Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:32
Behavioral task
behavioral1
Sample
dffe872523645343024cb3cd4a4865d0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dffe872523645343024cb3cd4a4865d0_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
dffe872523645343024cb3cd4a4865d0_NEIKI.exe
-
Size
115KB
-
MD5
dffe872523645343024cb3cd4a4865d0
-
SHA1
7b80806dd830cca43d2c13a207fd704812811f3e
-
SHA256
7fbce8e26a94cfc5232c6e278415bda87d7d2972a66f88840882ac32fb4f39e7
-
SHA512
81c863faf9b986599301a5e7ec0c5b6de2a9906acd35d3c74ef34f9e90b54ac44dbae91fe799062190a32ec655178e46435379962c0134adfcd618674e97ca1e
-
SSDEEP
3072:2KeIXu4OADpqXrFW2VTbWymWU6SMQehalNgFuk0:NeIXuJAwXrf6ymWU5MClN5
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flceckoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkdkplj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hioiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimpolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhdhon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhijqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acgolj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehcdfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfqlnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlhfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhhhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdgljmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbaipkbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aealah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkidenlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkjlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmlhii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmlhii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgkjhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neffpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdqgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgchm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnaokmco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmcojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkjhoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbhdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbenmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000600000002326f-6.dat family_berbew behavioral2/files/0x00080000000233ef-14.dat family_berbew behavioral2/files/0x00070000000233f1-22.dat family_berbew behavioral2/files/0x00070000000233f3-30.dat family_berbew behavioral2/files/0x00070000000233f5-39.dat family_berbew behavioral2/files/0x00070000000233f7-46.dat family_berbew behavioral2/files/0x00070000000233f9-54.dat family_berbew behavioral2/files/0x00070000000233fb-62.dat family_berbew behavioral2/files/0x00070000000233fd-66.dat family_berbew behavioral2/files/0x00070000000233ff-78.dat family_berbew behavioral2/files/0x0007000000023401-87.dat family_berbew behavioral2/files/0x0007000000023403-97.dat family_berbew behavioral2/files/0x0007000000023405-105.dat family_berbew behavioral2/files/0x0007000000023407-114.dat family_berbew behavioral2/files/0x0007000000023409-123.dat family_berbew behavioral2/files/0x000700000002340b-132.dat family_berbew behavioral2/files/0x000700000002340d-141.dat family_berbew behavioral2/files/0x00080000000233ed-150.dat family_berbew behavioral2/files/0x0007000000023410-154.dat family_berbew behavioral2/files/0x0007000000023412-168.dat family_berbew behavioral2/files/0x0007000000023414-176.dat family_berbew behavioral2/files/0x0007000000023416-186.dat family_berbew behavioral2/files/0x0007000000023418-194.dat family_berbew behavioral2/files/0x000700000002341a-203.dat family_berbew behavioral2/files/0x000700000002341c-211.dat family_berbew behavioral2/files/0x000700000002341e-221.dat family_berbew behavioral2/files/0x0007000000023420-230.dat family_berbew behavioral2/files/0x0007000000023422-239.dat family_berbew behavioral2/files/0x0007000000023424-248.dat family_berbew behavioral2/files/0x0007000000023426-257.dat family_berbew behavioral2/files/0x0007000000023428-266.dat family_berbew behavioral2/files/0x000700000002342a-275.dat family_berbew behavioral2/files/0x000700000002342e-287.dat family_berbew behavioral2/files/0x000700000002343a-328.dat family_berbew behavioral2/files/0x0007000000023444-358.dat family_berbew behavioral2/files/0x000700000002344c-386.dat family_berbew behavioral2/files/0x000700000002345a-434.dat family_berbew behavioral2/files/0x0007000000023462-462.dat family_berbew behavioral2/files/0x000700000002346c-496.dat family_berbew behavioral2/files/0x000700000002347a-546.dat family_berbew behavioral2/files/0x0007000000023480-566.dat family_berbew behavioral2/files/0x000700000002348e-615.dat family_berbew behavioral2/files/0x00070000000234a6-700.dat family_berbew behavioral2/files/0x00070000000234aa-714.dat family_berbew behavioral2/files/0x00070000000234b4-748.dat family_berbew behavioral2/files/0x00070000000234c8-816.dat family_berbew behavioral2/files/0x00070000000234dc-887.dat family_berbew behavioral2/files/0x00070000000234fc-999.dat family_berbew behavioral2/files/0x0007000000023502-1020.dat family_berbew behavioral2/files/0x000700000002350c-1055.dat family_berbew behavioral2/files/0x0007000000023512-1075.dat family_berbew behavioral2/files/0x0007000000023516-1090.dat family_berbew behavioral2/files/0x0007000000023526-1145.dat family_berbew behavioral2/files/0x000700000002353e-1230.dat family_berbew behavioral2/files/0x0007000000023552-1299.dat family_berbew behavioral2/files/0x0007000000023558-1320.dat family_berbew behavioral2/files/0x0007000000023572-1410.dat family_berbew behavioral2/files/0x000700000002357c-1444.dat family_berbew behavioral2/files/0x0007000000023582-1465.dat family_berbew behavioral2/files/0x0007000000023586-1480.dat family_berbew behavioral2/files/0x0007000000023590-1514.dat family_berbew behavioral2/files/0x000700000002359c-1556.dat family_berbew behavioral2/files/0x000700000002359e-1564.dat family_berbew behavioral2/files/0x00070000000235a4-1584.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1960 Nqpego32.exe 4680 Okeieh32.exe 232 Ondeac32.exe 4048 Ogljjiei.exe 4100 Okhfjh32.exe 1384 Oqdoboli.exe 4244 Okjbpglo.exe 1060 Obdkma32.exe 4484 Odbgim32.exe 5044 Ojopad32.exe 632 Ocgdji32.exe 4304 Onmhgb32.exe 3756 Oqkdcn32.exe 3508 Pjdilcla.exe 2208 Pbkamqmd.exe 2972 Peljol32.exe 1176 Pkfblfab.exe 3556 Pabkdmpi.exe 4960 Pnfkma32.exe 1828 Peqcjkfp.exe 1748 Pkjlge32.exe 4568 Qnkdhpjn.exe 4536 Qgciaf32.exe 4072 Acjjfggb.exe 5016 Aanjpk32.exe 5104 Aldomc32.exe 3160 Aaqgek32.exe 3712 Alfkbc32.exe 5004 Andgoobc.exe 4980 Alhhhcal.exe 2820 Aealah32.exe 4556 Alkdnboj.exe 2036 Becifhfj.exe 552 Blmacb32.exe 4488 Bnlnon32.exe 2000 Bhdbhcck.exe 3440 Bbifelba.exe 2288 Bdkcmdhp.exe 1664 Bblckl32.exe 1900 Bhikcb32.exe 4708 Bdolhc32.exe 4440 Bkidenlg.exe 116 Chmeobkq.exe 1292 Cogmkl32.exe 2828 Cddecc32.exe 3088 Cknnpm32.exe 3348 Cahfmgoo.exe 4032 Clnjjpod.exe 4088 Cajcbgml.exe 460 Cefoce32.exe 1984 Conclk32.exe 3764 Camphf32.exe 1712 Clbceo32.exe 4380 Doqpak32.exe 3092 Daolnf32.exe 3336 Dhidjpqc.exe 4132 Dkgqfl32.exe 872 Dboigi32.exe 4360 Ddpeoafg.exe 1108 Dlgmpogj.exe 1760 Doeiljfn.exe 3036 Dadeieea.exe 4948 Ddbbeade.exe 3736 Dkljak32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fqppci32.exe Process not Found File created C:\Windows\SysWOW64\Pegplgln.dll Ojopad32.exe File opened for modification C:\Windows\SysWOW64\Fmndpq32.exe Fjohde32.exe File created C:\Windows\SysWOW64\Gabfbmnl.dll Process not Found File created C:\Windows\SysWOW64\Fgjimp32.dll Process not Found File created C:\Windows\SysWOW64\Adopjh32.dll Ickchq32.exe File created C:\Windows\SysWOW64\Kjgeedch.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nagiji32.exe Process not Found File created C:\Windows\SysWOW64\Gmfmgg32.dll Kqphfe32.exe File created C:\Windows\SysWOW64\Bkobmnka.exe Process not Found File created C:\Windows\SysWOW64\Mcfbkpab.exe Process not Found File created C:\Windows\SysWOW64\Flnakb32.dll Echknh32.exe File created C:\Windows\SysWOW64\Ckegbb32.dll Jfgdkd32.exe File opened for modification C:\Windows\SysWOW64\Ejflhm32.exe Efkphnbd.exe File created C:\Windows\SysWOW64\Oeddnh32.dll Gfkbde32.exe File created C:\Windows\SysWOW64\Qglobbdg.dll Process not Found File created C:\Windows\SysWOW64\Nmpmkplp.dll Jpijnqkp.exe File created C:\Windows\SysWOW64\Qffbbldm.exe Qcgffqei.exe File created C:\Windows\SysWOW64\Cdabcm32.exe Cabfga32.exe File created C:\Windows\SysWOW64\Naecop32.exe Process not Found File created C:\Windows\SysWOW64\Hahokfag.