Analysis
-
max time kernel
98s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:37
Behavioral task
behavioral1
Sample
6118ca212a293399e8563f26eea8bb70_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6118ca212a293399e8563f26eea8bb70_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
6118ca212a293399e8563f26eea8bb70_NeikiAnalytics.exe
-
Size
386KB
-
MD5
6118ca212a293399e8563f26eea8bb70
-
SHA1
775630627830aaa4e1328e512c18d704d835fb32
-
SHA256
0e2d71cdc8d9897285b424a17f5f2cc81e94f4afad220aca9a40477814db4fb2
-
SHA512
8da018971578154e54894f259d490fad66a0f4c43769794c5ec745009e6bc52d296824201661f0df7fd7aad31f452c1be609a52fbb59d7fa16b182d16043f00e
-
SSDEEP
12288:1U498irCZYE6YYBHpd0uD319ZvSntnhp352SCdL:i498irCyE6YYBHpd0uD319ZvSntnhp3c
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acjclpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecgcfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojopad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dboigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqnaim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhjqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkgnfhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioambknl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lflgmqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecjhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcmnpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmgcgbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddbcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdcliikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deoaid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgjblfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokdeeec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chbnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjjnifbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Camphf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgeihcme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Addaif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhlkilba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijkdmhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbajbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnklbmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klljnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloqml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbimoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblngpbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhakj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdqejn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkleeplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glbjggof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000023276-6.dat family_berbew behavioral2/files/0x00080000000233eb-14.dat family_berbew behavioral2/files/0x00070000000233ed-23.dat family_berbew behavioral2/files/0x00070000000233f1-38.dat family_berbew behavioral2/files/0x00070000000233f3-45.dat family_berbew behavioral2/files/0x00070000000233f5-51.dat family_berbew behavioral2/files/0x00070000000233f7-59.dat family_berbew behavioral2/files/0x00070000000233f9-70.dat family_berbew behavioral2/files/0x00070000000233fb-78.dat family_berbew behavioral2/files/0x00070000000233fd-85.dat family_berbew behavioral2/files/0x0007000000023401-99.dat family_berbew behavioral2/files/0x000700000002340f-148.dat family_berbew behavioral2/files/0x0007000000023415-168.dat family_berbew behavioral2/files/0x000700000002341b-190.dat family_berbew behavioral2/files/0x0007000000023423-217.dat family_berbew behavioral2/files/0x0007000000023427-232.dat family_berbew behavioral2/files/0x0007000000023490-569.dat family_berbew behavioral2/files/0x00070000000234a0-617.dat family_berbew behavioral2/files/0x00070000000234c4-730.dat family_berbew behavioral2/files/0x00070000000234d7-785.dat family_berbew behavioral2/files/0x00070000000234df-809.dat family_berbew behavioral2/files/0x00070000000234ee-856.dat family_berbew behavioral2/files/0x00070000000234f8-887.dat family_berbew behavioral2/files/0x0007000000023508-935.dat family_berbew behavioral2/files/0x0007000000023512-965.dat family_berbew