Analysis
-
max time kernel
94s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:29
Behavioral task
behavioral1
Sample
df87b4b0ce50eac6603317557dbb4cb0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
df87b4b0ce50eac6603317557dbb4cb0_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
df87b4b0ce50eac6603317557dbb4cb0_NEIKI.exe
-
Size
199KB
-
MD5
df87b4b0ce50eac6603317557dbb4cb0
-
SHA1
07e984aafcb8949bc11c974ab4c2e2a7e802ff9c
-
SHA256
f314bc5b1ce971160c37f8079dab8e068f52cd4b0e0b84c6589b542ac8cf9c68
-
SHA512
d49ff7ee8a821d52f1ef7dc2868bbfc344d8ac9e0d3416c0216a7830ef98dc27e6c0ede4d2f9626720c215cc9310b971ba9b587ac94c0c45c6dd07e32af20520
-
SSDEEP
6144:mmKjibCFxRSZSCZj81+jq4peBK034YOmFz1h:wOGF6ZSCG1+jheBbOmFxh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlmllkja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edihepnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkoggkjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhijqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oimkbaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpqiemge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpckjfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dabhdinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najceeoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqqdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchlpfjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnjejjgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcojkhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iijaka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Milidebi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoogfnnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjffbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmcbime.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efafgifc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqgkhnjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhadc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjghcfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkomneim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknpmdfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoolbinc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmnlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjjnlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feapkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkfhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognpebpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mipcob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klngdpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdbmhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgnemjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acocaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigheh32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022f51-7.dat family_berbew behavioral2/files/0x00080000000233eb-16.dat family_berbew behavioral2/files/0x00070000000233ed-24.dat family_berbew behavioral2/files/0x00070000000233ef-31.dat family_berbew behavioral2/files/0x00070000000233f1-39.dat family_berbew behavioral2/files/0x00070000000233f3-47.dat family_berbew behavioral2/files/0x00070000000233f5-50.dat family_berbew behavioral2/files/0x00070000000233f7-63.dat family_berbew behavioral2/files/0x00070000000233f9-72.dat family_berbew behavioral2/files/0x00070000000233fb-79.dat family_berbew behavioral2/files/0x00070000000233fd-87.dat family_berbew behavioral2/files/0x00070000000233ff-95.dat family_berbew behavioral2/files/0x0007000000023401-103.dat family_berbew behavioral2/files/0x0007000000023403-111.dat family_berbew behavioral2/files/0x0007000000023405-119.dat family_berbew behavioral2/files/0x0007000000023407-127.dat family_berbew behavioral2/files/0x0007000000023409-136.dat family_berbew behavioral2/files/0x000700000002340b-143.dat family_berbew behavioral2/files/0x00080000000233e9-151.dat family_berbew behavioral2/files/0x000700000002340e-154.dat family_berbew behavioral2/files/0x0008000000023410-167.dat family_berbew behavioral2/files/0x0007000000023413-175.dat family_berbew behavioral2/files/0x0007000000023415-183.dat family_berbew behavioral2/files/0x000b00000002335c-191.dat family_berbew behavioral2/files/0x0007000000023418-199.dat family_berbew behavioral2/files/0x000700000002341a-207.dat family_berbew behavioral2/files/0x000700000002341c-215.dat family_berbew behavioral2/files/0x0007000000023420-225.dat family_berbew behavioral2/files/0x000700000002341e-224.dat family_berbew behavioral2/files/0x0007000000023422-239.dat family_berbew behavioral2/files/0x0007000000023424-247.dat family_berbew behavioral2/files/0x0007000000023426-255.dat family_berbew behavioral2/files/0x000700000002342a-263.dat family_berbew