Analysis
-
max time kernel
149s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:12
Behavioral task
behavioral1
Sample
56aa3bbcb9c7d771385f7acdd49925c0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
56aa3bbcb9c7d771385f7acdd49925c0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
56aa3bbcb9c7d771385f7acdd49925c0_NeikiAnalytics.exe
-
Size
384KB
-
MD5
56aa3bbcb9c7d771385f7acdd49925c0
-
SHA1
d66eef602cd1845e778a07a4786fcbe4d109c149
-
SHA256
0a26e302dee31f93340d8673ec3dad5d6793ca80be22baf9d28b4582a87bd70f
-
SHA512
86fc0f2df2b7db42c317576b815707a5137c23ed5035403defc2c980b9c9021310d7e0837150bb30f2d9beb6189474b52e89ebc008130a76015ed654e2599408
-
SSDEEP
6144:OZagEbTpui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGck7/DiuoH3ygNbbks:OWpV6yYPMLnfBJKFbhDwBpV6yYP0riuw
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpada32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpojead.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bemlmgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkjmlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohnohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injmcmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpgbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kboljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edhakj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmmeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlkedai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offnhpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kechmoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chglab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmcojh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjhpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cibmlmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcdmikd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimpolee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckmonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnmopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neafjdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Digehphc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdcag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchlpfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlegnjbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eidbij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jglklggl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmdgikhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Locbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdcbom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncabfkqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgnkkbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpkflfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmbqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeimm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Milidebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkpmdbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikndgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbklm32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000900000002297e-6.dat family_berbew behavioral2/files/0x0007000000023493-15.dat family_berbew behavioral2/files/0x0007000000023496-23.dat family_berbew behavioral2/files/0x0007000000023498-30.dat family_berbew behavioral2/files/0x000700000002349a-38.dat family_berbew behavioral2/files/0x000700000002349c-46.dat family_berbew behavioral2/files/0x000700000002349e-54.dat family_berbew behavioral2/files/0x00070000000234a0-63.dat family_berbew behavioral2/files/0x00070000000234a2-70.dat family_berbew behavioral2/files/0x00070000000234a6-87.dat family_berbew behavioral2/files/0x00070000000234ae-115.dat family_berbew behavioral2/files/0x00070000000234b4-137.dat family_berbew behavioral2/files/0x00070000000234b6-144.dat family_berbew behavioral2/files/0x00070000000234ba-158.dat family_berbew behavioral2/files/0x00070000000234be-172.dat family_berbew behavioral2/files/0x00070000000234c6-200.dat family_berbew behavioral2/files/0x00070000000234ca-213.dat family_berbew behavioral2/files/0x00070000000234d0-235.dat family_berbew behavioral2/files/0x00070000000234ce-228.dat family_berbew behavioral2/files/0x00070000000234cc-221.dat family_berbew behavioral2/files/0x00070000000234c8-207.dat family_berbew behavioral2/files/0x00070000000234c4-193.dat family_berbew behavioral2/files/0x00070000000234c2-186.dat family_berbew behavioral2/files/0x00070000000234c0-179.dat family_berbew behavioral2/files/0x00070000000234bc-165.dat family_berbew behavioral2/files/0x00070000000234b8-151.dat family_berbew behavioral2/files/0x00070000000234b2-130.dat family_berbew behavioral2/files/0x00070000000234b0-123.dat family_berbew behavioral2/files/0x00070000000234ac-109.dat family_berbew behavioral2/files/0x00070000000234aa-102.dat