpmfddnf.exe Kajfig32.exe File created C:\Windows\SysWOW64\Lcdegnep.exe Lpfijcfl.exe File opened for modification C:\Windows\SysWOW64\Maohkd32.exe Mjhqjg32.exe File opened for modification C:\Windows\SysWOW64\Nacbfdao.exe Njljefql.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8032 7940 WerFault.exe 312 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Camfbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebbidj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kilhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll" Gcidfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll" Jmnaakne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll" Gbcakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipegmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll" Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndghmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmmfmbhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hadkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll" Jdhine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kacphh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcifkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll" Gmoliohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll" Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" Mdpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjeddggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nafokcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlihepd.dll" Cccpfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eodlho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll" Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll" Gfcgge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll" Gmmocpjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpbaqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" Jiphkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnpim32.dll" Cibank32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fqohnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll" Iffmccbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Maohkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dagiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmaioo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfkoeppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmegbjgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mciobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll" Icjmmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpccnefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqfbaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldkojb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lknjmkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inolmdgj.dll" Commqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll" Haidklda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jagqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll" Jmpngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll" Kckbqpnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chnlihnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chgoogfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll" Hadkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpccnefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" Nbkhfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehekqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fihqmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqfooodg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfedle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjbako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ceblbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll" Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhcnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll" Kgmlkp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3484 wrote to memory of 4860 3484 ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe 82 PID 3484 wrote to memory of 4860 3484 ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe 82 PID 3484 wrote to memory of 4860 3484 ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe 82 PID 4860 wrote to memory of 3556 4860 Chnlihnl.exe 83 PID 4860 wrote to memory of 3556 4860 Chnlihnl.exe 83 PID 4860 wrote to memory of 3556 4860 Chnlihnl.exe 83 PID 3556 wrote to memory of 1532 3556 Cccpfa32.exe 84 PID 3556 wrote to memory of 1532 3556 Cccpfa32.exe 84 PID 3556 wrote to memory of 1532 3556 Cccpfa32.exe 84 PID 1532 wrote to memory of 3004 1532 Ceblbm32.exe 85 PID 1532 wrote to memory of 3004 1532 Ceblbm32.exe 85 PID 1532 wrote to memory of 3004 1532 Ceblbm32.exe 85 PID 3004 wrote to memory of 3896 3004 Caimgncj.exe 86 PID 3004 wrote to memory of 3896 3004 Caimgncj.exe 86 PID 3004 wrote to memory of 3896 3004 Caimgncj.exe 86 PID 3896 wrote to memory of 3652 3896 Clnadfbp.exe 88 PID 3896 wrote to memory of 3652 3896 Clnadfbp.exe 88 PID 3896 wrote to memory of 3652 3896 Clnadfbp.exe 88 PID 3652 wrote to memory of 724 3652 Commqb32.exe 89 PID 3652 wrote to memory of 724 3652 Commqb32.exe 89 PID 3652 wrote to memory of 724 3652 Commqb32.exe 89 PID 724 wrote to memory of 540 724 Cibank32.exe 90 PID 724 wrote to memory of 540 724 Cibank32.exe 90 PID 724 wrote to memory of 540 724 Cibank32.exe 90 PID 540 wrote to memory of 232 540 Camfbm32.exe 92 PID 540 wrote to memory of 232 540 Camfbm32.exe 92 PID 540 wrote to memory of 232 540 Camfbm32.exe 92 PID 232 wrote to memory of 516 232 Chgoogfa.exe 94 PID 232 wrote to memory of 516 232 Chgoogfa.exe 94 PID 232 wrote to memory of 516 232 Chgoogfa.exe 94 PID 516 wrote to memory of 2984 516 Capchmmb.exe 95 PID 516 wrote to memory of 2984 516 Capchmmb.exe 95 PID 516 wrote to memory of 2984 516 Capchmmb.exe 95 PID 2984 wrote to memory of 2324 2984 Doccaall.exe 96 PID 2984 wrote to memory of 2324 2984 Doccaall.exe 96 PID 2984 wrote to memory of 2324 2984 