Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 13:21
Behavioral task
behavioral1
Sample
31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe
-
Size
276KB
-
MD5
31e00efda5730a285dd5f396ed99a720
-
SHA1
456c032dc97749f2f9b5a20c3ae40e4e511789bd
-
SHA256
18469ee1605b6a8e5c1337cc393572327e84609b0f72cb41abb2cc0361ba0765
-
SHA512
0fea73715f95a192109ab253765f26b24a2c3bfb41230da0658c24597505872e1aed462f55ac62724fd9cfc912c57ccd192877d32a5ac96a03966b329d8f43a1
-
SSDEEP
3072:Xr/VycXY0tMgbDd1AZoUBW3FJeRuaWNXmgu+tAcrbFAJc+RsUi1aVDkOvhJjvJuP:XrBfMgfdWZHEFJ7aWN1rtMsQBOSGaF+
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eefhjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmchi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmomlnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpihcgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlklkgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Medqcmki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdkcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnnmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkmchi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpdfnolo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbeqmoji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnmcjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcifkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbeidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fggocmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgkelj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehcdfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdgljmcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhbimf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leadnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjlkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjffdalb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpqkad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opogbbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjmfjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmlgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cknnpm32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022f51-7.dat family_berbew behavioral2/files/0x000700000002340b-9.dat family_berbew behavioral2/files/0x000700000002340f-30.dat family_berbew behavioral2/files/0x000700000002340d-23.dat family_berbew behavioral2/files/0x0007000000023411-38.dat family_berbew behavioral2/files/0x0007000000023413-46.dat family_berbew behavioral2/files/0x0007000000023415-54.dat family_berbew behavioral2/files/0x0007000000023417-57.dat family_berbew behavioral2/files/0x0007000000023419-70.dat family_berbew behavioral2/files/0x000700000002341b-78.dat family_berbew behavioral2/files/0x000700000002341d-87.dat family_berbew behavioral2/files/0x000700000002341f-96.dat family_berbew behavioral2/files/0x0007000000023421-104.dat family_berbew behavioral2/files/0x0007000000023423-112.dat family_berbew behavioral2/files/0x0007000000023425-121.dat family_berbew behavioral2/files/0x0007000000023427-130.dat family_berbew behavioral2/files/0x0007000000023429-139.dat family_berbew behavioral2/files/0x0008000000023407-148.dat family_berbew behavioral2/files/0x000700000002342c-156.dat family_berbew behavioral2/files/0x000700000002342e-164.dat family_berbew behavioral2/files/0x0007000000023430-176.dat family_berbew behavioral2/files/0x0007000000023432-182.dat family_berbew behavioral2/files/0x0007000000023434-191.dat family_berbew behavioral2/files/0x0007000000023436-200.dat family_berbew behavioral2/files/0x0007000000023439-209.dat family_berbew behavioral2/files/0x000700000002343b-219.dat family_berbew behavioral2/files/0x000700000002343d-227.dat family_berbew behavioral2/files/0x000700000002343f-237.dat family_berbew behavioral2/files/0x0007000000023441-248.dat family_berbew behavioral2/files/0x0007000000023443-254.dat family_berbew behavioral2/files/0x0007000000023445-263.dat family_berbew behavioral2/files/0x0007000000023447-272.dat family_berbew behavioral2/files/0x0007000000023461-361.dat family_berbew behavioral2/files/0x000700000002346f-408.dat family_berbew behavioral2/files/0x000700000002347e-462.dat family_berbew behavioral2/files/0x0007000000023495-538.dat family_berbew behavioral2/files/0x00070000000234d3-800.dat family_berbew behavioral2/files/0x00070000000234d7-815.dat family_berbew behavioral2/files/0x00070000000234db-828.dat family_berbew behavioral2/files/0x000900000001e92c-998.dat family_berbew behavioral2/files/0x000700000002352a-1087.dat family_berbew behavioral2/files/0x0007000000023532-1112.dat family_berbew behavioral2/files/0x000700000002355e-1282.dat family_berbew behavioral2/files/0x000700000002357a-1377.dat