Analysis
-
max time kernel
121s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:54
Behavioral task
behavioral1
Sample
674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe
-
Size
416KB
-
MD5
674def43f5f63225cd60fadf4a6e5ea0
-
SHA1
4f9ba59fb5f5a60e7cfc1578bae9d64e7f6574f3
-
SHA256
076079131f13e569f09937c7104343af45753bfa5b88416bcc80db24c3fd726c
-
SHA512
23749fa03674b5cfcc07ce39ee6b4214e6acb1e7f440e2da29ae67591d171b852814f194bce18e7c42308ce01eddc52d4258ac23b826aa34b74822c3f0eb6e79
-
SSDEEP
12288:958vaFXjYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:9uvCYJ07kE0KoFtw2gu9RxrBIUbPLwHh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eapedd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnphmkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oflgep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfdnhfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemqih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijbno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deoaid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnegggi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knalji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggldm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpjfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kldmckic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpobg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehimanbq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjiaql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhpla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nenbjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmojkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljjjqlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpgeee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Neqopnhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhkdmlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amgapeea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eobocb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodjjimm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgjmapi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daekdooc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmeal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkcfid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahnhhod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcinna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggahedjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogogcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glkmmefl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbbagk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmohno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihkpg32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022f51-6.dat family_berbew behavioral2/files/0x000700000002340f-16.dat family_berbew behavioral2/files/0x0007000000023411-23.dat family_berbew behavioral2/files/0x0007000000023413-30.dat family_berbew behavioral2/files/0x0007000000023415-38.dat family_berbew behavioral2/files/0x0007000000023417-47.dat family_berbew behavioral2/files/0x0007000000023419-55.dat family_berbew behavioral2/files/0x000700000002341b-61.dat family_berbew behavioral2/files/0x000700000002341f-79.dat family_berbew behavioral2/files/0x0007000000023421-86.dat family_berbew behavioral2/files/0x0007000000023427-107.dat family_berbew behavioral2/files/0x0007000000023429-114.dat family_berbew behavioral2/files/0x0007000000023431-142.dat family_berbew behavioral2/files/0x0007000000023439-170.dat family_berbew behavioral2/files/0x000700000002343d-184.dat family_berbew behavioral2/files/0x000700000002344b-233.dat family_berbew behavioral2/files/0x0007000000023449-226.dat family_berbew behavioral2/files/0x0007000000023447-219.dat family_berbew behavioral2/files/0x0007000000023445-212.dat family_berbew behavioral2/files/0x0007000000023443-205.dat family_berbew behavioral2/files/0x0007000000023441-198.dat family_berbew behavioral2/files/0x000700000002343f-191.dat family_berbew behavioral2/files/0x000700000002343b-177.dat family_berbew behavioral2/files/0x0007000000023437-163.dat family_berbew behavioral2/files/0x0007000000023435-156.dat family_berbew behavioral2/files/0x0007000000023433-149.dat family_berbew behavioral2/files/0x000700000002342f-135.dat family_berbew behavioral2/files/0x000700000002342d-128.dat family_berbew behavioral2/files/0x000700000002342b-121.dat family_berbew behavioral2/files/0x0007000000023425-100.dat family_berbew behavioral2/files/0x0007000000023423-93.dat family_berbew behavioral2/files/0x000700000002341d-71.dat family_berbew