behavioral2/files/0x0007000000023432-283.dat family_berbew behavioral2/files/0x0007000000023444-337.dat family_berbew behavioral2/files/0x0007000000023450-373.dat family_berbew behavioral2/files/0x0007000000023454-385.dat family_berbew behavioral2/files/0x000700000002345c-409.dat family_berbew behavioral2/files/0x0007000000023460-422.dat family_berbew behavioral2/files/0x000700000002346a-451.dat family_berbew behavioral2/files/0x0007000000023474-481.dat family_berbew behavioral2/files/0x0007000000023478-493.dat family_berbew behavioral2/files/0x0007000000023482-523.dat family_berbew behavioral2/files/0x000700000002348a-549.dat family_berbew behavioral2/files/0x000700000002348c-556.dat family_berbew behavioral2/files/0x0007000000023490-568.dat family_berbew behavioral2/files/0x0007000000023496-589.dat family_berbew behavioral2/files/0x00070000000234a0-624.dat family_berbew behavioral2/files/0x00070000000234b6-701.dat family_berbew behavioral2/files/0x00070000000234c2-742.dat family_berbew behavioral2/files/0x00070000000234c8-763.dat family_berbew behavioral2/files/0x00070000000234cc-777.dat family_berbew behavioral2/files/0x00070000000234d4-805.dat family_berbew behavioral2/files/0x00070000000234da-826.dat family_berbew behavioral2/files/0x00070000000234de-840.dat family_berbew behavioral2/files/0x00070000000234e4-860.dat family_berbew behavioral2/files/0x00070000000234e8-874.dat family_berbew behavioral2/files/0x00070000000234ea-882.dat family_berbew behavioral2/files/0x0007000000023510-1010.dat family_berbew behavioral2/files/0x0007000000023516-1031.dat family_berbew behavioral2/files/0x000700000002351e-1059.dat family_berbew behavioral2/files/0x0007000000023524-1080.dat family_berbew behavioral2/files/0x0007000000023530-1121.dat family_berbew behavioral2/files/0x0007000000023538-1149.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3408 Jaimbj32.exe 1384 Jjbako32.exe 4180 Jaljgidl.exe 404 Jdjfcecp.exe 2956 Jkdnpo32.exe 3260 Jdmcidam.exe 3360 Jiikak32.exe 4528 Kdopod32.exe 1216 Kkihknfg.exe 2204 Kmgdgjek.exe 4116 Kbdmpqcb.exe 2992 Kmjqmi32.exe 624 Kbfiep32.exe 2028 Kipabjil.exe 2284 Kcifkp32.exe 972 Kibnhjgj.exe 952 Kajfig32.exe 3956 Kkbkamnl.exe 2692 Ldkojb32.exe 840 Lkdggmlj.exe 780 Laopdgcg.exe 2128 Lcpllo32.exe 1768 Lkgdml32.exe 3376 Ldohebqh.exe 1996 Lkiqbl32.exe 5044 Lpfijcfl.exe 4260 Ljnnch32.exe 428 Laefdf32.exe 4440 Lddbqa32.exe 4832 Mpkbebbf.exe 644 Mgekbljc.exe 2820 Majopeii.exe 4932 Mkbchk32.exe 748 Mpolqa32.exe 4048 Mcnhmm32.exe 4956 Mjhqjg32.exe 1992 Mpaifalo.exe 4524 Mcpebmkb.exe 876 Mkgmcjld.exe 3104 Maaepd32.exe 700 Mcbahlip.exe 2828 Njljefql.exe 2612 Ndbnboqb.exe 2296 Njogjfoj.exe 3964 Nnjbke32.exe 4580 Ncgkcl32.exe 1392 Njacpf32.exe 3252 Ncihikcg.exe 3568 Ngedij32.exe 4124 Njcpee32.exe 4272 Ncldnkae.exe 3504 Njfmke32.exe 3140 Okeieh32.exe 2264 Ondeac32.exe 3880 Ocqnij32.exe 1568 Ogljjiei.exe 3604 Obangb32.exe 4740 Onholckc.exe 1968 Oqgkhnjf.exe 3624 Ojopad32.exe 3220 Oqihnn32.exe 3280 Ojalgcnd.exe 852 Obidhaog.exe 2924 Oqkdcn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hlkolh32.dll Bahmfj32.exe File created C:\Windows\SysWOW64\Dedkdcie.exe Dceohhja.exe File created C:\Windows\SysWOW64\Higchddh.dll Dceohhja.exe File created C:\Windows\SysWOW64\Nahgoe32.exe Nojjcj32.exe File created C:\Windows\SysWOW64\Inbhocbm.dll Bbiado32.exe File opened for modification C:\Windows\SysWOW64\Aajohjon.exe Process not Found File created C:\Windows\SysWOW64\Qfoaecol.dll Process not Found File created C:\Windows\SysWOW64\Ecppdbpl.dll Jkdnpo32.exe File created C:\Windows\SysWOW64\Genaegmo.dll Dhpjkojk.exe File created C:\Windows\SysWOW64\Bfddbh32.dll Afoeiklb.exe File opened for modification C:\Windows\SysWOW64\Lpbopfag.exe Lhkgoiqe.exe File opened for modification C:\Windows\SysWOW64\Mbighjdd.exe Mjbogmdb.exe File opened for modification C:\Windows\SysWOW64\Kkgiimng.exe Kcpahpmd.exe File opened for modification C:\Windows\SysWOW64\Olkhmi32.exe Ojllan32.exe File created C:\Windows\SysWOW64\Idnljnaa.dll Amgapeea.exe File opened for modification C:\Windows\SysWOW64\Chjaol32.exe Belebq32.exe File created C:\Windows\SysWOW64\Pnpban32.dll Kenggi32.exe File opened for modification C:\Windows\SysWOW64\Ohkbbn32.exe Oaajed32.exe File opened for modification C:\Windows\SysWOW64\Ilccoh32.exe Inqbclob.exe File created C:\Windows\SysWOW64\Bjmjdbam.dll Pgllfp32.exe File opened for modification C:\Windows\SysWOW64\Jfgdkd32.exe Jkaqnk32.exe File created C:\Windows\SysWOW64\Gkiaej32.exe Gdoihpbk.exe File created C:\Windows\SysWOW64\Ipmbjgpi.exe Ikpjbq32.exe File created C:\Windows\SysWOW64\Jobfelii.dll Process not Found File created C:\Windows\SysWOW64\Ncnofeof.exe Process not Found File created C:\Windows\SysWOW64\Coegoe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Acgolj32.exe Qlmgopjq.exe File created C:\Windows\SysWOW64\Cimcan32.exe