family_berbew behavioral2/files/0x00070000000235b2-1569.dat family_berbew behavioral2/files/0x00070000000235bc-1603.dat family_berbew behavioral2/files/0x00070000000235c6-1637.dat family_berbew behavioral2/files/0x00070000000235c8-1645.dat family_berbew behavioral2/files/0x00070000000235cc-1658.dat family_berbew behavioral2/files/0x00070000000235d0-1672.dat family_berbew behavioral2/files/0x00070000000235e3-1734.dat family_berbew behavioral2/files/0x00070000000235ef-1775.dat family_berbew behavioral2/files/0x00070000000235f7-1802.dat family_berbew behavioral2/files/0x000700000002360f-1884.dat family_berbew behavioral2/files/0x0007000000023623-1953.dat family_berbew behavioral2/files/0x0007000000023627-1967.dat family_berbew behavioral2/files/0x0007000000023648-2069.dat family_berbew behavioral2/files/0x000700000002364c-2084.dat family_berbew behavioral2/files/0x0007000000023658-2121.dat family_berbew behavioral2/files/0x0007000000023668-2176.dat family_berbew behavioral2/files/0x000700000002366e-2197.dat family_berbew behavioral2/files/0x0007000000023678-2230.dat family_berbew behavioral2/files/0x0007000000023682-2267.dat family_berbew behavioral2/files/0x0007000000023688-2288.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4380 Kagichjo.exe 764 Kdffocib.exe 4800 Kcifkp32.exe 5000 Kkpnlm32.exe 3440 Liekmj32.exe 4296 Lalcng32.exe 3344 Lcmofolg.exe 2472 Liggbi32.exe 2592 Lpappc32.exe 4596 Lcpllo32.exe 1744 Lcbiao32.exe 5036 Lkiqbl32.exe 2100 Lcdegnep.exe 2852 Lnjjdgee.exe 4064 Lgbnmm32.exe 1608 Mjqjih32.exe 5060 Mkpgck32.exe 3688 Majopeii.exe 4512 Mkbchk32.exe 3468 Mnapdf32.exe 2580 Mdkhapfj.exe 4080 Mncmjfmk.exe 3576 Mkgmcjld.exe 2324 Mdpalp32.exe 2220 Nnhfee32.exe 4592 Nacbfdao.exe 2076 Nceonl32.exe 3912 Nqiogp32.exe 4456 Ncgkcl32.exe 4448 Ndghmo32.exe 4912 Ncihikcg.exe 2812 Ncldnkae.exe 1800 Nqpego32.exe 4208 Ncnadk32.exe 1220 Okeieh32.exe 2240 Oqbamo32.exe 5016 Odnnnnfe.exe 2136 Okhfjh32.exe 3276 Onfbfc32.exe 1444 Oqdoboli.exe 1756 Odpjcm32.exe 1596 Ojmcld32.exe 2508 Obdkma32.exe 2252 Ocegdjij.exe 3208 Okloegjl.exe 2040 Onklabip.exe 2224 Odednmpm.exe 984 Ojalgcnd.exe 3388 Oqkdcn32.exe 3268 Pcjapi32.exe 1236 Pkaiqf32.exe 4732 Pjdilcla.exe 492 Pnpemb32.exe 3360 Pqnaim32.exe 4404 Peimil32.exe 4520 Pnbbbabh.exe 496 Peljol32.exe 2452 Pkfblfab.exe 1752 Pndohaqe.exe 3960 Pabkdmpi.exe 3364 Pgmcqggf.exe 1268 Pjkombfj.exe 4364 Pnfkma32.exe 1540 Paegjl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cibmlmeb.exe Cgqqdeod.exe File created C:\Windows\SysWOW64\Liabph32.dll Process not Found File created C:\Windows\SysWOW64\Phajna32.exe Process not Found File created C:\Windows\SysWOW64\Cacckp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fgoakc32.exe Process not Found File created C:\Windows\SysWOW64\Pcbdco32.dll Cdfbibnb.exe File opened for modification C:\Windows\SysWOW64\Fdglmkeg.exe Fplpll32.exe File created C:\Windows\SysWOW64\Ackhdo32.dll Gfokoelp.exe File created C:\Windows\SysWOW64\Ieidhh32.exe Process not Found File created C:\Windows\SysWOW64\Blfdia32.exe Bemlmgnp.exe File created C:\Windows\SysWOW64\Egohdegl.exe Process not Found File created C:\Windows\SysWOW64\Ehndnh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Keifdpif.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kiphjo32.exe Process not Found File created C:\Windows\SysWOW64\Cdfbibnb.exe Cbefaj32.exe File created C:\Windows\SysWOW64\Bnpppgdj.exe Bgehcmmm.exe File created C:\Windows\SysWOW64\Pbehoafp.dll Qjlnnemp.exe File created C:\Windows\SysWOW64\Abcgjd32.dll Lhmmjbkf.exe File opened for modification C:\Windows\SysWOW64\Aomifecf.exe Ahcajk32.exe File created C:\Windows\SysWOW64\Cdpcal32.exe Process not Found File created C:\Windows\SysWOW64\Dhidjpqc.exe Ddmhja32.exe File created C:\Windows\SysWOW64\Maodigil.exe Mnphmkji.exe File opened for modification C:\Windows\SysWOW64\Klcekpdo.exe Process not Found File created C:\Windows\SysWOW64\Ncnkogdb.dll Bnnjen32.exe File created C:\Windows\SysWOW64\Naekcf32.dll Ognpebpj.exe File opened for modification C:\Windows\SysWOW64\Ddadpdmn.exe Dmglcj32.exe File created C:\Windows\SysWOW64\Pdpjda32.dll Knflpoqf.exe File opened for modification C:\Windows\SysWOW64\Kheekkjl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ppdbgncl.exe Process not Found File created C:\Windows\SysWOW64\Emhldnkj.exe Egnchd32.exe File opened for modification C:\Windows\SysWOW64\Gpmomo32.exe Process not Found File created C:\Windows\SysWOW64\Dkoggkjo.exe Dhpjkojk.exe File created C:\Windows\SysWOW64\Gahcmd32.exe Giqkkf32.exe File opened for modification C:\Windows\SysWOW64\Hppeim32.exe Process not Found File created C:\Windows\SysWOW64\Dipidh32.dll Gekcaj32.exe File created C:\Windows\SysWOW64\Jjqehkaf.dll