Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:55
Behavioral task
behavioral1
Sample
67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe
-
Size
1.3MB
-
MD5
67766a96f77c08af351e490df1db8560
-
SHA1
fd912b894a8fe8194b28bd17694f9541860124f7
-
SHA256
5f78a6b19846a52c08c0591319e1248cdf7ebf3deb6662ab2cc09bcb53dcffae
-
SHA512
3d080eb22fce62daac21da733c62c68ea920e2b6113d6fdb30e2ff982f8e871d7f9a097245126b5ffc8f6e91fb4c23d47a21335fc686ed75a68b2bd6d070b5d6
-
SSDEEP
24576:C3ufvr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:C3gkB9f0VP91v92W805IPSOdKgzEoxrS
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmmfmbhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfffjqdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjqjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hboagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgikfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njljefql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gameonno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkdnpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjapmdid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmqgnhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnjjdgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgidml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaepd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcgcjnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpofpdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efneehef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfbjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijdeiaio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmgdgjek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcqjfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibjqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iakaql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfffjqdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjfcecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmbklj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgnnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mglack32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjdqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqikdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcnnaikp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmnaakne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlpbbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digkijmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckhdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fflaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqaeco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfihc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgdbkohf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgfoan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Digkijmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjjjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfhqbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdhiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjbke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqklmpdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebploj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmmhjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmlnbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjfihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Habnjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdeiaio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddbqa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndbnboqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbllkh32.exe -
Malware Dropper & Backdoor - Berbew 52 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000023283-6.dat family_berbew behavioral2/files/0x000700000002341e-15.dat family_berbew behavioral2/files/0x0007000000023421-23.dat family_berbew behavioral2/files/0x0007000000023423-25.dat family_berbew behavioral2/files/0x0007000000023425-39.dat family_berbew behavioral2/files/0x0007000000023427-47.dat family_berbew behavioral2/files/0x0007000000023429-55.dat family_berbew behavioral2/files/0x000700000002342b-62.dat family_berbew behavioral2/files/0x000700000002342d-71.dat family_berbew behavioral2/files/0x0007000000023423-31.dat family_berbew behavioral2/files/0x000700000002342f-79.dat family_berbew behavioral2/files/0x000800000002341b-88.dat family_berbew behavioral2/files/0x000700000002343d-129.dat family_berbew behavioral2/files/0x000700000002343d-135.dat family_berbew behavioral2/files/0x000700000002343f-143.dat