Analysis
max time kernel: 141s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 13:22

Behavioral task: behavioral1
Sample: 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe
Resource: win10v2004-20240226-en

General
Target: 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe
Size: 192KB
MD5: e4e3d6e8f98e37974bd4b5aca3737900
SHA1: 1ff87185a0ee43868b6a8bb9a9f41c51e299dbb1
SHA256: 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352
SHA512: 3fd07d7b9ad2a58cdb9a2e15a592d0ad8bd291b43147c128f3678d797cf7e3f885b985739b5ee874ccd43292cd34529cd44b509a264639f5359bb12b6d73e702
SSDEEP: 3072:DZZyePqpx8CqJ0K+AeRC2qOQpq3HNr5GnV54c4NthaeKU3d5vEiLqsC6vxfdwtP4:DmeSpWCqGRzqO+uNk54t3haeTFLel6ZX

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 6932, pid_target 5160, Process WerFault.exe, procid_target 973
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe"), PID 3176
  - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Oplfkeob.exe (command line: C:\Windows\system32\Oplfkeob.exe), PID 2128
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Qaqegecm.exe (command line: C:\Windows\system32\Qaqegecm.exe), PID 1932
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Qacameaj.exe (command line: C:\Windows\system32\Qacameaj.exe), PID 3220
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Adcjop32.exe (command line: C:\Windows\system32\Adcjop32.exe), PID 788
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Aagkhd32.exe (command line: C:\Windows\system32\Aagkhd32.exe), PID 2260
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Amnlme32.exe (command line: C:\Windows\system32\Amnlme32.exe), PID 2800
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Aaldccip.exe (command line: C:\Windows\system32\Aaldccip.exe), PID 3852
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Bkgeainn.exe (command line: C:\Windows\system32\Bkgeainn.exe), PID 5060
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Baegibae.exe (command line: C:\Windows\system32\Baegibae.exe), PID 1624
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Bgelgi32.exe (command line: C:\Windows\system32\Bgelgi32.exe), PID 2584
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Chfegk32.exe (command line: C:\Windows\system32\Chfegk32.exe), PID 3820
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Caageq32.exe (command line: C:\Windows\system32\Caageq32.exe), PID 3720
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Dgcihgaj.exe (command line: C:\Windows\system32\Dgcihgaj.exe), PID 2344
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dkcndeen.exe (command line: C:\Windows\system32\Dkcndeen.exe), PID 3368
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Doagjc32.exe (command line: C:\Windows\system32\Doagjc32.exe), PID 5028
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Eqgmmk32.exe (command line: C:\Windows\system32\Eqgmmk32.exe), PID 3636
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Eqiibjlj.exe (command line: C:\Windows\system32\Eqiibjlj.exe), PID 4460
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Egened32.exe (command line: C:\Windows\system32\Egened32.exe), PID 3344
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Fbmohmoh.exe (command line: C:\Windows\system32\Fbmohmoh.exe), PID 2224
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Filapfbo.exe (command line: C:\Windows\system32\Filapfbo.exe), PID 4704
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Fkmjaa32.exe (command line: C:\Windows\system32\Fkmjaa32.exe), PID 1496
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Galoohke.exe (command line: C:\Windows\system32\Galoohke.exe), PID 1540
  - Executes dropped EXE