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dinmhkke.exe Djklmo32.exe File opened for modification C:\Windows\SysWOW64\Nghekkmn.exe Process not Found File created C:\Windows\SysWOW64\Qdhogopn.dll Process not Found File created C:\Windows\SysWOW64\Pjdhbppo.dll Process not Found File created C:\Windows\SysWOW64\Ibjqaf32.exe Process not Found File created C:\Windows\SysWOW64\Gflonn32.dll Process not Found File created C:\Windows\SysWOW64\Nfjjppmm.exe Nckndeni.exe File created C:\Windows\SysWOW64\Gkdhjknm.exe Fhflnpoi.exe File created C:\Windows\SysWOW64\Hpjmnjqn.exe Gipdap32.exe File opened for modification C:\Windows\SysWOW64\Cammjakm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aolblopj.exe Process not Found File created C:\Windows\SysWOW64\Filclgic.dll Process not Found File created C:\Windows\SysWOW64\Ncpgam32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fqbliicp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hhaggp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kbaipkbi.exe Kpbmco32.exe File opened for modification C:\Windows\SysWOW64\Ndfqbhia.exe Nnlhfn32.exe File opened for modification C:\Windows\SysWOW64\Edknqiho.exe Ealadnik.exe File created C:\Windows\SysWOW64\Kmeddp32.dll Process not Found File created C:\Windows\SysWOW64\Fohoigfh.exe Fljcmlfd.exe File created C:\Windows\SysWOW64\Neffpj32.exe Nomncpcg.exe File created C:\Windows\SysWOW64\Gafian32.dll Phhhhc32.exe File created C:\Windows\SysWOW64\Bhbcfbjk.exe Process not Found File created C:\Windows\SysWOW64\Gifffn32.dll Process not Found File created C:\Windows\SysWOW64\Jkdnhmdp.dll Ocamjm32.exe File opened for modification C:\Windows\SysWOW64\Pcicklnn.exe Ploknb32.exe File created C:\Windows\SysWOW64\Nefped32.exe Nbgcih32.exe File opened for modification C:\Windows\SysWOW64\Popbpqjh.exe Process not Found File created C:\Windows\SysWOW64\Ngpock32.dll Niklpj32.exe File created C:\Windows\SysWOW64\Agdcpkll.exe Process not Found File created C:\Windows\SysWOW64\Kcbfcigf.exe Process not Found File created C:\Windows\SysWOW64\Jeekkafl.exe Jnkcogno.exe File opened for modification C:\Windows\SysWOW64\Cpihcgoa.exe Cmklglpn.exe File created C:\Windows\SysWOW64\Jdedak32.exe Jqiipljg.exe File opened for modification C:\Windows\SysWOW64\Iidphgcn.exe Process not Found File created C:\Windows\SysWOW64\Gedapeof.dll Knooej32.exe File created C:\Windows\SysWOW64\Ebgpad32.exe Process not Found File created C:\Windows\SysWOW64\Legben32.exe Process not Found File created C:\Windows\SysWOW64\Menbeg32.dll Nojanpej.exe File created C:\Windows\SysWOW64\Lhnoigkk.dll Process not Found File created C:\Windows\SysWOW64\Kbaipkbi.exe Kpbmco32.exe File created C:\Windows\SysWOW64\Leqcid32.dll Bjokdipf.exe File created C:\Windows\SysWOW64\Ndkqipob.dll Cjinkg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15708 15636 Process not Found 1733 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiiggoaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gglpibgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajpfn32.dll" Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdchadai.dll" Bdkcmdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealkjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eachem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inaoom32.dll" Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiihahme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffdpghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmcdffmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccemjbpf.dll" Gahcmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdgc32.dll" Injcmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbohan32.dll" Alkdnboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnjj32.dll" Ekhjmiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpkphjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djdflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chembclp.dll" Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcmgfbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnpppgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohjlmeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipebnafj.dll" Mekgdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afhohlbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidkle32.dll" Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll" Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdicgd32.dll" Ocgdji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijegcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcleml32.dll" Jcikgacl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfgdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonlon32.dll" Nacmdf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4312 wrote to memory of 1960 4312 dffe872523645343024cb3cd4a4865d0_NEIKI.exe 79 PID 4312 wrote to memory of 1960 4312 dffe872523645343024cb3cd4a4865d0_NEIKI.exe 79 PID 4312 wrote to memory of 1960 4312 dffe872523645343024cb3cd4a4865d0_NEIKI.exe 79 PID 1960 wrote to memory of 4680 1960 Nqpego32.exe 80 PID 1960 wrote to memory of 4680 1960 Nqpego32.exe 80 PID 1960 