Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 22:39
Behavioral task
behavioral1
Sample
2d1998ffcaaf50b7c8884da0d9be74e0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2d1998ffcaaf50b7c8884da0d9be74e0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2d1998ffcaaf50b7c8884da0d9be74e0_NeikiAnalytics.exe
-
Size
208KB
-
MD5
2d1998ffcaaf50b7c8884da0d9be74e0
-
SHA1
55dbbfc30d90145a38889f113a0455455f9defb2
-
SHA256
b6d111ffea7eba0c2b11a7ed380a5e51cd3cf9ff1df548d13aac2f43fa7be672
-
SHA512
a744332825d0a32378bd31a51ce3784cfd25e22cf39c879c9b147d06cc892dba7e94f3dfeff164ea22e805243ea4090cb5bf4c33e3a97a41671ef122f5d59894
-
SSDEEP
6144:9rI7LFCoDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:KQChtMtkM71r1MSXqPix55Kx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkljak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifjnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onholckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndokbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemcjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amddjegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgdokkfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjjnae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkomneim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpaldog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpoefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipabjil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbbch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anpncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqkdcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oponmilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddecc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malgcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000c00000002343a-6.dat family_berbew behavioral2/files/0x0007000000023444-14.dat family_berbew behavioral2/files/0x0007000000023446-22.dat family_berbew behavioral2/files/0x0007000000023448-30.dat family_berbew behavioral2/files/0x000700000002344a-39.dat family_berbew behavioral2/files/0x000700000002344c-46.dat family_berbew behavioral2/files/0x000700000002344e-54.dat family_berbew behavioral2/files/0x0007000000023450-62.dat family_berbew behavioral2/files/0x0007000000023452-70.dat family_berbew behavioral2/files/0x0007000000023454-73.dat family_berbew behavioral2/files/0x0007000000023456-86.dat family_berbew behavioral2/files/0x0007000000023458-94.dat family_berbew behavioral2/files/0x000700000002345b-102.dat family_berbew behavioral2/files/0x000700000002345d-110.dat family_berbew behavioral2/files/0x000700000002345f-118.dat family_berbew behavioral2/files/0x0007000000023461-126.dat family_berbew behavioral2/files/0x0007000000023463-134.dat family_berbew behavioral2/files/0x0007000000023465-142.dat family_berbew behavioral2/files/0x0007000000023467-150.dat family_berbew behavioral2/files/0x0007000000023469-158.dat family_berbew behavioral2/files/0x000700000002346b-166.dat family_berbew behavioral2/files/0x000700000002346d-174.dat family_berbew behavioral2/files/0x0008000000023441-182.dat family_berbew behavioral2/files/0x0007000000023470-190.dat family_berbew behavioral2/files/0x0007000000023472-198.dat family_berbew behavioral2/files/0x0007000000023474-206.dat family_berbew behavioral2/files/0x0007000000023477-214.dat family_berbew behavioral2/files/0x0007000000023479-223.dat family_berbew behavioral2/files/0x000700000002347b-230.dat family_berbew behavioral2/files/0x000700000002347d-239.dat family_berbew behavioral2/files/0x000700000002347f-247.dat family_berbew behavioral2/files/0x0007000000023481-253.dat family_berbew behavioral2/files/0x0007000000023487-269.dat family_berbew behavioral2/files/0x00070000000234b6-412.dat family_berbew behavioral2/files/0x00070000000234c0-437.dat family_berbew behavioral2/files/0x00070000000234d2-490.dat family_berbew behavioral2/files/0x00070000000234de-527.dat family_berbew behavioral2/files/0x0007000000023501-650.dat family_berbew behavioral2/files/0x0007000000023507-670.dat family_berbew behavioral2/files/0x000700000002350e-696.dat family_berbew behavioral2/files/0x0007000000023535-828.dat family_berbew behavioral2/files/0x0007000000023557-939.dat family_berbew behavioral2/files/0x0007000000023560-973.dat family_berbew behavioral2/files/0x000700000002356a-1005.dat family_berbew behavioral2/files/0x0007000000023570-1026.dat family_berbew behavioral2/files/0x0007000000023576-1046.dat family_berbew behavioral2/files/0x000700000002357a-1060.dat family_berbew