Cglgjeci.exe File created C:\Windows\SysWOW64\Jiooia32.dll Mngegmbc.exe File created C:\Windows\SysWOW64\Ondeac32.exe Okeieh32.exe File opened for modification C:\Windows\SysWOW64\Cahfmgoo.exe Clkndpag.exe File created C:\Windows\SysWOW64\Mnbcedcn.dll Icnpmp32.exe File created C:\Windows\SysWOW64\Fdgjllic.dll Poaqemao.exe File created C:\Windows\SysWOW64\Aogiap32.exe Process not Found File created C:\Windows\SysWOW64\Bkjiao32.exe Process not Found File created C:\Windows\SysWOW64\Bkjhib32.dll Anbkio32.exe File opened for modification C:\Windows\SysWOW64\Mplhql32.exe Megdccmb.exe File created C:\Windows\SysWOW64\Bppfmigl.exe Bifmqo32.exe File opened for modification C:\Windows\SysWOW64\Iqbbpm32.exe Indfca32.exe File created C:\Windows\SysWOW64\Jhndljll.exe Jbdlop32.exe File created C:\Windows\SysWOW64\Ikpjbq32.exe Idfaefkd.exe File opened for modification C:\Windows\SysWOW64\Paiogf32.exe Process not Found File created C:\Windows\SysWOW64\Cglbhhga.exe Process not Found File created C:\Windows\SysWOW64\Gelaijjp.dll Njfmke32.exe File created C:\Windows\SysWOW64\Ifclaeem.dll Ondeac32.exe File opened for modification C:\Windows\SysWOW64\Bcebhoii.exe Bagflcje.exe File created C:\Windows\SysWOW64\Gjmgfljg.dll Lcnmin32.exe File created C:\Windows\SysWOW64\Cdmfllhn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ddpeoafg.exe Daaicfgd.exe File created C:\Windows\SysWOW64\Icgjmapi.exe Ikpaldog.exe File created C:\Windows\SysWOW64\Dfdcmnil.dll Lbqklb32.exe File opened for modification C:\Windows\SysWOW64\Meefofek.exe Mjpbam32.exe File created C:\Windows\SysWOW64\Oldamm32.exe Oifeab32.exe File created C:\Windows\SysWOW64\Qfghnikc.dll Lklbdm32.exe File created C:\Windows\SysWOW64\Pellipfm.dll Lkdggmlj.exe File created C:\Windows\SysWOW64\Dkjmlk32.exe Ddpeoafg.exe File opened for modification C:\Windows\SysWOW64\Ifllil32.exe Icnpmp32.exe File created C:\Windows\SysWOW64\Feapkk32.exe Fnjhjn32.exe File created C:\Windows\SysWOW64\Ooiolbic.dll Qqffjo32.exe File opened for modification C:\Windows\SysWOW64\Fkkeclfh.exe Fdamgb32.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Process not Found File created C:\Windows\SysWOW64\Enqjamin.dll Jjopcb32.exe File opened for modification C:\Windows\SysWOW64\Palbgl32.exe Process not Found File created C:\Windows\SysWOW64\Bdimkqnb.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 10952 4980 Process not Found 1449 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojopad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgiapmj.dll" Pgkelj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pflplnlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjbpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copkngdi.dll" Lfjjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjjdmoc.dll" Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbqaei32.dll" Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dimenegi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kajfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkgmlcm.dll" Ghpocngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indfca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogklelna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddadpdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjebhadm.dll" Qohpkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpefo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmflf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Molelb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccgajfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdecba32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfembo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll" Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illddp32.dll" Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cagobalc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckoph32.dll" Hlambk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlambk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojjolnaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnjnnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgppmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Achegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjgecbe.dll" Pgmcqggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keakgpko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpqkad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigmlgok.dll" Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocqnij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehimanbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hffcmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjmkoeqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbdco32.dll" Cahfmgoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfooa32.dll" Hfklhhcl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4328 