wrote to memory of 4680 1960 Nqpego32.exe 80 PID 4680 wrote to memory of 232 4680 Okeieh32.exe 81 PID 4680 wrote to memory of 232 4680 Okeieh32.exe 81 PID 4680 wrote to memory of 232 4680 Okeieh32.exe 81 PID 232 wrote to memory of 4048 232 Ondeac32.exe 82 PID 232 wrote to memory of 4048 232 Ondeac32.exe 82 PID 232 wrote to memory of 4048 232 Ondeac32.exe 82 PID 4048 wrote to memory of 4100 4048 Ogljjiei.exe 83 PID 4048 wrote to memory of 4100 4048 Ogljjiei.exe 83 PID 4048 wrote to memory of 4100 4048 Ogljjiei.exe 83 PID 4100 wrote to memory of 1384 4100 Okhfjh32.exe 84 PID 4100 wrote to memory of 1384 4100 Okhfjh32.exe 84 PID 4100 wrote to memory of 1384 4100 Okhfjh32.exe 84 PID 1384 wrote to memory of 4244 1384 Oqdoboli.exe 85 PID 1384 wrote to memory of 4244 1384 Oqdoboli.exe 85 PID 1384 wrote to memory of 4244 1384 Oqdoboli.exe 85 PID 4244 wrote to memory of 1060 4244 Okjbpglo.exe 86 PID 4244 wrote to memory of 1060 4244 Okjbpglo.exe 86 PID 4244 wrote to memory of 1060 4244 Okjbpglo.exe 86 PID 1060 wrote to memory of 4484 1060 Obdkma32.exe 87 PID 1060 wrote to memory of 4484 1060 Obdkma32.exe 87 PID 1060 wrote to memory of 4484 1060 Obdkma32.exe 87 PID 4484 wrote to memory of 5044 4484 Odbgim32.exe 88 PID 4484 wrote to memory of 5044 4484 Odbgim32.exe 88 PID 4484 wrote to memory of 5044 4484 Odbgim32.exe 88 PID 5044 wrote to memory of 632 5044 Ojopad32.exe 89 PID 5044 wrote to memory of 632 5044 Ojopad32.exe 89 PID 5044 wrote to memory of 632 5044 Ojopad32.exe 89 PID 632 wrote to memory of 4304 632 Ocgdji32.exe 90 PID 632 wrote to memory of 4304 632 Ocgdji32.exe 90 PID 632 wrote to memory of 4304 632 Ocgdji32.exe 90 PID 4304 wrote to memory of 3756 4304 Onmhgb32.exe 91 PID 4304 wrote to memory of 3756 4304 Onmhgb32.exe 91 PID 4304 wrote to memory of 3756 4304 Onmhgb32.exe 91 PID 3756 wrote to memory of 3508 3756 Oqkdcn32.exe 92 PID 3756 wrote to memory of 3508 3756 Oqkdcn32.exe 92 PID 3756 wrote to memory of 3508 3756 Oqkdcn32.exe 92 PID 3508 wrote to memory of 2208 3508 Pjdilcla.exe 93 PID 3508 wrote to memory of 2208 3508 Pjdilcla.exe 93 PID 3508 wrote to memory of 2208 3508 Pjdilcla.exe 93 PID 2208 wrote to memory of 2972 2208 Pbkamqmd.exe 94 PID 2208 wrote to memory of 2972 2208 Pbkamqmd.exe 94 PID 2208 wrote to memory of 2972 2208 Pbkamqmd.exe 94 PID 2972 wrote to memory of 1176 2972 Peljol32.exe 95 PID 2972 wrote to memory of 1176 2972 Peljol32.exe 95 PID 2972 wrote to memory of 1176 2972 Peljol32.exe 95 PID 1176 wrote to memory of 3556 1176 Pkfblfab.exe 96 PID 1176 wrote to memory of 3556 1176 Pkfblfab.exe 96 PID 1176 wrote to memory of 3556 1176 Pkfblfab.exe 96 PID 3556 wrote to memory of 4960 3556 Pabkdmpi.exe 97 PID 3556 wrote to memory of 4960 3556 Pabkdmpi.exe 97 PID 3556 wrote to memory of 4960 3556 Pabkdmpi.exe 97 PID 4960 wrote to memory of 1828 4960 Pnfkma32.exe 98 PID 4960 wrote to memory of 1828 4960 Pnfkma32.exe 98 PID 4960 wrote to memory of 1828 4960 Pnfkma32.exe 98 PID 1828 wrote to memory of 1748 1828 Peqcjkfp.exe 99 PID 1828 wrote to memory of 1748 1828 Peqcjkfp.exe 99 PID 1828 wrote to memory of 1748 1828 Peqcjkfp.exe 99 PID 1748 wrote to memory of 4568 1748 Pkjlge32.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\dffe872523645343024cb3cd4a4865d0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\dffe872523645343024cb3cd4a4865d0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe23⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe24⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe25⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe26⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe27⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe28⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe29⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe30⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe31⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4556 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe34⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe35⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe36⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe37⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe38⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe40⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe41⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe42⤵PID:2856