behavioral2/files/0x0007000000023587-1099.dat family_berbew behavioral2/files/0x000700000002358f-1126.dat family_berbew behavioral2/files/0x0007000000023595-1146.dat family_berbew behavioral2/files/0x000700000002359b-1166.dat family_berbew behavioral2/files/0x00070000000235c0-1336.dat family_berbew behavioral2/files/0x00070000000235c4-1349.dat family_berbew behavioral2/files/0x00070000000235e5-1452.dat family_berbew behavioral2/files/0x00070000000235e7-1459.dat family_berbew behavioral2/files/0x00070000000235f5-1506.dat family_berbew behavioral2/files/0x000700000002362b-1677.dat family_berbew behavioral2/files/0x000700000002364a-1794.dat family_berbew behavioral2/files/0x0007000000023654-1828.dat family_berbew behavioral2/files/0x00070000000236d5-2269.dat family_berbew behavioral2/files/0x000700000002370a-2433.dat family_berbew behavioral2/files/0x0007000000023710-2451.dat family_berbew behavioral2/files/0x0007000000023712-2459.dat family_berbew behavioral2/files/0x000700000002371e-2497.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3264 Ijkljp32.exe 3288 Jpgdbg32.exe 3108 Jbfpobpb.exe 4808 Jfaloa32.exe 2912 Jpjqhgol.exe 2100 Jbhmdbnp.exe 3096 Jaimbj32.exe 2876 Jbkjjblm.exe 2652 Jidbflcj.exe 2716 Jaljgidl.exe 1412 Jbmfoa32.exe 3956 Jigollag.exe 1880 Jpaghf32.exe 4572 Jbocea32.exe 2924 Kmegbjgn.exe 448 Kaqcbi32.exe 4604 Kkihknfg.exe 1996 Kmgdgjek.exe 404 Kpepcedo.exe 1556 Kinemkko.exe 4696 Kphmie32.exe 4012 Kbfiep32.exe 4040 Kipabjil.exe 1636 Kpjjod32.exe 1860 Kgdbkohf.exe 3952 Kibnhjgj.exe 3364 Kajfig32.exe 3344 Kdhbec32.exe 388 Kkbkamnl.exe 3300 Lmqgnhmp.exe 3232 Lpocjdld.exe 1528 Lgikfn32.exe 4496 Lpappc32.exe 3092 Ldmlpbbj.exe 1884 Lkgdml32.exe 1976 Lnepih32.exe 4412 Lpcmec32.exe 3908 Lcbiao32.exe 3972 Lkiqbl32.exe 2308 Lnhmng32.exe 384 Lpfijcfl.exe 1616 Ldaeka32.exe 3864 Lgpagm32.exe 2084 Ljnnch32.exe 1188 Lnjjdgee.exe 3868 Lphfpbdi.exe 4200 Lcgblncm.exe 3704 Lgbnmm32.exe 4292 Mjqjih32.exe 5044 Mnlfigcc.exe 1924 Mpkbebbf.exe 3144 Mciobn32.exe 1440 Mgekbljc.exe 3612 Mkpgck32.exe 3964 Mnocof32.exe 1640 Mpmokb32.exe 1472 Mdiklqhm.exe 2304 Mgghhlhq.exe 5072 Mkbchk32.exe 460 Mamleegg.exe 3804 Mpolqa32.exe 4516 Mcnhmm32.exe 4600 Mjhqjg32.exe 2684 Maohkd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fhccdhqf.dll Kfankifm.exe File created C:\Windows\SysWOW64\Ghilmi32.dll Ceckcp32.exe File created C:\Windows\SysWOW64\Gdgfce32.exe Gahjgj32.exe File opened for modification C:\Windows\SysWOW64\Hpofii32.exe Process not Found File created C:\Windows\SysWOW64\Hglipp32.exe Hdnldd32.exe File opened for modification C:\Windows\SysWOW64\Pqcjepfo.exe Pjjahe32.exe File created C:\Windows\SysWOW64\Impjjbmh.dll Amhfkopc.exe File created C:\Windows\SysWOW64\Gmdjapgb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jjgchm32.exe Process not Found File created C:\Windows\SysWOW64\Eemnff32.dll Process not Found File created C:\Windows\SysWOW64\Mglpdp32.dll Process not Found File created C:\Windows\SysWOW64\Jcoiaikp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Maaepd32.exe Mjjmog32.exe File opened for modification C:\Windows\SysWOW64\Fckajehi.exe Fhemmlhc.exe File created C:\Windows\SysWOW64\Dlaebn32.dll Jgfdmlcm.exe File created C:\Windows\SysWOW64\Dmdnjdgj.dll Diicml32.exe File created C:\Windows\SysWOW64\Abjfai32.dll Process not Found File created C:\Windows\SysWOW64\Jlgoek32.exe Process not Found File created C:\Windows\SysWOW64\Eegdfm32.dll Acocaf32.exe File created C:\Windows\SysWOW64\Ngknngal.dll Gododflk.exe File created C:\Windows\SysWOW64\Ceacpg32.dll Ipknlb32.exe File opened for modification C:\Windows\SysWOW64\Ifihif32.exe Inbqhhfj.exe File created C:\Windows\SysWOW64\Jkimho32.exe Process not Found File created C:\Windows\SysWOW64\Lciibdmj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kkbkamnl.exe Kdhbec32.exe File created C:\Windows\SysWOW64\Hbpphi32.exe Hoadkn32.exe File created C:\Windows\SysWOW64\Kmnoab32.dll Kelkaj32.exe File created C:\Windows\SysWOW64\Achgjc32.dll Kjhcjq32.exe File opened for modification C:\Windows\SysWOW64\Kinmcg32.exe Kecabifp.exe File created C:\Windows\SysWOW64\Jlolpq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jaljgidl.exe Jidbflcj.exe File opened for modification C:\Windows\SysWOW64\Ekemhj32.exe Ehgqln32.exe File created C:\Windows\SysWOW64\Madnnmem.dll Liddbc32.exe File created C:\Windows\SysWOW64\Idhmabfb.dll Jdedak32.exe File opened for modification C:\Windows\SysWOW64\Jngbjd32.exe Process not Found File created C:\Windows\SysWOW64\Lfebfnqn.dll Process not Found File created C:\Windows\SysWOW64\Hifcgion.