Analysis
-
max time kernel
155s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:28
Behavioral task
behavioral1
Sample
def58c135319e9e83857f87fc881d520_NEIKI.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
def58c135319e9e83857f87fc881d520_NEIKI.exe
Resource
win10v2004-20240226-en
General
-
Target
def58c135319e9e83857f87fc881d520_NEIKI.exe
-
Size
177KB
-
MD5
def58c135319e9e83857f87fc881d520
-
SHA1
bdf81ca81f3e95bc86f3fb4df89604035c1ce20e
-
SHA256
9a86a973a6a1f86128ac59594c926561a0689863e8d000fe6f111ae8935724fb
-
SHA512
7ce35df7aedf1eb3a869c9839054fa8520c6523a1041bc1926929afb26591949f46105ce43fdc2da75b4f71c159a0d03af966ea0f57321faa54a4f037d6895b4
-
SSDEEP
3072:FqnMrigIxflQhTETg3q/haR5sS+vfvLHhjh8g1eGFyOsa:FqSiX0T8ga/harSvLHh98gwG0ON
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obfhmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacbpccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdmlkfjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfgfpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paocim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odljjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfmneaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijfkpnji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaifbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kanidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeolckne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgebnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeolckne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afqifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqbpahpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkjik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgdhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefkkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkefmjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfgjbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apddce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgebnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paocim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Indkpcdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghhjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odljjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkholi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfjcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jghhjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieeimlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ammnhilb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfmlok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmafcnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmoncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nakhaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkholi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgfmeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcjodbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijhhenhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebfmfdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejagaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmafcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnhkdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmlkfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbddobla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ammnhilb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfjeckpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijfkpnji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqbpahpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khfdlnab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbinhfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afqifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okneldkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhgdmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakhaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgjbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqbneq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcfmneaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndfanlpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Philfgdh.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000800000002326b-7.dat family_berbew behavioral2/files/0x0008000000023270-16.dat family_berbew behavioral2/files/0x0007000000023272-24.dat family_berbew behavioral2/files/0x0007000000023274-33.dat family_berbew behavioral2/files/0x000800000002326c-39.dat family_berbew behavioral2/files/0x0007000000023277-48.dat family_berbew behavioral2/files/0x000700000002327a-56.dat family_berbew behavioral2/files/0x000700000002327c-63.dat family_berbew behavioral2/files/0x000700000002327e-71.dat family_berbew behavioral2/files/0x0007000000023282-82.dat family_berbew behavioral2/files/0x0007000000023282-89.dat family_berbew behavioral2/files/0x0007000000023284-95.dat family_berbew behavioral2/files/0x0007000000023286-104.dat family_berbew behavioral2/files/0x0007000000023288-112.dat family_berbew behavioral2/files/0x000700000002328a-121.dat family_berbew behavioral2/files/0x000700000002328c-129.dat family_berbew behavioral2/files/0x000700000002328e-137.dat family_berbew behavioral2/files/0x0007000000023290-145.dat family_berbew behavioral2/files/0x0007000000023292-147.dat family_berbew behavioral2/files/0x0007000000023296-163.dat family_berbew behavioral2/files/0x0007000000023296-168.dat family_berbew behavioral2/files/0x0007000000023298-177.dat family_berbew behavioral2/files/0x000700000002329a-184.dat family_berbew behavioral2/files/0x000700000002329c-192.dat family_berbew behavioral2/files/0x000700000002329e-199.dat family_berbew behavioral2/files/0x00070000000232a0-207.dat family_berbew behavioral2/files/0x00070000000232a2-215.dat family_berbew behavioral2/files/0x00070000000232a6-223.dat family_berbew behavioral2/files/0x00070000000232a8-232.dat family_berbew behavioral2/files/0x00070000000232b0-255.dat family_berbew behavioral2/files/0x00070000000232b2-263.dat family_berbew behavioral2/files/0x00070000000232ad-248.dat family_berbew behavioral2/files/0x00070000000232ab-240.dat family_berbew behavioral2/files/0x00070000000232bd-290.dat family_berbew behavioral2/files/0x000200000001e32b-314.dat family_berbew behavioral2/files/0x00070000000232c8-325.dat family_berbew behavioral2/files/0x00070000000232cc-338.dat family_berbew behavioral2/files/0x00070000000232d3-355.dat family_berbew behavioral2/files/0x00070000000232ed-403.dat family_berbew behavioral2/files/0x00070000000232f9-439.dat family_berbew behavioral2/files/0x0007000000023306-493.dat family_berbew behavioral2/files/0x0008000000023314-537.dat family_berbew behavioral2/files/0x0007000000023318-551.dat family_berbew behavioral2/files/0x0007000000023325-593.dat family_berbew behavioral2/files/0x000700000002332b-614.dat family_berbew behavioral2/files/0x0007000000023333-642.dat family_berbew behavioral2/files/0x000700000002333d-677.dat family_berbew