Analysis
max time kernel: 140s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 03:47
Behavioral task behavioral1
Sample: e43cffa984cde39f6347cc8367a583d0_NEIKI.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: e43cffa984cde39f6347cc8367a583d0_NEIKI.exe
Resource: win10v2004-20240226-en
General
Target: e43cffa984cde39f6347cc8367a583d0_NEIKI.exe
Size: 482KB
MD5: e43cffa984cde39f6347cc8367a583d0
SHA1: c40598fc4b83903c6a85e126a65fb172c77d4ed7
SHA256: d0b20760212986acd8ee4da2278c850e64d718acc007268992a36e2b7895c87e
SHA512: d7e5a14523300208266e838e4cc3629b259a1aee44723cfe096111e92febd6b825a87318edfc5b97a23b34ea34900d0172fa1f5c55b9f7637de82a4a3201c620
SSDEEP: 12288:3vXdy7/OJSLrpV6yYP4rbpV6yYPg058KpV6yYP8OThj:yWJSLrW4XWleKW8OThj
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3704, pid_target: 3232, Process: WerFault.exe, procid_target: 400
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\e43cffa984cde39f6347cc8367a583d0_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e43cffa984cde39f6347cc8367a583d0_NEIKI.exe") PID:2252
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [level 2] C:\Windows\SysWOW64\Fbbicl32.exe (command line: C:\Windows\system32\Fbbicl32.exe) PID:4664
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 3] C:\Windows\SysWOW64\Fnkfmm32.exe (command line: C:\Windows\system32\Fnkfmm32.exe) PID:5060
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 4] C:\Windows\SysWOW64\Gkaclqkk.exe (command line: C:\Windows\system32\Gkaclqkk.exe) PID:2928
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [level 5] C:\Windows\SysWOW64\Gbnhoj32.exe (command line: C:\Windows\system32\Gbnhoj32.exe) PID:8
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 6] C:\Windows\SysWOW64\Gndick32.exe (command line: C:\Windows\system32\Gndick32.exe) PID:620
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 7] C:\Windows\SysWOW64\Geanfelc.exe (command line: C:\Windows\system32\Geanfelc.exe) PID:1776
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [level 8] C:\Windows\SysWOW64\Hpioin32.exe (command line: C:\Windows\system32\Hpioin32.exe) PID:3956
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 9] C:\Windows\SysWOW64\Hlppno32.exe (command line: C:\Windows\system32\Hlppno32.exe) PID:4124
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 10] C:\Windows\SysWOW64\Hbldphde.exe (command line: C:\Windows\system32\Hbldphde.exe) PID:1600
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [level 11] C:\Windows\SysWOW64\Hldiinke.exe (command line: C:\Windows\system32\Hldiinke.exe) PID:1252
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 12] C:\Windows\SysWOW64\Iacngdgj.exe (command line: C:\Windows\system32\Iacngdgj.exe) PID:4012
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 13] C:\Windows\SysWOW64\Ibcjqgnm.exe (command line: C:\Windows\system32\Ibcjqgnm.exe) PID:3524
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 14] C:\Windows\SysWOW64\Ilphdlqh.exe (command line: C:\Windows\system32\Ilphdlqh.exe) PID:2136
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 15] C:\Windows\SysWOW64\Jpnakk32.exe (command line: C:\Windows\system32\Jpnakk32.exe) PID:1808
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 16] C:\Windows\SysWOW64\Jocnlg32.exe (command line: C:\Windows\system32\Jocnlg32.exe) PID:1824
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 17] C:\Windows\SysWOW64\Jeocna32.exe (command line: C:\Windows\system32\Jeocna32.exe) PID:4816
