Analysis
-
max time kernel
100s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:43
Behavioral task
behavioral1
Sample
62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe
-
Size
1000KB
-
MD5
62f6a85679633452f20c0721e6fada50
-
SHA1
7167b8646d14827c4f8cd8eec16ddc538a84b9cb
-
SHA256
8497915f15013a7499a26dd60370484cd2dec2e2af8d0ad2ca783d4be1f49734
-
SHA512
0d52441eebba36ee0e0e8c79e26b2d16c5760c396646f1d4f85765425142f3d103009744ece01894a1ef01c21f27363b2bc7d440356eb0812c6017e0225c9dd3
-
SSDEEP
12288:6lI7AeltHBFLPj3TmLnWrOxNuxC97hFq9o7:3HltHBFLPj368MoC9Dq9o7
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pleaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnkkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibccic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddonekbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmlkhofd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhkdmlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcicmqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mplafeil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pofjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbjkngo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmcidam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmabdibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccchof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjjod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oncofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpgmha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggbook32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmhlgmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmlkhofd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipegmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kecabifp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alfkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jidklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inlihl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddjpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgfgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolpmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmcbime.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajggomog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaqgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiaapdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdcjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fggocmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajggomog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpcfmkff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoohe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gacjadad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iojbpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miifeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofmfmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nomncpcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcjfk32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0009000000023409-6.dat family_berbew behavioral2/files/0x0008000000023415-14.dat family_berbew behavioral2/files/0x0007000000023417-22.dat family_berbew behavioral2/files/0x000700000002341b-39.dat family_berbew behavioral2/files/0x000700000002341d-47.dat family_berbew behavioral2/files/0x0007000000023427-81.dat family_berbew behavioral2/files/0x0007000000023441-173.dat family_berbew behavioral2/files/0x0007000000023451-229.dat family_berbew behavioral2/files/0x000700000002344f-222.dat family_berbew behavioral2/files/0x000700000002344d-215.dat family_berbew behavioral2/files/0x000700000002344b-208.dat family_berbew behavioral2/files/0x0007000000023449-201.dat family_berbew behavioral2/files/0x0007000000023447-194.dat family_berbew behavioral2/files/0x0007000000023445-187.dat family_berbew behavioral2/files/0x0007000000023443-180.dat family_berbew behavioral2/files/0x000700000002343f-166.dat family_berbew behavioral2/files/0x000700000002343d-159.dat family_berbew behavioral2/files/0x000700000002343b-152.dat family_berbew behavioral2/files/0x0007000000023439-145.dat family_berbew behavioral2/files/0x0007000000023437-138.dat family_berbew behavioral2/files/0x0007000000023435-131.dat family_berbew behavioral2/files/0x0007000000023433-124.dat family_berbew behavioral2/files/0x0007000000023431-117.dat family_berbew behavioral2/files/0x000700000002342f-110.dat family_berbew behavioral2/files/0x000700000002342d-103.dat family_berbew behavioral2/files/0x000700000002342b-96.dat family_berbew behavioral2/files/0x0007000000023429-89.dat family_berbew behavioral2/files/0x0007000000023425-75.dat family_berbew behavioral2/files/0x0007000000023423-68.dat family_berbew behavioral2/files/0x0007000000023421-61.dat family_berbew behavioral2/files/0x000700000002341f-54.dat family_berbew behavioral2/files/0x0007000000023419-31.dat family_berbew behavioral2/files/0x000700000002351a-857.dat