Doccaall.exe 96 PID 2324 wrote to memory of 4260 2324 Dabpnlkp.exe 97 PID 2324 wrote to memory of 4260 2324 Dabpnlkp.exe 97 PID 2324 wrote to memory of 4260 2324 Dabpnlkp.exe 97 PID 4260 wrote to memory of 1556 4260 Dephckaf.exe 98 PID 4260 wrote to memory of 1556 4260 Dephckaf.exe 98 PID 4260 wrote to memory of 1556 4260 Dephckaf.exe 98 PID 1556 wrote to memory of 4404 1556 Dhnepfpj.exe 99 PID 1556 wrote to memory of 4404 1556 Dhnepfpj.exe 99 PID 1556 wrote to memory of 4404 1556 Dhnepfpj.exe 99 PID 4404 wrote to memory of 3504 4404 Dpemacql.exe 100 PID 4404 wrote to memory of 3504 4404 Dpemacql.exe 100 PID 4404 wrote to memory of 3504 4404 Dpemacql.exe 100 PID 3504 wrote to memory of 1444 3504 Dagiil32.exe 101 PID 3504 wrote to memory of 1444 3504 Dagiil32.exe 101 PID 3504 wrote to memory of 1444 3504 Dagiil32.exe 101 PID 1444 wrote to memory of 768 1444 Djnaji32.exe 102 PID 1444 wrote to memory of 768 1444 Djnaji32.exe 102 PID 1444 wrote to memory of 768 1444 Djnaji32.exe 102 PID 768 wrote to memory of 2372 768 Dhcnke32.exe 103 PID 768 wrote to memory of 2372 768 Dhcnke32.exe 103 PID 768 wrote to memory of 2372 768 Dhcnke32.exe 103 PID 2372 wrote to memory of 1200 2372 Ehekqe32.exe 104 PID 2372 wrote to memory of 1200 2372 Ehekqe32.exe 104 PID 2372 wrote to memory of 1200 2372 Ehekqe32.exe 104 PID 1200 wrote to memory of 3776 1200 Elagacbk.exe 105 PID 1200 wrote to memory of 3776 1200 Elagacbk.exe 105 PID 1200 wrote to memory of 3776 1200 Elagacbk.exe 105 PID 3776 wrote to memory of 4584 3776 Eoocmoao.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\ed01df66d5e1c13def6f76d4a197fe90_NEIKI.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Chnlihnl.exeC:\Windows\system32\Chnlihnl.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe23⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3880 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5072 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe27⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe29⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe30⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe35⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe38⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe42⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4848 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe44⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe45⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe46⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe48⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe49⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3412 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe51⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4572 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe58⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe60⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe67⤵
- Drops file in System32 directory
PID:3352 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe68⤵
- Modifies registry class
PID:4564 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe69⤵PID:4876
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe70⤵PID:3804
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe71⤵PID:452
-
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe73⤵PID:2812
-
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4708 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe75⤵PID:4740
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe76⤵PID:4640
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5016 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe79⤵PID:772
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4988 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4204 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe82⤵PID:2144
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe83⤵
- Drops file in System32 directory
PID:4684 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe84⤵PID:2376
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe85⤵PID:776
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe86⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe87⤵PID:5136
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:5188 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe89⤵PID:5228
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe91⤵
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe92⤵PID:5368
-
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe93⤵PID:5408
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe94⤵PID:5452
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5496 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe96⤵PID:5544
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5628 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe100⤵PID:5716
-
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe101⤵PID:5760
-
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe103⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe104⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe106⤵PID:5972
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe107⤵PID:6016
-
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe108⤵PID:6064
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe110⤵
- Modifies registry class
PID:5152 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe112⤵PID:5300
-
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe113⤵PID:5360
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe114⤵PID:5404
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe116⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe117⤵
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5636 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe119⤵PID:5696
-
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe120⤵PID:5752
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:5820
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-