Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 13:07
Behavioral task
behavioral1
Sample
51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f_NeikiAnalytics.exe
-
Size
448KB
-
MD5
b0b0cf6c714a34f3a1ba9c37548ecb80
-
SHA1
164b0878ac561187c8709c4d367d8562733d9116
-
SHA256
51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f
-
SHA512
47a7e936333c2c5f3bfe306005b49f8e7dc90a97bd07927ff70f526e3d1ed4fd7fd7a8a9be59148f1d4fe2ef4446cd401e0b907256dc586234b73fb1b8e8b7a7
-
SSDEEP
6144:DW9Ki887aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzxC:DWLV7aOlxzr3cOK3TajRfXFMKNxC
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehedfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahkobekf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgflqkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmfclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pekbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijhodq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkaopp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmlfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimkbaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icnpmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dakbckbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpccdlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amcmpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhjckcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adapgfqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaogak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbocea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joiccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iapjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckajehi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hghoeqmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phcomcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hecmijim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hclakimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bebblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieliebnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjapmdid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmdedo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edmclccp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfipekh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfmmcbo.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000600000002327c-6.dat family_berbew behavioral2/files/0x00070000000233fe-14.dat family_berbew behavioral2/files/0x0007000000023400-22.dat family_berbew behavioral2/files/0x0007000000023402-30.dat family_berbew behavioral2/files/0x0007000000023404-39.dat family_berbew behavioral2/files/0x0007000000023406-46.dat family_berbew behavioral2/files/0x0007000000023408-54.dat family_berbew behavioral2/files/0x000700000002340a-62.dat family_berbew behavioral2/files/0x000700000002340c-71.dat family_berbew behavioral2/files/0x000700000002340e-78.dat family_berbew behavioral2/files/0x0007000000023410-86.dat family_berbew behavioral2/files/0x0007000000023412-93.dat family_berbew behavioral2/files/0x0007000000023414-102.dat family_berbew behavioral2/files/0x0007000000023416-110.dat family_berbew behavioral2/files/0x0007000000023418-118.dat family_berbew behavioral2/files/0x000700000002341a-126.dat family_berbew behavioral2/files/0x000700000002341c-134.dat family_berbew behavioral2/files/0x00080000000233fa-143.dat family_berbew behavioral2/files/0x000700000002341f-150.dat family_berbew behavioral2/files/0x0007000000023421-158.dat family_berbew behavioral2/files/0x0007000000023423-166.dat family_berbew behavioral2/files/0x0007000000023425-174.dat family_berbew behavioral2/files/0x0007000000023428-182.dat family_berbew behavioral2/files/0x000700000002342a-191.dat family_berbew behavioral2/files/0x000700000002342c-197.dat family_berbew behavioral2/files/0x000700000002342e-207.dat family_berbew behavioral2/files/0x0007000000023430-215.dat family_berbew behavioral2/files/0x0007000000023432-222.dat family_berbew behavioral2/files/0x0007000000023434-230.dat family_berbew behavioral2/files/0x0007000000023436-238.dat family_berbew behavioral2/files/0x0007000000023438-246.dat family_berbew behavioral2/files/0x000700000002343a-254.dat family_berbew behavioral2/files/0x0007000000023449-299.dat family_berbew behavioral2/files/0x000700000002344e-317.dat family_berbew behavioral2/files/0x0007000000023458-346.dat family_berbew behavioral2/files/0x0007000000023460-371.dat family_berbew behavioral2/files/0x0007000000023464-383.dat family_berbew behavioral2/files/0x000700000002346e-413.dat family_berbew behavioral2/files/0x0007000000023476-437.dat