family_berbew behavioral2/files/0x00070000000234a8-95.dat family_berbew behavioral2/files/0x00070000000234a4-79.dat family_berbew behavioral2/files/0x0007000000023561-678.dat family_berbew behavioral2/files/0x0007000000023577-743.dat family_berbew behavioral2/files/0x000c000000023405-845.dat family_berbew behavioral2/files/0x00070000000235a9-900.dat family_berbew behavioral2/files/0x00070000000235bd-962.dat family_berbew behavioral2/files/0x00070000000235cb-1003.dat family_berbew behavioral2/files/0x00070000000235e9-1102.dat family_berbew behavioral2/files/0x00070000000235ef-1122.dat family_berbew behavioral2/files/0x0007000000023601-1183.dat family_berbew behavioral2/files/0x0007000000023605-1197.dat family_berbew behavioral2/files/0x0007000000023620-1283.dat family_berbew behavioral2/files/0x0007000000023638-1359.dat family_berbew behavioral2/files/0x000700000002363c-1373.dat family_berbew behavioral2/files/0x0007000000023642-1393.dat family_berbew behavioral2/files/0x0007000000023658-1450.dat family_berbew behavioral2/files/0x0007000000023681-1581.dat family_berbew behavioral2/files/0x0007000000023697-1657.dat family_berbew behavioral2/files/0x000700000002369e-1678.dat family_berbew behavioral2/files/0x00070000000236b2-1739.dat family_berbew behavioral2/files/0x00070000000236b6-1752.dat family_berbew behavioral2/files/0x00070000000236d1-1855.dat family_berbew behavioral2/files/0x00070000000236f7-1986.dat family_berbew behavioral2/files/0x000700000002370b-2050.dat family_berbew behavioral2/files/0x0007000000023725-2138.dat family_berbew behavioral2/files/0x0007000000023731-2179.dat family_berbew behavioral2/files/0x0007000000023739-2207.dat family_berbew behavioral2/files/0x0007000000023749-2258.dat family_berbew behavioral2/files/0x000700000002375a-2310.dat family_berbew behavioral2/files/0x0007000000023760-2330.dat family_berbew behavioral2/files/0x0007000000023766-2349.dat family_berbew behavioral2/files/0x000700000002376e-2376.dat family_berbew behavioral2/files/0x0007000000023776-2401.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3696 Anbkio32.exe 5036 Ahkobekf.exe 1524 Abpcon32.exe 1268 Abbpem32.exe 3320 Aealah32.exe 1740 Bahmfj32.exe 3528 Bjpaooda.exe 4592 Beeflhdh.exe 3992 Bjbndobo.exe 2860 Bbifelba.exe 552 Balfaiil.exe 4120 Bdkcmdhp.exe 4104 Bjdkjo32.exe 3576 Bblckl32.exe 3840 Baocghgi.exe 3340 Bdmpcdfm.exe 1056 Bhikcb32.exe 2596 Bjghpn32.exe 2308 Bbnpqk32.exe 1488 Bemlmgnp.exe 4916 Bhkhibmc.exe 3996 Blfdia32.exe 4052 Boepel32.exe 2796 Cacmah32.exe 4460 Ceoibflm.exe 4584 Chmeobkq.exe 3864 Cliaoq32.exe 1804 Cogmkl32.exe 4068 Cafigg32.exe 4996 Cddecc32.exe 508 Chpada32.exe 3956 Clkndpag.exe 4544 Cknnpm32.exe 1172 Cbefaj32.exe 2632 Cahfmgoo.exe 1308 Cecbmf32.exe 1648 Chbnia32.exe 4684 Clnjjpod.exe 4152 Ckpjfm32.exe 4212 Cbgbgj32.exe 1732 Cajcbgml.exe 4616 Cdiooblp.exe 1972 Chdkoa32.exe 1612 Clpgpp32.exe 748 Conclk32.exe 1728 Cehkhecb.exe 2816 Chghdqbf.exe 4136 Clbceo32.exe 5056 Doqpak32.exe 3060 Dbllbibl.exe 1976 Dekhneap.exe 4908 Ddmhja32.exe 4336 Dhidjpqc.exe 4940 Dkgqfl32.exe 2928 Docmgjhp.exe 1460 Daaicfgd.exe 4900 Demecd32.exe 4700 Dhkapp32.exe 3680 Dlgmpogj.exe 3080 Dkjmlk32.exe 1436 Dbaemi32.exe 1760 Dadeieea.exe 4220 Deoaid32.exe 2132 Dhnnep32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cgjjdf32.exe Bjfjka32.exe File created C:\Windows\SysWOW64\Lpcqcc32.dll Hbpgbo32.exe File created C:\Windows\SysWOW64\Dbbffdlq.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Offnhpfo.exe Oaifpi32.exe File opened for modification C:\Windows\SysWOW64\Bogkmgba.exe Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Lldfjh32.exe Lifjnm32.exe File created C:\Windows\SysWOW64\Oemefcap.exe Oocmii32.exe File created C:\Windows\SysWOW64\Dadeieea.exe Dbaemi32.exe File created C:\Windows\SysWOW64\Fdjlic32.dll Oponmilc.exe File created C:\Windows\SysWOW64\Ialqkblh.dll Gddinf32.exe File created C:\Windows\SysWOW64\Nlkfjqib.dll Nnicid32.exe File created C:\Windows\SysWOW64\Fechomko.exe Fbelcblk.exe File opened for modification C:\Windows\SysWOW64\Lmgfda32.exe Lbabgh32.exe File opened for modification C:\Windows\SysWOW64\Mdmnlj32.exe Mpablkhc.exe File created C:\Windows\SysWOW64\Dfnjafap.exe Ddonekbl.exe File created C:\Windows\SysWOW64\Fdlgcl32.dll Qcaofebg.exe File opened for modification C:\Windows\SysWOW64\Eleiam32.exe Eekaebcm.exe File created C:\Windows\SysWOW64\Icahfh32.dll Knbbep32.exe File opened for modification C:\Windows\SysWOW64\Igpdfb32.exe Idahjg32.exe File opened for modification C:\Windows\SysWOW64\Doaneiop.exe Digehphc.exe File created C:\Windows\SysWOW64\Jocefm32.exe Jekqmhia.exe File created C:\Windows\SysWOW64\Ikfabm32.exe Ikcdlmgf.exe File created C:\Windows\SysWOW64\Jgpmmp32.exe Jdaaaeqg.exe File opened for modification C:\Windows\SysWOW64\Ljhnlb32.exe Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Ihdafkdg.exe Ikndgg32.exe File opened for modification C:\Windows\SysWOW64\Jdaaaeqg.