behavioral2/files/0x0007000000023339-663.dat family_berbew behavioral2/files/0x0007000000023343-698.dat family_berbew behavioral2/files/0x0007000000023349-719.dat family_berbew behavioral2/files/0x0007000000023354-754.dat family_berbew behavioral2/files/0x0007000000023350-740.dat family_berbew behavioral2/files/0x0007000000023358-768.dat family_berbew behavioral2/files/0x000700000002335e-790.dat family_berbew behavioral2/files/0x0007000000023362-803.dat family_berbew behavioral2/files/0x0007000000023366-817.dat family_berbew behavioral2/files/0x000700000002336e-846.dat family_berbew behavioral2/files/0x0007000000023374-865.dat family_berbew behavioral2/files/0x000700000002337c-892.dat family_berbew behavioral2/files/0x0007000000023382-914.dat family_berbew behavioral2/files/0x000700000002338a-940.dat family_berbew behavioral2/files/0x0007000000023392-967.dat family_berbew behavioral2/files/0x000700000002339e-1007.dat family_berbew behavioral2/files/0x00070000000233a2-1022.dat family_berbew -
Executes dropped EXE 54 IoCs
pid Process 1204 Ejagaj32.exe 1408 Gkefmjcj.exe 2108 Gqbneq32.exe 3868 Hnhkdd32.exe 1568 Indkpcdk.exe 2828 Ieeimlep.exe 1636 Jeolckne.exe 2424 Jhoeef32.exe 3888 Kdmlkfjb.exe 1592 Kkgdhp32.exe 3744 Lhmafcnf.exe 1376 Lefkkg32.exe 3732 Lhgdmb32.exe 1944 Mkgmoncl.exe 2388 Nakhaf32.exe 1560 Obfhmd32.exe 4572 Odljjo32.exe 3792 Pkholi32.exe 312 Pbddobla.exe 4828 Pcfmneaa.exe 3400 Qfgfpp32.exe 1928 Qfjcep32.exe 4516 Apddce32.exe 1620 Aealll32.exe 1092 Afqifo32.exe 4992 Ammnhilb.exe 1728 Bfhofnpp.exe 2012 Fgfmeg32.exe 4372 Gfgjbb32.exe 3020 Hqkjaifk.exe 4604 Hgebnc32.exe 2428 Hmbkfjko.exe 2884 Ijfkpnji.exe 3536 Iqpclh32.exe 2128 Ijhhenhf.exe 2668 Iqbpahpc.exe 4588 Iebfmfdg.exe 1556 Ifcben32.exe 2156 Iaifbg32.exe 2300 Jcjodbgl.exe 3492 Jjdgal32.exe 436 Jghhjq32.exe 3068 Jaefne32.exe 4996 Khfdlnab.exe 3080 Kanidd32.exe 1112 Knbinhfl.exe 2224 Lacbpccn.exe 3804 Ndfanlpi.exe 2420 Ndkjik32.exe 3904 Okneldkf.exe 644 Paocim32.exe 3192 Philfgdh.exe 2360 Pfmlok32.exe 1140 Pkjegb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jcjodbgl.exe Iaifbg32.exe File created C:\Windows\SysWOW64\Gqbneq32.exe Gkefmjcj.exe File created C:\Windows\SysWOW64\Lhmafcnf.exe Kkgdhp32.exe File opened for modification C:\Windows\SysWOW64\Mkgmoncl.exe Lhgdmb32.exe File created C:\Windows\SysWOW64\Cefnemqj.dll Afqifo32.exe File opened for modification C:\Windows\SysWOW64\Hqkjaifk.exe Gfgjbb32.exe File created C:\Windows\SysWOW64\Iaifbg32.exe Ifcben32.exe File created C:\Windows\SysWOW64\Docpdpol.dll Iaifbg32.exe File opened for modification C:\Windows\SysWOW64\Hnhkdd32.exe Gqbneq32.exe File created C:\Windows\SysWOW64\Ndkjik32.exe Ndfanlpi.exe File opened for modification C:\Windows\SysWOW64\Paocim32.exe Okneldkf.exe File created C:\Windows\SysWOW64\Ndfanlpi.exe Lacbpccn.exe File created C:\Windows\SysWOW64\Jeolckne.exe Ieeimlep.exe File created C:\Windows\SysWOW64\Lefkkg32.exe Lhmafcnf.exe File opened for modification C:\Windows\SysWOW64\Pkjegb32.exe Pfmlok32.exe File created C:\Windows\SysWOW64\Dfaadk32.dll Indkpcdk.exe File opened for modification C:\Windows\SysWOW64\Gkefmjcj.exe Ejagaj32.exe File created C:\Windows\SysWOW64\Hnhkdd32.exe Gqbneq32.exe File created C:\Windows\SysWOW64\Ieeimlep.exe Indkpcdk.exe File opened for modification C:\Windows\SysWOW64\Ijhhenhf.exe Iqpclh32.exe File opened for modification C:\Windows\SysWOW64\Khfdlnab.exe Jaefne32.exe File opened for modification C:\Windows\SysWOW64\Philfgdh.exe Paocim32.exe File opened for modification C:\Windows\SysWOW64\Pfmlok32.exe