Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
11-05-2024 14:15
Behavioral task
behavioral1
Sample
0ce383c87c80515ae25b35b818f82cf0_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
0ce383c87c80515ae25b35b818f82cf0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
0ce383c87c80515ae25b35b818f82cf0_NeikiAnalytics.exe
-
Size
302KB
-
MD5
0ce383c87c80515ae25b35b818f82cf0
-
SHA1
e3f0acb496f10a0f5493fff331115ae0a0e17641
-
SHA256
18dd4d57ed69ae46f36219762bb4435da00e6940bfb5683cf4cadad246c712bb
-
SHA512
f546dd3207f3b9c32c017754e87e9839375a9d9c0a2949b9b6436f26877b0369b33c35dfa2b1492515b6b7275326380f7d0bd9cd3fa73d7020c694b2b9c997b5
-
SSDEEP
6144:G1Hd52PCmyps1ZL7GNlighD4lTjZXvEQo9dfEORRAgnIlY1:G1Hd58Cmys3v8lXhuT9XvEhdfEmwlY1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpihai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigollag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kagichjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hofdacke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmoliohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhkac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fohoigfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkopnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kboljk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnhmng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggqoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhoqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cidncj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekacmjgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcllonma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmllkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jangmibi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chmeobkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Echknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhemmlhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aniajnnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgjblfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblpek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijmbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpllo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baicac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcqjfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdhiaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dakbckbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipabjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acjjfggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddbbeade.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kepelfam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgllfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjoankoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmmnjfnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnnaikp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daekdooc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcckif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhmnlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbeqmoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogjmdigk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klljnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgbfocc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbmlmml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnnanphk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmpqcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbpem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlednamo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klgqcqkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idacmfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcggpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpjqhgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aelcfilb.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000023298-6.dat family_berbew behavioral2/files/0x0007000000023428-14.dat family_berbew behavioral2/files/0x000700000002342a-22.dat family_berbew behavioral2/files/0x000700000002342c-30.dat family_berbew behavioral2/files/0x000700000002342e-39.dat family_berbew behavioral2/files/0x0007000000023430-46.dat family_berbew behavioral2/files/0x0007000000023432-54.dat family_berbew behavioral2/files/0x0007000000023434-62.dat family_berbew behavioral2/files/0x0007000000023436-70.dat family_berbew behavioral2/files/0x0007000000023438-78.dat family_berbew behavioral2/files/0x000700000002343a-86.dat family_berbew behavioral2/files/0x000700000002343c-94.dat family_berbew behavioral2/files/0x000700000002343e-102.dat family_berbew behavioral2/files/0x0007000000023440-110.dat family_berbew behavioral2/files/0x0007000000023442-118.dat family_berbew behavioral2/files/0x0007000000023444-126.dat family_berbew behavioral2/files/0x0007000000023446-135.dat family_berbew behavioral2/files/0x0007000000023448-142.dat family_berbew behavioral2/files/0x0008000000023424-150.dat family_berbew behavioral2/files/0x000700000002344b-158.dat family_berbew behavioral2/files/0x000700000002344d-166.dat