24. C:\Windows\SysWOW64\Gihpkd32.exe (command line: C:\Windows\system32\Gihpkd32.exe), PID 3640
  - Executes dropped EXE
25. C:\Windows\SysWOW64\Glhimp32.exe (command line: C:\Windows\system32\Glhimp32.exe), PID 468
  - Executes dropped EXE
26. C:\Windows\SysWOW64\Ghojbq32.exe (command line: C:\Windows\system32\Ghojbq32.exe), PID 2644
  - Executes dropped EXE
27. C:\Windows\SysWOW64\Hahokfag.exe (command line: C:\Windows\system32\Hahokfag.exe), PID 2472
  - Executes dropped EXE
28. C:\Windows\SysWOW64\Hnlodjpa.exe (command line: C:\Windows\system32\Hnlodjpa.exe), PID 228
  - Executes dropped EXE
  - Modifies registry class
29. C:\Windows\SysWOW64\Hnnljj32.exe (command line: C:\Windows\system32\Hnnljj32.exe), PID 4420
  - Executes dropped EXE
30. C:\Windows\SysWOW64\Hehdfdek.exe (command line: C:\Windows\system32\Hehdfdek.exe), PID 3428
  - Executes dropped EXE
31. C:\Windows\SysWOW64\Hbnaeh32.exe (command line: C:\Windows\system32\Hbnaeh32.exe), PID 4104
  - Executes dropped EXE
32. C:\Windows\SysWOW64\Ilibdmgp.exe (command line: C:\Windows\system32\Ilibdmgp.exe), PID 2672
  - Executes dropped EXE
33. C:\Windows\SysWOW64\Ieccbbkn.exe (command line: C:\Windows\system32\Ieccbbkn.exe), PID 2404
  - Executes dropped EXE
34. C:\Windows\SysWOW64\Iamamcop.exe (command line: C:\Windows\system32\Iamamcop.exe), PID 4628
  - Executes dropped EXE
35. C:\Windows\SysWOW64\Jbojlfdp.exe (command line: C:\Windows\system32\Jbojlfdp.exe), PID 4056
  - Executes dropped EXE
36. C:\Windows\SysWOW64\Jikoopij.exe (command line: C:\Windows\system32\Jikoopij.exe), PID 3084
  - Executes dropped EXE
37. C:\Windows\SysWOW64\Jhplpl32.exe (command line: C:\Windows\system32\Jhplpl32.exe), PID 2728
  - Executes dropped EXE
38. C:\Windows\SysWOW64\Khbiello.exe (command line: C:\Windows\system32\Khbiello.exe), PID 4384
  - Executes dropped EXE
39. C:\Windows\SysWOW64\Kplmliko.exe (command line: C:\Windows\system32\Kplmliko.exe), PID 4620
  - Executes dropped EXE
  - Drops file in System32 directory
40. C:\Windows\SysWOW64\Klbnajqc.exe (command line: C:\Windows\system32\Klbnajqc.exe), PID 3004
  - Executes dropped EXE
41. C:\Windows\SysWOW64\Klekfinp.exe (command line: C:\Windows\system32\Klekfinp.exe), PID 1104
  - Executes dropped EXE
42. C:\Windows\SysWOW64\Kcapicdj.exe (command line: C:\Windows\system32\Kcapicdj.exe), PID 4988
  - Executes dropped EXE
43. C:\Windows\SysWOW64\Lcclncbh.exe (command line: C:\Windows\system32\Lcclncbh.exe), PID 2416
  - Executes dropped EXE
44. C:\Windows\SysWOW64\Laiipofp.exe (command line: C:\Windows\system32\Laiipofp.exe), PID 4356
  - Executes dropped EXE
45. C:\Windows\SysWOW64\Legben32.exe (command line: C:\Windows\system32\Legben32.exe), PID 212
  - Executes dropped EXE
46. C:\Windows\SysWOW64\Lancko32.exe (command line: C:\Windows\system32\Lancko32.exe), PID 1384
  - Executes dropped EXE
  - Drops file in System32 directory
47. C:\Windows\SysWOW64\Mhjhmhhd.exe (command line: C:\Windows\system32\Mhjhmhhd.exe), PID 4036
  - Executes dropped EXE
48. C:\Windows\SysWOW64\Mjnnbk32.exe (command line: C:\Windows\system32\Mjnnbk32.exe), PID 4876
  - Executes dropped EXE
49. C:\Windows\SysWOW64\Mokfja32.exe (command line: C:\Windows\system32\Mokfja32.exe), PID 436
  - Executes dropped EXE
50. C:\Windows\SysWOW64\Nfgklkoc.exe (command line: C:\Windows\system32\Nfgklkoc.exe), PID 2116
  - Executes dropped EXE
51. C:\Windows\SysWOW64\Nfihbk32.exe (command line: C:\Windows\system32\Nfihbk32.exe), PID 4660
  - Executes dropped EXE
52. C:\Windows\SysWOW64\Nbphglbe.exe (command line: C:\Windows\system32\Nbphglbe.exe), PID 988
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
53. C:\Windows\SysWOW64\Nfnamjhk.exe (command line: C:\Windows\system32\Nfnamjhk.exe), PID 2976
