Analysis
max time kernel: 137s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 04:56
Behavioral task: behavioral1
Sample: acdc03f43eef384aaea6ff8dfa901df0_NeikiAnalytics.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: acdc03f43eef384aaea6ff8dfa901df0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: acdc03f43eef384aaea6ff8dfa901df0_NeikiAnalytics.exe
Size: 356KB
MD5: acdc03f43eef384aaea6ff8dfa901df0
SHA1: 62dda407c8dac038ec577e2de0740e2eac3d4836
SHA256: 8e141d06740e9b2e46d4b0a73d9b39900129156cb799cb4b82bc09db455b9ab0
SHA512: 26d0a36f19908989887f68817f8206244db3d7038503b234d45acab22cdb3a6981f4c1ee7a086f2a20b469b87d33f2fec916d15ffd49b05bba7babd9fd8c041c
SSDEEP: 6144:n0WhE6wu2+r3qc5EQpui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGckZqBy/:0Odw1+L+QpV6yYPMLnfBJKFbhDwBpV6O
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jkdnpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkpnlm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlegeemh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fbnhphbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gmmocpjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jaimbj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcggpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gifmnpnl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laefdf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpdelajl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngedij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fomonm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hihicplj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mgekbljc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mamleegg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmccchkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mamleegg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqmhbpba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ffbnph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fqhbmqqg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcpllo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mglack32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkjjij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cchiaqjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mahbje32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkbchk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Maohkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mciobn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cekohk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqmlhpla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mnfipekh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkfkfohj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nacbfdao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fomonm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfljmdjc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjmoibog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iabgaklg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hippdo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kphmie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kpjjod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fjnjqfij.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcnejk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gcggpj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjfihc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpemacql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lgbnmm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqklmpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Idacmfkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kkkdan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lnjjdgee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nqfbaq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfkoeppq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kilhgk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kacphh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdaldd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbqefhpm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfcgge32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmkdlkph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jplmmfmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kdcijcke.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqfbaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jiikak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kkpnlm32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