family_berbew behavioral2/files/0x0007000000023441-150.dat family_berbew behavioral2/files/0x0007000000023443-157.dat family_berbew behavioral2/files/0x0007000000023445-164.dat family_berbew behavioral2/files/0x0007000000023447-170.dat family_berbew behavioral2/files/0x000700000002344b-185.dat family_berbew behavioral2/files/0x0007000000023451-206.dat family_berbew behavioral2/files/0x0007000000023455-219.dat family_berbew behavioral2/files/0x0007000000023457-227.dat family_berbew behavioral2/files/0x000700000002345b-241.dat family_berbew behavioral2/files/0x00070000000234c7-575.dat family_berbew behavioral2/files/0x00070000000234cb-588.dat family_berbew behavioral2/files/0x00070000000234f1-702.dat family_berbew behavioral2/files/0x00070000000234f7-719.dat family_berbew behavioral2/files/0x00070000000234fb-732.dat family_berbew behavioral2/files/0x0009000000023390-898.dat family_berbew behavioral2/files/0x000700000002354b-1018.dat family_berbew behavioral2/files/0x000700000002355d-1074.dat family_berbew behavioral2/files/0x0007000000023553-1044.dat family_berbew behavioral2/files/0x0007000000023542-989.dat family_berbew behavioral2/files/0x0009000000023385-874.dat family_berbew behavioral2/files/0x000700000002351c-827.dat family_berbew behavioral2/files/0x000700000002350f-791.dat family_berbew behavioral2/files/0x00070000000234ed-689.dat family_berbew behavioral2/files/0x00070000000234e9-677.dat family_berbew behavioral2/files/0x00070000000234df-647.dat family_berbew behavioral2/files/0x00070000000234d9-629.dat family_berbew behavioral2/files/0x00070000000234d1-604.dat family_berbew behavioral2/files/0x0007000000023459-234.dat family_berbew behavioral2/files/0x0007000000023453-213.dat family_berbew behavioral2/files/0x000700000002344f-199.dat family_berbew behavioral2/files/0x000700000002344d-192.dat family_berbew behavioral2/files/0x0007000000023449-178.dat family_berbew behavioral2/files/0x000700000002343b-127.dat family_berbew behavioral2/files/0x0007000000023439-119.dat family_berbew behavioral2/files/0x0007000000023437-111.dat family_berbew behavioral2/files/0x0007000000023435-103.dat family_berbew behavioral2/files/0x0007000000023433-96.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 5076 Cpofpdgd.exe 3080 Digkijmd.exe 4952 Dhlhjf32.exe 776 Dofpgqji.exe 3680 Dadlclim.exe 3752 Dljqpd32.exe 372 Dcdimopp.exe 1816 Debeijoc.exe 3864 Dllmfd32.exe 2684 Ebploj32.exe 4712 Eqalmafo.exe 2032 Efneehef.exe 4332 Ecbenm32.exe 4272 Ehonfc32.exe 4924 Eqfeha32.exe 3504 Fbgbpihg.exe 5004 Fjnjqfij.exe 2976 Fmmfmbhn.exe 1428 Fbioei32.exe 1036 Fjqgff32.exe 1020 Fmocba32.exe 4748 Fomonm32.exe 3512 Fbllkh32.exe 2552 Fjcclf32.exe 3708 Fmapha32.exe 3368 Fckhdk32.exe 1588 Ffjdqg32.exe 1860 Fihqmb32.exe 3908 Fqohnp32.exe 5112 Fcnejk32.exe 3696 Fflaff32.exe 2376 Fijmbb32.exe 3144 Fqaeco32.exe 4428 Gbcakg32.exe 3344 Gjjjle32.exe 364 Gimjhafg.exe 1400 Gqdbiofi.exe 3652 Gcbnejem.exe 4064 Gfqjafdq.exe 4464 Giofnacd.exe 4076 Gqfooodg.exe 1644 Gcekkjcj.exe 896 Gfcgge32.exe 1184 Giacca32.exe 1924 Gqikdn32.exe 4984 Gjapmdid.exe 3748 Gmoliohh.exe 3916 Gqkhjn32.exe 1084 Gcidfi32.exe 4296 Gfhqbe32.exe 1256 Gifmnpnl.exe 4920 Gameonno.exe 2184 Gppekj32.exe 2636 Hboagf32.exe 3276 Hjfihc32.exe 1936 Hihicplj.exe 2128 Hapaemll.exe 2064 Hcnnaikp.exe 1944 Hfljmdjc.exe 3128 Hmfbjnbp.exe 468 Habnjm32.exe 4364 Hcqjfh32.exe 2448 Hfofbd32.exe 32 Himcoo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eqfeha32.exe Ehonfc32.exe File opened for modification C:\Windows\SysWOW64\Hfljmdjc.exe Hcnnaikp.exe File opened for modification C:\Windows\SysWOW64\Nnjbke32.exe Nklfoi32.exe File created C:\Windows\SysWOW64\Kaemnhla.exe Kkkdan32.exe File created C:\Windows\SysWOW64\Lddbqa32.exe Lphfpbdi.exe File created C:\Windows\SysWOW64\Ebploj32.exe Dllmfd32.exe File opened for modification C:\Windows\SysWOW64\Gcidfi32.exe Gqkhjn32.exe File opened for modification C:\Windows\SysWOW64\Jpjqhgol.exe Jjmhppqd.exe File created C:\Windows\SysWOW64\Nphqml32.dll Kmegbjgn.exe File opened for modification C:\Windows\SysWOW64\Gqikdn32.exe Giacca32.exe File created C:\Windows\SysWOW64\Fomonm32.exe Fmocba32.exe File opened for modification C:\Windows\SysWOW64\Ipldfi32.exe Hmmhjm32.exe File opened for modification C:\Windows\SysWOW64\Lijdhiaa.exe Lgkhlnbn.exe File created C:\Windows\SysWOW64\Mgghhlhq.exe Mpmokb32.exe File created C:\Windows\SysWOW64\Digkijmd.exe Cpofpdgd.exe File created C:\Windows\SysWOW64\Jaljgidl.exe Jidbflcj.exe File created C:\Windows\SysWOW64\Nkncdifl.exe Ngcgcjnc.exe File opened for modification C:\Windows\SysWOW64\Dofpgqji.exe Dhlhjf32.exe File created C:\Windows\SysWOW64\Jcgaen32.dll