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mjjmog32.exe Mkgmcjld.exe File created C:\Windows\SysWOW64\Gcfqfc32.exe Gokdeeec.exe File created C:\Windows\SysWOW64\Mhagfo32.dll Fggfnc32.exe File created C:\Windows\SysWOW64\Mbedga32.exe Mpghkf32.exe File created C:\Windows\SysWOW64\Qdphngfl.exe Process not Found File created C:\Windows\SysWOW64\Kafkmp32.dll Process not Found File created C:\Windows\SysWOW64\Hapfpelh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gicinj32.exe Gdhmnlcj.exe File created C:\Windows\SysWOW64\Hledan32.dll Jmbdbd32.exe File created C:\Windows\SysWOW64\Hcaihm32.dll Mnlnbl32.exe File opened for modification C:\Windows\SysWOW64\Hkicaahi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hiacacpg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cfnjpfcl.exe Process not Found File created C:\Windows\SysWOW64\Kipkhdeq.exe Kfankifm.exe File created C:\Windows\SysWOW64\Ibifekgh.dll Hdkidohn.exe File created C:\Windows\SysWOW64\Ihbdplfi.exe Iqklon32.exe File created C:\Windows\SysWOW64\Dpdaepai.exe Process not Found File opened for modification C:\Windows\SysWOW64\Peahgl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Likcilhh.exe Lflgmqhd.exe File created C:\Windows\SysWOW64\Gmcdffmq.exe Gigheh32.exe File opened for modification C:\Windows\SysWOW64\Mebcop32.exe Process not Found File created C:\Windows\SysWOW64\Jpgdbg32.exe Ijkljp32.exe File opened for modification C:\Windows\SysWOW64\Ldaeka32.exe Lpfijcfl.exe File created C:\Windows\SysWOW64\Bebboiqi.dll Mjjmog32.exe File created C:\Windows\SysWOW64\Anphnl32.dll Glebhjlg.exe File created C:\Windows\SysWOW64\Iokgal32.exe Igcoqocb.exe File created C:\Windows\SysWOW64\Kpcjgnhb.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 18640 18620 Process not Found 2071 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekemhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbgdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmehdam.dll" Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll" Ijkljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll" Afhohlbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkodhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emekpbca.dll" Qcdbfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcmimpk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdlom32.dll" Fdnjgmle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kinmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkogiikb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll" Jidklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikaggmii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knippe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pndohaqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdmhm32.dll" Jnkcogno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ceoibflm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opakbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhbagkn.dll" Nhlpfgbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnihcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nplkmckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgadgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekcnknf.dll" Pjmlbbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeccjdie.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkgdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elogmm32.dll" Jbeidl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Podmkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpnbog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebldil.dll" Nimbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piphgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kphmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonng32.dll" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jidklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdclcbj.dll" Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjfni32.dll" Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjjlc32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4048 wrote to memory of 3264 4048 2d1998ffcaaf50b7c8884da0d9be74e0_NeikiAnalytics.exe 85 PID 4048 wrote to memory of 3264 4048 2d1998ffcaaf50b7c8884da0d9be74e0_NeikiAnalytics.exe 85 PID 4048 wrote to memory of 3264 4048 2d1998ffcaaf50b7c8884da0d9be74e0_NeikiAnalytics.exe 85 PID 3264 wrote to memory of 3288 3264 Ijkljp32.exe 86 PID 3264 wrote to memory of 3288 3264 Ijkljp32.exe 86 PID 3264 wrote to memory of 3288 3264 Ijkljp32.exe 86 PID 3288 wrote to memory of 3108 3288 Jpgdbg32.exe 87 PID 3288 wrote to memory of 3108 3288 Jpgdbg32.exe 87 PID 