wrote to memory of 3408 4328 df87b4b0ce50eac6603317557dbb4cb0_NEIKI.exe 80 PID 4328 wrote to memory of 3408 4328 df87b4b0ce50eac6603317557dbb4cb0_NEIKI.exe 80 PID 4328 wrote to memory of 3408 4328 df87b4b0ce50eac6603317557dbb4cb0_NEIKI.exe 80 PID 3408 wrote to memory of 1384 3408 Jaimbj32.exe 81 PID 3408 wrote to memory of 1384 3408 Jaimbj32.exe 81 PID 3408 wrote to memory of 1384 3408 Jaimbj32.exe 81 PID 1384 wrote to memory of 4180 1384 Jjbako32.exe 83 PID 1384 wrote to memory of 4180 1384 Jjbako32.exe 83 PID 1384 wrote to memory of 4180 1384 Jjbako32.exe 83 PID 4180 wrote to memory of 404 4180 Jaljgidl.exe 84 PID 4180 wrote to memory of 404 4180 Jaljgidl.exe 84 PID 4180 wrote to memory of 404 4180 Jaljgidl.exe 84 PID 404 wrote to memory of 2956 404 Jdjfcecp.exe 86 PID 404 wrote to memory of 2956 404 Jdjfcecp.exe 86 PID 404 wrote to memory of 2956 404 Jdjfcecp.exe 86 PID 2956 wrote to memory of 3260 2956 Jkdnpo32.exe 88 PID 2956 wrote to memory of 3260 2956 Jkdnpo32.exe 88 PID 2956 wrote to memory of 3260 2956 Jkdnpo32.exe 88 PID 3260 wrote to memory of 3360 3260 Jdmcidam.exe 89 PID 3260 wrote to memory of 3360 3260 Jdmcidam.exe 89 PID 3260 wrote to memory of 3360 3260 Jdmcidam.exe 89 PID 3360 wrote to memory of 4528 3360 Jiikak32.exe 90 PID 3360 wrote to memory of 4528 3360 Jiikak32.exe 90 PID 3360 wrote to memory of 4528 3360 Jiikak32.exe 90 PID 4528 wrote to memory of 1216 4528 Kdopod32.exe 91 PID 4528 wrote to memory of 1216 4528 Kdopod32.exe 91 PID 4528 wrote to memory of 1216 4528 Kdopod32.exe 91 PID 1216 wrote to memory of 2204 1216 Kkihknfg.exe 92 PID 1216 wrote to memory of 2204 1216 Kkihknfg.exe 92 PID 1216 wrote to memory of 2204 1216 Kkihknfg.exe 92 PID 2204 wrote to memory of 4116 2204 Kmgdgjek.exe 93 PID 2204 wrote to memory of 4116 2204 Kmgdgjek.exe 93 PID 2204 wrote to memory of 4116 2204 Kmgdgjek.exe 93 PID 4116 wrote to memory of 2992 4116 Kbdmpqcb.exe 94 PID 4116 wrote to memory of 2992 4116 Kbdmpqcb.exe 94 PID 4116 wrote to memory of 2992 4116 Kbdmpqcb.exe 94 PID 2992 wrote to memory of 624 2992 Kmjqmi32.exe 95 PID 2992 wrote to memory of 624 2992 Kmjqmi32.exe 95 PID 2992 wrote to memory of 624 2992 Kmjqmi32.exe 95 PID 624 wrote to memory of 2028 624 Kbfiep32.exe 96 PID 624 wrote to memory of 2028 624 Kbfiep32.exe 96 PID 624 wrote to memory of 2028 624 Kbfiep32.exe 96 PID 2028 wrote to memory of 2284 2028 Kipabjil.exe 97 PID 2028 wrote to memory of 2284 2028 Kipabjil.exe 97 PID 2028 wrote to memory of 2284 2028 Kipabjil.exe 97 PID 2284 wrote to memory of 972 2284 Kcifkp32.exe 98 PID 2284 wrote to memory of 972 2284 Kcifkp32.exe 98 PID 2284 wrote to memory of 972 2284 Kcifkp32.exe 98 PID 972 wrote to memory of 952 972 Kibnhjgj.exe 99 PID 972 wrote to memory of 952 972 Kibnhjgj.exe 99 PID 972 wrote to memory of 952 972 Kibnhjgj.exe 99 PID 952 wrote to memory of 3956 952 Kajfig32.exe 100 PID 952 wrote to memory of 3956 952 Kajfig32.exe 100 PID 952 wrote to memory of 3956 952 Kajfig32.exe 100 PID 3956 wrote to memory of 2692 3956 Kkbkamnl.exe 101 PID 3956 wrote to memory of 2692 3956 Kkbkamnl.exe 101 PID 3956 wrote to memory of 2692 3956 Kkbkamnl.exe 101 PID 2692 wrote to memory of 840 2692 Ldkojb32.exe 102 PID 2692 wrote to memory of 840 2692 Ldkojb32.exe 102 PID 2692 wrote to memory of 840 2692 Ldkojb32.exe 102 PID 840 wrote to memory of 780 840 Lkdggmlj.exe 103 PID 840 wrote to memory of 780 840 Lkdggmlj.exe 103 PID 840 wrote to memory of 780 840 Lkdggmlj.exe 103 PID 780 wrote to memory of 2128 780 Laopdgcg.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\df87b4b0ce50eac6603317557dbb4cb0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\df87b4b0ce50eac6603317557dbb4cb0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe23⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe24⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe25⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe26⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe27⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe28⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe29⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe30⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe31⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe32⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe33⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe34⤵PID:4508
-