Philfgdh.exe File created C:\Windows\SysWOW64\Qmofmb32.dll def58c135319e9e83857f87fc881d520_NEIKI.exe File created C:\Windows\SysWOW64\Jedoeg32.dll Philfgdh.exe File created C:\Windows\SysWOW64\Mefhfm32.dll Iqpclh32.exe File created C:\Windows\SysWOW64\Dikgnp32.dll Ifcben32.exe File opened for modification C:\Windows\SysWOW64\Lacbpccn.exe Knbinhfl.exe File opened for modification C:\Windows\SysWOW64\Ndfanlpi.exe Lacbpccn.exe File opened for modification C:\Windows\SysWOW64\Gfgjbb32.exe Fgfmeg32.exe File created C:\Windows\SysWOW64\Ebpmamlm.dll Kdmlkfjb.exe File created C:\Windows\SysWOW64\Pkholi32.exe Odljjo32.exe File opened for modification C:\Windows\SysWOW64\Pkholi32.exe Odljjo32.exe File created C:\Windows\SysWOW64\Pcfmneaa.exe Pbddobla.exe File created C:\Windows\SysWOW64\Jaefne32.exe Jghhjq32.exe File created C:\Windows\SysWOW64\Kanidd32.exe Khfdlnab.exe File created C:\Windows\SysWOW64\Hgqded32.dll Kanidd32.exe File created C:\Windows\SysWOW64\Fbkcnp32.dll Jhoeef32.exe File created C:\Windows\SysWOW64\Pkjegb32.exe Pfmlok32.exe File opened for modification C:\Windows\SysWOW64\Ndkjik32.exe Ndfanlpi.exe File opened for modification C:\Windows\SysWOW64\Pbddobla.exe Pkholi32.exe File created C:\Windows\SysWOW64\Jjdgal32.exe Jcjodbgl.exe File opened for modification C:\Windows\SysWOW64\Jghhjq32.exe Jjdgal32.exe File opened for modification C:\Windows\SysWOW64\Kkgdhp32.exe Kdmlkfjb.exe File opened for modification C:\Windows\SysWOW64\Fgfmeg32.exe Cfjeckpj.exe File opened for modification C:\Windows\SysWOW64\Hgebnc32.exe Hqkjaifk.exe File created C:\Windows\SysWOW64\Lgilmo32.dll Qfjcep32.exe File opened for modification C:\Windows\SysWOW64\Odljjo32.exe Obfhmd32.exe File opened for modification C:\Windows\SysWOW64\Apddce32.exe Qfjcep32.exe File created C:\Windows\SysWOW64\Ijhhenhf.exe Iqpclh32.exe File opened for modification C:\Windows\SysWOW64\Iebfmfdg.exe Iqbpahpc.exe File created C:\Windows\SysWOW64\Ifcben32.exe Iebfmfdg.exe File created C:\Windows\SysWOW64\Mcjkng32.dll Pfmlok32.exe File created C:\Windows\SysWOW64\Lgahlk32.dll Hnhkdd32.exe File created C:\Windows\SysWOW64\Jhoeef32.exe Jeolckne.exe File opened for modification C:\Windows\SysWOW64\Kdmlkfjb.exe Jhoeef32.exe File created C:\Windows\SysWOW64\Qfgfpp32.exe Pcfmneaa.exe File created C:\Windows\SysWOW64\Hmbkfjko.exe Hgebnc32.exe File created C:\Windows\SysWOW64\Obncao32.dll Jghhjq32.exe File created C:\Windows\SysWOW64\Dodipp32.dll Ieeimlep.exe File opened for modification C:\Windows\SysWOW64\Aealll32.exe Apddce32.exe File opened for modification C:\Windows\SysWOW64\Hmbkfjko.exe Hgebnc32.exe File created C:\Windows\SysWOW64\Pohqjpee.dll Hmbkfjko.exe File created C:\Windows\SysWOW64\Mgeengon.dll Ijhhenhf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Philfgdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node def58c135319e9e83857f87fc881d520_NEIKI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgdhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhmafcnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkgmoncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knbinhfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bncpjk32.dll" Paocim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aealll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgfmeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqbpahpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okneldkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paocim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjkng32.dll