resource | yara_rule
behavioral2/files/0x000b000000023414-6.dat | family_berbew
behavioral2/files/0x0007000000023423-14.dat | family_berbew
behavioral2/files/0x0007000000023425-17.dat | family_berbew
behavioral2/files/0x0007000000023425-23.dat | family_berbew
behavioral2/files/0x0007000000023427-30.dat | family_berbew
behavioral2/files/0x0007000000023429-38.dat | family_berbew
behavioral2/files/0x000700000002342d-55.dat | family_berbew
behavioral2/files/0x000700000002342b-47.dat | family_berbew
behavioral2/files/0x000700000002342f-63.dat | family_berbew
behavioral2/files/0x0007000000023433-78.dat | family_berbew
behavioral2/files/0x0007000000023435-88.dat | family_berbew
behavioral2/files/0x000700000002343b-114.dat | family_berbew
behavioral2/files/0x000700000002343d-122.dat | family_berbew
behavioral2/files/0x000700000002343f-134.dat | family_berbew
behavioral2/files/0x0007000000023443-150.dat | family_berbew
behavioral2/files/0x000800000002341f-168.dat | family_berbew
behavioral2/files/0x000700000002344a-185.dat | family_berbew
behavioral2/files/0x000700000002344c-194.dat | family_berbew
behavioral2/files/0x0007000000023454-231.dat | family_berbew
behavioral2/files/0x0007000000023456-237.dat | family_berbew
behavioral2/files/0x000700000002345a-255.dat | family_berbew
behavioral2/files/0x0007000000023475-345.dat | family_berbew
behavioral2/files/0x0007000000023498-475.dat | family_berbew
behavioral2/files/0x00070000000234b1-564.dat | family_berbew
behavioral2/files/0x00070000000234b5-576.dat | family_berbew
behavioral2/files/0x00070000000234b9-592.dat | family_berbew
behavioral2/files/0x00070000000234c7-637.dat | family_berbew
behavioral2/files/0x00070000000234d3-676.dat | family_berbew
behavioral2/files/0x0007000000023503-833.dat | family_berbew
behavioral2/files/0x0007000000023511-881.dat | family_berbew
behavioral2/files/0x000700000002357f-1297.dat | family_berbew
behavioral2/files/0x0007000000023604-1751.dat | family_berbew
behavioral2/files/0x0007000000023626-1867.dat | family_berbew
behavioral2/files/0x000700000002363e-1946.dat | family_berbew
behavioral2/files/0x000700000002364e-2002.dat | family_berbew
behavioral2/files/0x000700000002364c-1994.dat | family_berbew
behavioral2/files/0x000700000002361e-1839.dat | family_berbew
behavioral2/files/0x000700000002360e-1787.dat | family_berbew
behavioral2/files/0x000700000002360c-1779.dat | family_berbew
behavioral2/files/0x0007000000023600-1737.dat | family_berbew
behavioral2/files/0x00070000000235e8-1656.dat | family_berbew
behavioral2/files/0x00070000000235e6-1648.dat | family_berbew
behavioral2/files/0x00070000000235e2-1635.dat | family_berbew
behavioral2/files/0x00070000000235e0-1627.dat | family_berbew
behavioral2/files/0x00070000000235d4-1586.dat | family_berbew
behavioral2/files/0x00070000000235d0-1573.dat | family_berbew
behavioral2/files/0x000a0000000233a0-1560.dat | family_berbew
behavioral2/files/0x00080000000235b3-1512.dat | family_berbew
behavioral2/files/0x00070000000235be-1491.dat | family_berbew
behavioral2/files/0x00070000000235b6-1472.dat | family_berbew
behavioral2/files/0x00080000000235ae-1459.dat | family_berbew
behavioral2/files/0x00070000000235a9-1433.dat | family_berbew
behavioral2/files/0x00070000000235a3-1412.dat | family_berbew
behavioral2/files/0x000700000002359f-1399.dat | family_berbew
behavioral2/files/0x000700000002359b-1387.dat | family_berbew
behavioral2/files/0x000700000002358d-1340.dat | family_berbew
behavioral2/files/0x0007000000023579-1274.dat | family_berbew
behavioral2/files/0x0007000000023574-1260.dat | family_berbew
behavioral2/files/0x00080000000233af-1240.dat | family_berbew
behavioral2/files/0x000700000002356b-1173.dat | family_berbew
behavioral2/files/0x0007000000023563-1146.dat | family_berbew
behavioral2/files/0x000700000002354f-1082.dat | family_berbew
behavioral2/files/0x000700000002354b-1068.dat | family_berbew
behavioral2/files/0x0007000000023537-1008.dat | family_berbew
Executes dropped EXE (64 IoCs)

pid | Process
2776 | Bikkml32.exe
1440 | Cpedjf32.exe
2352 | Clldogdc.exe
888 | Cpjmee32.exe
2196 | Cchiaqjm.exe
5080 | Cefemliq.exe
4964 | Chebighd.exe
2100 | Clqnjf32.exe
3568 | Cidncj32.exe
4412 | Cpofpdgd.exe
2408 | Ccmclp32.exe
1756 | Cekohk32.exe
4372 | Dlegeemh.exe
680 | Dcopbp32.exe
1620 | Denlnk32.exe
3112 | Dhlhjf32.exe
3820 | Dadlclim.exe