behavioral2/files/0x00070000000234f4-761.dat family_berbew behavioral2/files/0x0007000000023500-797.dat family_berbew behavioral2/files/0x0007000000023504-808.dat family_berbew behavioral2/files/0x000700000002350a-827.dat family_berbew behavioral2/files/0x000700000002350c-834.dat family_berbew behavioral2/files/0x000700000002351f-887.dat family_berbew behavioral2/files/0x0007000000023541-988.dat family_berbew behavioral2/files/0x0007000000023568-1108.dat family_berbew behavioral2/files/0x00070000000235de-1555.dat family_berbew behavioral2/files/0x00070000000235e2-1563.dat family_berbew behavioral2/files/0x00070000000235fe-1651.dat family_berbew behavioral2/files/0x0007000000023607-1676.dat family_berbew behavioral2/files/0x000700000002360b-1688.dat family_berbew behavioral2/files/0x0007000000023613-1712.dat family_berbew behavioral2/files/0x0007000000023615-1720.dat family_berbew behavioral2/files/0x0007000000023620-1750.dat family_berbew behavioral2/files/0x0007000000023634-1810.dat family_berbew behavioral2/files/0x000700000002366c-2012.dat family_berbew behavioral2/files/0x0007000000023670-2024.dat family_berbew behavioral2/files/0x0007000000023678-2051.dat family_berbew behavioral2/files/0x000700000002369e-2183.dat family_berbew behavioral2/files/0x00070000000236a6-2210.dat family_berbew behavioral2/files/0x00070000000236ac-2230.dat family_berbew behavioral2/files/0x00070000000236b6-2265.dat family_berbew behavioral2/files/0x00070000000236c2-2306.dat family_berbew behavioral2/files/0x00070000000236cc-2340.dat family_berbew behavioral2/files/0x00070000000236d2-2358.dat family_berbew behavioral2/files/0x00070000000236de-2396.dat family_berbew behavioral2/files/0x00070000000236e0-2406.dat family_berbew behavioral2/files/0x00070000000236e8-2432.dat family_berbew behavioral2/files/0x0007000000023702-2521.dat family_berbew behavioral2/files/0x000700000002370a-2547.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3320 Cbqlfkmi.exe 3592 Cliaoq32.exe 4848 Cklaknjd.exe 216 Cbcilkjg.exe 1308 Cafigg32.exe 4508 Chbnia32.exe 1196 Ckpjfm32.exe 3892 Colffknh.exe 2096 Cajcbgml.exe 636 Chdkoa32.exe 2352 Clpgpp32.exe 4760 Ckcgkldl.exe 1608 Cbjoljdo.exe 696 Camphf32.exe 3104 Cehkhecb.exe 4896 Chghdqbf.exe 3828 Clbceo32.exe 4200 Ckedalaj.exe 2364 Doqpak32.exe 3924 Daolnf32.exe 1240 Dekhneap.exe 5096 Dhidjpqc.exe 2868 Dldpkoil.exe 680 Docmgjhp.exe 1676 Dboigi32.exe 2800 Demecd32.exe 3988 Ddpeoafg.exe 3404 Dhkapp32.exe 3560 Dkjmlk32.exe 3836 Doeiljfn.exe 4624 Dbaemi32.exe 4912 Deoaid32.exe 4316 Ddbbeade.exe 1448 Dhnnep32.exe 2944 Dlijfneg.exe 3308 Dohfbj32.exe 4372 Dccbbhld.exe 2856 Dafbne32.exe 564 Dddojq32.exe 4968 Dhpjkojk.exe 1520 Dllfkn32.exe 4348 Dkoggkjo.exe 2328 Dceohhja.exe 1912 Dahode32.exe 968 Dedkdcie.exe 4172 Ddgkpp32.exe 3660 Dlncan32.exe 3288 Ekacmjgl.exe 924 Eolpmi32.exe 4960 Eaklidoi.exe 1420 Elppfmoo.exe 3664 Ekcpbj32.exe 2264 Ecjhcg32.exe 4768 Eamhodmf.exe 2616 Eeidoc32.exe 2668 Edkdkplj.exe 1868 Elbmlmml.exe 3368 Ekemhj32.exe 1140 Eoaihhlp.exe 1840 Eapedd32.exe 3052 Eekaebcm.exe 1664 Ednaqo32.exe 1948 Ehimanbq.exe 4576 Ekhjmiad.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iljpij32.exe Hildmn32.exe File created C:\Windows\SysWOW64\Dndfnlpc.dll Process not Found File created C:\Windows\SysWOW64\Llmglb32.dll Opdghh32.exe File opened for modification C:\Windows\SysWOW64\Emlenj32.exe Dfamapjo.exe File opened for modification C:\Windows\SysWOW64\Gohaeo32.exe Ghniielm.exe File opened for modification C:\Windows\SysWOW64\Molelb32.exe Miomdk32.exe File opened for modification C:\Windows\SysWOW64\Mbdiknlb.exe Process not Found File created C:\Windows\SysWOW64\Iigkob32.dll Lggldm32.exe File opened for modification C:\Windows\SysWOW64\Albpkc32.exe Aamknj32.exe File created C:\Windows\SysWOW64\Jkoepmnk.dll Cmjemflb.exe File created C:\Windows\SysWOW64\Foniaq32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ickchq32.exe Imakkfdg.exe File created C:\Windows\SysWOW64\Edgbbfnk.dll Kdeoemeg.exe File opened for modification C:\Windows\SysWOW64\Jngbjd32.exe Process not Found File created C:\Windows\SysWOW64\Cgifbhid.