  - Executes dropped EXE
54. C:\Windows\SysWOW64\Nqfbpb32.exe (command line: C:\Windows\system32\Nqfbpb32.exe), PID 4580
  - Executes dropped EXE
55. C:\Windows\SysWOW64\Oiagde32.exe (command line: C:\Windows\system32\Oiagde32.exe), PID 4596
  - Executes dropped EXE
56. C:\Windows\SysWOW64\Ojqcnhkl.exe (command line: C:\Windows\system32\Ojqcnhkl.exe), PID 4400
  - Executes dropped EXE
57. C:\Windows\SysWOW64\Ocihgnam.exe (command line: C:\Windows\system32\Ocihgnam.exe), PID 4992
  - Executes dropped EXE
58. C:\Windows\SysWOW64\Oqmhqapg.exe (command line: C:\Windows\system32\Oqmhqapg.exe), PID 880
  - Executes dropped EXE
59. C:\Windows\SysWOW64\Omdieb32.exe (command line: C:\Windows\system32\Omdieb32.exe), PID 5084
  - Executes dropped EXE
60. C:\Windows\SysWOW64\Oflmnh32.exe (command line: C:\Windows\system32\Oflmnh32.exe), PID 3984
  - Executes dropped EXE
61. C:\Windows\SysWOW64\Pfojdh32.exe (command line: C:\Windows\system32\Pfojdh32.exe), PID 4208
  - Executes dropped EXE
62. C:\Windows\SysWOW64\Ppgomnai.exe (command line: C:\Windows\system32\Ppgomnai.exe), PID 3608
  - Executes dropped EXE
  - Drops file in System32 directory
63. C:\Windows\SysWOW64\Pidlqb32.exe (command line: C:\Windows\system32\Pidlqb32.exe), PID 2864
  - Executes dropped EXE
64. C:\Windows\SysWOW64\Pfhmjf32.exe (command line: C:\Windows\system32\Pfhmjf32.exe), PID 2040
  - Executes dropped EXE
  - Drops file in System32 directory
65. C:\Windows\SysWOW64\Qppaclio.exe (command line: C:\Windows\system32\Qppaclio.exe), PID 3356
  - Executes dropped EXE
66. C:\Windows\SysWOW64\Qmdblp32.exe (command line: C:\Windows\system32\Qmdblp32.exe), PID 4184
67. C:\Windows\SysWOW64\Amfobp32.exe (command line: C:\Windows\system32\Amfobp32.exe), PID 3000
68. C:\Windows\SysWOW64\Afockelf.exe (command line: C:\Windows\system32\Afockelf.exe), PID 2604
  - Modifies registry class
69. C:\Windows\SysWOW64\Apggckbf.exe (command line: C:\Windows\system32\Apggckbf.exe), PID 4536
70. C:\Windows\SysWOW64\Ajmladbl.exe (command line: C:\Windows\system32\Ajmladbl.exe), PID 4016
  - Modifies registry class
71. C:\Windows\SysWOW64\Adepji32.exe (command line: C:\Windows\system32\Adepji32.exe), PID 2680
72. C:\Windows\SysWOW64\Aplaoj32.exe (command line: C:\Windows\system32\Aplaoj32.exe), PID 2996
73. C:\Windows\SysWOW64\Aidehpea.exe (command line: C:\Windows\system32\Aidehpea.exe), PID 2880
  - Modifies registry class
74. C:\Windows\SysWOW64\Ajdbac32.exe (command line: C:\Windows\system32\Ajdbac32.exe), PID 3076
75. C:\Windows\SysWOW64\Bjfogbjb.exe (command line: C:\Windows\system32\Bjfogbjb.exe), PID 2852
76. C:\Windows\SysWOW64\Bdocph32.exe (command line: C:\Windows\system32\Bdocph32.exe), PID 3340
77. C:\Windows\SysWOW64\Bmggingc.exe (command line: C:\Windows\system32\Bmggingc.exe), PID 3588
78. C:\Windows\SysWOW64\Binhnomg.exe (command line: C:\Windows\system32\Binhnomg.exe), PID 5176
  - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Bfaigclq.exe (command line: C:\Windows\system32\Bfaigclq.exe), PID 5220
80. C:\Windows\SysWOW64\Cajjjk32.exe (command line: C:\Windows\system32\Cajjjk32.exe), PID 5264
81. C:\Windows\SysWOW64\Cdjblf32.exe (command line: C:\Windows\system32\Cdjblf32.exe), PID 5308
  - Modifies registry class
82. C:\Windows\SysWOW64\Ckggnp32.exe (command line: C:\Windows\system32\Ckggnp32.exe), PID 5352
83. C:\Windows\SysWOW64\Cdolgfbp.exe (command line: C:\Windows\system32\Cdolgfbp.exe), PID 5400
84. C:\Windows\SysWOW64\Cpfmlghd.exe (command line: C:\Windows\system32\Cpfmlghd.exe), PID 5444
85. C:\Windows\SysWOW64\Dkkaiphj.exe (command line: C:\Windows\system32\Dkkaiphj.exe), PID 5496
86. C:\Windows\SysWOW64\Ddcebe32.exe (command line: C:\Windows\system32\Ddcebe32.exe), PID 5548