Ehonfc32.exe File created C:\Windows\SysWOW64\Hjfihc32.exe Hboagf32.exe File created C:\Windows\SysWOW64\Khehmdgi.dll Lkiqbl32.exe File created C:\Windows\SysWOW64\Fmocba32.exe Fjqgff32.exe File opened for modification C:\Windows\SysWOW64\Imbaemhc.exe Ijdeiaio.exe File created C:\Windows\SysWOW64\Lihoogdd.dll Idofhfmm.exe File created C:\Windows\SysWOW64\Ogaodjbe.dll Fjnjqfij.exe File created C:\Windows\SysWOW64\Kmgdgjek.exe Kkihknfg.exe File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe Ndbnboqb.exe File created C:\Windows\SysWOW64\Cgfgaq32.dll Nkncdifl.exe File created C:\Windows\SysWOW64\Lknjmkdo.exe Lddbqa32.exe File created C:\Windows\SysWOW64\Fjnjqfij.exe Fbgbpihg.exe File opened for modification C:\Windows\SysWOW64\Fjcclf32.exe Fbllkh32.exe File opened for modification C:\Windows\SysWOW64\Kmlnbi32.exe Kgbefoji.exe File created C:\Windows\SysWOW64\Ldaeka32.exe Laciofpa.exe File created C:\Windows\SysWOW64\Mjcgohig.exe Mgekbljc.exe File created C:\Windows\SysWOW64\Gqdbiofi.exe Gimjhafg.exe File created C:\Windows\SysWOW64\Honckk32.dll Hmfbjnbp.exe File created C:\Windows\SysWOW64\Kbdmpqcb.exe Kpepcedo.exe File created C:\Windows\SysWOW64\Mgekbljc.exe Mdfofakp.exe File created C:\Windows\SysWOW64\Hfachc32.exe Hccglh32.exe File opened for modification C:\Windows\SysWOW64\Ndbnboqb.exe Nacbfdao.exe File created C:\Windows\SysWOW64\Fmapha32.exe Fjcclf32.exe File created C:\Windows\SysWOW64\Ekfnlmai.dll Fqohnp32.exe File opened for modification C:\Windows\SysWOW64\Lphfpbdi.exe Lnjjdgee.exe File created C:\Windows\SysWOW64\Njcqqgjb.dll Mjeddggd.exe File created C:\Windows\SysWOW64\Kdffocib.exe Kmlnbi32.exe File opened for modification C:\Windows\SysWOW64\Kgdbkohf.exe Kdffocib.exe File created C:\Windows\SysWOW64\Nqklmpdd.exe Nnmopdep.exe File created C:\Windows\SysWOW64\Cfjbmnlq.dll Fihqmb32.exe File created C:\Windows\SysWOW64\Hpbjkl32.dll Fcnejk32.exe File created C:\Windows\SysWOW64\Mngoghpn.dll Gameonno.exe File created C:\Windows\SysWOW64\Kpccnefa.exe Kmegbjgn.exe File created C:\Windows\SysWOW64\Ffjdqg32.exe Fckhdk32.exe File created C:\Windows\SysWOW64\Geekfi32.dll Himcoo32.exe File opened for modification C:\Windows\SysWOW64\Hmmhjm32.exe Hjolnb32.exe File opened for modification C:\Windows\SysWOW64\Maohkd32.exe Mjhqjg32.exe File opened for modification C:\Windows\SysWOW64\Mcbahlip.exe Maaepd32.exe File opened for modification C:\Windows\SysWOW64\Gbcakg32.exe Fqaeco32.exe File opened for modification C:\Windows\SysWOW64\Iiibkn32.exe Ijfboafl.exe File created C:\Windows\SysWOW64\Ogijli32.dll Lgkhlnbn.exe File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe Mgekbljc.exe File opened for modification C:\Windows\SysWOW64\Lpocjdld.exe Lmqgnhmp.exe File created C:\Windows\SysWOW64\Liggbi32.exe Lgikfn32.exe File opened for modification C:\Windows\SysWOW64\Laalifad.exe Lijdhiaa.exe File created C:\Windows\SysWOW64\Geegicjl.dll Mglack32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6380 6180 WerFault.exe 258 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaemnhla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmqgnhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmocba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll" Ijfboafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll" Lknjmkdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcbahlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll" Hfofbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" Nklfoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll" Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipldfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdmegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndbnboqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmocba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gifmnpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcnnaikp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Himcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hadkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll" Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" Lgkhlnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" Lcbiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dllmfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fqaeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqdbiofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll" Ijdeiaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iakaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fomonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gjjjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll" Iikopmkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gameonno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hboagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll" Eqalmafo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll" Fqohnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnjjdgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpjqhgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll" Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nacbfdao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjcclf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdfofakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmlnbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mahbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnjbke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjjjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gqikdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" Lijdhiaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll" Fmocba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqfooodg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkfkfohj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmegbjgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll" Lnjjdgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" Mdkhapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll" Gfqjafdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmoliohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbgbpihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll" Jplmmfmi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1616 wrote to memory of 5076 1616 67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe 82 PID 1616 wrote to memory of 5076 1616 67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe 82 PID 1616 wrote to memory of 5076 1616 67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe 82 PID 5076 wrote to memory of 3080 5076 Cpofpdgd.exe 83 PID 5076 wrote to memory of 3080 5076 Cpofpdgd.exe 83 PID 5076 wrote to memory of 3080 5076 Cpofpdgd.exe 83 PID 3080 wrote to memory of 4952 3080 Digkijmd.exe 84 PID 3080 wrote to memory of 4952 3080 Digkijmd.exe 84 PID 3080 wrote to memory of 4952 3080 Digkijmd.exe 84 PID 4952 wrote to memory of 776 4952 Dhlhjf32.exe 85 PID 4952 wrote to memory of 776 4952 Dhlhjf32.exe 85 PID 4952 wrote to memory of 776 4952 Dhlhjf32.exe 85 PID 776 wrote to memory of 3680 776 Dofpgqji.exe 86 PID 776 wrote to memory of 3680 776 Dofpgqji.exe 86 PID 776 wrote to memory of 3680 776 Dofpgqji.exe 86 PID 3680 wrote to memory of 3752 3680 Dadlclim.exe 87 PID 3680 wrote to memory of 3752 3680 Dadlclim.exe 87 PID 3680 wrote to memory of 3752 3680 Dadlclim.exe 87 PID 3752 wrote to memory of 372 3752 Dljqpd32.exe 88 PID 3752 wrote to memory of 372 3752 Dljqpd32.exe 88 PID 3752 wrote to memory of 372 3752 Dljqpd32.exe 88 PID 372 wrote to memory of 1816 372 Dcdimopp.exe 89 PID 372 wrote to memory of 1816 372 Dcdimopp.exe 89 PID 372 wrote to memory of 1816 372 Dcdimopp.exe 89 PID 1816 wrote to memory of 3864 1816 Debeijoc.exe 90 PID 1816 wrote to memory of 3864 1816 Debeijoc.exe 90 PID 1816 wrote to memory of 3864 1816 Debeijoc.exe 90 PID 3864 wrote to memory of 2684 3864 Dllmfd32.exe 92 PID 3864 wrote to memory of 2684 3864 Dllmfd32.exe 92 PID 3864 wrote to memory of 2684 3864 Dllmfd32.exe 92 PID 2684 wrote to memory of 4712 2684 Ebploj32.exe 93 PID 2684 wrote to memory of 4712 2684 Ebploj32.exe 93 PID 2684 wrote to memory of 4712 2684 Ebploj32.exe 93 PID 4712 wrote to memory of 2032 4712 Eqalmafo.exe 94 PID 4712 wrote to memory of 2032 4712 Eqalmafo.exe 94 PID 4712 wrote to memory of 2032 4712 Eqalmafo.exe 94 PID 2032 wrote to memory of 4332 2032 Efneehef.exe 96 PID 2032 wrote to memory of 4332 2032 Efneehef.exe 96 PID 2032 wrote to memory of 4332 2032 Efneehef.exe 96 PID 4332 wrote to memory of 4272 4332 Ecbenm32.exe 97 PID 4332 wrote to memory of 4272 4332 Ecbenm32.exe 97 PID 4332 wrote to memory of 4272 4332 Ecbenm32.exe 97 PID 4272 wrote to memory of 4924 4272 Ehonfc32.exe 98 PID 4272 wrote to memory of 4924 4272 Ehonfc32.exe 98 PID 4272 wrote to memory of 4924 4272 Ehonfc32.exe 98 PID 4924 wrote to memory of 3504 4924 Eqfeha32.exe 99 PID 4924 wrote to memory of 3504 4924 Eqfeha32.exe 99 PID 4924 wrote to memory of 3504 4924 Eqfeha32.exe 99 PID 3504 wrote to memory of 5004 3504 Fbgbpihg.exe 100 PID 3504 wrote to memory of 5004 3504 Fbgbpihg.exe 100 PID 3504 wrote to memory of 5004 3504 Fbgbpihg.exe 100 PID 5004 wrote to memory of 2976 5004 Fjnjqfij.exe 101 PID 5004 wrote to memory of 2976 5004 Fjnjqfij.exe 101 PID 5004 wrote to memory