3288 wrote to memory of 3108 3288 Jpgdbg32.exe 87 PID 3108 wrote to memory of 4808 3108 Jbfpobpb.exe 88 PID 3108 wrote to memory of 4808 3108 Jbfpobpb.exe 88 PID 3108 wrote to memory of 4808 3108 Jbfpobpb.exe 88 PID 4808 wrote to memory of 2912 4808 Jfaloa32.exe 89 PID 4808 wrote to memory of 2912 4808 Jfaloa32.exe 89 PID 4808 wrote to memory of 2912 4808 Jfaloa32.exe 89 PID 2912 wrote to memory of 2100 2912 Jpjqhgol.exe 90 PID 2912 wrote to memory of 2100 2912 Jpjqhgol.exe 90 PID 2912 wrote to memory of 2100 2912 Jpjqhgol.exe 90 PID 2100 wrote to memory of 3096 2100 Jbhmdbnp.exe 92 PID 2100 wrote to memory of 3096 2100 Jbhmdbnp.exe 92 PID 2100 wrote to memory of 3096 2100 Jbhmdbnp.exe 92 PID 3096 wrote to memory of 2876 3096 Jaimbj32.exe 93 PID 3096 wrote to memory of 2876 3096 Jaimbj32.exe 93 PID 3096 wrote to memory of 2876 3096 Jaimbj32.exe 93 PID 2876 wrote to memory of 2652 2876 Jbkjjblm.exe 94 PID 2876 wrote to memory of 2652 2876 Jbkjjblm.exe 94 PID 2876 wrote to memory of 2652 2876 Jbkjjblm.exe 94 PID 2652 wrote to memory of 2716 2652 Jidbflcj.exe 95 PID 2652 wrote to memory of 2716 2652 Jidbflcj.exe 95 PID 2652 wrote to memory of 2716 2652 Jidbflcj.exe 95 PID 2716 wrote to memory of 1412 2716 Jaljgidl.exe 96 PID 2716 wrote to memory of 1412 2716 Jaljgidl.exe 96 PID 2716 wrote to memory of 1412 2716 Jaljgidl.exe 96 PID 1412 wrote to memory of 3956 1412 Jbmfoa32.exe 97 PID 1412 wrote to memory of 3956 1412 Jbmfoa32.exe 97 PID 1412 wrote to memory of 3956 1412 Jbmfoa32.exe 97 PID 3956 wrote to memory of 1880 3956 Jigollag.exe 98 PID 3956 wrote to memory of 1880 3956 Jigollag.exe 98 PID 3956 wrote to memory of 1880 3956 Jigollag.exe 98 PID 1880 wrote to memory of 4572 1880 Jpaghf32.exe 99 PID 1880 wrote to memory of 4572 1880 Jpaghf32.exe 99 PID 1880 wrote to memory of 4572 1880 Jpaghf32.exe 99 PID 4572 wrote to memory of 2924 4572 Jbocea32.exe 100 PID 4572 wrote to memory of 2924 4572 Jbocea32.exe 100 PID 4572 wrote to memory of 2924 4572 Jbocea32.exe 100 PID 2924 wrote to memory of 448 2924 Kmegbjgn.exe 101 PID 2924 wrote to memory of 448 2924 Kmegbjgn.exe 101 PID 2924 wrote to memory of 448 2924 Kmegbjgn.exe 101 PID 448 wrote to memory of 4604 448 Kaqcbi32.exe 103 PID 448 wrote to memory of 4604 448 Kaqcbi32.exe 103 PID 448 wrote to memory of 4604 448 Kaqcbi32.exe 103 PID 4604 wrote to memory of 1996 4604 Kkihknfg.exe 104 PID 4604 wrote to memory of 1996 4604 Kkihknfg.exe 104 PID 4604 wrote to memory of 1996 4604 Kkihknfg.exe 104 PID 1996 wrote to memory of 404 1996 Kmgdgjek.exe 105 PID 1996 wrote to memory of 404 1996 Kmgdgjek.exe 105 PID 1996 wrote to memory of 404 1996 Kmgdgjek.exe 105 PID 404 wrote to memory of 1556 404 Kpepcedo.exe 106 PID 404 wrote to memory of 1556 404 Kpepcedo.exe 106 PID 404 wrote to memory of 1556 404 Kpepcedo.exe 106 PID 1556 wrote to memory of 4696 1556 Kinemkko.exe 107 PID 1556 wrote to memory of 4696 1556 Kinemkko.exe 107 PID 1556 wrote to memory of 4696 1556 Kinemkko.exe 107 PID 4696 wrote to memory of 4012 4696 Kphmie32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d1998ffcaaf50b7c8884da0d9be74e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2d1998ffcaaf50b7c8884da0d9be74e0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe23⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe25⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe26⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe27⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe28⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3344 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe30⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe31⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe32⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe33⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe34⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe35⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe37⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe38⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe39⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe40⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe41⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:384 