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe43⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe45⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe46⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe47⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe48⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe49⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe50⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe51⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe52⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe53⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe54⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe56⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe57⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3336 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe59⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe60⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe61⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe62⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe63⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe64⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe65⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe66⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe67⤵PID:4796
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe68⤵PID:3844
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe69⤵PID:3572
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe70⤵PID:4112
-
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe71⤵PID:776
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe72⤵PID:1688
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe73⤵PID:4420
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe74⤵
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe75⤵PID:184
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe76⤵PID:3788
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe77⤵PID:1704
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe79⤵PID:4572
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe80⤵PID:264
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe81⤵PID:1656
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe82⤵PID:2252
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe83⤵
- Modifies registry class
PID:3124 -
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe84⤵PID:4728
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe85⤵PID:3080
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe87⤵PID:2792
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe88⤵PID:4368
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe89⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe90⤵PID:2860
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe91⤵PID:64
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe92⤵PID:4792
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe93⤵PID:612
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe94⤵PID:3260
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe95⤵PID:3288
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe96⤵PID:2560
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe97⤵PID:5064
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe98⤵PID:408
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe99⤵PID:540
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe100⤵PID:4784
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe102⤵PID:2028
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3404 -
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe104⤵PID:2324
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe105⤵PID:4016
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe106⤵PID:2420
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe107⤵PID:4564
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe108⤵PID:3012
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe109⤵PID:1240
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe110⤵PID:3300
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe111⤵PID:2800
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe112⤵PID:2416
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe113⤵PID:4912
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe115⤵PID:1272
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe116⤵PID:5080
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe117⤵PID:1920
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe118⤵PID:436
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe119⤵PID:3228
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe120⤵PID:1296
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe121⤵PID:4816
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe122⤵PID:4424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-