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Mjfmcmai.dll Ckmonl32.exe File created C:\Windows\SysWOW64\Elkllcbh.dll Dfnbgc32.exe File opened for modification C:\Windows\SysWOW64\Ojomcopk.exe Nceefd32.exe File opened for modification C:\Windows\SysWOW64\Bmngqdpj.exe Bjokdipf.exe File created C:\Windows\SysWOW64\Dcmann32.dll Ngdfdmdi.exe File opened for modification C:\Windows\SysWOW64\Gigheh32.exe Fkbkdkpp.exe File opened for modification C:\Windows\SysWOW64\Ahgjejhd.exe Ackbmcjl.exe File created C:\Windows\SysWOW64\Gkjcgjio.dll Jocefm32.exe File created C:\Windows\SysWOW64\Fqplhmkl.dll Jbhfjljd.exe File opened for modification C:\Windows\SysWOW64\Bnhjohkb.exe Bfabnjjp.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bjagjhnc.exe File created C:\Windows\SysWOW64\Lbnngbbn.exe Locbfd32.exe File created C:\Windows\SysWOW64\Cgqlcg32.exe Cpfcfmlp.exe File created C:\Windows\SysWOW64\Jidpnp32.dll Cogmkl32.exe File created C:\Windows\SysWOW64\Pnakhkol.exe Pfjcgn32.exe File created C:\Windows\SysWOW64\Accailfj.dll Idhnkf32.exe File created C:\Windows\SysWOW64\Llgmeiqa.dll Mgclpkac.exe File created C:\Windows\SysWOW64\Lblldc32.dll Iebngial.exe File created C:\Windows\SysWOW64\Pjkakfla.dll Lcdciiec.exe File opened for modification C:\Windows\SysWOW64\Neoieenp.exe Nlfelogp.exe File created C:\Windows\SysWOW64\Gdaklmfn.dll Fijkdmhn.exe File created C:\Windows\SysWOW64\Cddecc32.exe Cafigg32.exe File created C:\Windows\SysWOW64\Gfpcgpae.exe Gofkje32.exe File created C:\Windows\SysWOW64\Lflpengd.dll Jjjpnlbd.exe File created C:\Windows\SysWOW64\Pkpmdbfd.exe Pdfehh32.exe File opened for modification C:\Windows\SysWOW64\Cdnmfclj.exe Cndeii32.exe File opened for modification C:\Windows\SysWOW64\Fpdcag32.exe Fligqhga.exe File created C:\Windows\SysWOW64\Ccbadp32.exe Cmhigf32.exe File created C:\Windows\SysWOW64\Giidol32.dll Pnifekmd.exe File created C:\Windows\SysWOW64\Eeanii32.dll Jpgmha32.exe File created C:\Windows\SysWOW64\Ddmaok32.exe Danecp32.exe File created C:\Windows\SysWOW64\Ploija32.dll Aobilkcl.exe File created C:\Windows\SysWOW64\Bjbalpnl.dll Dmglcj32.exe File created C:\Windows\SysWOW64\Lpbopfag.exe Llgcph32.exe File created C:\Windows\SysWOW64\Jiopcppf.dll Jbeidl32.exe File created C:\Windows\SysWOW64\Ncfpbegh.dll Idgojc32.exe File created C:\Windows\SysWOW64\Lnbklm32.exe Lghcocol.exe File opened for modification C:\Windows\SysWOW64\Hemdlj32.exe Hoclopne.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10148 6852 Process not Found 1125 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeoe32.dll" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jedeph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbhpb32.dll" Kqbkfkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehkga32.dll" Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllmfjk.dll" Ohgoaehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebejfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Feoodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhkhibmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pplobcpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiahnnph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndokbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll" Qffbbldm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkbkdkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdmqp32.dll" Lnpofnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mibijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Conclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnaabfm.dll" Jmmjgejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlpokp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pddhbipj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmjdjgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlaag32.dll" Lnqeqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfepj32.dll" Aggegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljibbol.dll" Bhcjqinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hheoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gicinj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlednamo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egijmegb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll" Cmnpgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chqogq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgkbp32.dll" Pcjiff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennioe32.dll" Hlegnjbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmgbckd.dll" Nojjcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckeimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoobn32.dll" Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfoeejd.dll" Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoiafcic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knfeeimj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilghlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cobkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll" Kbhoqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbdco32.dll" Cecbmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodapf32.dll" Lddgmbpb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1840 