" Pfmlok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaefne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdlch32.dll" Lefkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lefkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obfhmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfjeckpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqkjaifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll" Jeolckne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfgjbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbkfjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlnbkcc.dll" Okneldkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedoeg32.dll" Philfgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijhhenhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jghhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkefmjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaadk32.dll" Indkpcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll" Qfgfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aealll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll" Bfhofnpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpjmf32.dll" Fgfmeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lacbpccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndfanlpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID def58c135319e9e83857f87fc881d520_NEIKI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeolckne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijhhenhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kanidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 def58c135319e9e83857f87fc881d520_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeolckne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inicjl32.dll" Jcjodbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdmlkfjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbddobla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll" Pcfmneaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ammnhilb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docpdpol.dll" Iaifbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopdlj32.dll" Lacbpccn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkefmjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieeimlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll" Pkholi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikgnp32.dll" Ifcben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll" Obfhmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afqifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipdih32.dll" Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkghpa32.dll" Gfgjbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaifbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfmlok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khfdlnab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indkpcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll" Odljjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ammnhilb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4832 wrote to memory of 1204 4832 def58c135319e9e83857f87fc881d520_NEIKI.exe 91 PID 4832 wrote to memory of 1204 4832 def58c135319e9e83857f87fc881d520_NEIKI.exe 91 PID 4832 wrote to memory of 1204 4832 def58c135319e9e83857f87fc881d520_NEIKI.exe 91 PID 1204 wrote to memory of 1408 1204 Ejagaj32.exe 92 PID 1204 wrote to memory of 1408 1204 Ejagaj32.exe 92 PID 1204 wrote to memory of 1408 1204 Ejagaj32.exe 92 PID 