family_berbew behavioral2/files/0x0007000000023534-929.dat family_berbew behavioral2/files/0x0007000000023543-977.dat family_berbew behavioral2/files/0x000d00000002337e-1055.dat family_berbew behavioral2/files/0x0007000000023566-1108.dat family_berbew behavioral2/files/0x000700000002356c-1127.dat family_berbew behavioral2/files/0x0007000000023573-1145.dat family_berbew behavioral2/files/0x0007000000023579-1162.dat family_berbew behavioral2/files/0x000700000002357d-1175.dat family_berbew behavioral2/files/0x0007000000023581-1187.dat family_berbew behavioral2/files/0x000700000002358b-1216.dat family_berbew behavioral2/files/0x00070000000235b1-1335.dat family_berbew behavioral2/files/0x00070000000235bc-1362.dat family_berbew behavioral2/files/0x00070000000235c0-1374.dat family_berbew behavioral2/files/0x00080000000235b9-1458.dat family_berbew behavioral2/files/0x00070000000235e4-1512.dat family_berbew behavioral2/files/0x00070000000235ec-1536.dat family_berbew behavioral2/files/0x00070000000235f2-1557.dat family_berbew behavioral2/files/0x00070000000235f4-1565.dat family_berbew behavioral2/files/0x00070000000235fc-1591.dat family_berbew behavioral2/files/0x0007000000023600-1603.dat family_berbew behavioral2/files/0x0007000000023606-1622.dat family_berbew behavioral2/files/0x000700000002360c-1643.dat family_berbew behavioral2/files/0x000700000002361a-1690.dat family_berbew behavioral2/files/0x0007000000023622-1718.dat family_berbew behavioral2/files/0x000700000002362c-1753.dat family_berbew behavioral2/files/0x0007000000023630-1766.dat family_berbew behavioral2/files/0x000700000002363a-1801.dat family_berbew behavioral2/files/0x0007000000023644-1834.dat family_berbew behavioral2/files/0x000700000002364a-1853.dat family_berbew behavioral2/files/0x0007000000023650-1873.dat family_berbew behavioral2/files/0x000700000002365e-1921.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3488 Hmmhjm32.exe 4456 Iffmccbi.exe 2212 Icjmmg32.exe 2308 Ijdeiaio.exe 1408 Iannfk32.exe 2184 Icljbg32.exe 3152 Ijfboafl.exe 4780 Imdnklfp.exe 4596 Ipckgh32.exe 5080 Idofhfmm.exe 1164 Ifmcdblq.exe 2444 Iikopmkd.exe 1548 Iabgaklg.exe 4452 Ipegmg32.exe 4928 Ibccic32.exe 2232 Ijkljp32.exe 3572 Imihfl32.exe 4944 Jpgdbg32.exe 2452 Jdcpcf32.exe 3684 Jfaloa32.exe 3012 Jjmhppqd.exe 4828 Jmkdlkph.exe 1272 Jagqlj32.exe 2028 Jdemhe32.exe 1084 Jfdida32.exe 1552 Jibeql32.exe 4736 Jmnaakne.exe 3920 Jplmmfmi.exe 4040 Jbkjjblm.exe 3752 Jfffjqdf.exe 4540 Jidbflcj.exe 3564 Jmpngk32.exe 5012 Jpojcf32.exe 1244 Jbmfoa32.exe 2404 Jkdnpo32.exe 1788 Jmbklj32.exe 2908 Jangmibi.exe 4392 Jdmcidam.exe 1508 Jbocea32.exe 4384 Jkfkfohj.exe 1136 Kmegbjgn.exe 2708 Kpccnefa.exe 4836 Kbapjafe.exe 2344 Kkihknfg.exe 4832 Kmgdgjek.exe 396 Kgphpo32.exe 3652 Kinemkko.exe 1892 Kaemnhla.exe 2980 Kphmie32.exe 60 Kbfiep32.exe 4976 Kknafn32.exe 2236 Kmlnbi32.exe 4748 Kpjjod32.exe 3972 Kcifkp32.exe 3348 Kgdbkohf.exe 1884 Kmnjhioc.exe 1812 Kajfig32.exe 3908 Kdhbec32.exe 3916 Kgfoan32.exe 4152 Liekmj32.exe 4168 Lalcng32.exe 1308 Ldkojb32.exe 5052 Lcmofolg.exe 4696 Lkdggmlj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Blnoga32.exe Bdgged32.exe File created C:\Windows\SysWOW64\Bdifpa32.dll Gejopl32.exe File opened for modification C:\Windows\SysWOW64\Ngjkfd32.exe Process not Found File created C:\Windows\SysWOW64\Dgcaaddl.dll Nimbkc32.exe File created C:\Windows\SysWOW64\Fmndpq32.exe Ffclcgfn.exe File created C:\Windows\SysWOW64\Fnmnbf32.dll Ddonekbl.exe File opened for modification C:\Windows\SysWOW64\Joffnk32.exe Jgonlm32.exe File opened for modification C:\Windows\SysWOW64\Bdgged32.exe Bahkih32.exe File created C:\Windows\SysWOW64\Jcmdaljn.exe Ipoheakj.exe File opened for modification C:\Windows\SysWOW64\Mncmjfmk.exe Mkepnjng.exe File created C:\Windows\SysWOW64\Eekaebcm.exe Ekemhj32.exe File opened for modification C:\Windows\SysWOW64\Lenicahg.exe Lndagg32.exe File opened for modification C:\Windows\SysWOW64\Eiildjag.exe Edmclccp.exe File created C:\Windows\SysWOW64\Ekaapi32.exe Eehicoel.exe File created C:\Windows\SysWOW64\Hmahidnb.dll Fggfnc32.exe File created C:\Windows\SysWOW64\Ejchhgid.exe Eciplm32.exe File opened for modification C:\Windows\SysWOW64\Conclk32.exe Chdkoa32.exe File created C:\Windows\SysWOW64\Fjnnje32.dll Fafdkmap.exe File opened for modification C:\Windows\SysWOW64\Ijadbdoj.exe Igchfiof.exe File created C:\Windows\SysWOW64\Okkdic32.exe Ohmhmh32.exe File created C:\Windows\SysWOW64\Eopjfnlo.dll Process not Found File created C:\Windows\SysWOW64\Mjlcankg.dll Jagqlj32.exe File created C:\Windows\SysWOW64\Cpjljp32.dll Jkdnpo32.exe File created C:\Windows\SysWOW64\Mmgdfa32.dll Pofjpl32.exe File created C:\Windows\SysWOW64\Hgagmm32.dll Qfbobf32.exe File created C:\Windows\SysWOW64\Clgbhl32.dll Cljobphg.exe File created C:\Windows\SysWOW64\Hmmhjm32.exe 62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Jpppnp32.exe Jblpek32.exe File created C:\Windows\SysWOW64\Heapdjlp.exe Hodgkc32.exe File created