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [level 18] C:\Windows\SysWOW64\Jafdcbge.exe (command line: C:\Windows\system32\Jafdcbge.exe) PID:4228
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 19] C:\Windows\SysWOW64\Khbiello.exe (command line: C:\Windows\system32\Khbiello.exe) PID:848
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [level 20] C:\Windows\SysWOW64\Kamjda32.exe (command line: C:\Windows\system32\Kamjda32.exe) PID:2720
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 21] C:\Windows\SysWOW64\Kocgbend.exe (command line: C:\Windows\system32\Kocgbend.exe) PID:3040
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 22] C:\Windows\SysWOW64\Lindkm32.exe (command line: C:\Windows\system32\Lindkm32.exe) PID:4216
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [level 23] C:\Windows\SysWOW64\Ljbnfleo.exe (command line: C:\Windows\system32\Ljbnfleo.exe) PID:3808
  - Executes dropped EXE
- [level 24] C:\Windows\SysWOW64\Llcghg32.exe (command line: C:\Windows\system32\Llcghg32.exe) PID:3980
  - Executes dropped EXE
- [level 25] C:\Windows\SysWOW64\Mhjhmhhd.exe (command line: C:\Windows\system32\Mhjhmhhd.exe) PID:892
  - Executes dropped EXE
  - Modifies registry class
- [level 26] C:\Windows\SysWOW64\Mofmobmo.exe (command line: C:\Windows\system32\Mofmobmo.exe) PID:4912
  - Executes dropped EXE
- [level 27] C:\Windows\SysWOW64\Mlofcf32.exe (command line: C:\Windows\system32\Mlofcf32.exe) PID:2240
  - Executes dropped EXE
  - Modifies registry class
- [level 28] C:\Windows\SysWOW64\Nmaciefp.exe (command line: C:\Windows\system32\Nmaciefp.exe) PID:2424
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [level 29] C:\Windows\SysWOW64\Nmcpoedn.exe (command line: C:\Windows\system32\Nmcpoedn.exe) PID:232
  - Executes dropped EXE
- [level 30] C:\Windows\SysWOW64\Njgqhicg.exe (command line: C:\Windows\system32\Njgqhicg.exe) PID:3096
  - Executes dropped EXE
- [level 31] C:\Windows\SysWOW64\Njjmni32.exe (command line: C:\Windows\system32\Njjmni32.exe) PID:3512
  - Executes dropped EXE
- [level 32] C:\Windows\SysWOW64\Ncbafoge.exe (command line: C:\Windows\system32\Ncbafoge.exe) PID:2384
  - Executes dropped EXE
- [level 33] C:\Windows\SysWOW64\Ojnfihmo.exe (command line: C:\Windows\system32\Ojnfihmo.exe) PID:1492
  - Executes dropped EXE
- [level 34] C:\Windows\SysWOW64\Ocgkan32.exe (command line: C:\Windows\system32\Ocgkan32.exe) PID:4336
  - Executes dropped EXE
  - Modifies registry class
- [level 35] C:\Windows\SysWOW64\Ocihgnam.exe (command line: C:\Windows\system32\Ocihgnam.exe) PID:1996
  - Executes dropped EXE
- [level 36] C:\Windows\SysWOW64\Oifppdpd.exe (command line: C:\Windows\system32\Oifppdpd.exe) PID:2152
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [level 37] C:\Windows\SysWOW64\Ockdmmoj.exe (command line: C:\Windows\system32\Ockdmmoj.exe) PID:1448
  - Executes dropped EXE
  - Drops file in System32 directory
- [level 38] C:\Windows\SysWOW64\Pimfpc32.exe (command line: C:\Windows\system32\Pimfpc32.exe) PID:1796
  - Executes dropped EXE
- [level 39] C:\Windows\SysWOW64\Pbekii32.exe (command line: C:\Windows\system32\Pbekii32.exe) PID:2416
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [level 40] C:\Windows\SysWOW64\Pfccogfc.exe (command line: C:\Windows\system32\Pfccogfc.exe) PID:3952
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [level 41] C:\Windows\SysWOW64\Pmphaaln.exe (command line: C:\Windows\system32\Pmphaaln.exe) PID:3232
  - Executes dropped EXE
- [level 42] C:\Windows\SysWOW64\Pciqnk32.exe (command line: C:\Windows\system32\Pciqnk32.exe) PID:2108