family_berbew behavioral2/files/0x000700000002344f-175.dat family_berbew behavioral2/files/0x0007000000023451-183.dat family_berbew behavioral2/files/0x0007000000023453-190.dat family_berbew behavioral2/files/0x0007000000023455-198.dat family_berbew behavioral2/files/0x0007000000023458-207.dat family_berbew behavioral2/files/0x000700000002345a-215.dat family_berbew behavioral2/files/0x000700000002345c-223.dat family_berbew behavioral2/files/0x000700000002345e-230.dat family_berbew behavioral2/files/0x0007000000023460-237.dat family_berbew behavioral2/files/0x0007000000023464-250.dat family_berbew behavioral2/files/0x0007000000023462-244.dat family_berbew behavioral2/files/0x00070000000234c0-575.dat family_berbew behavioral2/files/0x00070000000234d4-645.dat family_berbew behavioral2/files/0x0007000000023516-869.dat family_berbew behavioral2/files/0x0007000000023545-1023.dat family_berbew behavioral2/files/0x000700000002354b-1044.dat family_berbew behavioral2/files/0x0007000000023557-1082.dat family_berbew behavioral2/files/0x0007000000023565-1129.dat family_berbew behavioral2/files/0x0007000000023573-1176.dat family_berbew behavioral2/files/0x000700000002358d-1263.dat family_berbew behavioral2/files/0x0007000000023591-1277.dat family_berbew behavioral2/files/0x00070000000235b8-1400.dat family_berbew behavioral2/files/0x00070000000235c1-1433.dat family_berbew behavioral2/files/0x00070000000235e1-1531.dat family_berbew behavioral2/files/0x00070000000235f8-1605.dat family_berbew behavioral2/files/0x00070000000235ff-1625.dat family_berbew behavioral2/files/0x000700000002360d-1672.dat family_berbew behavioral2/files/0x000700000002360f-1680.dat family_berbew behavioral2/files/0x0007000000023614-1692.dat family_berbew behavioral2/files/0x00080000000235c6-1713.dat family_berbew behavioral2/files/0x000700000002362e-1770.dat family_berbew behavioral2/files/0x0007000000023635-1804.dat family_berbew behavioral2/files/0x0007000000023637-1811.dat family_berbew behavioral2/files/0x0007000000023652-1907.dat family_berbew behavioral2/files/0x00070000000236a8-2191.dat family_berbew behavioral2/files/0x00070000000236c7-2286.dat family_berbew behavioral2/files/0x00070000000236cd-2307.dat family_berbew behavioral2/files/0x00070000000236e9-2396.dat family_berbew behavioral2/files/0x00070000000236ed-2410.dat family_berbew behavioral2/files/0x00070000000236f5-2437.dat family_berbew behavioral2/files/0x00070000000236f9-2450.dat family_berbew behavioral2/files/0x0007000000023701-2476.dat family_berbew behavioral2/files/0x0007000000023709-2500.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2672 Cidncj32.exe 4532 Ccmclp32.exe 840 Cekohk32.exe 3124 Dpacfd32.exe 2428 Dcopbp32.exe 1744 Dabpnlkp.exe 5104 Dcalgo32.exe 5008 Djlddi32.exe 5032 Dpemacql.exe 4116 Dcdimopp.exe 3532 Dllmfd32.exe 4236 Daifnk32.exe 2412 Dlojkddn.exe 2580 Dakbckbe.exe 4232 Elagacbk.exe 1036 Ebnoikqb.exe 980 Elccfc32.exe 3996 Eoapbo32.exe 3960 Eleplc32.exe 3832 Ehlaaddj.exe 1436 Ecbenm32.exe 4508 Emjjgbjp.exe 888 Ecdbdl32.exe 1916 Fqhbmqqg.exe 5092 Fcgoilpj.exe 3932 Fjqgff32.exe 4636 Fmocba32.exe 4652 Fomonm32.exe 2840 Fjcclf32.exe 4448 Fifdgblo.exe 3676 Fqmlhpla.exe 2556 Fckhdk32.exe 2736 Ffjdqg32.exe 1944 Fobiilai.exe 836 Fbqefhpm.exe 3104 Fflaff32.exe 1092 Fijmbb32.exe 1880 Gcpapkgp.exe 368 Gjjjle32.exe 900 Gqdbiofi.exe 4604 Giofnacd.exe 1104 Goiojk32.exe 4364 Gbgkfg32.exe 2424 Gjocgdkg.exe 4344 Gqikdn32.exe 3428 Gcggpj32.exe 384 Gfedle32.exe 2676 Gmoliohh.exe 3340 Gpnhekgl.exe 4400 Gfhqbe32.exe 1384 Gmaioo32.exe 2640 Gppekj32.exe 2980 Hboagf32.exe 4932 Hihicplj.exe 4064 Hapaemll.exe 3300 Hcnnaikp.exe 2692 Hjhfnccl.exe 3964 Habnjm32.exe 1348 Hcqjfh32.exe 4464 Hjjbcbqj.exe 4488 Hadkpm32.exe 844 Hccglh32.exe 2240 Hbeghene.exe 412 Hippdo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eleiam32.exe Ednaqo32.exe File created C:\Windows\SysWOW64\Ffjdqg32.exe Fckhdk32.exe File created C:\Windows\SysWOW64\Nqmhbpba.exe Njcpee32.exe File opened for modification C:\Windows\SysWOW64\Blfdia32.exe Bemlmgnp.exe File created C:\Windows\SysWOW64\Ecmeig32.exe Ekemhj32.exe File opened for modification C:\Windows\SysWOW64\Pqnaim32.exe Pnpemb32.exe File created C:\Windows\SysWOW64\Hdhpgj32.dll Dhfajjoj.exe File opened for modification C:\Windows\SysWOW64\Jdcpcf32.exe Iinlemia.exe File opened for modification C:\Windows\SysWOW64\Elbmlmml.exe Eeidoc32.exe File created C:\Windows\SysWOW64\Heapdjlp.exe Hbbdholl.exe File created C:\Windows\SysWOW64\Ffimfqgm.exe Fckajehi.exe File created C:\Windows\SysWOW64\Ipnalhii.exe Impepm32.exe File created C:\Windows\SysWOW64\Lcgblncm.exe Lphfpbdi.exe File created C:\Windows\SysWOW64\Qnnanphk.exe Qgciaf32.exe File opened for modification C:\Windows\SysWOW64\Fkalchij.exe Flnlhk32.exe File created C:\Windows\SysWOW64\Knkffk32.dll Fchddejl.exe File created C:\Windows\SysWOW64\Lfjhbihm.dll Chmndlge.exe File created C:\Windows\SysWOW64\Opocad32.dll Hjolnb32.exe File created C:\Windows\SysWOW64\Mglack32.exe Mdmegp32.exe File opened for modification C:\Windows\SysWOW64\Kmnjhioc.exe Kkpnlm32.exe File opened for modification C:\Windows\SysWOW64\Megdccmb.exe Mlopkm32.exe File created