Dhkapp32.exe File created C:\Windows\SysWOW64\Jefbfgig.exe Jlnnmb32.exe File created C:\Windows\SysWOW64\Cammjakm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lcbiao32.exe Lcpllo32.exe File opened for modification C:\Windows\SysWOW64\Jedeph32.exe Jbeidl32.exe File created C:\Windows\SysWOW64\Pmfhig32.exe Pdkcde32.exe File created C:\Windows\SysWOW64\Mblkhq32.exe Mlbbkfoq.exe File created C:\Windows\SysWOW64\Cpeohh32.exe Cmfclm32.exe File created C:\Windows\SysWOW64\Lqmmmmph.exe Process not Found File created C:\Windows\SysWOW64\Qoelkp32.exe Process not Found File created C:\Windows\SysWOW64\Pjaleemj.exe Process not Found File created C:\Windows\SysWOW64\Olpppj32.dll Hkdbpe32.exe File created C:\Windows\SysWOW64\Ffcgdbco.dll Inpccihl.exe File created C:\Windows\SysWOW64\Hpfcdojl.exe Hjlkge32.exe File opened for modification C:\Windows\SysWOW64\Fmkgkapm.exe Fipkjb32.exe File opened for modification C:\Windows\SysWOW64\Mbgeqmjp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pjaleemj.exe Process not Found File created C:\Windows\SysWOW64\Lnohlokp.dll Mkpgck32.exe File opened for modification C:\Windows\SysWOW64\Qjpiha32.exe Qgallfcq.exe File created C:\Windows\SysWOW64\Hjjgia32.dll Agffge32.exe File created C:\Windows\SysWOW64\Cliaoq32.exe Chmeobkq.exe File opened for modification C:\Windows\SysWOW64\Mchhggno.exe Mgagbf32.exe File opened for modification C:\Windows\SysWOW64\Pgflqkdd.exe Poodpmca.exe File opened for modification C:\Windows\SysWOW64\Ehnglm32.exe Eofbch32.exe File created C:\Windows\SysWOW64\Goedpofl.exe Ghklce32.exe File created C:\Windows\SysWOW64\Poaqemao.exe Phhhhc32.exe File opened for modification C:\Windows\SysWOW64\Ipkdek32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aaepqjpd.exe Ajkhdp32.exe File created C:\Windows\SysWOW64\Ajdhcbgd.dll Bejogg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13892 16052 Process not Found 1696 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oemefcap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjehk32.dll" Edpnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akqgne32.dll" Ajcdnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdamgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehgqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfngdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghdbegp.dll" Ajiknpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlklkgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpodked.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejmbkl.dll" Onklabip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalebkhm.dll" Lldopb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkhfob32.dll" Mblkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agdhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmfkjol.dll" Aakebqbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpqjglii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijegcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddgkpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpdhkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqknkedi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcajc32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipknlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phelcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcjff32.dll" Dfmcfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnhejgh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll" Gfpcgpae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgbdc32.dll" Gljgbllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll" Hcpclbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhihdcbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjpll32.dll" Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjokdipf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpcfmkff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bejogg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhpjkojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcddpdpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inpccihl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3708 wrote to memory of 4380 3708 31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe 82 PID 3708 wrote to memory of 4380 3708 31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe 82 PID 3708 wrote to memory of 4380 3708 31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe 82 PID 4380 wrote to memory of 764 4380 Kagichjo.exe 83 PID 4380 wrote to memory of 764 4380 Kagichjo.exe 83 PID 4380 wrote to memory of 764 4380 Kagichjo.exe 83 PID 764 wrote to memory of 4800 764 Kdffocib.exe 84 PID 764 wrote to memory of 4800 764 Kdffocib.exe 84 PID 764 wrote to memory of 4800 