  - Executes dropped EXE
- [level 43] C:\Windows\SysWOW64\Qapnmopa.exe (command line: C:\Windows\system32\Qapnmopa.exe) PID:1952
  - Executes dropped EXE
- [level 44] C:\Windows\SysWOW64\Apggckbf.exe (command line: C:\Windows\system32\Apggckbf.exe) PID:1484
  - Executes dropped EXE
  - Modifies registry class
- [level 45] C:\Windows\SysWOW64\Amkhmoap.exe (command line: C:\Windows\system32\Amkhmoap.exe) PID:2872
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [level 46] C:\Windows\SysWOW64\Adepji32.exe (command line: C:\Windows\system32\Adepji32.exe) PID:2488
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [level 47] C:\Windows\SysWOW64\Abjmkf32.exe (command line: C:\Windows\system32\Abjmkf32.exe) PID:1648
  - Executes dropped EXE
- [level 48] C:\Windows\SysWOW64\Ampaho32.exe (command line: C:\Windows\system32\Ampaho32.exe) PID:4392
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [level 49] C:\Windows\SysWOW64\Bmbnnn32.exe (command line: C:\Windows\system32\Bmbnnn32.exe) PID:2904
  - Executes dropped EXE
  - Modifies registry class
- [level 50] C:\Windows\SysWOW64\Bmdkcnie.exe (command line: C:\Windows\system32\Bmdkcnie.exe) PID:4540
  - Executes dropped EXE
- [level 51] C:\Windows\SysWOW64\Binhnomg.exe (command line: C:\Windows\system32\Binhnomg.exe) PID:1636
  - Executes dropped EXE
- [level 52] C:\Windows\SysWOW64\Bkmeha32.exe (command line: C:\Windows\system32\Bkmeha32.exe) PID:4744
  - Executes dropped EXE
  - Modifies registry class
- [level 53] C:\Windows\SysWOW64\Bdeiqgkj.exe (command line: C:\Windows\system32\Bdeiqgkj.exe) PID:2312
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [level 54] C:\Windows\SysWOW64\Cienon32.exe (command line: C:\Windows\system32\Cienon32.exe) PID:3380
  - Executes dropped EXE
- [level 55] C:\Windows\SysWOW64\Cmbgdl32.exe (command line: C:\Windows\system32\Cmbgdl32.exe) PID:664
  - Executes dropped EXE
- [level 56] C:\Windows\SysWOW64\Ciihjmcj.exe (command line: C:\Windows\system32\Ciihjmcj.exe) PID:4808
  - Executes dropped EXE
- [level 57] C:\Windows\SysWOW64\Cpcpfg32.exe (command line: C:\Windows\system32\Cpcpfg32.exe) PID:3608
  - Executes dropped EXE
  - Modifies registry class
- [level 58] C:\Windows\SysWOW64\Cgmhcaac.exe (command line: C:\Windows\system32\Cgmhcaac.exe) PID:544
  - Executes dropped EXE
- [level 59] C:\Windows\SysWOW64\Cmgqpkip.exe (command line: C:\Windows\system32\Cmgqpkip.exe) PID:4716
  - Executes dropped EXE
  - Drops file in System32 directory
- [level 60] C:\Windows\SysWOW64\Dkkaiphj.exe (command line: C:\Windows\system32\Dkkaiphj.exe) PID:2248
  - Executes dropped EXE
  - Drops file in System32 directory
- [level 61] C:\Windows\SysWOW64\Daeifj32.exe (command line: C:\Windows\system32\Daeifj32.exe) PID:1752
  - Executes dropped EXE
- [level 62] C:\Windows\SysWOW64\Dknnoofg.exe (command line: C:\Windows\system32\Dknnoofg.exe) PID:3732
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [level 63] C:\Windows\SysWOW64\Dahfkimd.exe (command line: C:\Windows\system32\Dahfkimd.exe) PID:1128
  - Executes dropped EXE
- [level 64] C:\Windows\SysWOW64\Dggkipii.exe (command line: C:\Windows\system32\Dggkipii.exe) PID:3768
  - Executes dropped EXE
- [level 65] C:\Windows\SysWOW64\Daollh32.exe (command line: C:\Windows\system32\Daollh32.exe) PID:1768
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [level 66] C:\Windows\SysWOW64\Dcphdqmj.exe (command line: C:\Windows\system32\Dcphdqmj.exe) PID:3900