4688 | Dpemacql.exe
1624 | Dagiil32.exe
4920 | Djnaji32.exe
404 | Dllmfd32.exe
2540 | Dphifcoi.exe
4208 | Dcfebonm.exe
2432 | Dfdbojmq.exe
3332 | Djpnohej.exe
4808 | Domfgpca.exe
4320 | Dakbckbe.exe
4080 | Ehekqe32.exe
60 | Eckonn32.exe
1012 | Ebnoikqb.exe
1536 | Ejegjh32.exe
3480 | Elccfc32.exe
388 | Eoapbo32.exe
3308 | Eflhoigi.exe
3688 | Ehjdldfl.exe
2068 | Eleplc32.exe
3268 | Eodlho32.exe
1872 | Ebbidj32.exe
1940 | Ehlaaddj.exe
4480 | Eofinnkf.exe
2428 | Ebeejijj.exe
2572 | Ejlmkgkl.exe
2928 | Emjjgbjp.exe
2712 | Ecdbdl32.exe
3444 | Ffbnph32.exe
4104 | Fjnjqfij.exe
2096 | Fhajlc32.exe
3048 | Fqhbmqqg.exe
5104 | Fcgoilpj.exe
2016 | Ffekegon.exe
116 | Fjqgff32.exe
4324 | Fmocba32.exe
1944 | Fomonm32.exe
3524 | Fbllkh32.exe
316 | Fjcclf32.exe
2384 | Fmapha32.exe
3284 | Fqmlhpla.exe
3172 | Fbnhphbp.exe
3008 | Fjepaecb.exe
2888 | Fihqmb32.exe
2104 | Fqohnp32.exe
3012 | Fcnejk32.exe
4100 | Fbqefhpm.exe
4708 | Fjhmgeao.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Dgcifj32.dll | Mdkhapfj.exe
File opened for modification | C:\Windows\SysWOW64\Denlnk32.exe | Dcopbp32.exe
File created | C:\Windows\SysWOW64\Gpkqnp32.dll | Gpnhekgl.exe
File created | C:\Windows\SysWOW64\Kacphh32.exe | Kilhgk32.exe
File created | C:\Windows\SysWOW64\Bheenp32.dll | Lgpagm32.exe
File opened for modification | C:\Windows\SysWOW64\Gcekkjcj.exe | Goiojk32.exe
File created | C:\Windows\SysWOW64\Dbcjkf32.dll | Jdjfcecp.exe
File opened for modification | C:\Windows\SysWOW64\Lmccchkn.exe | Liggbi32.exe
File created | C:\Windows\SysWOW64\Mcklgm32.exe | Mdiklqhm.exe
File created | C:\Windows\SysWOW64\Cnacjn32.dll | Mcnhmm32.exe
File created | C:\Windows\SysWOW64\Pmcglkid.dll | Fqaeco32.exe
File opened for modification | C:\Windows\SysWOW64\Jaimbj32.exe | Jibeql32.exe
File opened for modification | C:\Windows\SysWOW64\Lnjjdgee.exe | Lklnhlfb.exe
File opened for modification | C:\Windows\SysWOW64\Mdiklqhm.exe | Mpmokb32.exe
File created | C:\Windows\SysWOW64\Inomojol.dll | Eofinnkf.exe
File created | C:\Windows\SysWOW64\Ghmfdf32.dll | Jplmmfmi.exe
File created | C:\Windows\SysWOW64\Njcqqgjb.dll | Mpolqa32.exe
File created | C:\Windows\SysWOW64\Nggqoj32.exe | Ncldnkae.exe
File created | C:\Windows\SysWOW64\Gmmocpjk.exe | Gjocgdkg.exe
File opened for modification | C:\Windows\SysWOW64\Hclakimb.exe | Gppekj32.exe
File opened for modification | C:\Windows\SysWOW64\Hibljoco.exe | Hjolnb32.exe
File created | C:\Windows\SysWOW64\Kdaldd32.exe | Kpepcedo.exe
File opened for modification | C:\Windows\SysWOW64\Cidncj32.exe | Clqnjf32.exe
File created | C:\Windows\SysWOW64\Fkindkmi.dll | Dcopbp32.exe
File created | C:\Windows\SysWOW64\Haggelfd.exe | Hippdo32.exe
File created | C:\Windows\SysWOW64\Ehlaaddj.exe | Ebbidj32.exe
File created | C:\Windows\SysWOW64\Mlmpolji.dll | Hbhdmd32.exe
File created | C:\Windows\SysWOW64\Ipegmg32.exe | Iabgaklg.exe
File created | C:\Windows\SysWOW64\Jdcpcf32.exe | Jpgdbg32.exe
File created | C:\Windows\SysWOW64\Lgkhlnbn.exe | Lcpllo32.exe
File opened for modification | C:\Windows\SysWOW64\Mcklgm32.exe | Mdiklqhm.exe
File created | C:\Windows\SysWOW64\Cpjmee32.exe | Clldogdc.exe
File opened for modification | C:\Windows\SysWOW64\Gfcgge32.exe | Gcekkjcj.exe
File created | C:\Windows\SysWOW64\Cknpkhch.dll | Njcpee32.exe
File created | C:\Windows\SysWOW64\Hapaemll.exe | Hihicplj.exe
File created | C:\Windows\SysWOW64\Ibadbaha.dll | Haggelfd.exe
File opened for modification | C:\Windows\SysWOW64\Iapjlk32.exe | Imdnklfp.exe
File created | C:\Windows\SysWOW64\Ihaoimoh.dll | Kgbefoji.exe
File created | C:\Windows\SysWOW64\Lkiqbl32.exe | Lgneampk.exe
File opened for modification | C:\Windows\SysWOW64\Ngcgcjnc.exe | Ncgkcl32.exe
File created | C:\Windows\SysWOW64\Fqohnp32.exe | Fihqmb32.exe
File created | C:\Windows\SysWOW64\Mghpbg32.dll | Kgphpo32.exe
File opened for modification | C:\Windows\SysWOW64\Kgbefoji.exe | Kbfiep32.exe
File created | C:\Windows\SysWOW64\Iljnde32.dll | Jiikak32.exe
File created | C:\Windows\SysWOW64\Dadlclim.exe | Dhlhjf32.exe
File created | C:\Windows\SysWOW64\Fjhmgeao.exe | Fbqefhpm.exe
File created | C:\Windows\SysWOW64\Lppaheqp.dll | Jmbklj32.exe
File created | C:\Windows\SysWOW64\Maohkd32.exe | Mjhqjg32.exe
File opened for modification | C:\Windows\SysWOW64\Kdopod32.exe | Kpccnefa.exe
File created | C:\Windows\SysWOW64\Hjhfnccl.exe | Hfljmdjc.exe
File created | C:\Windows\SysWOW64\Hbhdmd32.exe | Hpihai32.exe
File opened for modification | C:\Windows\SysWOW64\Ldkojb32.exe | Lalcng32.exe