1408 wrote to memory of 2108 1408 Gkefmjcj.exe 93 PID 1408 wrote to memory of 2108 1408 Gkefmjcj.exe 93 PID 1408 wrote to memory of 2108 1408 Gkefmjcj.exe 93 PID 2108 wrote to memory of 3868 2108 Gqbneq32.exe 94 PID 2108 wrote to memory of 3868 2108 Gqbneq32.exe 94 PID 2108 wrote to memory of 3868 2108 Gqbneq32.exe 94 PID 3868 wrote to memory of 1568 3868 Hnhkdd32.exe 95 PID 3868 wrote to memory of 1568 3868 Hnhkdd32.exe 95 PID 3868 wrote to memory of 1568 3868 Hnhkdd32.exe 95 PID 1568 wrote to memory of 2828 1568 Indkpcdk.exe 96 PID 1568 wrote to memory of 2828 1568 Indkpcdk.exe 96 PID 1568 wrote to memory of 2828 1568 Indkpcdk.exe 96 PID 2828 wrote to memory of 1636 2828 Ieeimlep.exe 97 PID 2828 wrote to memory of 1636 2828 Ieeimlep.exe 97 PID 2828 wrote to memory of 1636 2828 Ieeimlep.exe 97 PID 1636 wrote to memory of 2424 1636 Jeolckne.exe 98 PID 1636 wrote to memory of 2424 1636 Jeolckne.exe 98 PID 1636 wrote to memory of 2424 1636 Jeolckne.exe 98 PID 2424 wrote to memory of 3888 2424 Jhoeef32.exe 99 PID 2424 wrote to memory of 3888 2424 Jhoeef32.exe 99 PID 2424 wrote to memory of 3888 2424 Jhoeef32.exe 99 PID 3888 wrote to memory of 1592 3888 Kdmlkfjb.exe 100 PID 3888 wrote to memory of 1592 3888 Kdmlkfjb.exe 100 PID 3888 wrote to memory of 1592 3888 Kdmlkfjb.exe 100 PID 1592 wrote to memory of 3744 1592 Kkgdhp32.exe 101 PID 1592 wrote to memory of 3744 1592 Kkgdhp32.exe 101 PID 1592 wrote to memory of 3744 1592 Kkgdhp32.exe 101 PID 3744 wrote to memory of 1376 3744 Lhmafcnf.exe 102 PID 3744 wrote to memory of 1376 3744 Lhmafcnf.exe 102 PID 3744 wrote to memory of 1376 3744 Lhmafcnf.exe 102 PID 1376 wrote to memory of 3732 1376 Lefkkg32.exe 103 PID 1376 wrote to memory of 3732 1376 Lefkkg32.exe 103 PID 1376 wrote to memory of 3732 1376 Lefkkg32.exe 103 PID 3732 wrote to memory of 1944 3732 Lhgdmb32.exe 104 PID 3732 wrote to memory of 1944 3732 Lhgdmb32.exe 104 PID 3732 wrote to memory of 1944 3732 Lhgdmb32.exe 104 PID 1944 wrote to memory of 2388 1944 Mkgmoncl.exe 105 PID 1944 wrote to memory of 2388 1944 Mkgmoncl.exe 105 PID 1944 wrote to memory of 2388 1944 Mkgmoncl.exe 105 PID 2388 wrote to memory of 1560 2388 Nakhaf32.exe 106 PID 2388 wrote to memory of 1560 2388 Nakhaf32.exe 106 PID 2388 wrote to memory of 1560 2388 Nakhaf32.exe 106 PID 1560 wrote to memory of 4572 1560 Obfhmd32.exe 107 PID 1560 wrote to memory of 4572 1560 Obfhmd32.exe 107 PID 1560 wrote to memory of 4572 1560 Obfhmd32.exe 107 PID 4572 wrote to memory of 3792 4572 Odljjo32.exe 108 PID 4572 wrote to memory of 3792 4572 Odljjo32.exe 108 PID 4572 wrote to memory of 3792 4572 Odljjo32.exe 108 PID 3792 wrote to memory of 312 3792 Pkholi32.exe 109 PID 3792 wrote to memory of 312 3792 Pkholi32.exe 109 PID 3792 wrote to memory of 312 3792 Pkholi32.exe 109 PID 312 wrote to memory of 4828 312 Pbddobla.exe 110 PID 312 wrote to memory of 4828 312 Pbddobla.exe 110 PID 312 wrote to memory of 4828 312 Pbddobla.exe 110 PID 4828 wrote to memory of 3400 4828 Pcfmneaa.exe 111 PID 4828 wrote to memory of 3400 4828 Pcfmneaa.exe 111 PID 4828 wrote to memory of 3400 4828 Pcfmneaa.exe 111 PID 3400 wrote to memory of 1928 3400 Qfgfpp32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\def58c135319e9e83857f87fc881d520_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\def58c135319e9e83857f87fc881d520_NEIKI.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Ejagaj32.exeC:\Windows\system32\Ejagaj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Gqbneq32.exeC:\Windows\system32\Gqbneq32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Hnhkdd32.exeC:\Windows\system32\Hnhkdd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Indkpcdk.exeC:\Windows\system32\Indkpcdk.