C:\Windows\SysWOW64\Lffhfh32.exe Klqcioba.exe File created C:\Windows\SysWOW64\Gppekj32.exe Gmaioo32.exe File created C:\Windows\SysWOW64\Hijooifk.exe Heocnk32.exe File opened for modification C:\Windows\SysWOW64\Klqcioba.exe Kmncnb32.exe File opened for modification C:\Windows\SysWOW64\Ampkof32.exe Qmmnjfnl.exe File created C:\Windows\SysWOW64\Fphbondi.dll Ebnoikqb.exe File opened for modification C:\Windows\SysWOW64\Lphfpbdi.exe Laefdf32.exe File created C:\Windows\SysWOW64\Nepgjaeg.exe Mlhbal32.exe File created C:\Windows\SysWOW64\Pgllfp32.exe Pjhlml32.exe File created C:\Windows\SysWOW64\Oimhnoch.dll Kkpnlm32.exe File created C:\Windows\SysWOW64\Kkbkamnl.exe Kgfoan32.exe File created C:\Windows\SysWOW64\Aqppkd32.exe Aeiofcji.exe File opened for modification C:\Windows\SysWOW64\Ecandfpd.exe Ekjfcipa.exe File opened for modification C:\Windows\SysWOW64\Cekohk32.exe Ccmclp32.exe File created C:\Windows\SysWOW64\Nmfgdeof.dll Obdkma32.exe File created C:\Windows\SysWOW64\Cegjejoc.dll Daaicfgd.exe File created C:\Windows\SysWOW64\Jgefkimp.dll Mlefklpj.exe File opened for modification C:\Windows\SysWOW64\Dfknkg32.exe Dhhnpjmh.exe File created C:\Windows\SysWOW64\Eagncfoj.dll Gppekj32.exe File created C:\Windows\SysWOW64\Jbfpobpb.exe Jdcpcf32.exe File created C:\Windows\SysWOW64\Hchcofhp.dll Ogljjiei.exe File opened for modification C:\Windows\SysWOW64\Ojmcld32.exe Okjbpglo.exe File created C:\Windows\SysWOW64\Lejfpelg.dll Hopnqdan.exe File opened for modification C:\Windows\SysWOW64\Hfcicmqp.exe Hoiafcic.exe File created C:\Windows\SysWOW64\Nggqoj32.exe Nqmhbpba.exe File opened for modification C:\Windows\SysWOW64\Bhikcb32.exe Bejogg32.exe File created C:\Windows\SysWOW64\Klimip32.exe Kikame32.exe File opened for modification C:\Windows\SysWOW64\Dknpmdfc.exe Dhocqigp.exe File created C:\Windows\SysWOW64\Gfkfpo32.dll Klqcioba.exe File created C:\Windows\SysWOW64\Ipqnahgf.exe Iiffen32.exe File created C:\Windows\SysWOW64\Kbapjafe.exe Kpccnefa.exe File created C:\Windows\SysWOW64\Hfifmnij.exe Hopnqdan.exe File created C:\Windows\SysWOW64\Kdnidn32.exe Klgqcqkl.exe File created C:\Windows\SysWOW64\Imgkql32.exe Ifmcdblq.exe File opened for modification C:\Windows\SysWOW64\Njacpf32.exe Ncgkcl32.exe File opened for modification C:\Windows\SysWOW64\Hbhdmd32.exe Hpihai32.exe File created C:\Windows\SysWOW64\Lijdhiaa.exe Lgkhlnbn.exe File opened for modification C:\Windows\SysWOW64\Dllfkn32.exe Dddojq32.exe File created C:\Windows\SysWOW64\Demecd32.exe Daaicfgd.exe File created C:\Windows\SysWOW64\Dkjmlk32.exe Dhkapp32.exe File opened for modification C:\Windows\SysWOW64\Ekhjmiad.exe Eleiam32.exe File created C:\Windows\SysWOW64\Kpihae32.dll Gdhmnlcj.exe File opened for modification C:\Windows\SysWOW64\Gpnhekgl.exe Gmoliohh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12536 12460 WerFault.exe 609 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qkmhlekj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohnjkj.dll" Qnnanphk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chbnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdmcidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll" Laopdgcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll" Nggjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll" Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcjkaiib.dll" Andgoobc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdmcidam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goiojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll" Ildkgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ligqhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Echknh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfpcgpae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmjqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll" Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll" Hmmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecbenm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmqmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elccfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklmno32.dll" Aacckjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll" Aqppkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qecppkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekemhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmanlfp.dll" Fohoigfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjcclf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odbgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cklaknjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dllmfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifmcdblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll" Cjmgfgdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ampkof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehlaaddj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kefkme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibojncfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmljl32.dll" Ahmlgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicplccq.dll" Bemlmgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhgjblfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jidbflcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojmcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjmif32.dll" Djlddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbdco32.dll" Cecbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhaebcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadbk32.dll" Fhemmlhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifgbnlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgkmfoj.dll" Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnepdqjg.dll" Elppfmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfhqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" Bnhjohkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddonekbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll" Ojgbfocc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiglalpk.dll" Abbpem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Deanodkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fckhdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll" Gbgkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll" Hccglh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3108 wrote to memory of 2672 3108 0ce383c87c80515ae25b35b818f82cf0_NeikiAnalytics.exe 84 PID 3108 wrote to memory of 2672 3108 0ce383c87c80515ae25b35b818f82cf0_NeikiAnalytics.exe 84 PID 3108 wrote to memory of 2672 3108 0ce383c87c80515ae25b35b818f82cf0_NeikiAnalytics.exe 84 PID 2672 wrote to memory of 4532 2672 Cidncj32.exe 85 PID 2672 wrote to memory of 4532 2672 Cidncj32.exe 85 PID 2672 wrote to memory of 4532 2672 Cidncj32.exe 85 PID 4532 wrote to memory of 840 4532 Ccmclp32.exe 86 PID 4532 wrote to memory of 840 4532 Ccmclp32.exe 86 PID 4532 wrote to memory of 840 4532 Ccmclp32.exe 86 PID 840 wrote to memory of 3124 840 Cekohk32.exe 87 PID 840 wrote to memory of 3124 840 Cekohk32.exe 87 PID 840 wrote to memory of 3124 840 Cekohk32.exe 87 PID 3124 wrote to memory of 2428 3124 Dpacfd32.exe 88 PID 3124 wrote to memory of 2428 3124 Dpacfd32.exe 88 PID 3124 wrote to memory of 2428 3124 Dpacfd32.exe 88 PID 2428 wrote to memory of 1744 2428 Dcopbp32.exe 89 PID 2428 wrote to memory of 1744 2428 Dcopbp32.exe 89 PID 2428 wrote to memory of 1744 2428 Dcopbp32.exe 89 PID 1744 wrote to memory of 5104 1744 Dabpnlkp.exe 90 PID 1744 wrote to memory of 5104 1744 Dabpnlkp.exe 90 PID 1744 wrote to memory of 5104 1744 Dabpnlkp.exe 90 PID 5104 wrote to memory of 5008 5104 Dcalgo32.exe 91 PID 5104 wrote to memory of 5008 5104 Dcalgo32.exe 91 PID 5104 wrote to memory of 5008 5104 Dcalgo32.exe 91 PID 5008 wrote to memory of 5032 5008 Djlddi32.exe 92 PID 5008 wrote to memory of 5032 5008 Djlddi32.exe 92 PID 5008 wrote to memory of 5032 5008 Djlddi32.exe 92 PID 5032 wrote to memory of 4116 5032 Dpemacql.exe 93 PID 5032 wrote to memory of 4116 5032 Dpemacql.exe 93 PID 5032 wrote to memory of 4116 5032 Dpemacql.exe 93 PID 4116 wrote to memory of 3532 4116 Dcdimopp.exe 94 PID 4116 wrote to memory of 3532 4116 Dcdimopp.exe 94 PID 4116 wrote to memory of 3532 4116 Dcdimopp.exe 94 PID 3532 wrote to memory of 4236 3532 Dllmfd32.exe 95 PID 3532 wrote to memory of 4236 3532 Dllmfd32.exe 95 PID 3532 wrote to memory of 4236 3532 Dllmfd32.exe 95 PID 4236 wrote to memory of 2412 4236 Daifnk32.exe 96 PID 4236 wrote to memory of 2412 4236 Daifnk32.exe 96 PID 4236 wrote to memory of 2412 4236 Daifnk32.exe 96 PID 2412 wrote to memory of 2580 2412 Dlojkddn.exe 97 PID 2412 wrote to memory of 2580 2412 Dlojkddn.exe 97 PID 2412 wrote to memory of 2580 2412 Dlojkddn.exe 97 PID 2580 wrote to memory of 4232 2580 Dakbckbe.exe 98 PID 2580 wrote to memory of 4232 2580 Dakbckbe.exe 98 PID 2580 wrote to memory of 4232 2580 Dakbckbe.exe 98 PID 4232 wrote to memory of 1036 4232 Elagacbk.exe 99 PID 4232 wrote to memory of 1036 4232 Elagacbk.exe 99 PID 4232 wrote to memory of 1036 4232 Elagacbk.exe 99 PID 1036 wrote to memory of 980 1036 Ebnoikqb.exe 100 PID 1036 wrote to memory of 980 1036 Ebnoikqb.exe 100 PID 1036 wrote to memory of 980 1036 Ebnoikqb.exe 100 PID 980 wrote to memory of 3996 980 Elccfc32.exe 101 PID 980 wrote to memory of 3996 980 Elccfc32.exe 101 PID 980 wrote to memory of 3996 980 Elccfc32.exe 101 PID 3996 wrote to memory of 3960 3996 Eoapbo32.exe 103 PID 3996 wrote to memory of 3960 3996 Eoapbo32.exe 103 PID 3996 wrote to memory of 3960 3996 Eoapbo32.exe 103 PID 3960 wrote to memory of 3832 3960 Eleplc32.exe 104 PID 3960 wrote to memory of 3832 3960 Eleplc32.exe 104 PID 3960 wrote to memory of 3832 3960 Eleplc32.exe 104 PID 3832 wrote to memory of 1436 3832 Ehlaaddj.exe 106 PID 3832 wrote to memory of 1436 3832 Ehlaaddj.exe 106 PID 3832 wrote to memory of 1436 3832 Ehlaaddj.exe 106 PID 1436 wrote to memory of 4508 1436 