File opened for modification | C:\Windows\SysWOW64\Laalifad.exe | Lnepih32.exe
File created | C:\Windows\SysWOW64\Lpcioj32.dll | Hclakimb.exe
File created | C:\Windows\SysWOW64\Egqcbapl.dll | Mgnnhk32.exe
File created | C:\Windows\SysWOW64\Lfmona32.dll | Dakbckbe.exe
File created | C:\Windows\SysWOW64\Qfiapa32.dll | Fbllkh32.exe
File created | C:\Windows\SysWOW64\Fijmbb32.exe | Fjhmgeao.exe
File created | C:\Windows\SysWOW64\Hlcqelac.dll | Gidphq32.exe
File created | C:\Windows\SysWOW64\Cgfgaq32.dll | Nkncdifl.exe
File created | C:\Windows\SysWOW64\Llebfo32.dll | Fhajlc32.exe
File created | C:\Windows\SysWOW64\Hihicplj.exe | Hjfihc32.exe
File opened for modification | C:\Windows\SysWOW64\Hpbaqj32.exe | Hapaemll.exe
File created | C:\Windows\SysWOW64\Honckk32.dll | Hmfbjnbp.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
9104 | 8916 | WerFault.exe | 394
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ejegjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fjhmgeao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll" | Hmfbjnbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jigollag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Laefdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dadlclim.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fqhbmqqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll" | Hihicplj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll" | Idacmfkj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jjpeepnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll" | Jigollag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mcklgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" | Njogjfoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Eckonn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hjhfnccl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll" | Lkiqbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ejegjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dpemacql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eoapbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll" | Goiojk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll" | Haidklda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kilhgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Clqnjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll" | Iiibkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll" | Mgghhlhq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fqaeco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll" | Mdpalp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hfcpncdk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mciobn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gcggpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fjepaecb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hjmoibog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Iakaql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll" | Kilhgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" | Kmnjhioc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" | Liggbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mpmokb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll" | Ehjdldfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" | Nnmopdep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" | Jjbako32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hapaemll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll" | Jaedgjjd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jmkdlkph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jangmibi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Njcpee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Imihfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll" | Mpkbebbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll" | Kkpnlm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fcgoilpj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kdhbec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamgnn32.dll" | Bikkml32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hjfihc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Iffmccbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jpgdbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll" | Lcpllo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lgpagm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nkqpjidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Domfgpca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jigollag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmkpqcp.dll" | Dcfebonm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll" | Kgphpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jibeql32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 3248 wrote to memory of 2776 | 3248 | acdc03f43eef384aaea6ff8dfa901df0_NeikiAnalytics.exe | 83
PID 3248 wrote to memory of 2776 | 3248 | acdc03f43eef384aaea6ff8dfa901df0_NeikiAnalytics.exe | 83
PID 3248 wrote to memory of 2776 | 3248 | acdc03f43eef384aaea6ff8dfa901df0_NeikiAnalytics.exe | 83
PID 2776 wrote to memory of 1440 | 2776 | Bikkml32.exe | 84
PID 2776 wrote to memory of 1440 | 2776 | Bikkml32.exe | 84
PID 2776 wrote to memory of 1440 | 2776 | Bikkml32.exe | 84
PID 1440 wrote to memory of 2352 | 1440 | Cpedjf32.exe | 85
PID 1440 wrote to memory of 2352 | 1440 | Cpedjf32.exe | 85
PID 1440 wrote to memory of 2352 | 1440 | Cpedjf32.exe | 85
PID 2352 wrote to memory of 888 | 2352 | Clldogdc.exe | 86
PID 2352 wrote to memory of 888 | 2352 | Clldogdc.exe | 86
PID 2352 wrote to memory of 888 | 2352 | Clldogdc.exe | 86
PID 888 wrote to memory of 2196 | 888 | Cpjmee32.exe | 87
PID 888 wrote to memory of 2196 | 888 | Cpjmee32.exe | 87
PID 888 wrote to memory of 2196 | 888 | Cpjmee32.exe | 87
PID 2196 wrote to memory of 5080 | 2196 | Cchiaqjm.exe | 88
PID 2196 wrote to memory of 5080 | 2196 | Cchiaqjm.exe | 88
PID 2196 wrote to memory of 5080 | 2196 | Cchiaqjm.exe | 88
PID 5080 wrote to memory of 4964 | 5080 | Cefemliq.exe | 89
PID 5080 wrote to memory of 4964 | 5080 | Cefemliq.exe | 89
PID 5080 wrote to memory of 4964 | 5080 | Cefemliq.exe | 89
PID 4964 wrote to memory of 2100 | 4964 | Chebighd.exe | 91
PID 4964 wrote to memory of 2100 | 4964 | Chebighd.exe | 91
PID 4964 wrote to memory of 2100 | 4964 | Chebighd.exe | 91
PID 2100 wrote to memory of 3568 | 2100 | Clqnjf32.exe | 93
PID 2100 wrote to memory of 3568 | 2100 | Clqnjf32.exe | 93
PID 2100 wrote to memory of 3568 | 2100 | Clqnjf32.exe | 93
PID 3568 wrote to memory of 4412 | 3568 | Cidncj32.exe | 94
PID 3568 wrote to memory of 4412 | 3568 | Cidncj32.exe | 94
PID 3568 wrote to memory of 4412 | 3568 | Cidncj32.exe | 94
PID 4412 wrote to memory of 2408 | 4412 | Cpofpdgd.exe | 95
PID 4412 wrote to memory of 2408 | 4412 | Cpofpdgd.exe | 95
PID 4412 wrote to memory of 2408 | 4412 | Cpofpdgd.exe | 95
PID 2408 wrote to memory of 1756 | 2408 | Ccmclp32.exe | 96
PID 2408 wrote to memory of 1756 | 2408 | Ccmclp32.exe | 96
PID 2408 wrote to memory of 1756 | 2408 | Ccmclp32.exe | 96
PID 1756 wrote to memory of 4372 | 1756 | Cekohk32.exe | 97
PID 1756 wrote to memory of 4372 | 1756 | Cekohk32.exe | 97
PID 1756 wrote to memory of 4372 | 1756 | Cekohk32.exe | 97
PID 4372 wrote to memory of 680 | 4372 | Dlegeemh.exe | 99
PID 4372 wrote to memory of 680 | 4372 | Dlegeemh.exe | 99
PID 4372 wrote to memory of 680 | 4372 | Dlegeemh.exe | 99
PID 680 wrote to memory of 1620 | 680 | Dcopbp32.exe | 100
PID 680 wrote to memory of 1620 | 680 | Dcopbp32.exe | 100
PID 680 wrote to memory of 1620 | 680 | Dcopbp32.exe | 100
PID 1620 wrote to memory of 3112 | 1620 | Denlnk32.exe | 101
PID 1620 wrote to memory of 3112 | 1620 | Denlnk32.exe | 101
PID 1620 wrote to memory of 3112 | 1620 | Denlnk32.exe | 101
PID 3112 wrote to memory of 3820 | 3112 | Dhlhjf32.exe | 103
PID 3112 wrote to memory of 3820 | 3112 | Dhlhjf32.exe | 103
PID 3112 wrote to memory of 3820 | 3112 | Dhlhjf32.exe | 103
PID 3820 wrote to memory of 4688 | 3820 | Dadlclim.exe | 104
PID 3820 wrote to memory of 4688 | 3820 | Dadlclim.exe | 104
PID 3820 wrote to memory of 4688 | 3820 | Dadlclim.exe | 104
PID 4688 wrote to memory of 1624 | 4688 | Dpemacql.exe | 105
PID 4688 wrote to memory of 1624 | 4688 | Dpemacql.exe | 105
PID 4688 wrote to memory of 1624 | 4688 | Dpemacql.exe | 105
PID 1624 wrote to memory of 4920 | 1624 | Dagiil32.exe | 106
PID 1624 wrote to memory of 4920 | 1624 | Dagiil32.exe | 106
PID 1624 wrote to memory of 4920 | 1624 | Dagiil32.exe | 106
PID 4920 wrote to memory of 404 | 4920 | Djnaji32.exe | 107
PID 4920 wrote to memory of 404 | 4920 | Djnaji32.exe | 107
PID 4920 wrote to memory of 404 | 4920 | Djnaji32.exe | 107
PID 404 wrote to memory of 2540 | 404 | Dllmfd32.exe | 108
Processes
-
Each entry gives the tree depth, image path, PID and command line of a process, followed by the signatures it triggered; each process is a child of the preceding entry.