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 67] C:\Windows\SysWOW64\Ejjaqk32.exe (command line: C:\Windows\system32\Ejjaqk32.exe) PID:1948
- [level 68] C:\Windows\SysWOW64\Epdime32.exe (command line: C:\Windows\system32\Epdime32.exe) PID:3676
  - Modifies registry class
- [level 69] C:\Windows\SysWOW64\Ekimjn32.exe (command line: C:\Windows\system32\Ekimjn32.exe) PID:1576
  - Drops file in System32 directory
- [level 70] C:\Windows\SysWOW64\Ejojljqa.exe (command line: C:\Windows\system32\Ejojljqa.exe) PID:1136
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [level 71] C:\Windows\SysWOW64\Ejagaj32.exe (command line: C:\Windows\system32\Ejagaj32.exe) PID:4000
- [level 72] C:\Windows\SysWOW64\Edfknb32.exe (command line: C:\Windows\system32\Edfknb32.exe) PID:2900
- [level 73] C:\Windows\SysWOW64\Fnjocf32.exe (command line: C:\Windows\system32\Fnjocf32.exe) PID:3148
- [level 74] C:\Windows\SysWOW64\Gcghkm32.exe (command line: C:\Windows\system32\Gcghkm32.exe) PID:984
  - Modifies registry class
- [level 75] C:\Windows\SysWOW64\Gkefmjcj.exe (command line: C:\Windows\system32\Gkefmjcj.exe) PID:432
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 76] C:\Windows\SysWOW64\Gbpnjdkg.exe (command line: C:\Windows\system32\Gbpnjdkg.exe) PID:3592
  - Drops file in System32 directory
  - Modifies registry class
- [level 77] C:\Windows\SysWOW64\Gjkbnfha.exe (command line: C:\Windows\system32\Gjkbnfha.exe) PID:3216
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [level 78] C:\Windows\SysWOW64\Hjmodffo.exe (command line: C:\Windows\system32\Hjmodffo.exe) PID:4644
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 79] C:\Windows\SysWOW64\Hebcao32.exe (command line: C:\Windows\system32\Hebcao32.exe) PID:3588
  - Drops file in System32 directory
  - Modifies registry class
- [level 80] C:\Windows\SysWOW64\Hbknebqi.exe (command line: C:\Windows\system32\Hbknebqi.exe) PID:3312
  - Modifies registry class
- [level 81] C:\Windows\SysWOW64\Hcljmj32.exe (command line: C:\Windows\system32\Hcljmj32.exe) PID:3284
  - Drops file in System32 directory
  - Modifies registry class
- [level 82] C:\Windows\SysWOW64\Iapjgo32.exe (command line: C:\Windows\system32\Iapjgo32.exe) PID:2080
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 83] C:\Windows\SysWOW64\Infhebbh.exe (command line: C:\Windows\system32\Infhebbh.exe) PID:2448
- [level 84] C:\Windows\SysWOW64\Ijpepcfj.exe (command line: C:\Windows\system32\Ijpepcfj.exe) PID:2596
- [level 85] C:\Windows\SysWOW64\Ihceigec.exe (command line: C:\Windows\system32\Ihceigec.exe) PID:5140
- [level 86] C:\Windows\SysWOW64\Jehfcl32.exe (command line: C:\Windows\system32\Jehfcl32.exe) PID:5184
- [level 87] C:\Windows\SysWOW64\Jdmcdhhe.exe (command line: C:\Windows\system32\Jdmcdhhe.exe) PID:5228
- [level 88] C:\Windows\SysWOW64\Jjgkab32.exe (command line: C:\Windows\system32\Jjgkab32.exe) PID:5276
- [level 89] C:\Windows\SysWOW64\Jelonkph.exe (command line: C:\Windows\system32\Jelonkph.exe) PID:5320
- [level 90] C:\Windows\SysWOW64\Jlfhke32.exe (command line: C:\Windows\system32\Jlfhke32.exe) PID:5364
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 91] C:\Windows\SysWOW64\Jdalog32.exe (command line: C:\Windows\system32\Jdalog32.exe) PID:5408
- [level 92] C:\Windows\SysWOW64\Jjkdlall.exe (command line: C:\Windows\system32\Jjkdlall.exe) PID:5452
  - Modifies registry class
- [level 93] C:\Windows\SysWOW64\Jaemilci.exe (command line: C:\Windows\system32\Jaemilci.exe) PID:5496