87. C:\Windows\SysWOW64\Dpjfgf32.exe (command line: C:\Windows\system32\Dpjfgf32.exe), PID 5600
88. C:\Windows\SysWOW64\Dgdncplk.exe (command line: C:\Windows\system32\Dgdncplk.exe), PID 5652
89. C:\Windows\SysWOW64\Dajbaika.exe (command line: C:\Windows\system32\Dajbaika.exe), PID 5700
90. C:\Windows\SysWOW64\Dkbgjo32.exe (command line: C:\Windows\system32\Dkbgjo32.exe), PID 5764
91. C:\Windows\SysWOW64\Dcnlnaom.exe (command line: C:\Windows\system32\Dcnlnaom.exe), PID 5824
92. C:\Windows\SysWOW64\Dncpkjoc.exe (command line: C:\Windows\system32\Dncpkjoc.exe), PID 5872
  - Drops file in System32 directory
93. C:\Windows\SysWOW64\Egkddo32.exe (command line: C:\Windows\system32\Egkddo32.exe), PID 5924
94. C:\Windows\SysWOW64\Epdime32.exe (command line: C:\Windows\system32\Epdime32.exe), PID 6000
95. C:\Windows\SysWOW64\Egnajocq.exe (command line: C:\Windows\system32\Egnajocq.exe), PID 6060
96. C:\Windows\SysWOW64\Eaceghcg.exe (command line: C:\Windows\system32\Eaceghcg.exe), PID 6124
97. C:\Windows\SysWOW64\Enjfli32.exe (command line: C:\Windows\system32\Enjfli32.exe), PID 5164
98. C:\Windows\SysWOW64\Ecgodpgb.exe (command line: C:\Windows\system32\Ecgodpgb.exe), PID 5244
99. C:\Windows\SysWOW64\Ecikjoep.exe (command line: C:\Windows\system32\Ecikjoep.exe), PID 5300
100. C:\Windows\SysWOW64\Eqmlccdi.exe (command line: C:\Windows\system32\Eqmlccdi.exe), PID 5392
101. C:\Windows\SysWOW64\Fqphic32.exe (command line: C:\Windows\system32\Fqphic32.exe), PID 5492
102. C:\Windows\SysWOW64\Fqbeoc32.exe (command line: C:\Windows\system32\Fqbeoc32.exe), PID 5572
103. C:\Windows\SysWOW64\Fkgillpj.exe (command line: C:\Windows\system32\Fkgillpj.exe), PID 5620
104. C:\Windows\SysWOW64\Fdpnda32.exe (command line: C:\Windows\system32\Fdpnda32.exe), PID 5724
105. C:\Windows\SysWOW64\Gnohnffc.exe (command line: C:\Windows\system32\Gnohnffc.exe), PID 5816
106. C:\Windows\SysWOW64\Gbpnjdkg.exe (command line: C:\Windows\system32\Gbpnjdkg.exe), PID 5900
107. C:\Windows\SysWOW64\Gkhbbi32.exe (command line: C:\Windows\system32\Gkhbbi32.exe), PID 5976
  - Drops file in System32 directory
108. C:\Windows\SysWOW64\Hgocgjgk.exe (command line: C:\Windows\system32\Hgocgjgk.exe), PID 6116
  - Drops file in System32 directory
109. C:\Windows\SysWOW64\Hcedmkmp.exe (command line: C:\Windows\system32\Hcedmkmp.exe), PID 5152
110. C:\Windows\SysWOW64\Hnkhjdle.exe (command line: C:\Windows\system32\Hnkhjdle.exe), PID 5288
  - Modifies registry class
111. C:\Windows\SysWOW64\Hchqbkkm.exe (command line: C:\Windows\system32\Hchqbkkm.exe), PID 5432
  - Modifies registry class
112. C:\Windows\SysWOW64\Hkaeih32.exe (command line: C:\Windows\system32\Hkaeih32.exe), PID 5556
113. C:\Windows\SysWOW64\Hcljmj32.exe (command line: C:\Windows\system32\Hcljmj32.exe), PID 5692
114. C:\Windows\SysWOW64\Ielfgmnj.exe (command line: C:\Windows\system32\Ielfgmnj.exe), PID 5804
115. C:\Windows\SysWOW64\Iabglnco.exe (command line: C:\Windows\system32\Iabglnco.exe), PID 5964
116. C:\Windows\SysWOW64\Infhebbh.exe (command line: C:\Windows\system32\Infhebbh.exe), PID 6108
117. C:\Windows\SysWOW64\Ilkhog32.exe (command line: C:\Windows\system32\Ilkhog32.exe), PID 5296
118. C:\Windows\SysWOW64\Icfmci32.exe (command line: C:\Windows\system32\Icfmci32.exe), PID 5512
119. C:\Windows\SysWOW64\Ijpepcfj.exe (command line: C:\Windows\system32\Ijpepcfj.exe), PID 5808
120. C:\Windows\SysWOW64\Ijbbfc32.exe (command line: C:\Windows\system32\Ijbbfc32.exe), PID 6096
121. C:\Windows\SysWOW64\Jlanpfkj.exe (command line: C:\Windows\system32\Jlanpfkj.exe), PID 5372
122. C:\Windows\SysWOW64\Jblflp32.exe (command line: C:\Windows\system32\Jblflp32.exe), PID 5680