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gnnccl32.exe Process not Found File created C:\Windows\SysWOW64\Cimjkpjn.dll Process not Found File created C:\Windows\SysWOW64\Enemaimp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hcpclbfa.exe Hkikkeeo.exe File created C:\Windows\SysWOW64\Hakgmjoh.exe Goljqnpd.exe File created C:\Windows\SysWOW64\Fkldkg32.dll Nndjndbh.exe File opened for modification C:\Windows\SysWOW64\Bgnffj32.exe Process not Found File created C:\Windows\SysWOW64\Cepjip32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cdhhdlid.exe Cmnpgb32.exe File opened for modification C:\Windows\SysWOW64\Cmjemflb.exe Cfqmpl32.exe File created C:\Windows\SysWOW64\Kghlhg32.dll Ieliebnf.exe File opened for modification C:\Windows\SysWOW64\Fflohaij.exe Fneggdhg.exe File created C:\Windows\SysWOW64\Knnhjcog.exe Process not Found File created C:\Windows\SysWOW64\Dkndie32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Llnnmhfe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dhkapp32.exe Ddpeoafg.exe File created C:\Windows\SysWOW64\Bfddbh32.dll Afoeiklb.exe File created C:\Windows\SysWOW64\Okgoadbf.dll Cjbpaf32.exe File created C:\Windows\SysWOW64\Mmkkmc32.exe Mkjnfkma.exe File opened for modification C:\Windows\SysWOW64\Mgehfkop.exe Malpia32.exe File opened for modification C:\Windows\SysWOW64\Ojdnid32.exe Ohfami32.exe File created C:\Windows\SysWOW64\Obnehj32.exe Process not Found File created C:\Windows\SysWOW64\Jedeph32.exe Jbeidl32.exe File created C:\Windows\SysWOW64\Mfilim32.dll Pfjcgn32.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Process not Found File created C:\Windows\SysWOW64\Ejoigd32.dll Jjlmclqa.exe File created C:\Windows\SysWOW64\Aaohcj32.exe Albpkc32.exe File opened for modification C:\Windows\SysWOW64\Lomqcjie.exe Process not Found File created C:\Windows\SysWOW64\Ekjali32.dll Process not Found File created C:\Windows\SysWOW64\Qckcba32.dll Process not Found File created C:\Windows\SysWOW64\Nhgaocmg.dll Kfckahdj.exe File opened for modification C:\Windows\SysWOW64\Hnddgjbj.exe Hbmcbime.exe File created C:\Windows\SysWOW64\Johggfha.exe Process not Found File created C:\Windows\SysWOW64\Adgbpc32.exe Aqkgpedc.exe File created C:\Windows\SysWOW64\Bjmnoi32.exe Agoabn32.exe File created C:\Windows\SysWOW64\Lllcen32.exe Lmiciaaj.exe File created C:\Windows\SysWOW64\Cdcoim32.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Idbodn32.exe Hnhghcki.exe File opened for modification C:\Windows\SysWOW64\Dmohno32.exe Dfdpad32.exe File created C:\Windows\SysWOW64\Papbpdoi.dll Qfcfml32.exe File created C:\Windows\SysWOW64\Kbejge32.dll Baicac32.exe File opened for modification C:\Windows\SysWOW64\Cjkjpgfi.exe Cdabcm32.exe File created C:\Windows\SysWOW64\Ifkadchb.dll Edpgli32.exe File created C:\Windows\SysWOW64\Lhncdi32.exe Lbqklb32.exe File created C:\Windows\SysWOW64\Nbenoa32.dll Chlflabp.exe File created C:\Windows\SysWOW64\Jmehcnhg.dll Icifbang.exe File created C:\Windows\SysWOW64\Jpijnqkp.exe Jmknaell.exe File opened for modification C:\Windows\SysWOW64\Lohqnd32.exe Process not Found File created C:\Windows\SysWOW64\Fjjnifbl.exe Fdqfll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2856 15124 Process not Found 1559 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leldmdbk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Faihkbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll" Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmdhm32.dll" Lnnikdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foolmeif.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdhmnlcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgnilpah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdqgmmjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Loglacfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbnkonbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghghj32.dll" Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll" Geohklaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpenlneh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpiaib32.dll" Gkkojgao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aflaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljhefhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnmdme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cafigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Flngfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flngfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmfgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll" Klqcioba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpgfooop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Malpia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genaegmo.dll" Dllfkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkalchij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajhddjfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll" Lpqiemge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akejpg32.dll" Jecofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll" Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdkggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlobkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 3320 540 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 82 PID 540 wrote to memory