Analysis
max time kernel
136s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
09/05/2024, 03:26
Behavioral task
behavioral1
Sample
de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe
Resource
win10v2004-20240226-en
General
Target
de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe
Size
276KB
MD5
de92b7dafa17184154af9dff7fa89ec0
SHA1
2f9140226be41655be51b4cedc3da2ec75af3755
SHA256
e8408325e806f3181cf62d6cfede33073ce8bad9762ba8d91a363b06c75c1cad
SHA512
a3185a1b6b48c12567282e990dd3743a8d4457ba755cc8e0e4e00d834e9e5a151d729e837fa8dd0f9d17adb5eed9dd55b73e8538db736e033c85193c30fcbd6a
SSDEEP
6144:1qdwQ/v3NDhmB6u3dWZHEFJ7aWN1rtMsQBOSGaF+:SNDhmBv2HEGWN1RMs1S7
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hejono32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qahkch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qnlkllcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hoakpi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjcbkbnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ongpeejj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oooodcci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iapjeq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mebkbi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcgmiiii.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qnlkllcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dohmff32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcppogqo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjdqhjpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbjgcnll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Neeifa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihhmgaqb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpkqbq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbiakf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ilbnkiba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jmgmhgig.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fempbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jqmicpbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfcdaehf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bgbmdd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlgjko32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdgjgh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qolbgbgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fqiiamjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbjlpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibagmiie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibagmiie.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndfqlnno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Efhjjcpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgomaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olkqnjhd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aljefena.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kacgld32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emdaee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Npmjij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pocpqcpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjieii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgomaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mboqnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbamcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Habeni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdaedgdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfcdaehf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkiclepa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Imbaobmp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpbdfgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aeigilml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fghcqq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jginej32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kppbejka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjoknhbe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piikhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ikcmmjkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lhjeoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmoehojj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mmnlnfcb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocdqcikl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oediim32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan that can download and install additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0008000000023272-6.dat | family_berbew
behavioral2/files/0x0008000000023277-14.dat | family_berbew
behavioral2/files/0x000800000002327a-22.dat | family_berbew
behavioral2/files/0x000700000002327c-30.dat | family_berbew
behavioral2/files/0x000700000002327f-39.dat | family_berbew
behavioral2/files/0x0007000000023281-47.dat | family_berbew
behavioral2/files/0x0007000000023283-55.dat | family_berbew
behavioral2/files/0x0007000000023285-63.dat | family_berbew
behavioral2/files/0x0007000000023287-70.dat | family_berbew
behavioral2/files/0x0007000000023289-79.dat | family_berbew
behavioral2/files/0x000700000002328b-87.dat | family_berbew
behavioral2/files/0x000700000002328d-96.dat | family_berbew
behavioral2/files/0x000700000002328f-105.dat | family_berbew
behavioral2/files/0x0007000000023291-114.dat | family_berbew
behavioral2/files/0x0007000000023293-123.dat | family_berbew
behavioral2/files/0x0007000000023295-132.dat | family_berbew
behavioral2/files/0x0007000000023297-141.dat | family_berbew
behavioral2/files/0x0007000000023299-150.dat | family_berbew
behavioral2/files/0x000700000002329b-159.dat | family_berbew
behavioral2/files/0x000700000002329d-167.dat | family_berbew
behavioral2/files/0x000700000002329f-177.dat | family_berbew
behavioral2/files/0x00070000000232a1-186.dat | family_berbew
behavioral2/files/0x00070000000232a3-195.dat | family_berbew
behavioral2/files/0x00070000000232a7-204.dat | family_berbew
behavioral2/files/0x00070000000232a9-213.dat | family_berbew
behavioral2/files/0x00070000000232ab-217.dat | family_berbew
behavioral2/files/0x00070000000232ae-231.dat | family_berbew
behavioral2/files/0x00070000000232b0-240.dat | family_berbew
behavioral2/files/0x00070000000232b2-248.dat | family_berbew
behavioral2/files/0x00070000000232b4-253.dat | family_berbew
behavioral2/files/0x00070000000232b4-259.dat | family_berbew
behavioral2/files/0x00070000000232b6-267.dat | family_berbew
behavioral2/files/0x00070000000232b8-276.dat | family_berbew
behavioral2/files/0x00070000000232ca-329.dat | family_berbew
behavioral2/files/0x00070000000232db-385.dat | family_berbew
behavioral2/files/0x00070000000232f6-448.dat | family_berbew
behavioral2/files/0x00070000000232fa-462.dat | family_berbew
behavioral2/files/0x00070000000232fe-476.dat | family_berbew
behavioral2/files/0x0007000000023301-503.dat | family_berbew
behavioral2/files/0x0007000000023311-559.dat | family_berbew
behavioral2/files/0x0007000000023317-579.dat | family_berbew
behavioral2/files/0x000700000002331d-599.dat | family_berbew
behavioral2/files/0x000700000002332b-647.dat | family_berbew
behavioral2/files/0x0007000000023339-696.dat | family_berbew
behavioral2/files/0x000700000002333f-717.dat | family_berbew
behavioral2/files/0x0007000000023349-752.dat | family_berbew
behavioral2/files/0x000700000002334f-773.dat | family_berbew
behavioral2/files/0x0007000000023355-794.dat | family_berbew
behavioral2/files/0x0007000000023361-836.dat | family_berbew
behavioral2/files/0x0007000000023365-850.dat | family_berbew
behavioral2/files/0x000700000002336b-871.dat | family_berbew
behavioral2/files/0x0007000000023371-892.dat | family_berbew
behavioral2/files/0x0007000000023375-906.dat | family_berbew
behavioral2/files/0x000700000002337d-934.dat | family_berbew
behavioral2/files/0x000700000002338d-990.dat | family_berbew
behavioral2/files/0x0007000000023395-1017.dat | family_berbew
behavioral2/files/0x000700000002339b-1038.dat | family_berbew
behavioral2/files/0x00070000000233a5-1073.dat | family_berbew
behavioral2/files/0x00070000000233ab-1094.dat | family_berbew
behavioral2/files/0x00070000000233b1-1115.dat | family_berbew
behavioral2/files/0x00070000000233d1-1227.dat | family_berbew
behavioral2/files/0x00070000000233d7-1248.dat | family_berbew
behavioral2/files/0x00070000000233f2-1336.dat | family_berbew
behavioral2/files/0x0007000000023406-1401.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
2760 | Fgfmeg32.exe
4172 | Hdffah32.exe
1028 | Hclccd32.exe
4356 | Ifmldo32.exe
212 | Jgekdq32.exe
2108 | Jmgmhgig.exe
1192 | Kjdqhjpf.exe
2816 | Lmgfod32.exe
3992 | Mkdiog32.exe
2208 | Maehlqch.exe
3384 | Odbpij32.exe
2400 | Oediim32.exe
812 | Okeklcen.exe
4748 | Qnbdjl32.exe
5028 | Aijeme32.exe
3916 | Bichcc32.exe
368 | Bfpkbfdi.exe
4152 | Cpipkl32.exe
4012 | Cppelkeb.exe
1496 | Defajqko.exe
1120 | Efhjjcpo.exe
5088 | Ehkcgkdj.exe
4484 | Eeaqfo32.exe
1368 | Fghcqq32.exe
3020 | Fempbm32.exe
4344 | Fgmllpng.exe
4772 | Ggdbmoho.exe
1748 | Gjdknjep.exe
1288 | Hjieii32.exe
1708 | Hohjgpmo.exe
4612 | Iqmplbpl.exe
4716 | Icminm32.exe
4940 | Ihmnldib.exe
4180 | Ifqoehhl.exe
4876 | Iiaggc32.exe
3676 | Jicdlc32.exe
936 | Jqmicpbj.exe
2880 | Jginej32.exe
2244 | Jmffnq32.exe
1216 | Kpgoolbl.exe
2872 | Kfcdaehf.exe
3040 | Kpnepk32.exe
1164 | Kppbejka.exe
3828 | Lfmghdpl.exe
1740 | Lcqgahoe.exe
644 | Lccdghmc.exe
2984 | Lhammfci.exe
4360 | Malnklgg.exe
4168 | Mdlgmgdh.exe
4616 | Npjnbg32.exe
3732 | Nplkhf32.exe
2228 | Nmpkakak.exe
3544 | Nmbhgjoi.exe
1048 | Niihlkdm.exe
4756 | Ndomiddc.exe
3684 | Oacmchcl.exe
2788 | Oaejhh32.exe
764 | Opjgidfa.exe
4760 | Ppffec32.exe
624 | Pjoknhbe.exe
1328 | Anffje32.exe
4192 | Ajmgof32.exe
4924 | Aklciimh.exe
3972 | Akopoi32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Aomgmanl.dll | Dkedjbgg.exe
File created | C:\Windows\SysWOW64\Nkieoo32.dll | Jfllca32.exe
File created | C:\Windows\SysWOW64\Hnkkaaai.dll | Nebdighb.exe
File created | C:\Windows\SysWOW64\Lmgfod32.exe | Kjdqhjpf.exe
File created | C:\Windows\SysWOW64\Fboioldm.dll | Fqiiamjp.exe
File created | C:\Windows\SysWOW64\Clohhbli.exe | Cgbppknb.exe
File created | C:\Windows\SysWOW64\Knjjbggj.dll | Pneelmjo.exe
File opened for modification | C:\Windows\SysWOW64\Libggiik.exe | Lbhojo32.exe
File created | C:\Windows\SysWOW64\Ijjombcn.dll | Ojcidelf.exe
File opened for modification | C:\Windows\SysWOW64\Pqpgnl32.exe | Pjeoablq.exe
File created | C:\Windows\SysWOW64\Polnbakm.dll | Anffje32.exe
File created | C:\Windows\SysWOW64\Jhmchd32.dll | Jchaoe32.exe
File created | C:\Windows\SysWOW64\Efcagf32.dll | Kpnepk32.exe
File created | C:\Windows\SysWOW64\Mdlgmgdh.exe | Malnklgg.exe
File opened for modification | C:\Windows\SysWOW64\Kbebdpca.exe | Klljhe32.exe
File created | C:\Windows\SysWOW64\Hijjpjqc.dll | Qnbdjl32.exe
File created | C:\Windows\SysWOW64\Meajdj32.dll | Eeaqfo32.exe
File opened for modification | C:\Windows\SysWOW64\Kddpnpdn.exe | Kacgld32.exe
File created | C:\Windows\SysWOW64\Qkphie32.dll | Iapjeq32.exe
File created | C:\Windows\SysWOW64\Baekjn32.dll | Hcpcehko.exe
File created | C:\Windows\SysWOW64\Andmah32.dll | Cmmbmiag.exe
File created | C:\Windows\SysWOW64\Bliioqol.dll | Qmnbej32.exe
File opened for modification | C:\Windows\SysWOW64\Odelpm32.exe | Oiphbd32.exe
File created | C:\Windows\SysWOW64\Fcbdhkme.dll | Mgidgakk.exe
File created | C:\Windows\SysWOW64\Hlamak32.dll | Nllleapo.exe
File opened for modification | C:\Windows\SysWOW64\Fgfmeg32.exe | de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\Oiphbd32.exe | Oinkmdml.exe
File created | C:\Windows\SysWOW64\Ifcpgiji.exe | Hcbgen32.exe
File created | C:\Windows\SysWOW64\Iofienka.dll | Jikojcaa.exe
File opened for modification | C:\Windows\SysWOW64\Alaaajmb.exe | Ajbegg32.exe
File created | C:\Windows\SysWOW64\Lbjlpo32.exe | Lplpcc32.exe
File opened for modification | C:\Windows\SysWOW64\Piikhc32.exe | Plejoode.exe
File created | C:\Windows\SysWOW64\Nniohegg.dll | Oihkgo32.exe
File created | C:\Windows\SysWOW64\Ooinijfk.dll | Coepob32.exe
File created | C:\Windows\SysWOW64\Jginej32.exe | Jqmicpbj.exe
File created | C:\Windows\SysWOW64\Mndjhhjp.exe | Melfpb32.exe
File opened for modification | C:\Windows\SysWOW64\Ongpeejj.exe | Obqopddf.exe
File opened for modification | C:\Windows\SysWOW64\Oaejhh32.exe | Oacmchcl.exe
File created | C:\Windows\SysWOW64\Bkifnm32.dll | Eljknl32.exe
File created | C:\Windows\SysWOW64\Bocaefab.dll | Ifjfhh32.exe
File opened for modification | C:\Windows\SysWOW64\Llemnd32.exe | Lekeajmm.exe
File opened for modification | C:\Windows\SysWOW64\Ndomiddc.exe | Niihlkdm.exe
File created | C:\Windows\SysWOW64\Fdiqcb32.dll | Liofdigo.exe
File created | C:\Windows\SysWOW64\Eciahbno.dll | Jfoihalp.exe
File created | C:\Windows\SysWOW64\Gopdnemk.dll | Qdhalj32.exe
File created | C:\Windows\SysWOW64\Ehglag32.dll | Kddpnpdn.exe
File created | C:\Windows\SysWOW64\Jhealo32.dll | Neeifa32.exe
File created | C:\Windows\SysWOW64\Fbnfgneq.dll | Gaibhj32.exe
File created | C:\Windows\SysWOW64\Hfmqapcl.exe | Hnblmnfa.exe
File created | C:\Windows\SysWOW64\Jimeelkc.exe | Jfoihalp.exe
File created | C:\Windows\SysWOW64\Ojllkcdk.exe | Ocbdni32.exe
File opened for modification | C:\Windows\SysWOW64\Hohjgpmo.exe | Hjieii32.exe
File created | C:\Windows\SysWOW64\Bnkfonke.dll | Iibaeb32.exe
File created | C:\Windows\SysWOW64\Iapjeq32.exe | Ifjfhh32.exe
File opened for modification | C:\Windows\SysWOW64\Ndfqlnno.exe | Njploeoi.exe
File opened for modification | C:\Windows\SysWOW64\Jmlkpgia.exe | Ihhmgaqb.exe
File opened for modification | C:\Windows\SysWOW64\Goabhl32.exe | Fdbked32.exe
File opened for modification | C:\Windows\SysWOW64\Pjaefc32.exe | Pcgmiiii.exe
File created | C:\Windows\SysWOW64\Pmoabn32.exe | Pjaefc32.exe
File opened for modification | C:\Windows\SysWOW64\Hcbgen32.exe | Hpenpp32.exe
File created | C:\Windows\SysWOW64\Bebmpc32.dll | Ocdqcikl.exe
File opened for modification | C:\Windows\SysWOW64\Jpdqlgdc.exe | Jmfdpkeo.exe
File opened for modification | C:\Windows\SysWOW64\Mcfkkmeo.exe | Mllcocna.exe
File created | C:\Windows\SysWOW64\Jponca32.dll | Emdaee32.exe
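The two sections above describe the on-disk side of the chain: every stage writes its successor (an .exe) and a helper .dll into C:\Windows\SysWOW64 under an eight-character name, and the next stage is launched from there. The PowerShell sweep below is an added example written for this page, not sandbox output and not code from the sample; it looks for recently created, unsigned PE files in System32 and SysWOW64 whose names fit the shape seen in this report. The name pattern, the seven-day window, case-sensitive matching and the assumption that Get-AuthenticodeSignature resolves catalog-signed OS binaries on the host are all heuristics to adjust for your environment.

```powershell
# Added example for this page (not sandbox output, not Berbew code): look for dropped
# components of the kind listed above. Assumptions, all adjustable: the name shape is taken
# from this report (capital letter, five lowercase letters, then "32" or two more lowercase
# letters, e.g. Fgfmeg32.exe / Jmgmhgig.exe); "recent" means the last 7 days; an elevated
# Windows PowerShell 5.1+ or PowerShell 7 session on Windows, where Get-AuthenticodeSignature
# also resolves catalog-signed OS binaries.

function Find-SuspectDroppedFiles {
    [CmdletBinding()]
    param(
        [string[]]$Directories = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        [int]$MaxAgeDays = 7,
        # Matched with -cmatch (case-sensitive): stock OS files are lowercase on disk,
        # the dropped names in this report are capitalised.
        [string]$NamePattern = '^[A-Z][a-z]{5}(32|[a-z]{2})\.(exe|dll)$'
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Name and age filters first (cheap), then signature and hash (expensive);
        # only files that fail signature verification are returned.
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -cmatch $NamePattern -and $_.CreationTime -ge $cutoff } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    SizeKB    = [math]::Round($_.Length / 1KB)
                    SigStatus = $sig.Status.ToString()
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            } |
            Where-Object { $_.SigStatus -ne 'Valid' }
    }
}

Find-SuspectDroppedFiles | Format-Table -AutoSize
```

The signature check is what keeps legitimate eight-character OS binaries (kernel32.dll, advapi32.dll and the like) out of the result; without it the name pattern alone would flag them. The SHA256 column is there so that hits can be compared against the report's file hashes or submitted for analysis before the files are removed.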
Program crash 2 IoCs
pid | pid_target | Process | procid_target
7324 | 7956 | WerFault.exe | 461
5500 | 7956 | WerFault.exe | 461
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolhpo32.dll" | Kpgoolbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnobfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ccfmef32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dohmff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blamdnfl.dll" | Ajbegg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmaimd32.dll" | Ldiiio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegkehh.dll" | Dohmff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hmolbene.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpgdlm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpbdfgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hoakpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kinnei32.dll" | Ocbdni32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Npjnbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Npjnbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eaenkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Djoohk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oianmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dgomaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhij32.dll" | Mddbjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfoihalp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncdgmkio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hdffah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midign32.dll" | Hfljfjpq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iapjeq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkedjbgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Goabhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imikmhae.dll" | Qepccqlm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lbhojo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lplpcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mkdiog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iiaggc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Npmjij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gnmbao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Giacmggo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pneelmjo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hkkhjj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lmdihgkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jmgmhgig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oaejhh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qdhalj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himaco32.dll" | Hejono32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcacpg32.dll" | Ccipelcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ncfdbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bichcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Emdaee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fcjimnjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhmgp32.dll" | Nljopa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jicdlc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lijlii32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hejono32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jmffnq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fongpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkedmpik.dll" | Lcbmlbig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bckkpd32.dll" | Iiaggc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lcqgahoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnfgneq.dll" | Gaibhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bonjnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Opmaaodc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aejfjocb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ildkpiqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgekdq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kpnepk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mboqnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biidbpdf.dll" | Fcjimnjl.exe
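Taken together, the "Adds autorun key" and "Modifies registry class" signatures above describe one persistence mechanism. Each stage registers the value "Web Event Logger" = {79FAA099-1BAE-816E-D711-115290CEE717} under ShellServiceObjectDelayLoad and points that CLSID's InProcServer32 default value at a freshly dropped DLL in SysWow64 with ThreadingModel = Apartment. Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so the DLL runs inside Explorer at each logon without a Run key, a service or a scheduled task. Because the dropped EXEs are 32-bit, their writes to HKLM\SOFTWARE are redirected to WOW6432Node, which is why every IoC above carries that prefix; a hunt on a 64-bit host has to read both views. The script below is an added example written for this page, not part of the report or of the sample: it enumerates both views, resolves each CLSID to its DLL, checks the DLL's signature and flags anything that is not on a baseline. The default baseline value name, the CLSID taken from this report and the requirement for an elevated PowerShell session on Windows are assumptions to adjust.

```powershell
# Added example for this page (not sandbox output, not Berbew code): enumerate
# ShellServiceObjectDelayLoad (SSODL) entries in the native and WOW6432Node views, resolve
# each CLSID to its InProcServer32 DLL and check that DLL's signature.
# Assumptions: elevated Windows PowerShell 5.1+ / PowerShell 7 on Windows; $KnownGood is a
# placeholder baseline of value names expected on your build; $KnownBad is the CLSID from
# this report.

function Get-SsodlPersistence {
    [CmdletBinding()]
    param(
        [string[]]$KnownGood = @('WebCheck'),
        [string[]]$KnownBad  = @('{79FAA099-1BAE-816E-D711-115290CEE717}')
    )

    $views = @(
        [pscustomobject]@{ View  = 'native'
                           Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
                           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        [pscustomobject]@{ View  = 'WOW6432Node'
                           Ssodl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
                           Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
    )

    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Ssodl)) { continue }
        $key = Get-Item -LiteralPath $v.Ssodl
        foreach ($name in $key.GetValueNames()) {
            # SSODL value data is the CLSID that Explorer will CoCreateInstance at logon.
            $clsid  = [string]$key.GetValue($name)
            $inproc = Join-Path $v.Clsid "$clsid\InProcServer32"
            $dll = $null; $model = $null
            if (Test-Path -LiteralPath $inproc) {
                $ip    = Get-Item -LiteralPath $inproc
                $dll   = [string]$ip.GetValue('')               # (Default) = DLL path
                $model = [string]$ip.GetValue('ThreadingModel')
            }
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                        (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
                    } else { 'FileMissing' }

            [pscustomobject]@{
                View       = $v.View
                ValueName  = $name
                CLSID      = $clsid
                DllPath    = $path
                Threading  = $model
                Signature  = $sig
                Suspicious = (($KnownBad -contains $clsid) -or ($KnownGood -notcontains $name) -or ($sig -ne 'Valid'))
            }
        }
    }
}

Get-SsodlPersistence | Where-Object Suspicious | Format-List
```

On a host that ran this sample, the WOW6432Node row for "Web Event Logger" resolves to whichever SysWow64 DLL the last stage wrote into the InProcServer32 default value (the table above shows successive stages overwriting it), and that file is the one to collect before the value and the CLSID key are removed. A row whose DLL is missing or unsigned but whose value name is on the baseline still deserves a look, since an attacker can reuse a legitimate name.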
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4076 wrote to memory of 2760 | 4076 | de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe | 91
PID 4076 wrote to memory of 2760 | 4076 | de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe | 91
PID 4076 wrote to memory of 2760 | 4076 | de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe | 91
PID 2760 wrote to memory of 4172 | 2760 | Fgfmeg32.exe | 92
PID 2760 wrote to memory of 4172 | 2760 | Fgfmeg32.exe | 92
PID 2760 wrote to memory of 4172 | 2760 | Fgfmeg32.exe | 92
PID 4172 wrote to memory of 1028 | 4172 | Hdffah32.exe | 93
PID 4172 wrote to memory of 1028 | 4172 | Hdffah32.exe | 93
PID 4172 wrote to memory of 1028 | 4172 | Hdffah32.exe | 93
PID 1028 wrote to memory of 4356 | 1028 | Hclccd32.exe | 94
PID 1028 wrote to memory of 4356 | 1028 | Hclccd32.exe | 94
PID 1028 wrote to memory of 4356 | 1028 | Hclccd32.exe | 94
PID 4356 wrote to memory of 212 | 4356 | Ifmldo32.exe | 95
PID 4356 wrote to memory of 212 | 4356 | Ifmldo32.exe | 95
PID 4356 wrote to memory of 212 | 4356 | Ifmldo32.exe | 95
PID 212 wrote to memory of 2108 | 212 | Jgekdq32.exe | 96
PID 212 wrote to memory of 2108 | 212 | Jgekdq32.exe | 96
PID 212 wrote to memory of 2108 | 212 | Jgekdq32.exe | 96
PID 2108 wrote to memory of 1192 | 2108 | Jmgmhgig.exe | 97
PID 2108 wrote to memory of 1192 | 2108 | Jmgmhgig.exe | 97
PID 2108 wrote to memory of 1192 | 2108 | Jmgmhgig.exe | 97
PID 1192 wrote to memory of 2816 | 1192 | Kjdqhjpf.exe | 98
PID 1192 wrote to memory of 2816 | 1192 | Kjdqhjpf.exe | 98
PID 1192 wrote to memory of 2816 | 1192 | Kjdqhjpf.exe | 98
PID 2816 wrote to memory of 3992 | 2816 | Lmgfod32.exe | 99
PID 2816 wrote to memory of 3992 | 2816 | Lmgfod32.exe | 99
PID 2816 wrote to memory of 3992 | 2816 | Lmgfod32.exe | 99
PID 3992 wrote to memory of 2208 | 3992 | Mkdiog32.exe | 100
PID 3992 wrote to memory of 2208 | 3992 | Mkdiog32.exe | 100
PID 3992 wrote to memory of 2208 | 3992 | Mkdiog32.exe | 100
PID 2208 wrote to memory of 3384 | 2208 | Maehlqch.exe | 101
PID 2208 wrote to memory of 3384 | 2208 | Maehlqch.exe | 101
PID 2208 wrote to memory of 3384 | 2208 | Maehlqch.exe | 101
PID 3384 wrote to memory of 2400 | 3384 | Odbpij32.exe | 102
PID 3384 wrote to memory of 2400 | 3384 | Odbpij32.exe | 102
PID 3384 wrote to memory of 2400 | 3384 | Odbpij32.exe | 102
PID 2400 wrote to memory of 812 | 2400 | Oediim32.exe | 103
PID 2400 wrote to memory of 812 | 2400 | Oediim32.exe | 103
PID 2400 wrote to memory of 812 | 2400 | Oediim32.exe | 103
PID 812 wrote to memory of 4748 | 812 | Okeklcen.exe | 104
PID 812 wrote to memory of 4748 | 812 | Okeklcen.exe | 104
PID 812 wrote to memory of 4748 | 812 | Okeklcen.exe | 104
PID 4748 wrote to memory of 5028 | 4748 | Qnbdjl32.exe | 105
PID 4748 wrote to memory of 5028 | 4748 | Qnbdjl32.exe | 105
PID 4748 wrote to memory of 5028 | 4748 | Qnbdjl32.exe | 105
PID 5028 wrote to memory of 3916 | 5028 | Aijeme32.exe | 106
PID 5028 wrote to memory of 3916 | 5028 | Aijeme32.exe | 106
PID 5028 wrote to memory of 3916 | 5028 | Aijeme32.exe | 106
PID 3916 wrote to memory of 368 | 3916 | Bichcc32.exe | 107
PID 3916 wrote to memory of 368 | 3916 | Bichcc32.exe | 107
PID 3916 wrote to memory of 368 | 3916 | Bichcc32.exe | 107
PID 368 wrote to memory of 4152 | 368 | Bfpkbfdi.exe | 108
PID 368 wrote to memory of 4152 | 368 | Bfpkbfdi.exe | 108
PID 368 wrote to memory of 4152 | 368 | Bfpkbfdi.exe | 108
PID 4152 wrote to memory of 4012 | 4152 | Cpipkl32.exe | 109
PID 4152 wrote to memory of 4012 | 4152 | Cpipkl32.exe | 109
PID 4152 wrote to memory of 4012 | 4152 | Cpipkl32.exe | 109
PID 4012 wrote to memory of 1496 | 4012 | Cppelkeb.exe | 110
PID 4012 wrote to memory of 1496 | 4012 | Cppelkeb.exe | 110
PID 4012 wrote to memory of 1496 | 4012 | Cppelkeb.exe | 110
PID 1496 wrote to memory of 1120 | 1496 | Defajqko.exe | 111
PID 1496 wrote to memory of 1120 | 1496 | Defajqko.exe | 111
PID 1496 wrote to memory of 1120 | 1496 | Defajqko.exe | 111
PID 1120 wrote to memory of 5088 | 1120 | Efhjjcpo.exe | 112
Processes
-
Process tree (the number is the depth in the tree; each process is the child of the one listed above it; the on-disk path is followed by the recorded command line, the PID and the signatures matched):
1. C:\Users\Admin\AppData\Local\Temp\de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe (command line "C:\Users\Admin\AppData\Local\Temp\de92b7dafa17184154af9dff7fa89ec0_NEIKI.exe", PID 4076): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Fgfmeg32.exe (command line C:\Windows\system32\Fgfmeg32.exe, PID 2760): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Hdffah32.exe (command line C:\Windows\system32\Hdffah32.exe, PID 4172): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Hclccd32.exe (command line C:\Windows\system32\Hclccd32.exe, PID 1028): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ifmldo32.exe (command line C:\Windows\system32\Ifmldo32.exe, PID 4356): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Jgekdq32.exe (command line C:\Windows\system32\Jgekdq32.exe, PID 212): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Jmgmhgig.exe (command line C:\Windows\system32\Jmgmhgig.exe, PID 2108): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kjdqhjpf.exe (command line C:\Windows\system32\Kjdqhjpf.exe, PID 1192): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lmgfod32.exe (command line C:\Windows\system32\Lmgfod32.exe, PID 2816): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mkdiog32.exe (command line C:\Windows\system32\Mkdiog32.exe, PID 3992): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Maehlqch.exe (command line C:\Windows\system32\Maehlqch.exe, PID 2208): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Odbpij32.exe (command line C:\Windows\system32\Odbpij32.exe, PID 3384): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Oediim32.exe (command line C:\Windows\system32\Oediim32.exe, PID 2400): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Okeklcen.exe (command line C:\Windows\system32\Okeklcen.exe, PID 812): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Qnbdjl32.exe (command line C:\Windows\system32\Qnbdjl32.exe, PID 4748): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Aijeme32.exe (command line C:\Windows\system32\Aijeme32.exe, PID 5028): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bichcc32.exe (command line C:\Windows\system32\Bichcc32.exe, PID 3916): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Bfpkbfdi.exe (command line C:\Windows\system32\Bfpkbfdi.exe, PID 368): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Cpipkl32.exe (command line C:\Windows\system32\Cpipkl32.exe, PID 4152): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Cppelkeb.exe (command line C:\Windows\system32\Cppelkeb.exe, PID 4012): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Defajqko.exe (command line C:\Windows\system32\Defajqko.exe, PID 1496): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Efhjjcpo.exe (command line C:\Windows\system32\Efhjjcpo.exe, PID 1120): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Ehkcgkdj.exe (command line C:\Windows\system32\Ehkcgkdj.exe, PID 5088): Executes dropped EXE
24. C:\Windows\SysWOW64\Eeaqfo32.exe (command line C:\Windows\system32\Eeaqfo32.exe, PID 4484): Executes dropped EXE; Drops file in System32 directory
25. C:\Windows\SysWOW64\Fghcqq32.exe (command line C:\Windows\system32\Fghcqq32.exe, PID 1368): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
26. C:\Windows\SysWOW64\Fempbm32.exe (command line C:\Windows\system32\Fempbm32.exe, PID 3020): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
27. C:\Windows\SysWOW64\Fgmllpng.exe (command line C:\Windows\system32\Fgmllpng.exe, PID 4344): Executes dropped EXE
28. C:\Windows\SysWOW64\Ggdbmoho.exe (command line C:\Windows\system32\Ggdbmoho.exe, PID 4772): Executes dropped EXE
29. C:\Windows\SysWOW64\Gjdknjep.exe (command line C:\Windows\system32\Gjdknjep.exe, PID 1748): Executes dropped EXE
30. C:\Windows\SysWOW64\Hjieii32.exe (command line C:\Windows\system32\Hjieii32.exe, PID 1288): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
31. C:\Windows\SysWOW64\Hohjgpmo.exe (command line C:\Windows\system32\Hohjgpmo.exe, PID 1708): Executes dropped EXE
32. C:\Windows\SysWOW64\Iqmplbpl.exe (command line C:\Windows\system32\Iqmplbpl.exe, PID 4612): Executes dropped EXE
33. C:\Windows\SysWOW64\Icminm32.exe (command line C:\Windows\system32\Icminm32.exe, PID 4716): Executes dropped EXE
34. C:\Windows\SysWOW64\Ihmnldib.exe (command line C:\Windows\system32\Ihmnldib.exe, PID 4940): Executes dropped EXE
35. C:\Windows\SysWOW64\Ifqoehhl.exe (command line C:\Windows\system32\Ifqoehhl.exe, PID 4180): Executes dropped EXE
36. C:\Windows\SysWOW64\Iiaggc32.exe (command line C:\Windows\system32\Iiaggc32.exe, PID 4876): Executes dropped EXE; Modifies registry class
37. C:\Windows\SysWOW64\Jicdlc32.exe (command line C:\Windows\system32\Jicdlc32.exe, PID 3676): Executes dropped EXE; Modifies registry class
38. C:\Windows\SysWOW64\Jqmicpbj.exe (command line C:\Windows\system32\Jqmicpbj.exe, PID 936): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
39. C:\Windows\SysWOW64\Jginej32.exe (command line C:\Windows\system32\Jginej32.exe, PID 2880): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
40. C:\Windows\SysWOW64\Jmffnq32.exe (command line C:\Windows\system32\Jmffnq32.exe, PID 2244): Executes dropped EXE; Modifies registry class
41. C:\Windows\SysWOW64\Kpgoolbl.exe (command line C:\Windows\system32\Kpgoolbl.exe, PID 1216): Executes dropped EXE; Modifies registry class
42. C:\Windows\SysWOW64\Kfcdaehf.exe (command line C:\Windows\system32\Kfcdaehf.exe, PID 2872): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43. C:\Windows\SysWOW64\Kpnepk32.exe (command line C:\Windows\system32\Kpnepk32.exe, PID 3040): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
44. C:\Windows\SysWOW64\Kppbejka.exe (command line C:\Windows\system32\Kppbejka.exe, PID 1164): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
45. C:\Windows\SysWOW64\Lfmghdpl.exe (command line C:\Windows\system32\Lfmghdpl.exe, PID 3828): Executes dropped EXE
46. C:\Windows\SysWOW64\Lcqgahoe.exe (command line C:\Windows\system32\Lcqgahoe.exe, PID 1740): Executes dropped EXE; Modifies registry class
47. C:\Windows\SysWOW64\Lccdghmc.exe (command line C:\Windows\system32\Lccdghmc.exe, PID 644): Executes dropped EXE
48. C:\Windows\SysWOW64\Lhammfci.exe (command line C:\Windows\system32\Lhammfci.exe, PID 2984): Executes dropped EXE
49. C:\Windows\SysWOW64\Malnklgg.exe (command line C:\Windows\system32\Malnklgg.exe, PID 4360): Executes dropped EXE; Drops file in System32 directory
50. C:\Windows\SysWOW64\Mdlgmgdh.exe (command line C:\Windows\system32\Mdlgmgdh.exe, PID 4168): Executes dropped EXE
51. C:\Windows\SysWOW64\Npjnbg32.exe (command line C:\Windows\system32\Npjnbg32.exe, PID 4616): Executes dropped EXE; Modifies registry class
52. C:\Windows\SysWOW64\Nplkhf32.exe (command line C:\Windows\system32\Nplkhf32.exe, PID 3732): Executes dropped EXE
53. C:\Windows\SysWOW64\Nmpkakak.exe (command line C:\Windows\system32\Nmpkakak.exe, PID 2228): Executes dropped EXE
54. C:\Windows\SysWOW64\Nmbhgjoi.exe (command line C:\Windows\system32\Nmbhgjoi.exe, PID 3544): Executes dropped EXE
55. C:\Windows\SysWOW64\Niihlkdm.exe (command line C:\Windows\system32\Niihlkdm.exe, PID 1048): Executes dropped EXE; Drops file in System32 directory
56. C:\Windows\SysWOW64\Ndomiddc.exe (command line C:\Windows\system32\Ndomiddc.exe, PID 4756): Executes dropped EXE
57. C:\Windows\SysWOW64\Oacmchcl.exe (command line C:\Windows\system32\Oacmchcl.exe, PID 3684): Executes dropped EXE; Drops file in System32 directory
58. C:\Windows\SysWOW64\Oaejhh32.exe (command line C:\Windows\system32\Oaejhh32.exe, PID 2788): Executes dropped EXE; Modifies registry class
59. C:\Windows\SysWOW64\Opjgidfa.exe (command line C:\Windows\system32\Opjgidfa.exe, PID 764): Executes dropped EXE
60. C:\Windows\SysWOW64\Ppffec32.exe (command line C:\Windows\system32\Ppffec32.exe, PID 4760): Executes dropped EXE
61. C:\Windows\SysWOW64\Pjoknhbe.exe (command line C:\Windows\system32\Pjoknhbe.exe, PID 624): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
62. C:\Windows\SysWOW64\Anffje32.exe (command line C:\Windows\system32\Anffje32.exe, PID 1328): Executes dropped EXE; Drops file in System32 directory
63. C:\Windows\SysWOW64\Ajmgof32.exe (command line C:\Windows\system32\Ajmgof32.exe, PID 4192): Executes dropped EXE
64. C:\Windows\SysWOW64\Aklciimh.exe (command line C:\Windows\system32\Aklciimh.exe, PID 4924): Executes dropped EXE
65. C:\Windows\SysWOW64\Akopoi32.exe (command line C:\Windows\system32\Akopoi32.exe, PID 3972): Executes dropped EXE
66. C:\Windows\SysWOW64\Bgeadjai.exe (command line C:\Windows\system32\Bgeadjai.exe, PID 1844)
67. C:\Windows\SysWOW64\Dgomaf32.exe (command line C:\Windows\system32\Dgomaf32.exe, PID 5100): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
68. C:\Windows\SysWOW64\Eaenkj32.exe (command line C:\Windows\system32\Eaenkj32.exe, PID 4488): Modifies registry class
69. C:\Windows\SysWOW64\Fongpm32.exe (command line C:\Windows\system32\Fongpm32.exe, PID 4516): Modifies registry class
70. C:\Windows\SysWOW64\Hleneo32.exe (command line C:\Windows\system32\Hleneo32.exe, PID 456)
71. C:\Windows\SysWOW64\Haafnf32.exe (command line C:\Windows\system32\Haafnf32.exe, PID 2960)
72. C:\Windows\SysWOW64\Hlgjko32.exe (command line C:\Windows\system32\Hlgjko32.exe, PID 416): Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Hebkid32.exe (command line C:\Windows\system32\Hebkid32.exe, PID 3592)
74. C:\Windows\SysWOW64\Hedhoc32.exe (command line C:\Windows\system32\Hedhoc32.exe, PID 4160)
75. C:\Windows\SysWOW64\Iibaeb32.exe (command line C:\Windows\system32\Iibaeb32.exe, PID 5052): Drops file in System32 directory
76. C:\Windows\SysWOW64\Ikcmmjkb.exe (command line C:\Windows\system32\Ikcmmjkb.exe, PID 4948): Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Jllmml32.exe (command line C:\Windows\system32\Jllmml32.exe, PID 3832)
78. C:\Windows\SysWOW64\Jchaoe32.exe (command line C:\Windows\system32\Jchaoe32.exe, PID 3848): Drops file in System32 directory
79. C:\Windows\SysWOW64\Jhejgl32.exe (command line C:\Windows\system32\Jhejgl32.exe, PID 2152)
80. C:\Windows\SysWOW64\Jbnopbdl.exe (command line C:\Windows\system32\Jbnopbdl.exe, PID 4884)
81. C:\Windows\SysWOW64\Lijlii32.exe (command line C:\Windows\system32\Lijlii32.exe, PID 4660): Modifies registry class
82. C:\Windows\SysWOW64\Lcbmlbig.exe (command line C:\Windows\system32\Lcbmlbig.exe, PID 5148): Modifies registry class
83. C:\Windows\SysWOW64\Liofdigo.exe (command line C:\Windows\system32\Liofdigo.exe, PID 5192): Drops file in System32 directory
84. C:\Windows\SysWOW64\Liabjh32.exe (command line C:\Windows\system32\Liabjh32.exe, PID 5236)
85. C:\Windows\SysWOW64\Mbjgcnll.exe (command line C:\Windows\system32\Mbjgcnll.exe, PID 5280): Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Mmokpglb.exe (command line C:\Windows\system32\Mmokpglb.exe, PID 5324)
87. C:\Windows\SysWOW64\Mboqnm32.exe (command line C:\Windows\system32\Mboqnm32.exe, PID 5368): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
88. C:\Windows\SysWOW64\Mbamcm32.exe (command line C:\Windows\system32\Mbamcm32.exe, PID 5412): Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Mikepg32.exe (command line C:\Windows\system32\Mikepg32.exe, PID 5460)
90. C:\Windows\SysWOW64\Npqmipjq.exe (command line C:\Windows\system32\Npqmipjq.exe, PID 5504)
91. C:\Windows\SysWOW64\Omdnbd32.exe (command line C:\Windows\system32\Omdnbd32.exe, PID 5548)
92. C:\Windows\SysWOW64\Ojhnlh32.exe (command line C:\Windows\system32\Ojhnlh32.exe, PID 5592)
93. C:\Windows\SysWOW64\Oljkcpnb.exe (command line C:\Windows\system32\Oljkcpnb.exe, PID 5636)
94. C:\Windows\SysWOW64\Oinkmdml.exe (command line C:\Windows\system32\Oinkmdml.exe, PID 5680): Drops file in System32 directory
95. C:\Windows\SysWOW64\Oiphbd32.exe (command line C:\Windows\system32\Oiphbd32.exe, PID 5724): Drops file in System32 directory
96. C:\Windows\SysWOW64\Odelpm32.exe (command line C:\Windows\system32\Odelpm32.exe, PID 5768)
97. C:\Windows\SysWOW64\Plejoode.exe (command line C:\Windows\system32\Plejoode.exe, PID 5816): Drops file in System32 directory
98. C:\Windows\SysWOW64\Piikhc32.exe (command line C:\Windows\system32\Piikhc32.exe, PID 5860): Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Pdoofl32.exe (command line C:\Windows\system32\Pdoofl32.exe, PID 5904)
100. C:\Windows\SysWOW64\Qciebg32.exe (command line C:\Windows\system32\Qciebg32.exe, PID 5948)
101. C:\Windows\SysWOW64\Qdhalj32.exe (command line C:\Windows\system32\Qdhalj32.exe, PID 5992): Drops file in System32 directory; Modifies registry class
102. C:\Windows\SysWOW64\Aiejda32.exe (command line C:\Windows\system32\Aiejda32.exe, PID 6040)
103. C:\Windows\SysWOW64\Bgbmdd32.exe (command line C:\Windows\system32\Bgbmdd32.exe, PID 6084): Adds autorun key to be loaded by Explorer.exe on startup
104. C:\Windows\SysWOW64\Bloflk32.exe (command line C:\Windows\system32\Bloflk32.exe, PID 6128)
105. C:\Windows\SysWOW64\Bnobfn32.exe (command line C:\Windows\system32\Bnobfn32.exe, PID 5160): Modifies registry class
106. C:\Windows\SysWOW64\Cqfahh32.exe (command line C:\Windows\system32\Cqfahh32.exe, PID 5228)
107. C:\Windows\SysWOW64\Cmmbmiag.exe (command line C:\Windows\system32\Cmmbmiag.exe, PID 5320): Drops file in System32 directory
108. C:\Windows\SysWOW64\Djoohk32.exe (command line C:\Windows\system32\Djoohk32.exe, PID 1696): Modifies registry class
109. C:\Windows\SysWOW64\Emdaee32.exe (command line C:\Windows\system32\Emdaee32.exe, PID 5440): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
110. C:\Windows\SysWOW64\Eabjkdcc.exe (command line C:\Windows\system32\Eabjkdcc.exe, PID 5512)
111. C:\Windows\SysWOW64\Ejkndijd.exe (command line C:\Windows\system32\Ejkndijd.exe, PID 5580)
112. C:\Windows\SysWOW64\Eljknl32.exe (command line C:\Windows\system32\Eljknl32.exe, PID 5652): Drops file in System32 directory
113. C:\Windows\SysWOW64\Emlgedge.exe (command line C:\Windows\system32\Emlgedge.exe, PID 5720)
114. C:\Windows\SysWOW64\Fnkdpgnh.exe (command line C:\Windows\system32\Fnkdpgnh.exe, PID 5788)
115. C:\Windows\SysWOW64\Fhchhm32.exe (command line C:\Windows\system32\Fhchhm32.exe, PID 5856)
116. C:\Windows\SysWOW64\Fcjimnjl.exe (command line C:\Windows\system32\Fcjimnjl.exe, PID 5936): Modifies registry class
117. C:\Windows\SysWOW64\Fmejlcoj.exe (command line C:\Windows\system32\Fmejlcoj.exe, PID 6000)
118. C:\Windows\SysWOW64\Fhjoilop.exe (command line C:\Windows\system32\Fhjoilop.exe, PID 6068)
119. C:\Windows\SysWOW64\Gmjcgb32.exe (command line C:\Windows\system32\Gmjcgb32.exe, PID 6140)
120. C:\Windows\SysWOW64\Hejono32.exe (command line C:\Windows\system32\Hejono32.exe, PID 5220): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
121. C:\Windows\SysWOW64\Hkggfe32.exe (command line C:\Windows\system32\Hkggfe32.exe, PID 3996)
122. C:\Windows\SysWOW64\Hkiclepa.exe (command line C:\Windows\system32\Hkiclepa.exe, PID 5420): Adds autorun key to be loaded by Explorer.exe on startup