family_berbew behavioral2/files/0x0007000000023492-520.dat family_berbew behavioral2/files/0x0007000000023499-545.dat family_berbew behavioral2/files/0x00070000000234c8-707.dat family_berbew behavioral2/files/0x00070000000234d0-733.dat family_berbew behavioral2/files/0x00070000000234da-768.dat family_berbew behavioral2/files/0x00070000000234e4-802.dat family_berbew behavioral2/files/0x00070000000234f4-858.dat family_berbew behavioral2/files/0x0007000000023500-899.dat family_berbew behavioral2/files/0x0007000000023508-920.dat family_berbew behavioral2/files/0x000700000002350e-939.dat family_berbew behavioral2/files/0x0007000000023510-947.dat family_berbew behavioral2/files/0x0007000000023516-963.dat family_berbew behavioral2/files/0x0007000000023523-1011.dat family_berbew behavioral2/files/0x0007000000023527-1024.dat family_berbew behavioral2/files/0x000700000002352d-1045.dat family_berbew behavioral2/files/0x000700000002353d-1097.dat family_berbew behavioral2/files/0x0007000000023555-1183.dat family_berbew behavioral2/files/0x0007000000023568-1240.dat family_berbew behavioral2/files/0x000700000002356e-1257.dat family_berbew behavioral2/files/0x0007000000023574-1279.dat family_berbew behavioral2/files/0x000700000002357a-1297.dat family_berbew behavioral2/files/0x0007000000023580-1319.dat family_berbew behavioral2/files/0x0007000000023590-1368.dat family_berbew behavioral2/files/0x00070000000235a1-1424.dat family_berbew behavioral2/files/0x00070000000235c8-1591.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4284 Befmfngc.exe 2860 Bpladg32.exe 1952 Booaodnd.exe 4040 Bammlomg.exe 1896 Bidemmnj.exe 400 Blennh32.exe 1668 Bbofkbbh.exe 1020 Bemcgmak.exe 3752 Bhlocipo.exe 2252 Bbacqape.exe 5044 Clihig32.exe 724 Ceblbm32.exe 1152 Caimgncj.exe 4036 Cpjmee32.exe 2424 Cakjmm32.exe 3528 Chebighd.exe 1556 Ccjfgphj.exe 4420 Clckpf32.exe 4848 Cekohk32.exe 2376 Dlegeemh.exe 4084 Denlnk32.exe 4456 Dlgdkeje.exe 4536 Dadlclim.exe 3676 Dljqpd32.exe 4028 Dohmlp32.exe 1372 Dhqaefng.exe 3688 Dfdbojmq.exe 4380 Dhcnke32.exe 2604 Dakbckbe.exe 4572 Epmcab32.exe 3092 Eckonn32.exe 1360 Elccfc32.exe 2824 Ebploj32.exe 3876 Ehjdldfl.exe 4600 Eqalmafo.exe 3308 Eodlho32.exe 3788 Efneehef.exe 544 Elhmablc.exe 2712 Eqciba32.exe 4412 Ecbenm32.exe 1548 Efpajh32.exe 1384 Ehonfc32.exe 548 Eoifcnid.exe 3848 Ecdbdl32.exe 412 Ffbnph32.exe 4544 Fmmfmbhn.exe 1604 Fokbim32.exe 3204 Fbioei32.exe 2344 Ficgacna.exe 1536 Fmocba32.exe 4812 Fomonm32.exe 3956 Ffggkgmk.exe 3396 Fmapha32.exe 1148 Fopldmcl.exe 2024 Fjepaecb.exe 1180 Fmclmabe.exe 4392 Fobiilai.exe 432 Fbqefhpm.exe 1356 Fijmbb32.exe 1664 Fodeolof.exe 3972 Gcpapkgp.exe 3660 Gjjjle32.exe 3324 Gqdbiofi.exe 4644 Gbenqg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Klkfenfk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mgloefco.exe Process not Found File created C:\Windows\SysWOW64\Adkqoohc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ampaho32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lknjmkdo.exe Lcgblncm.exe File opened for modification C:\Windows\SysWOW64\Cfmajipb.exe Bcoenmao.exe File created C:\Windows\SysWOW64\Lbqklb32.exe Lpbopfag.exe File created C:\Windows\SysWOW64\Lhclbphg.dll Fckajehi.exe File created C:\Windows\SysWOW64\Nolgijpk.exe Nkqkhk32.exe File created C:\Windows\SysWOW64\Kfmcjh32.dll Iohjlmeg.exe File opened for modification C:\Windows\SysWOW64\Lnqeqd32.exe Lidmhmnp.exe File opened for modification C:\Windows\SysWOW64\Jqlefl32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Qcjdoc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Omegjomb.exe Process not Found File created C:\Windows\SysWOW64\Mkeebhjc.dll Kmjqmi32.exe File opened for modification C:\Windows\SysWOW64\Fafkecel.exe Fcckif32.exe File created C:\Windows\SysWOW64\Bfkedibe.exe Bclhhnca.exe File created C:\Windows\SysWOW64\Mgccelpk.dll Process not Found File created C:\Windows\SysWOW64\Ahgcjddh.exe Process not Found File created C:\Windows\SysWOW64\Anclbkbp.exe Process not Found File created C:\Windows\SysWOW64\Hbobifpp.dll Process not Found File created C:\Windows\SysWOW64\Kphmie32.exe Kmjqmi32.exe File created C:\Windows\SysWOW64\Jmheim32.dll Process not Found File created C:\Windows\SysWOW64\Plmell32.dll Process not Found File created C:\Windows\SysWOW64\Pkaiqf32.exe Pcjapi32.exe File created C:\Windows\SysWOW64\Naoncahj.dll Hfnphn32.exe File created C:\Windows\SysWOW64\Jbgoof32.exe Joiccj32.exe File opened for modification C:\Windows\SysWOW64\Mnfnlf32.exe Process not Found File created C:\Windows\SysWOW64\Lcimdh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ahofoogd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cliaoq32.exe Cdainc32.exe File created C:\Windows\SysWOW64\Hnodaecc.exe Hjchaf32.exe