of 3320 540 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 82 PID 540 wrote to memory of 3320 540 674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe 82 PID 3320 wrote to memory of 3592 3320 Cbqlfkmi.exe 83 PID 3320 wrote to memory of 3592 3320 Cbqlfkmi.exe 83 PID 3320 wrote to memory of 3592 3320 Cbqlfkmi.exe 83 PID 3592 wrote to memory of 4848 3592 Cliaoq32.exe 84 PID 3592 wrote to memory of 4848 3592 Cliaoq32.exe 84 PID 3592 wrote to memory of 4848 3592 Cliaoq32.exe 84 PID 4848 wrote to memory of 216 4848 Cklaknjd.exe 85 PID 4848 wrote to memory of 216 4848 Cklaknjd.exe 85 PID 4848 wrote to memory of 216 4848 Cklaknjd.exe 85 PID 216 wrote to memory of 1308 216 Cbcilkjg.exe 86 PID 216 wrote to memory of 1308 216 Cbcilkjg.exe 86 PID 216 wrote to memory of 1308 216 Cbcilkjg.exe 86 PID 1308 wrote to memory of 4508 1308 Cafigg32.exe 87 PID 1308 wrote to memory of 4508 1308 Cafigg32.exe 87 PID 1308 wrote to memory of 4508 1308 Cafigg32.exe 87 PID 4508 wrote to memory of 1196 4508 Chbnia32.exe 88 PID 4508 wrote to memory of 1196 4508 Chbnia32.exe 88 PID 4508 wrote to memory of 1196 4508 Chbnia32.exe 88 PID 1196 wrote to memory of 3892 1196 Ckpjfm32.exe 89 PID 1196 wrote to memory of 3892 1196 Ckpjfm32.exe 89 PID 1196 wrote to memory of 3892 1196 Ckpjfm32.exe 89 PID 3892 wrote to memory of 2096 3892 Colffknh.exe 90 PID 3892 wrote to memory of 2096 3892 Colffknh.exe 90 PID 3892 wrote to memory of 2096 3892 Colffknh.exe 90 PID 2096 wrote to memory of 636 2096 Cajcbgml.exe 91 PID 2096 wrote to memory of 636 2096 Cajcbgml.exe 91 PID 2096 wrote to memory of 636 2096 Cajcbgml.exe 91 PID 636 wrote to memory of 2352 636 Chdkoa32.exe 92 PID 636 wrote to memory of 2352 636 Chdkoa32.exe 92 PID 636 wrote to memory of 2352 636 Chdkoa32.exe 92 PID 2352 wrote to memory of 4760 2352 Clpgpp32.exe 93 PID 2352 wrote to memory of 4760 2352 Clpgpp32.exe 93 PID 2352 wrote to memory of 4760 2352 Clpgpp32.exe 93 PID 4760 wrote to memory of 1608 4760 Ckcgkldl.exe 94 PID 4760 wrote to memory of 1608 4760 Ckcgkldl.exe 94 PID 4760 wrote to memory of 1608 4760 Ckcgkldl.exe 94 PID 1608 wrote to memory of 696 1608 Cbjoljdo.exe 95 PID 1608 wrote to memory of 696 1608 Cbjoljdo.exe 95 PID 1608 wrote to memory of 696 1608 Cbjoljdo.exe 95 PID 696 wrote to memory of 3104 696 Camphf32.exe 96 PID 696 wrote to memory of 3104 696 Camphf32.exe 96 PID 696 wrote to memory of 3104 696 Camphf32.exe 96 PID 3104 wrote to memory of 4896 3104 Cehkhecb.exe 97 PID 3104 wrote to memory of 4896 3104 Cehkhecb.exe 97 PID 3104 wrote to memory of 4896 3104 Cehkhecb.exe 97 PID 4896 wrote to memory of 3828 4896 Chghdqbf.exe 98 PID 4896 wrote to memory of 3828 4896 Chghdqbf.exe 98 PID 4896 wrote to memory of 3828 4896 Chghdqbf.exe 98 PID 3828 wrote to memory of 4200 3828 Clbceo32.exe 99 PID 3828 wrote to memory of 4200 3828 Clbceo32.exe 99 PID 3828 wrote to memory of 4200 3828 Clbceo32.exe 99 PID 4200 wrote to memory of 2364 4200 Ckedalaj.exe 100 PID 4200 wrote to memory of 2364 4200 Ckedalaj.exe 100 PID 4200 wrote to memory of 2364 4200 Ckedalaj.exe 100 PID 2364 wrote to memory of 3924 2364 Doqpak32.exe 101 PID 2364 wrote to memory of 3924 2364 Doqpak32.exe 101 PID 2364 wrote to memory of 3924 2364 Doqpak32.exe 101 PID 3924 wrote to memory of 1240 3924 Daolnf32.exe 102 PID 3924 wrote to memory of 1240 3924 Daolnf32.exe 102 PID 3924 wrote to memory of 1240 3924 Daolnf32.exe 102 PID 1240 wrote to memory of 5096 1240 Dekhneap.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\674def43f5f63225cd60fadf4a6e5ea0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe23⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe24⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe25⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe26⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe27⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe29⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe30⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe31⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe32⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe34⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe35⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe36⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe37⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe38⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe39⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe40⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe41⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe43⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe44⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe45⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe46⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe47⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe48⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe49⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe50⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe51⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe52⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe53⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe54⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe55⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe56⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe57⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe58⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe59⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe60⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe62⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe65⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe66⤵PID:1536
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe67⤵PID:2152
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe68⤵PID:3332
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe69⤵PID:3768
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe70⤵PID:1780
-
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe71⤵PID:1596
-
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe72⤵PID:4720
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe73⤵PID:3240
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe74⤵PID:4544
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe75⤵PID:1036
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe76⤵PID:2008
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe77⤵PID:2108
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe78⤵PID:4492
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe79⤵PID:4084
-
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe80⤵PID:5020
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe81⤵
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe82⤵PID:4868
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe83⤵PID:2288
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe84⤵
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe85⤵PID:1996
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe86⤵PID:1896
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe87⤵PID:640
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe88⤵PID:3708
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe89⤵PID:3328
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe90⤵PID:3572
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe91⤵PID:5160
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe93⤵PID:5228
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe94⤵PID:5272
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe95⤵PID:5304
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe96⤵PID:5344
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe97⤵PID:5380
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe98⤵PID:5412
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe99⤵PID:5452
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe100⤵PID:5484
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe101⤵PID:5524
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe102⤵PID:5560
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe103⤵
- Modifies registry class
PID:5592 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe104⤵PID:5632
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe105⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe106⤵PID:5704
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe107⤵PID:5740
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe108⤵PID:5916
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe109⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe110⤵PID:5996
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe111⤵PID:6040
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe112⤵PID:6088
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe113⤵PID:6124
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe114⤵PID:404
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe115⤵PID:4928
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe116⤵PID:900
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe117⤵PID:1432
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe118⤵PID:628
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe119⤵PID:5188
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe120⤵PID:5092
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe121⤵
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe122⤵PID:4208
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-