C:\Windows\SysWOW64\Oalnaifk.dll Fkffog32.exe File created C:\Windows\SysWOW64\Icnpmp32.exe Iemppiab.exe File created C:\Windows\SysWOW64\Hmimkinm.dll Ogfcjm32.exe File opened for modification C:\Windows\SysWOW64\Jpdhkf32.exe Jkgpbp32.exe File created C:\Windows\SysWOW64\Lklnhlfb.exe Lcdegnep.exe File created C:\Windows\SysWOW64\Bgempgqo.dll Bbnpqk32.exe File created C:\Windows\SysWOW64\Cjpckf32.exe Ceckcp32.exe File created C:\Windows\SysWOW64\Omhebonp.dll Qlmgopjq.exe File opened for modification C:\Windows\SysWOW64\Oobfob32.exe Ohhnbhok.exe File opened for modification C:\Windows\SysWOW64\Digehphc.exe Dbnmke32.exe File created C:\Windows\SysWOW64\Pipagf32.dll Kdhbec32.exe File created C:\Windows\SysWOW64\Kmipecpd.dll Fdegandp.exe File created C:\Windows\SysWOW64\Ekamnhne.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kijjbofj.exe Kihnmohm.exe File created C:\Windows\SysWOW64\Podmed32.dll Fibojhim.exe File opened for modification C:\Windows\SysWOW64\Lnpofnhk.exe Lkabjbih.exe File opened for modification C:\Windows\SysWOW64\Qmhlgmmm.exe Qlgpod32.exe File created C:\Windows\SysWOW64\Cpdgqmnb.exe Process not Found File created C:\Windows\SysWOW64\Offdjb32.dll Ldkojb32.exe File created C:\Windows\SysWOW64\Deblhkch.dll Nbmelbid.exe File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe Ahpmjejp.exe File created C:\Windows\SysWOW64\Ebcmfjll.dll Process not Found File created C:\Windows\SysWOW64\Pkoaeldi.dll Process not Found File created C:\Windows\SysWOW64\Ghiqbiae.dll Kpjjod32.exe File created C:\Windows\SysWOW64\Fdffbake.exe Fmlneg32.exe File created C:\Windows\SysWOW64\Mgmodn32.dll Process not Found File created C:\Windows\SysWOW64\Hkjjlhle.exe Hhknpmma.exe File created C:\Windows\SysWOW64\Oilmjcon.dll Lggldm32.exe File created C:\Windows\SysWOW64\Dfbiemdb.dll Nlmdbh32.exe File created C:\Windows\SysWOW64\Dicdcemd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Anbkio32.exe Aldomc32.exe File created C:\Windows\SysWOW64\Fchddejl.exe Flnlhk32.exe File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Process not Found File created C:\Windows\SysWOW64\Phfkqkek.dll Acocaf32.exe File created C:\Windows\SysWOW64\Meebmkdh.dll Lbgalmej.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10440 13960 Process not Found 1239 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" Icgjmapi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djdflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdhedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcpem32.dll" Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnkogdb.dll" Bnnjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgejlhj.dll" Bhfonc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jidklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oncofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecqac32.dll" Cliaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phlacbfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipegmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klqcioba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efccmidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hheoid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjjghcfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmfkoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccgjopal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgnid32.dll" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djdflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaiilmd.dll" Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladfllde.dll" Hpjmnjqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjnccp.dll" Ooagno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophpeg32.dll" Kkcfid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jddnfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Diicml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojmmbg.dll" Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffkjlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jiokfpph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jcphab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll" Pnakhkol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oghppm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll" Jdemhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opemca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgnqgqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gafmaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ciafbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll" Icjmmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" Ndghmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjhedep.dll" Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkodhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpodlbng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdhedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckpaahf.dll" Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnalj32.dll" Jbbfdfkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bnoknihb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miomdk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1896 