File created C:\Windows\SysWOW64\Kcbnnpka.exe Process not Found File created C:\Windows\SysWOW64\Lpacnb32.dll Gmoliohh.exe File created C:\Windows\SysWOW64\Nbefdijg.exe Nknobkje.exe File opened for modification C:\Windows\SysWOW64\Jppnpjel.exe Process not Found File created C:\Windows\SysWOW64\Pknqoc32.exe Process not Found File created C:\Windows\SysWOW64\Galoohke.exe Process not Found File created C:\Windows\SysWOW64\Ocmconhk.exe Opogbbig.exe File created C:\Windows\SysWOW64\Pchlpfjb.exe Pkadoiip.exe File opened for modification C:\Windows\SysWOW64\Afgacokc.exe Process not Found File created C:\Windows\SysWOW64\Lfbped32.exe Process not Found File created C:\Windows\SysWOW64\Gabfbmnl.dll Process not Found File created C:\Windows\SysWOW64\Ppmeid32.dll Hfachc32.exe File created C:\Windows\SysWOW64\Pnfeqknj.dll Gkoiefmj.exe File created C:\Windows\SysWOW64\Dhmgki32.exe Daconoae.exe File opened for modification C:\Windows\SysWOW64\Cpljehpo.exe Process not Found File created C:\Windows\SysWOW64\Cdaile32.exe Process not Found File created C:\Windows\SysWOW64\Kncfca32.dll Fbqefhpm.exe File created C:\Windows\SysWOW64\Mdiklqhm.exe Majopeii.exe File created C:\Windows\SysWOW64\Joekag32.exe Process not Found File created C:\Windows\SysWOW64\Dhbmpk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hkdjfb32.exe Process not Found File created C:\Windows\SysWOW64\Pcleml32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iefphb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qjbena32.exe Qgciaf32.exe File opened for modification C:\Windows\SysWOW64\Edpnfo32.exe Eemnjbaj.exe File created C:\Windows\SysWOW64\Gkaopp32.exe Ghbbcd32.exe File created C:\Windows\SysWOW64\Dijbno32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Agimkk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jfpojead.exe Jnifigpa.exe File created C:\Windows\SysWOW64\Famcfn32.dll Process not Found File created C:\Windows\SysWOW64\Onnmdcjm.exe Process not Found File created C:\Windows\SysWOW64\Oikmnf32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 8088 7992 Process not Found 2057 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pedlgbkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbbmhgf.dll" Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlncan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnhpoamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhpjkojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffbnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhkicgk.dll" Gdcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opngmi32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejfpelg.dll" Hckjacjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmoekkn.dll" Cimcan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkbmh32.dll" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edhakj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Booaodnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmlbfpm.dll" Dhcnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndghmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dccbbhld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjjhbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Molelb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeddnh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lknjmkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chdkoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqffjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbngpi32.dll" Cfcqpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll" Gjlfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocegdjij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddcqedkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hckjacjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aabmqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjlkge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcfqfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jodjhkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchign32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maaepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkfblfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikcmbfcj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 388 wrote to memory of 4284 388 51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f_NeikiAnalytics.exe 86 PID 388 wrote to memory of 4284 388 51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f_NeikiAnalytics.exe 86 PID 388 wrote to memory of 4284 388 51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f_NeikiAnalytics.exe 86 PID 4284 wrote to memory of 2860 4284 Befmfngc.exe 87 PID 4284 wrote to memory of 2860 4284 