- [level 94] C:\Windows\SysWOW64\Kdffjgpj.exe (command line: C:\Windows\system32\Kdffjgpj.exe) PID:5540
- [level 95] C:\Windows\SysWOW64\Kejloi32.exe (command line: C:\Windows\system32\Kejloi32.exe) PID:5588
- [level 96] C:\Windows\SysWOW64\Leoejh32.exe (command line: C:\Windows\system32\Leoejh32.exe) PID:5636
  - Drops file in System32 directory
- [level 97] C:\Windows\SysWOW64\Lojfin32.exe (command line: C:\Windows\system32\Lojfin32.exe) PID:5680
- [level 98] C:\Windows\SysWOW64\Ldfoad32.exe (command line: C:\Windows\system32\Ldfoad32.exe) PID:5724
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 99] C:\Windows\SysWOW64\Lkcccn32.exe (command line: C:\Windows\system32\Lkcccn32.exe) PID:5768
- [level 100] C:\Windows\SysWOW64\Ldkhlcnb.exe (command line: C:\Windows\system32\Ldkhlcnb.exe) PID:5812
- [level 101] C:\Windows\SysWOW64\Moalil32.exe (command line: C:\Windows\system32\Moalil32.exe) PID:5880
  - Drops file in System32 directory
- [level 102] C:\Windows\SysWOW64\Mhnjna32.exe (command line: C:\Windows\system32\Mhnjna32.exe) PID:5932
  - Drops file in System32 directory
- [level 103] C:\Windows\SysWOW64\Medglemj.exe (command line: C:\Windows\system32\Medglemj.exe) PID:5984
- [level 104] C:\Windows\SysWOW64\Namegfql.exe (command line: C:\Windows\system32\Namegfql.exe) PID:6028
  - Modifies registry class
- [level 105] C:\Windows\SysWOW64\Napameoi.exe (command line: C:\Windows\system32\Napameoi.exe) PID:6076
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 106] C:\Windows\SysWOW64\Odedipge.exe (command line: C:\Windows\system32\Odedipge.exe) PID:6124
- [level 107] C:\Windows\SysWOW64\Ochamg32.exe (command line: C:\Windows\system32\Ochamg32.exe) PID:5176
- [level 108] C:\Windows\SysWOW64\Pfppoa32.exe (command line: C:\Windows\system32\Pfppoa32.exe) PID:5252
- [level 109] C:\Windows\SysWOW64\Pbljoafi.exe (command line: C:\Windows\system32\Pbljoafi.exe) PID:5312
- [level 110] C:\Windows\SysWOW64\Qihoak32.exe (command line: C:\Windows\system32\Qihoak32.exe) PID:5388
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [level 111] C:\Windows\SysWOW64\Abpcja32.exe (command line: C:\Windows\system32\Abpcja32.exe) PID:5448
- [level 112] C:\Windows\SysWOW64\Alkeifga.exe (command line: C:\Windows\system32\Alkeifga.exe) PID:5528
- [level 113] C:\Windows\SysWOW64\Amkabind.exe (command line: C:\Windows\system32\Amkabind.exe) PID:5596
- [level 114] C:\Windows\SysWOW64\Aiabhj32.exe (command line: C:\Windows\system32\Aiabhj32.exe) PID:5668
  - Drops file in System32 directory
- [level 115] C:\Windows\SysWOW64\Afeban32.exe (command line: C:\Windows\system32\Afeban32.exe) PID:5732
- [level 116] C:\Windows\SysWOW64\Amoknh32.exe (command line: C:\Windows\system32\Amoknh32.exe) PID:5800
  - Adds autorun key to be loaded by Explorer.exe on startup
- [level 117] C:\Windows\SysWOW64\Bblcfo32.exe (command line: C:\Windows\system32\Bblcfo32.exe) PID:5888
  - Drops file in System32 directory
- [level 118] C:\Windows\SysWOW64\Bldgoeog.exe (command line: C:\Windows\system32\Bldgoeog.exe) PID:5960
  - Drops file in System32 directory
- [level 119] C:\Windows\SysWOW64\Blknpdho.exe (command line: C:\Windows\system32\Blknpdho.exe) PID:6036
- [level 120] C:\Windows\SysWOW64\Blnjecfl.exe (command line: C:\Windows\system32\Blnjecfl.exe) PID:6108
- [level 121] C:\Windows\SysWOW64\Cmpcdfll.exe (command line: C:\Windows\system32\Cmpcdfll.exe) PID:5160
  - Modifies registry class
- [level 122] C:\Windows\SysWOW64\Cekhihig.exe (command line: C:\Windows\system32\Cekhihig.exe) PID:5304