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe43⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe44⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe45⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe46⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe47⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe48⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe49⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe50⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe51⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe52⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe53⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe54⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe55⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe56⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe57⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe58⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe59⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe60⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe61⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe62⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe63⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe64⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe65⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe66⤵PID:1100
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe67⤵PID:3064
-
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe68⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe69⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe70⤵PID:4424
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe71⤵PID:4796
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe72⤵PID:3164
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe73⤵PID:2948
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe74⤵PID:4608
-
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe75⤵PID:4900
-
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe76⤵PID:880
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe77⤵PID:800
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe78⤵PID:4408
-
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe79⤵PID:1476
-
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe80⤵PID:3788
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe81⤵PID:3844
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe82⤵PID:1096
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe83⤵PID:4112
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe84⤵PID:2624
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe85⤵PID:4148
-
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe86⤵PID:540
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe87⤵PID:2572
-
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe88⤵PID:3260
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe89⤵PID:5124
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe90⤵PID:5176
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe91⤵PID:5228
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe92⤵PID:5272
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe93⤵PID:5316
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe94⤵PID:5360
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe95⤵PID:5404
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe96⤵PID:5448
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe97⤵PID:5492
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe98⤵PID:5536
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe99⤵PID:5580
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe100⤵PID:5624
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe101⤵PID:5668
-
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe103⤵PID:5756
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe104⤵PID:5800
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe105⤵PID:5852
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe106⤵PID:5900
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe107⤵PID:5944
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe108⤵PID:5988
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe109⤵PID:6024
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe110⤵PID:6064
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe111⤵PID:6112
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe112⤵PID:4580
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe114⤵PID:5188
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe115⤵PID:5300
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe116⤵PID:5380
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe117⤵PID:5440
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe118⤵PID:5532
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe119⤵PID:5600
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe120⤵PID:5660
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe121⤵PID:5744
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-