Befmfngc.exe 87 PID 4284 wrote to memory of 2860 4284 Befmfngc.exe 87 PID 2860 wrote to memory of 1952 2860 Bpladg32.exe 88 PID 2860 wrote to memory of 1952 2860 Bpladg32.exe 88 PID 2860 wrote to memory of 1952 2860 Bpladg32.exe 88 PID 1952 wrote to memory of 4040 1952 Booaodnd.exe 89 PID 1952 wrote to memory of 4040 1952 Booaodnd.exe 89 PID 1952 wrote to memory of 4040 1952 Booaodnd.exe 89 PID 4040 wrote to memory of 1896 4040 Bammlomg.exe 90 PID 4040 wrote to memory of 1896 4040 Bammlomg.exe 90 PID 4040 wrote to memory of 1896 4040 Bammlomg.exe 90 PID 1896 wrote to memory of 400 1896 Bidemmnj.exe 91 PID 1896 wrote to memory of 400 1896 Bidemmnj.exe 91 PID 1896 wrote to memory of 400 1896 Bidemmnj.exe 91 PID 400 wrote to memory of 1668 400 Blennh32.exe 92 PID 400 wrote to memory of 1668 400 Blennh32.exe 92 PID 400 wrote to memory of 1668 400 Blennh32.exe 92 PID 1668 wrote to memory of 1020 1668 Bbofkbbh.exe 94 PID 1668 wrote to memory of 1020 1668 Bbofkbbh.exe 94 PID 1668 wrote to memory of 1020 1668 Bbofkbbh.exe 94 PID 1020 wrote to memory of 3752 1020 Bemcgmak.exe 95 PID 1020 wrote to memory of 3752 1020 Bemcgmak.exe 95 PID 1020 wrote to memory of 3752 1020 Bemcgmak.exe 95 PID 3752 wrote to memory of 2252 3752 Bhlocipo.exe 96 PID 3752 wrote to memory of 2252 3752 Bhlocipo.exe 96 PID 3752 wrote to memory of 2252 3752 Bhlocipo.exe 96 PID 2252 wrote to memory of 5044 2252 Bbacqape.exe 97 PID 2252 wrote to memory of 5044 2252 Bbacqape.exe 97 PID 2252 wrote to memory of 5044 2252 Bbacqape.exe 97 PID 5044 wrote to memory of 724 5044 Clihig32.exe 98 PID 5044 wrote to memory of 724 5044 Clihig32.exe 98 PID 5044 wrote to memory of 724 5044 Clihig32.exe 98 PID 724 wrote to memory of 1152 724 Ceblbm32.exe 99 PID 724 wrote to memory of 1152 724 Ceblbm32.exe 99 PID 724 wrote to memory of 1152 724 Ceblbm32.exe 99 PID 1152 wrote to memory of 4036 1152 Caimgncj.exe 100 PID 1152 wrote to memory of 4036 1152 Caimgncj.exe 100 PID 1152 wrote to memory of 4036 1152 Caimgncj.exe 100 PID 4036 wrote to memory of 2424 4036 Cpjmee32.exe 101 PID 4036 wrote to memory of 2424 4036 Cpjmee32.exe 101 PID 4036 wrote to memory of 2424 4036 Cpjmee32.exe 101 PID 2424 wrote to memory of 3528 2424 Cakjmm32.exe 103 PID 2424 wrote to memory of 3528 2424 Cakjmm32.exe 103 PID 2424 wrote to memory of 3528 2424 Cakjmm32.exe 103 PID 3528 wrote to memory of 1556 3528 Chebighd.exe 104 PID 3528 wrote to memory of 1556 3528 Chebighd.exe 104 PID 3528 wrote to memory of 1556 3528 Chebighd.exe 104 PID 1556 wrote to memory of 4420 1556 Ccjfgphj.exe 105 PID 1556 wrote to memory of 4420 1556 Ccjfgphj.exe 105 PID 1556 wrote to memory of 4420 1556 Ccjfgphj.exe 105 PID 4420 wrote to memory of 4848 4420 Clckpf32.exe 106 PID 4420 wrote to memory of 4848 4420 Clckpf32.exe 106 PID 4420 wrote to memory of 4848 4420 Clckpf32.exe 106 PID 4848 wrote to memory of 2376 4848 Cekohk32.exe 107 PID 4848 wrote to memory of 2376 4848 Cekohk32.exe 107 PID 4848 wrote to memory of 2376 4848 Cekohk32.exe 107 PID 2376 wrote to memory of 4084 2376 Dlegeemh.exe 108 PID 2376 wrote to memory of 4084 2376 Dlegeemh.exe 108 PID 2376 wrote to memory of 4084 2376 Dlegeemh.exe 108 PID 4084 wrote to memory of 4456 4084 Denlnk32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\51be61dad2d1c1386f98460ed3b2687393183f2f9b33f0b0075ebd943153761f_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Bbacqape.exeC:\Windows\system32\Bbacqape.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe23⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe24⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe25⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe26⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe27⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe28⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe31⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe32⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe33⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe34⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe35⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe36⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe37⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe38⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe39⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe40⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe41⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe42⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe43⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe44⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe45⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe47⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe48⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe49⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe50⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe51⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe52⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe53⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe54⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe55⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe56⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe57⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe58⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe60⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe61⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe62⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe63⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe64⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe65⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe66⤵
- Modifies registry class
PID:4280 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe67⤵PID:4832
-
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe68⤵PID:3068
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe69⤵PID:3112
-
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe70⤵PID:2500
-
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe71⤵PID:2520
-
C:\Windows\SysWOW64\Gbjhlfhb.exeC:\Windows\system32\Gbjhlfhb.exe72⤵PID:1036
-
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4288 -
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe74⤵
- Drops file in System32 directory
PID:4264 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe75⤵PID:2280
-
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe76⤵PID:1680
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe77⤵PID:4972
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe78⤵PID:1840
-
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe80⤵PID:4404
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1884 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe82⤵PID:4476
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe83⤵PID:3984
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe84⤵PID:2988
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe85⤵PID:5128
-
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe86⤵PID:5176
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe87⤵PID:5212
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe88⤵PID:5256
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe89⤵
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe90⤵PID:5340
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe91⤵PID:5416
-
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe93⤵PID:5504
-
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe94⤵PID:5564
-
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5628 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe96⤵PID:5676
-
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe97⤵PID:5736
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe98⤵PID:5784
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe99⤵PID:5832
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe100⤵PID:5880
-
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe101⤵PID:5940
-
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe102⤵PID:6016
-
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe103⤵PID:6064
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe104⤵PID:6124
-
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe105⤵PID:5136
-
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe106⤵PID:5208
-
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe107⤵PID:5284
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe108⤵PID:5348
-
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe109⤵PID:5440
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe110⤵PID:5540
-
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe111⤵PID:5604
-
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe112⤵PID:5724
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe113⤵PID:5808
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe114⤵PID:5936
-
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe115⤵PID:6012
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6120 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe117⤵PID:5168
-
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe118⤵PID:5612
-
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe119⤵PID:5796
-
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe120⤵PID:5872
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe121⤵PID:6108
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe122⤵PID:5140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-