wrote to memory of 3696 1840 56aa3bbcb9c7d771385f7acdd49925c0_NeikiAnalytics.exe 82 PID 1840 wrote to memory of 3696 1840 56aa3bbcb9c7d771385f7acdd49925c0_NeikiAnalytics.exe 82 PID 1840 wrote to memory of 3696 1840 56aa3bbcb9c7d771385f7acdd49925c0_NeikiAnalytics.exe 82 PID 3696 wrote to memory of 5036 3696 Anbkio32.exe 83 PID 3696 wrote to memory of 5036 3696 Anbkio32.exe 83 PID 3696 wrote to memory of 5036 3696 Anbkio32.exe 83 PID 5036 wrote to memory of 1524 5036 Ahkobekf.exe 84 PID 5036 wrote to memory of 1524 5036 Ahkobekf.exe 84 PID 5036 wrote to memory of 1524 5036 Ahkobekf.exe 84 PID 1524 wrote to memory of 1268 1524 Abpcon32.exe 85 PID 1524 wrote to memory of 1268 1524 Abpcon32.exe 85 PID 1524 wrote to memory of 1268 1524 Abpcon32.exe 85 PID 1268 wrote to memory of 3320 1268 Abbpem32.exe 86 PID 1268 wrote to memory of 3320 1268 Abbpem32.exe 86 PID 1268 wrote to memory of 3320 1268 Abbpem32.exe 86 PID 3320 wrote to memory of 1740 3320 Aealah32.exe 87 PID 3320 wrote to memory of 1740 3320 Aealah32.exe 87 PID 3320 wrote to memory of 1740 3320 Aealah32.exe 87 PID 1740 wrote to memory of 3528 1740 Bahmfj32.exe 88 PID 1740 wrote to memory of 3528 1740 Bahmfj32.exe 88 PID 1740 wrote to memory of 3528 1740 Bahmfj32.exe 88 PID 3528 wrote to memory of 4592 3528 Bjpaooda.exe 89 PID 3528 wrote to memory of 4592 3528 Bjpaooda.exe 89 PID 3528 wrote to memory of 4592 3528 Bjpaooda.exe 89 PID 4592 wrote to memory of 3992 4592 Beeflhdh.exe 91 PID 4592 wrote to memory of 3992 4592 Beeflhdh.exe 91 PID 4592 wrote to memory of 3992 4592 Beeflhdh.exe 91 PID 3992 wrote to memory of 2860 3992 Bjbndobo.exe 92 PID 3992 wrote to memory of 2860 3992 Bjbndobo.exe 92 PID 3992 wrote to memory of 2860 3992 Bjbndobo.exe 92 PID 2860 wrote to memory of 552 2860 Bbifelba.exe 93 PID 2860 wrote to memory of 552 2860 Bbifelba.exe 93 PID 2860 wrote to memory of 552 2860 Bbifelba.exe 93 PID 552 wrote to memory of 4120 552 Balfaiil.exe 94 PID 552 wrote to memory of 4120 552 Balfaiil.exe 94 PID 552 wrote to memory of 4120 552 Balfaiil.exe 94 PID 4120 wrote to memory of 4104 4120 Bdkcmdhp.exe 95 PID 4120 wrote to memory of 4104 4120 Bdkcmdhp.exe 95 PID 4120 wrote to memory of 4104 4120 Bdkcmdhp.exe 95 PID 4104 wrote to memory of 3576 4104 Bjdkjo32.exe 96 PID 4104 wrote to memory of 3576 4104 Bjdkjo32.exe 96 PID 4104 wrote to memory of 3576 4104 Bjdkjo32.exe 96 PID 3576 wrote to memory of 3840 3576 Bblckl32.exe 97 PID 3576 wrote to memory of 3840 3576 Bblckl32.exe 97 PID 3576 wrote to memory of 3840 3576 Bblckl32.exe 97 PID 3840 wrote to memory of 3340 3840 Baocghgi.exe 98 PID 3840 wrote to memory of 3340 3840 Baocghgi.exe 98 PID 3840 wrote to memory of 3340 3840 Baocghgi.exe 98 PID 3340 wrote to memory of 1056 3340 Bdmpcdfm.exe 99 PID 3340 wrote to memory of 1056 3340 Bdmpcdfm.exe 99 PID 3340 wrote to memory of 1056 3340 Bdmpcdfm.exe 99 PID 1056 wrote to memory of 2596 1056 Bhikcb32.exe 100 PID 1056 wrote to memory of 2596 1056 Bhikcb32.exe 100 PID 1056 wrote to memory of 2596 1056 Bhikcb32.exe 100 PID 2596 wrote to memory of 2308 2596 Bjghpn32.exe 101 PID 2596 wrote to memory of 2308 2596 Bjghpn32.exe 101 PID 2596 wrote to memory of 2308 2596 Bjghpn32.exe 101 PID 2308 wrote to memory of 1488 2308 Bbnpqk32.exe 102 PID 2308 wrote to memory of 1488 2308 Bbnpqk32.exe 102 PID 2308 wrote to memory of 1488 2308 Bbnpqk32.exe 102 PID 1488 wrote to memory of 4916 1488 Bemlmgnp.exe 103 PID 1488 wrote to memory of 4916 1488 Bemlmgnp.exe 103 PID 1488 wrote to memory of 4916 1488 Bemlmgnp.exe 103 PID 4916 wrote to memory of 3996 4916 Bhkhibmc.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\56aa3bbcb9c7d771385f7acdd49925c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\56aa3bbcb9c7d771385f7acdd49925c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe23⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe24⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe25⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe26⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe27⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe28⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe31⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe33⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe34⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe35⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe36⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe38⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe39⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe40⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe41⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe42⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe43⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe44⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe45⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe47⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe48⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe49⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe50⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe51⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe52⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe53⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe54⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe55⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe56⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe57⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe58⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe59⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe60⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe63⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe64⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe65⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe66⤵PID:4496
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe67⤵PID:3228
-
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe68⤵PID:4440
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe69⤵PID:3496
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe70⤵PID:1988
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe71⤵PID:1892
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe72⤵PID:4476
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe73⤵PID:2256
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe74⤵PID:5060
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe75⤵PID:1860
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe76⤵PID:4924
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe77⤵PID:1984
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe78⤵PID:4024
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe79⤵PID:1020
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe80⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe81⤵PID:3444
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe82⤵PID:224
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe83⤵PID:2528
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe84⤵PID:2296
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe85⤵PID:4828
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe86⤵PID:4600
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:396 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe88⤵PID:1828
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe89⤵
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe90⤵PID:3472
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe91⤵PID:4364
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe92⤵PID:4088
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe93⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe94⤵PID:2360
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe95⤵PID:1492
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe96⤵PID:1832
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe97⤵PID:4656
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe98⤵PID:4408
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe99⤵PID:3568
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe100⤵PID:4472
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe101⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe102⤵PID:2752
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe103⤵PID:5128
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe104⤵PID:5164
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe105⤵PID:5220
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe106⤵PID:5260
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe107⤵PID:5300
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe109⤵PID:5380
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe111⤵PID:5464
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe112⤵PID:5508
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe113⤵PID:5544
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe114⤵PID:5588
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe115⤵PID:5628
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe116⤵PID:5668
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe117⤵PID:5708
-
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe118⤵PID:5744
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe119⤵PID:5788
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe120⤵
- Modifies registry class
PID:5828 -
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe121⤵
- Modifies registry class
PID:5864 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe122⤵PID:5916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-