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Jhoeef32.exeC:\Windows\system32\Jhoeef32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Kkgdhp32.exeC:\Windows\system32\Kkgdhp32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Lhmafcnf.exeC:\Windows\system32\Lhmafcnf.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Lhgdmb32.exeC:\Windows\system32\Lhgdmb32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Mkgmoncl.exeC:\Windows\system32\Mkgmoncl.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Nakhaf32.exeC:\Windows\system32\Nakhaf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4516 -
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4992 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Hqkjaifk.exeC:\Windows\system32\Hqkjaifk.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Hgebnc32.exeC:\Windows\system32\Hgebnc32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4604 -
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\Ifcben32.exeC:\Windows\system32\Ifcben32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Jaefne32.exeC:\Windows\system32\Jaefne32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Khfdlnab.exeC:\Windows\system32\Khfdlnab.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4996 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Knbinhfl.exeC:\Windows\system32\Knbinhfl.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Ndfanlpi.exeC:\Windows\system32\Ndfanlpi.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3804 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3904 -
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3192 -
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe56⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Aoapcood.exeC:\Windows\system32\Aoapcood.exe57⤵PID:4376
-
C:\Windows\SysWOW64\Abipfifn.exeC:\Windows\system32\Abipfifn.exe58⤵PID:2932
-
C:\Windows\SysWOW64\Bbklli32.exeC:\Windows\system32\Bbklli32.exe59⤵PID:4836
-
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe60⤵PID:2352
-
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe61⤵PID:3008
-
C:\Windows\SysWOW64\Becknc32.exeC:\Windows\system32\Becknc32.exe62⤵PID:4428
-
C:\Windows\SysWOW64\Clbmfm32.exeC:\Windows\system32\Clbmfm32.exe63⤵PID:1936
-
C:\Windows\SysWOW64\Eeaqfo32.exeC:\Windows\system32\Eeaqfo32.exe64⤵PID:2028
-
C:\Windows\SysWOW64\Fghcqq32.exeC:\Windows\system32\Fghcqq32.exe65⤵PID:3864
-
C:\Windows\SysWOW64\Fcaqka32.exeC:\Windows\system32\Fcaqka32.exe66⤵PID:2240
-
C:\Windows\SysWOW64\Fhnichde.exeC:\Windows\system32\Fhnichde.exe67⤵PID:4960
-
C:\Windows\SysWOW64\Gpgnjebd.exeC:\Windows\system32\Gpgnjebd.exe68⤵PID:4624
-
C:\Windows\SysWOW64\Ghgljg32.exeC:\Windows\system32\Ghgljg32.exe69⤵PID:1184
-
C:\Windows\SysWOW64\Hohjgpmo.exeC:\Windows\system32\Hohjgpmo.exe70⤵PID:2608
-
C:\Windows\SysWOW64\Hfbbdj32.exeC:\Windows\system32\Hfbbdj32.exe71⤵PID:2492
-
C:\Windows\SysWOW64\Hokgmpkl.exeC:\Windows\system32\Hokgmpkl.exe72⤵PID:4608
-
C:\Windows\SysWOW64\Hfeoijbi.exeC:\Windows\system32\Hfeoijbi.exe73⤵PID:2124
-
C:\Windows\SysWOW64\Iqaiga32.exeC:\Windows\system32\Iqaiga32.exe74⤵PID:2100
-
C:\Windows\SysWOW64\Kimgba32.exeC:\Windows\system32\Kimgba32.exe75⤵PID:5168
-
C:\Windows\SysWOW64\Dilmeida.exeC:\Windows\system32\Dilmeida.exe76⤵PID:5208
-
C:\Windows\SysWOW64\Djmima32.exeC:\Windows\system32\Djmima32.exe77⤵PID:5248
-