wrote to memory of 3488 1896 62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe 83 PID 1896 wrote to memory of 3488 1896 62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe 83 PID 1896 wrote to memory of 3488 1896 62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe 83 PID 3488 wrote to memory of 4456 3488 Hmmhjm32.exe 84 PID 3488 wrote to memory of 4456 3488 Hmmhjm32.exe 84 PID 3488 wrote to memory of 4456 3488 Hmmhjm32.exe 84 PID 4456 wrote to memory of 2212 4456 Iffmccbi.exe 86 PID 4456 wrote to memory of 2212 4456 Iffmccbi.exe 86 PID 4456 wrote to memory of 2212 4456 Iffmccbi.exe 86 PID 2212 wrote to memory of 2308 2212 Icjmmg32.exe 87 PID 2212 wrote to memory of 2308 2212 Icjmmg32.exe 87 PID 2212 wrote to memory of 2308 2212 Icjmmg32.exe 87 PID 2308 wrote to memory of 1408 2308 Ijdeiaio.exe 88 PID 2308 wrote to memory of 1408 2308 Ijdeiaio.exe 88 PID 2308 wrote to memory of 1408 2308 Ijdeiaio.exe 88 PID 1408 wrote to memory of 2184 1408 Iannfk32.exe 89 PID 1408 wrote to memory of 2184 1408 Iannfk32.exe 89 PID 1408 wrote to memory of 2184 1408 Iannfk32.exe 89 PID 2184 wrote to memory of 3152 2184 Icljbg32.exe 90 PID 2184 wrote to memory of 3152 2184 Icljbg32.exe 90 PID 2184 wrote to memory of 3152 2184 Icljbg32.exe 90 PID 3152 wrote to memory of 4780 3152 Ijfboafl.exe 91 PID 3152 wrote to memory of 4780 3152 Ijfboafl.exe 91 PID 3152 wrote to memory of 4780 3152 Ijfboafl.exe 91 PID 4780 wrote to memory of 4596 4780 Imdnklfp.exe 92 PID 4780 wrote to memory of 4596 4780 Imdnklfp.exe 92 PID 4780 wrote to memory of 4596 4780 Imdnklfp.exe 92 PID 4596 wrote to memory of 5080 4596 Ipckgh32.exe 93 PID 4596 wrote to memory of 5080 4596 Ipckgh32.exe 93 PID 4596 wrote to memory of 5080 4596 Ipckgh32.exe 93 PID 5080 wrote to memory of 1164 5080 Idofhfmm.exe 94 PID 5080 wrote to memory of 1164 5080 Idofhfmm.exe 94 PID 5080 wrote to memory of 1164 5080 Idofhfmm.exe 94 PID 1164 wrote to memory of 2444 1164 Ifmcdblq.exe 95 PID 1164 wrote to memory of 2444 1164 Ifmcdblq.exe 95 PID 1164 wrote to memory of 2444 1164 Ifmcdblq.exe 95 PID 2444 wrote to memory of 1548 2444 Iikopmkd.exe 96 PID 2444 wrote to memory of 1548 2444 Iikopmkd.exe 96 PID 2444 wrote to memory of 1548 2444 Iikopmkd.exe 96 PID 1548 wrote to memory of 4452 1548 Iabgaklg.exe 97 PID 1548 wrote to memory of 4452 1548 Iabgaklg.exe 97 PID 1548 wrote to memory of 4452 1548 Iabgaklg.exe 97 PID 4452 wrote to memory of 4928 4452 Ipegmg32.exe 98 PID 4452 wrote to memory of 4928 4452 Ipegmg32.exe 98 PID 4452 wrote to memory of 4928 4452 Ipegmg32.exe 98 PID 4928 wrote to memory of 2232 4928 Ibccic32.exe 99 PID 4928 wrote to memory of 2232 4928 Ibccic32.exe 99 PID 4928 wrote to memory of 2232 4928 Ibccic32.exe 99 PID 2232 wrote to memory of 3572 2232 Ijkljp32.exe 100 PID 2232 wrote to memory of 3572 2232 Ijkljp32.exe 100 PID 2232 wrote to memory of 3572 2232 Ijkljp32.exe 100 PID 3572 wrote to memory of 4944 3572 Imihfl32.exe 101 PID 3572 wrote to memory of 4944 3572 Imihfl32.exe 101 PID 3572 wrote to memory of 4944 3572 Imihfl32.exe 101 PID 4944 wrote to memory of 2452 4944 Jpgdbg32.exe 102 PID 4944 wrote to memory of 2452 4944 Jpgdbg32.exe 102 PID 4944 wrote to memory of 2452 4944 Jpgdbg32.exe 102 PID 2452 wrote to memory of 3684 2452 Jdcpcf32.exe 103 PID 2452 wrote to memory of 3684 2452 Jdcpcf32.exe 103 PID 2452 wrote to memory of 3684 2452 Jdcpcf32.exe 103 PID 3684 wrote to memory of 3012 3684 Jfaloa32.exe 104 PID 3684 wrote to memory of 3012 3684 Jfaloa32.exe 104 PID 3684 wrote to memory of 3012 3684 Jfaloa32.exe 104 PID 3012 wrote to memory of 4828 3012 Jjmhppqd.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\62f6a85679633452f20c0721e6fada50_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe23⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe26⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe27⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe28⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe29⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe30⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe31⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe32⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe33⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe34⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe35⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe37⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe38⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe40⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe41⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe42⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe43⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe44⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe45⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe46⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe47⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe48⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe49⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe50⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe51⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe52⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe53⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe55⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe56⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe57⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe58⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3908 