1. C:\Users\Admin\AppData\Local\Temp\acdc03f43eef384aaea6ff8dfa901df0_NeikiAnalytics.exe (PID 3248), command line: "C:\Users\Admin\AppData\Local\Temp\acdc03f43eef384aaea6ff8dfa901df0_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bikkml32.exe (PID 2776), command line: C:\Windows\system32\Bikkml32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cpedjf32.exe (PID 1440), command line: C:\Windows\system32\Cpedjf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Clldogdc.exe (PID 2352), command line: C:\Windows\system32\Clldogdc.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Cpjmee32.exe (PID 888), command line: C:\Windows\system32\Cpjmee32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cchiaqjm.exe (PID 2196), command line: C:\Windows\system32\Cchiaqjm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Cefemliq.exe (PID 5080), command line: C:\Windows\system32\Cefemliq.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Chebighd.exe (PID 4964), command line: C:\Windows\system32\Chebighd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Clqnjf32.exe (PID 2100), command line: C:\Windows\system32\Clqnjf32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Cidncj32.exe (PID 3568), command line: C:\Windows\system32\Cidncj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Cpofpdgd.exe (PID 4412), command line: C:\Windows\system32\Cpofpdgd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ccmclp32.exe (PID 2408), command line: C:\Windows\system32\Ccmclp32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Cekohk32.exe (PID 1756), command line: C:\Windows\system32\Cekohk32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Dlegeemh.exe (PID 4372), command line: C:\Windows\system32\Dlegeemh.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dcopbp32.exe (PID 680), command line: C:\Windows\system32\Dcopbp32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Denlnk32.exe (PID 1620), command line: C:\Windows\system32\Denlnk32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Dhlhjf32.exe (PID 3112), command line: C:\Windows\system32\Dhlhjf32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Dadlclim.exe (PID 3820), command line: C:\Windows\system32\Dadlclim.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Dpemacql.exe (PID 4688), command line: C:\Windows\system32\Dpemacql.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Dagiil32.exe (PID 1624), command line: C:\Windows\system32\Dagiil32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Djnaji32.exe (PID 4920), command line: C:\Windows\system32\Djnaji32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Dllmfd32.exe (PID 404), command line: C:\Windows\system32\Dllmfd32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Dphifcoi.exe (PID 2540), command line: C:\Windows\system32\Dphifcoi.exe
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Dcfebonm.exe (PID 4208), command line: C:\Windows\system32\Dcfebonm.exe
   - Executes dropped EXE
   - Modifies registry class
25. C:\Windows\SysWOW64\Dfdbojmq.exe (PID 2432), command line: C:\Windows\system32\Dfdbojmq.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Djpnohej.exe (PID 3332), command line: C:\Windows\system32\Djpnohej.exe
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Domfgpca.exe (PID 4808), command line: C:\Windows\system32\Domfgpca.exe
   - Executes dropped EXE
   - Modifies registry class
28. C:\Windows\SysWOW64\Dakbckbe.exe (PID 4320), command line: C:\Windows\system32\Dakbckbe.exe
   - Executes dropped EXE
   - Drops file in System32 directory
29. C:\Windows\SysWOW64\Ehekqe32.exe (PID 4080), command line: C:\Windows\system32\Ehekqe32.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Eckonn32.exe (PID 60), command line: C:\Windows\system32\Eckonn32.exe
   - Executes dropped EXE
   - Modifies registry class
31. C:\Windows\SysWOW64\Ebnoikqb.exe (PID 1012), command line: C:\Windows\system32\Ebnoikqb.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Ejegjh32.exe (PID 1536), command line: C:\Windows\system32\Ejegjh32.exe
   - Executes dropped EXE
   - Modifies registry class
33. C:\Windows\SysWOW64\Elccfc32.exe (PID 3480), command line: C:\Windows\system32\Elccfc32.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Eoapbo32.exe (PID 388), command line: C:\Windows\system32\Eoapbo32.exe
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Eflhoigi.exe (PID 3308), command line: C:\Windows\system32\Eflhoigi.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Ehjdldfl.exe (PID 3688), command line: C:\Windows\system32\Ehjdldfl.exe
   - Executes dropped EXE
   - Modifies registry class
37. C:\Windows\SysWOW64\Eleplc32.exe (PID 2068), command line: C:\Windows\system32\Eleplc32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Eodlho32.exe (PID 3268), command line: C:\Windows\system32\Eodlho32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ebbidj32.exe (PID 1872), command line: C:\Windows\system32\Ebbidj32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\Windows\SysWOW64\Ehlaaddj.exe (PID 1940), command line: C:\Windows\system32\Ehlaaddj.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Eofinnkf.exe (PID 4480), command line: C:\Windows\system32\Eofinnkf.exe