Ecbenm32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ce383c87c80515ae25b35b818f82cf0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0ce383c87c80515ae25b35b818f82cf0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe23⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe24⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe25⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe26⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe27⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe28⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe29⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe31⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe32⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe34⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe35⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe36⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe37⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe39⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe40⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe41⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe42⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe45⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe46⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe48⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe50⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe54⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe55⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe56⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe58⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe59⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe61⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe62⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe64⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe65⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe67⤵PID:4492
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe68⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe69⤵
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe70⤵PID:4272
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe71⤵PID:2064
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe72⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe73⤵PID:4028
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe74⤵PID:4172
-
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe75⤵
- Drops file in System32 directory
PID:3156 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe76⤵PID:1480
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe77⤵
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe78⤵PID:1540
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe79⤵PID:5164
-
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe81⤵PID:5268
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5312 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe83⤵PID:5352
-
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe84⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe85⤵
- Drops file in System32 directory
PID:5432 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe86⤵PID:5472
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe87⤵PID:5512
-
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5556 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe89⤵PID:5600
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe90⤵PID:5640
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe91⤵PID:5692
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe92⤵
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe93⤵PID:5772
-
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe94⤵PID:5824
-
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5868 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5912 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe97⤵
- Modifies registry class
PID:5956 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe98⤵PID:6004
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe99⤵PID:6048
-
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe100⤵
- Drops file in System32 directory
PID:6092 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe101⤵PID:6124
-
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe102⤵PID:5148
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe103⤵PID:2096
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe104⤵PID:5264
-
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5024 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe106⤵PID:5408
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe107⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe108⤵PID:5624
-
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe109⤵
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe110⤵PID:5764
-
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5908 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe113⤵PID:5940
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe114⤵PID:6032
-
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe115⤵
- Drops file in System32 directory
PID:6116 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe116⤵PID:5152
-
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe117⤵PID:5256
-
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe118⤵PID:5344
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe119⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe120⤵PID:5584
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe121⤵PID:5648
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-