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe60⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe61⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe62⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe64⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe65⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe66⤵PID:3444
-
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe67⤵PID:2580
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe68⤵PID:1012
-
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe69⤵PID:4896
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe70⤵PID:3860
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe71⤵PID:3900
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe72⤵PID:3688
-
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe73⤵PID:4520
-
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe74⤵PID:4228
-
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe75⤵PID:4240
-
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe76⤵PID:4952
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe77⤵
- Drops file in System32 directory
PID:3492 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe78⤵PID:1356
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe79⤵PID:5044
-
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe80⤵PID:5136
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe81⤵PID:5172
-
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe82⤵PID:5208
-
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe83⤵PID:5244
-
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe84⤵PID:5280
-
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe85⤵PID:5316
-
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe86⤵PID:5352
-
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe87⤵PID:5388
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe88⤵PID:5424
-
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe89⤵PID:5460
-
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe90⤵PID:5496
-
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe91⤵PID:5532
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe92⤵PID:5572
-
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe93⤵PID:5604
-
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe94⤵PID:5640
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe95⤵
- Drops file in System32 directory
PID:5676 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe96⤵PID:5712
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe97⤵PID:5748
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe98⤵PID:5784
-
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe99⤵PID:5820
-
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe100⤵PID:5856
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe101⤵PID:5892
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe102⤵PID:5928
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe103⤵PID:5964
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe104⤵PID:6000
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe105⤵PID:6036
-
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe106⤵PID:6072
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe107⤵PID:6108
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe108⤵PID:3224
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe109⤵PID:2784
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3568 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe111⤵PID:2412
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe112⤵PID:3628
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe113⤵PID:4764
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe114⤵PID:3024
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe115⤵
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe116⤵PID:4316
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe117⤵PID:5160
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe118⤵PID:5220
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe119⤵PID:5276
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe120⤵PID:5328
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe121⤵PID:5384
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe122⤵
- Modifies registry class
PID:5452
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-