of 2976 5004 Fjnjqfij.exe 101 PID 2976 wrote to memory of 1428 2976 Fmmfmbhn.exe 102 PID 2976 wrote to memory of 1428 2976 Fmmfmbhn.exe 102 PID 2976 wrote to memory of 1428 2976 Fmmfmbhn.exe 102 PID 1428 wrote to memory of 1036 1428 Fbioei32.exe 103 PID 1428 wrote to memory of 1036 1428 Fbioei32.exe 103 PID 1428 wrote to memory of 1036 1428 Fbioei32.exe 103 PID 1036 wrote to memory of 1020 1036 Fjqgff32.exe 104 PID 1036 wrote to memory of 1020 1036 Fjqgff32.exe 104 PID 1036 wrote to memory of 1020 1036 Fjqgff32.exe 104 PID 1020 wrote to memory of 4748 1020 Fmocba32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\67766a96f77c08af351e490df1db8560_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3512 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe26⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3368 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe33⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe35⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3344 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:364 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe39⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe41⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe44⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3748 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe50⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe54⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe57⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe58⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe60⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3128 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:32 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe66⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3952 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe68⤵PID:4048
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe69⤵PID:532
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe70⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe72⤵
- Modifies registry class
PID:4452 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4344 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe74⤵PID:5032
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe75⤵PID:1940
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe77⤵PID:5160
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe78⤵PID:5196
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe80⤵PID:5272
-
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe81⤵PID:5304
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe82⤵PID:5340
-
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:5376 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5448 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe86⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe87⤵
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe88⤵
- Drops file in System32 directory
PID:5764 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe89⤵
- Modifies registry class
PID:5812 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe90⤵PID:5852
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe92⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5984 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:6028 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe95⤵PID:6068
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5244 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe99⤵PID:5180
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe100⤵PID:440
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe103⤵PID:5052
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe104⤵
- Drops file in System32 directory
PID:3280 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3604 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe106⤵
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe107⤵PID:756
-
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe108⤵
- Drops file in System32 directory
PID:3424 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe109⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe110⤵PID:2160
-
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe111⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5468 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe115⤵PID:5908
-
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe116⤵PID:5476
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe119⤵PID:5296
-
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe121⤵PID:4660
-
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe122⤵PID:6016
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-