764 Kdffocib.exe 84 PID 4800 wrote to memory of 5000 4800 Kcifkp32.exe 85 PID 4800 wrote to memory of 5000 4800 Kcifkp32.exe 85 PID 4800 wrote to memory of 5000 4800 Kcifkp32.exe 85 PID 5000 wrote to memory of 3440 5000 Kkpnlm32.exe 86 PID 5000 wrote to memory of 3440 5000 Kkpnlm32.exe 86 PID 5000 wrote to memory of 3440 5000 Kkpnlm32.exe 86 PID 3440 wrote to memory of 4296 3440 Liekmj32.exe 87 PID 3440 wrote to memory of 4296 3440 Liekmj32.exe 87 PID 3440 wrote to memory of 4296 3440 Liekmj32.exe 87 PID 4296 wrote to memory of 3344 4296 Lalcng32.exe 88 PID 4296 wrote to memory of 3344 4296 Lalcng32.exe 88 PID 4296 wrote to memory of 3344 4296 Lalcng32.exe 88 PID 3344 wrote to memory of 2472 3344 Lcmofolg.exe 89 PID 3344 wrote to memory of 2472 3344 Lcmofolg.exe 89 PID 3344 wrote to memory of 2472 3344 Lcmofolg.exe 89 PID 2472 wrote to memory of 2592 2472 Liggbi32.exe 90 PID 2472 wrote to memory of 2592 2472 Liggbi32.exe 90 PID 2472 wrote to memory of 2592 2472 Liggbi32.exe 90 PID 2592 wrote to memory of 4596 2592 Lpappc32.exe 91 PID 2592 wrote to memory of 4596 2592 Lpappc32.exe 91 PID 2592 wrote to memory of 4596 2592 Lpappc32.exe 91 PID 4596 wrote to memory of 1744 4596 Lcpllo32.exe 93 PID 4596 wrote to memory of 1744 4596 Lcpllo32.exe 93 PID 4596 wrote to memory of 1744 4596 Lcpllo32.exe 93 PID 1744 wrote to memory of 5036 1744 Lcbiao32.exe 94 PID 1744 wrote to memory of 5036 1744 Lcbiao32.exe 94 PID 1744 wrote to memory of 5036 1744 Lcbiao32.exe 94 PID 5036 wrote to memory of 2100 5036 Lkiqbl32.exe 95 PID 5036 wrote to memory of 2100 5036 Lkiqbl32.exe 95 PID 5036 wrote to memory of 2100 5036 Lkiqbl32.exe 95 PID 2100 wrote to memory of 2852 2100 Lcdegnep.exe 97 PID 2100 wrote to memory of 2852 2100 Lcdegnep.exe 97 PID 2100 wrote to memory of 2852 2100 Lcdegnep.exe 97 PID 2852 wrote to memory of 4064 2852 Lnjjdgee.exe 98 PID 2852 wrote to memory of 4064 2852 Lnjjdgee.exe 98 PID 2852 wrote to memory of 4064 2852 Lnjjdgee.exe 98 PID 4064 wrote to memory of 1608 4064 Lgbnmm32.exe 99 PID 4064 wrote to memory of 1608 4064 Lgbnmm32.exe 99 PID 4064 wrote to memory of 1608 4064 Lgbnmm32.exe 99 PID 1608 wrote to memory of 5060 1608 Mjqjih32.exe 101 PID 1608 wrote to memory of 5060 1608 Mjqjih32.exe 101 PID 1608 wrote to memory of 5060 1608 Mjqjih32.exe 101 PID 5060 wrote to memory of 3688 5060 Mkpgck32.exe 102 PID 5060 wrote to memory of 3688 5060 Mkpgck32.exe 102 PID 5060 wrote to memory of 3688 5060 Mkpgck32.exe 102 PID 3688 wrote to memory of 4512 3688 Majopeii.exe 103 PID 3688 wrote to memory of 4512 3688 Majopeii.exe 103 PID 3688 wrote to memory of 4512 3688 Majopeii.exe 103 PID 4512 wrote to memory of 3468 4512 Mkbchk32.exe 104 PID 4512 wrote to memory of 3468 4512 Mkbchk32.exe 104 PID 4512 wrote to memory of 3468 4512 Mkbchk32.exe 104 PID 3468 wrote to memory of 2580 3468 Mnapdf32.exe 105 PID 3468 wrote to memory of 2580 3468 Mnapdf32.exe 105 PID 3468 wrote to memory of 2580 3468 Mnapdf32.exe 105 PID 2580 wrote to memory of 4080 2580 Mdkhapfj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\31e00efda5730a285dd5f396ed99a720_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe23⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe24⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe25⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe26⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe27⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe28⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe29⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe30⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe31⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe32⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe33⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe34⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe35⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe36⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe37⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe38⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe39⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe40⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe41⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe42⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe43⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe44⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe45⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe46⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe48⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe49⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe50⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe51⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe52⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe53⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe54⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe55⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe56⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe57⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe58⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe59⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe60⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe61⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe62⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe63⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe64⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe65⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe66⤵PID:4612
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe67⤵PID:2924
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe68⤵PID:2348
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe69⤵PID:2396
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe70⤵PID:1252
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe71⤵PID:5020
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe72⤵
- Drops file in System32 directory
PID:4756 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe73⤵PID:2412
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe74⤵PID:2676
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe75⤵PID:3864
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe76⤵PID:3232
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe77⤵PID:3240
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe78⤵PID:4024
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe79⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe80⤵PID:4032
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe81⤵
- Drops file in System32 directory
PID:4856 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe82⤵PID:3260
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe83⤵PID:3052
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe84⤵PID:4956
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe85⤵PID:3236
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe86⤵PID:3736
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe87⤵PID:1512
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe88⤵PID:2548
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe89⤵PID:2868
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe90⤵PID:4280
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe91⤵PID:4148
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe92⤵PID:5128
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe93⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe94⤵PID:5220
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe95⤵PID:5264
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5304 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe97⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe98⤵PID:5388
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe99⤵PID:5428
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe100⤵PID:5476
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe101⤵PID:5516
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe102⤵PID:5564
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe103⤵PID:5604
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe104⤵
- Modifies registry class
PID:5652 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe105⤵PID:5692
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe106⤵PID:5736
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe107⤵
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe108⤵PID:5824
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe109⤵PID:5856
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe110⤵PID:5920
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe111⤵PID:5976
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:6040 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe113⤵PID:6084
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe114⤵PID:6136
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe115⤵PID:5156
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe116⤵
- Drops file in System32 directory
PID:5256 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe117⤵PID:5292
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe118⤵PID:5376
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe119⤵PID:5452
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe120⤵PID:5524
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe121⤵
- Drops file in System32 directory
PID:5576 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe122⤵PID:5660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-