   - Executes dropped EXE
   - Drops file in System32 directory
42. C:\Windows\SysWOW64\Ebeejijj.exe (PID 2428), command line: C:\Windows\system32\Ebeejijj.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Ejlmkgkl.exe (PID 2572), command line: C:\Windows\system32\Ejlmkgkl.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Emjjgbjp.exe (PID 2928), command line: C:\Windows\system32\Emjjgbjp.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Ecdbdl32.exe (PID 2712), command line: C:\Windows\system32\Ecdbdl32.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ffbnph32.exe (PID 3444), command line: C:\Windows\system32\Ffbnph32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Fjnjqfij.exe (PID 4104), command line: C:\Windows\system32\Fjnjqfij.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Fhajlc32.exe (PID 2096), command line: C:\Windows\system32\Fhajlc32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
49. C:\Windows\SysWOW64\Fqhbmqqg.exe (PID 3048), command line: C:\Windows\system32\Fqhbmqqg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
50. C:\Windows\SysWOW64\Fcgoilpj.exe (PID 5104), command line: C:\Windows\system32\Fcgoilpj.exe
   - Executes dropped EXE
   - Modifies registry class
51. C:\Windows\SysWOW64\Ffekegon.exe (PID 2016), command line: C:\Windows\system32\Ffekegon.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Fjqgff32.exe (PID 116), command line: C:\Windows\system32\Fjqgff32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Fmocba32.exe (PID 4324), command line: C:\Windows\system32\Fmocba32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Fomonm32.exe (PID 1944), command line: C:\Windows\system32\Fomonm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Fbllkh32.exe (PID 3524), command line: C:\Windows\system32\Fbllkh32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
56. C:\Windows\SysWOW64\Fjcclf32.exe (PID 316), command line: C:\Windows\system32\Fjcclf32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Fmapha32.exe (PID 2384), command line: C:\Windows\system32\Fmapha32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Fqmlhpla.exe (PID 3284), command line: C:\Windows\system32\Fqmlhpla.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Fbnhphbp.exe (PID 3172), command line: C:\Windows\system32\Fbnhphbp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Fjepaecb.exe (PID 3008), command line: C:\Windows\system32\Fjepaecb.exe
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Fihqmb32.exe (PID 2888), command line: C:\Windows\system32\Fihqmb32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
62. C:\Windows\SysWOW64\Fqohnp32.exe (PID 2104), command line: C:\Windows\system32\Fqohnp32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Fcnejk32.exe (PID 3012), command line: C:\Windows\system32\Fcnejk32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Fbqefhpm.exe (PID 4100), command line: C:\Windows\system32\Fbqefhpm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Fjhmgeao.exe (PID 4708), command line: C:\Windows\system32\Fjhmgeao.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
66. C:\Windows\SysWOW64\Fijmbb32.exe (PID 5040), command line: C:\Windows\system32\Fijmbb32.exe
67. C:\Windows\SysWOW64\Fqaeco32.exe (PID 3104), command line: C:\Windows\system32\Fqaeco32.exe
   - Drops file in System32 directory
   - Modifies registry class
68. C:\Windows\SysWOW64\Gfnnlffc.exe (PID 1404), command line: C:\Windows\system32\Gfnnlffc.exe
69. C:\Windows\SysWOW64\Gimjhafg.exe (PID 4692), command line: C:\Windows\system32\Gimjhafg.exe
70. C:\Windows\SysWOW64\Gqdbiofi.exe (PID 3644), command line: C:\Windows\system32\Gqdbiofi.exe
71. C:\Windows\SysWOW64\Gcbnejem.exe (PID 2260), command line: C:\Windows\system32\Gcbnejem.exe
72. C:\Windows\SysWOW64\Gfqjafdq.exe (PID 3872), command line: C:\Windows\system32\Gfqjafdq.exe
73. C:\Windows\SysWOW64\Giofnacd.exe (PID 2644), command line: C:\Windows\system32\Giofnacd.exe
74. C:\Windows\SysWOW64\Gmkbnp32.exe (PID 732), command line: C:\Windows\system32\Gmkbnp32.exe
75. C:\Windows\SysWOW64\Goiojk32.exe (PID 2252), command line: C:\Windows\system32\Goiojk32.exe
   - Drops file in System32 directory
   - Modifies registry class
76. C:\Windows\SysWOW64\Gcekkjcj.exe (PID 2228), command line: C:\Windows\system32\Gcekkjcj.exe
   - Drops file in System32 directory
77. C:\Windows\SysWOW64\Gfcgge32.exe (PID 2400), command line: C:\Windows\system32\Gfcgge32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
78. C:\Windows\SysWOW64\Gjocgdkg.exe (PID 4288), command line: C:\Windows\system32\Gjocgdkg.exe
   - Drops file in System32 directory
79. C:\Windows\SysWOW64\Gmmocpjk.exe (PID 952), command line: C:\Windows\system32\Gmmocpjk.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Gqikdn32.exe (PID 1436), command line: C:\Windows\system32\Gqikdn32.exe