C:\Windows\SysWOW64\Dagajlal.exeC:\Windows\system32\Dagajlal.exe78⤵PID:5288
-
C:\Windows\SysWOW64\Dgaiffii.exeC:\Windows\system32\Dgaiffii.exe79⤵PID:5328
-
C:\Windows\SysWOW64\Dbgndoho.exeC:\Windows\system32\Dbgndoho.exe80⤵PID:5392
-
C:\Windows\SysWOW64\Diafqi32.exeC:\Windows\system32\Diafqi32.exe81⤵PID:5444
-
C:\Windows\SysWOW64\Dnnoip32.exeC:\Windows\system32\Dnnoip32.exe82⤵PID:5488
-
C:\Windows\SysWOW64\Elfhmc32.exeC:\Windows\system32\Elfhmc32.exe83⤵PID:5548
-
C:\Windows\SysWOW64\Ebbmpmnb.exeC:\Windows\system32\Ebbmpmnb.exe84⤵PID:5608
-
C:\Windows\SysWOW64\Eimelg32.exeC:\Windows\system32\Eimelg32.exe85⤵PID:5668
-
C:\Windows\SysWOW64\Fajgfiag.exeC:\Windows\system32\Fajgfiag.exe86⤵PID:5716
-
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe87⤵PID:5760
-
C:\Windows\SysWOW64\Geflne32.exeC:\Windows\system32\Geflne32.exe88⤵PID:5808
-
C:\Windows\SysWOW64\Hlgjko32.exeC:\Windows\system32\Hlgjko32.exe89⤵PID:5852
-
C:\Windows\SysWOW64\Hlnqln32.exeC:\Windows\system32\Hlnqln32.exe90⤵PID:5900
-
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe91⤵PID:5948
-
C:\Windows\SysWOW64\Icakofel.exeC:\Windows\system32\Icakofel.exe92⤵PID:6004
-
C:\Windows\SysWOW64\Kmjinjnj.exeC:\Windows\system32\Kmjinjnj.exe93⤵PID:6052
-
C:\Windows\SysWOW64\Mcicma32.exeC:\Windows\system32\Mcicma32.exe94⤵PID:6124
-
C:\Windows\SysWOW64\Nipokfil.exeC:\Windows\system32\Nipokfil.exe95⤵PID:2596
-
C:\Windows\SysWOW64\Ncecioib.exeC:\Windows\system32\Ncecioib.exe96⤵PID:5144
-
C:\Windows\SysWOW64\Niblafgi.exeC:\Windows\system32\Niblafgi.exe97⤵PID:5232
-
C:\Windows\SysWOW64\Niiaae32.exeC:\Windows\system32\Niiaae32.exe98⤵PID:5320
-
C:\Windows\SysWOW64\Opefdo32.exeC:\Windows\system32\Opefdo32.exe99⤵PID:5436
-
C:\Windows\SysWOW64\Ojkkah32.exeC:\Windows\system32\Ojkkah32.exe100⤵PID:5480
-
C:\Windows\SysWOW64\Obfpejcl.exeC:\Windows\system32\Obfpejcl.exe101⤵PID:5600
-
C:\Windows\SysWOW64\Omnqhbap.exeC:\Windows\system32\Omnqhbap.exe102⤵PID:5516
-
C:\Windows\SysWOW64\Pcaoahio.exeC:\Windows\system32\Pcaoahio.exe103⤵PID:5748
-
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe104⤵PID:5788
-
C:\Windows\SysWOW64\Pindcboi.exeC:\Windows\system32\Pindcboi.exe105⤵PID:5848
-
C:\Windows\SysWOW64\Qkmqne32.exeC:\Windows\system32\Qkmqne32.exe106⤵PID:5912
-
C:\Windows\SysWOW64\Qciebg32.exeC:\Windows\system32\Qciebg32.exe107⤵PID:4272
-
C:\Windows\SysWOW64\Bkbcpb32.exeC:\Windows\system32\Bkbcpb32.exe108⤵PID:2204
-
C:\Windows\SysWOW64\Cgnmpbec.exeC:\Windows\system32\Cgnmpbec.exe109⤵PID:4736
-
C:\Windows\SysWOW64\Cnhell32.exeC:\Windows\system32\Cnhell32.exe110⤵PID:2176
-
C:\Windows\SysWOW64\Cqfahh32.exeC:\Windows\system32\Cqfahh32.exe111⤵PID:6028
-
C:\Windows\SysWOW64\Cgpjebcp.exeC:\Windows\system32\Cgpjebcp.exe112⤵PID:1592
-
C:\Windows\SysWOW64\Cnmoglij.exeC:\Windows\system32\Cnmoglij.exe113⤵PID:4872
-
C:\Windows\SysWOW64\Cdfgdf32.exeC:\Windows\system32\Cdfgdf32.exe114⤵PID:5192
-
C:\Windows\SysWOW64\Cgecpa32.exeC:\Windows\system32\Cgecpa32.exe115⤵PID:5272
-
C:\Windows\SysWOW64\Cmblhh32.exeC:\Windows\system32\Cmblhh32.exe116⤵PID:5432
-
C:\Windows\SysWOW64\Cmdhnhkp.exeC:\Windows\system32\Cmdhnhkp.exe117⤵PID:5556
-
C:\Windows\SysWOW64\Dmiaig32.exeC:\Windows\system32\Dmiaig32.exe118⤵PID:1944
-
C:\Windows\SysWOW64\Dccjfaog.exeC:\Windows\system32\Dccjfaog.exe119⤵PID:2388
-
C:\Windows\SysWOW64\Djmbbk32.exeC:\Windows\system32\Djmbbk32.exe120⤵PID:5584
-
C:\Windows\SysWOW64\Dnkkij32.exeC:\Windows\system32\Dnkkij32.exe121⤵PID:4020
-
C:\Windows\SysWOW64\Djalnkbo.exeC:\Windows\system32\Djalnkbo.exe122⤵PID:5780
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-