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe35⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe36⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe37⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe38⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe39⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe40⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe41⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe42⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe43⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe44⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe45⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe46⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe47⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe48⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe49⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe50⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe52⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe53⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3880 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe58⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe59⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe60⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe63⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe64⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe65⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe66⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe67⤵PID:752
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe68⤵PID:1008
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4472 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4732 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe71⤵PID:4000
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe72⤵PID:3168
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe73⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe74⤵PID:1404
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe75⤵PID:4996
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe76⤵PID:3248
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe77⤵PID:5100
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe78⤵PID:3740
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe79⤵PID:2132
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe80⤵PID:2272
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe81⤵PID:1156
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe82⤵PID:436
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe83⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe84⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3576 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe86⤵PID:8
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe87⤵PID:3668
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe88⤵PID:3700
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe89⤵PID:1468
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe90⤵PID:4944
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe91⤵PID:1552
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe92⤵
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe93⤵PID:3372
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe94⤵PID:1972
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe95⤵PID:4880
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe96⤵PID:4952
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe97⤵PID:3476
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe98⤵PID:1920
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe99⤵PID:3512
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe100⤵PID:1980
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe101⤵PID:2720
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe102⤵PID:4608
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe103⤵PID:3796
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe104⤵PID:1376
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe105⤵PID:1740
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe106⤵PID:3216
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe107⤵PID:5128
-
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe108⤵PID:5172
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe109⤵PID:5216
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe110⤵PID:5256
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe111⤵PID:5300
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe112⤵PID:5344
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe113⤵PID:5384
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe114⤵PID:5432
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe115⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe116⤵
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe117⤵PID:5564
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe118⤵PID:5608
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe119⤵PID:5652
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe120⤵PID:5700
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe121⤵PID:5740
-
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe122⤵PID:5788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-