81. C:\Windows\SysWOW64\Gcggpj32.exe (PID 2164), command line: C:\Windows\system32\Gcggpj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
82. C:\Windows\SysWOW64\Gbjhlfhb.exe (PID 4000), command line: C:\Windows\system32\Gbjhlfhb.exe
83. C:\Windows\SysWOW64\Gjapmdid.exe (PID 2964), command line: C:\Windows\system32\Gjapmdid.exe
84. C:\Windows\SysWOW64\Gidphq32.exe (PID 3668), command line: C:\Windows\system32\Gidphq32.exe
   - Drops file in System32 directory
85. C:\Windows\SysWOW64\Gmoliohh.exe (PID 5136), command line: C:\Windows\system32\Gmoliohh.exe
86. C:\Windows\SysWOW64\Gpnhekgl.exe (PID 5180), command line: C:\Windows\system32\Gpnhekgl.exe
   - Drops file in System32 directory
87. C:\Windows\SysWOW64\Gbldaffp.exe (PID 5224), command line: C:\Windows\system32\Gbldaffp.exe
88. C:\Windows\SysWOW64\Gfhqbe32.exe (PID 5264), command line: C:\Windows\system32\Gfhqbe32.exe
89. C:\Windows\SysWOW64\Gifmnpnl.exe (PID 5304), command line: C:\Windows\system32\Gifmnpnl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Gmaioo32.exe (PID 5344), command line: C:\Windows\system32\Gmaioo32.exe
91. C:\Windows\SysWOW64\Gppekj32.exe (PID 5388), command line: C:\Windows\system32\Gppekj32.exe
   - Drops file in System32 directory
92. C:\Windows\SysWOW64\Hclakimb.exe (PID 5424), command line: C:\Windows\system32\Hclakimb.exe
   - Drops file in System32 directory
93. C:\Windows\SysWOW64\Hfjmgdlf.exe (PID 5472), command line: C:\Windows\system32\Hfjmgdlf.exe
94. C:\Windows\SysWOW64\Hjfihc32.exe (PID 5516), command line: C:\Windows\system32\Hjfihc32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
95. C:\Windows\SysWOW64\Hihicplj.exe (PID 5556), command line: C:\Windows\system32\Hihicplj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
96. C:\Windows\SysWOW64\Hapaemll.exe (PID 5600), command line: C:\Windows\system32\Hapaemll.exe
   - Drops file in System32 directory
   - Modifies registry class
97. C:\Windows\SysWOW64\Hpbaqj32.exe (PID 5652), command line: C:\Windows\system32\Hpbaqj32.exe
98. C:\Windows\SysWOW64\Hcnnaikp.exe (PID 5696), command line: C:\Windows\system32\Hcnnaikp.exe
99. C:\Windows\SysWOW64\Hfljmdjc.exe (PID 5740), command line: C:\Windows\system32\Hfljmdjc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
100. C:\Windows\SysWOW64\Hjhfnccl.exe (PID 5784), command line: C:\Windows\system32\Hjhfnccl.exe
   - Modifies registry class
101. C:\Windows\SysWOW64\Hmfbjnbp.exe (PID 5820), command line: C:\Windows\system32\Hmfbjnbp.exe
   - Drops file in System32 directory
   - Modifies registry class
102. C:\Windows\SysWOW64\Habnjm32.exe (PID 5892), command line: C:\Windows\system32\Habnjm32.exe
103. C:\Windows\SysWOW64\Hcqjfh32.exe (PID 5948), command line: C:\Windows\system32\Hcqjfh32.exe
104. C:\Windows\SysWOW64\Hfofbd32.exe (PID 5992), command line: C:\Windows\system32\Hfofbd32.exe
105. C:\Windows\SysWOW64\Hjjbcbqj.exe (PID 6040), command line: C:\Windows\system32\Hjjbcbqj.exe
106. C:\Windows\SysWOW64\Hmioonpn.exe (PID 6084), command line: C:\Windows\system32\Hmioonpn.exe
107. C:\Windows\SysWOW64\Hadkpm32.exe (PID 6128), command line: C:\Windows\system32\Hadkpm32.exe
108. C:\Windows\SysWOW64\Hbeghene.exe (PID 5144), command line: C:\Windows\system32\Hbeghene.exe
109. C:\Windows\SysWOW64\Hfachc32.exe (PID 5204), command line: C:\Windows\system32\Hfachc32.exe
110. C:\Windows\SysWOW64\Hjmoibog.exe (PID 5284), command line: C:\Windows\system32\Hjmoibog.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
111. C:\Windows\SysWOW64\Hippdo32.exe (PID 2264), command line: C:\Windows\system32\Hippdo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
112. C:\Windows\SysWOW64\Haggelfd.exe (PID 5412), command line: C:\Windows\system32\Haggelfd.exe
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Hpihai32.exe (PID 5504), command line: C:\Windows\system32\Hpihai32.exe
   - Drops file in System32 directory
114. C:\Windows\SysWOW64\Hbhdmd32.exe (PID 5580), command line: C:\Windows\system32\Hbhdmd32.exe
   - Drops file in System32 directory
115. C:\Windows\SysWOW64\Hfcpncdk.exe (PID 5644), command line: C:\Windows\system32\Hfcpncdk.exe
   - Modifies registry class
116. C:\Windows\SysWOW64\Hjolnb32.exe (PID 5732), command line: C:\Windows\system32\Hjolnb32.exe
   - Drops file in System32 directory
117. C:\Windows\SysWOW64\Hibljoco.exe (PID 5804), command line: C:\Windows\system32\Hibljoco.exe
118. C:\Windows\SysWOW64\Haidklda.exe (PID 5872), command line: C:\Windows\system32\Haidklda.exe
   - Modifies registry class
119. C:\Windows\SysWOW64\Icgqggce.exe (PID 5964), command line: C:\Windows\system32\Icgqggce.exe
120. C:\Windows\SysWOW64\Ibjqcd32.exe (PID 6028), command line: C:\Windows\system32\Ibjqcd32.exe
121. C:\Windows\SysWOW64\Iffmccbi.exe (PID 6104), command line: C:\Windows\system32\Iffmccbi.exe
   - Modifies registry class
122. C:\Windows\SysWOW64\Ijaida32.exe (PID 5132), command line: C:\Windows\system32\Ijaida32.exe