behavioral2/files/0x0007000000023518-976.dat family_berbew behavioral2/files/0x0008000000023516-984.dat family_berbew behavioral2/files/0x000700000002350e-953.dat family_berbew behavioral2/files/0x000700000002350c-947.dat family_berbew behavioral2/files/0x0007000000023527-1027.dat family_berbew behavioral2/files/0x00070000000234f4-875.dat family_berbew behavioral2/files/0x00070000000234f2-869.dat family_berbew behavioral2/files/0x00070000000234d0-767.dat family_berbew behavioral2/files/0x00070000000234c8-742.dat family_berbew behavioral2/files/0x00070000000234bc-707.dat family_berbew behavioral2/files/0x00070000000234aa-647.dat family_berbew behavioral2/files/0x000700000002349c-605.dat family_berbew behavioral2/files/0x0007000000023494-581.dat family_berbew behavioral2/files/0x0007000000023425-225.dat family_berbew behavioral2/files/0x0007000000023421-211.dat family_berbew behavioral2/files/0x000700000002341f-204.dat family_berbew behavioral2/files/0x000700000002341d-197.dat family_berbew behavioral2/files/0x0007000000023419-183.dat family_berbew behavioral2/files/0x0007000000023417-176.dat family_berbew behavioral2/files/0x0007000000023413-162.dat family_berbew behavioral2/files/0x0007000000023411-155.dat family_berbew behavioral2/files/0x000700000002340d-141.dat family_berbew behavioral2/files/0x000700000002340b-134.dat family_berbew behavioral2/files/0x0007000000023409-127.dat family_berbew behavioral2/files/0x0007000000023407-120.dat family_berbew behavioral2/files/0x0007000000023405-113.dat family_berbew behavioral2/files/0x0007000000023403-106.dat family_berbew behavioral2/files/0x00070000000233ff-92.dat family_berbew behavioral2/files/0x00070000000233ef-31.dat family_berbew behavioral2/files/0x0007000000023552-1162.dat family_berbew behavioral2/files/0x000700000002356d-1246.dat family_berbew behavioral2/files/0x0007000000023573-1265.dat family_berbew behavioral2/files/0x000700000002357b-1291.dat family_berbew behavioral2/files/0x0007000000023585-1324.dat family_berbew behavioral2/files/0x000700000002359a-1384.dat family_berbew behavioral2/files/0x00070000000235ae-1450.dat family_berbew behavioral2/files/0x0008000000023598-1552.dat family_berbew behavioral2/files/0x00070000000235ec-1666.dat family_berbew behavioral2/files/0x00070000000235fc-1716.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1356 Nnaikd32.exe 932 Nbmelbid.exe 3232 Ogjmdigk.exe 3924 Ojhiqefo.exe 5008 Ondeac32.exe 3604 Oboaabga.exe 3600 Odnnnnfe.exe 436 Ocqnij32.exe 2924 Ogljjiei.exe 2640 Ojjffddl.exe 4944 Onfbfc32.exe 2292 Oqdoboli.exe 2584 Odpjcm32.exe 1220 Occkojkm.exe 1524 Okjbpglo.exe 560 Ojmcld32.exe 4672 Obdkma32.exe 4188 Oqgkhnjf.exe 2140 Odbgim32.exe 3340 Ogaceh32.exe 1328 Ojopad32.exe 5116 Obfhba32.exe 4728 Odednmpm.exe 3576 Ocgdji32.exe 3840 Ogcpjhoq.exe 408 Onmhgb32.exe 812 Oqkdcn32.exe 2704 Odgqdlnj.exe 4932 Pgemphmn.exe 3484 Pkaiqf32.exe 1632 Pnpemb32.exe 2296 Pqnaim32.exe 5032 Peimil32.exe 4408 Pclneicb.exe 4452 Pghieg32.exe 4908 Pjffbc32.exe 1828 Pnbbbabh.exe 4324 Pbmncp32.exe 4224 Peljol32.exe 1628 Pcojkhap.exe 5072 Pgjfkg32.exe 1656 Pjhbgb32.exe 2184 Pndohaqe.exe 2604 Pbpjhp32.exe 1704 Pabkdmpi.exe 2628 Pcagphom.exe 2940 Pgmcqggf.exe 3920 Pkhoae32.exe 4832 Pnfkma32.exe 1740 Pbbgnpgl.exe 3648 Peqcjkfp.exe 2672 Pcccfh32.exe 2120 Pgopffec.exe 3964 Pjmlbbdg.exe 3504 Pbddcoei.exe 2892 Pagdol32.exe 916 Qcepkg32.exe 2744 Qkmhlekj.exe 900 Qjpiha32.exe 644 Qnkdhpjn.exe 2220 Qajadlja.exe 5020 Qeemej32.exe 3492 Qgciaf32.exe 4296 Qloebdig.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jcioiood.exe Jpnchp32.exe File created C:\Windows\SysWOW64\Idodkeom.dll Mnebeogl.exe File created C:\Windows\SysWOW64\Aadifclh.exe Anfmjhmd.exe File created C:\Windows\SysWOW64\Lnjnqh32.exe Kcejco32.exe File opened for modification C:\Windows\SysWOW64\Geohklaa.exe Gbalopbn.exe File created C:\Windows\SysWOW64\Mmhjbhod.dll Alabgd32.exe File created C:\Windows\SysWOW64\Fjiepeok.dll Edemkd32.exe File opened for modification C:\Windows\SysWOW64\Cmjemflb.exe Cioilg32.exe File opened for modification C:\Windows\SysWOW64\Dojcgi32.exe Dllfkn32.exe File created C:\Windows\SysWOW64\Lingibiq.exe Lbdolh32.exe File created C:\Windows\SysWOW64\Pgopffec.exe Pcccfh32.exe File created C:\Windows\SysWOW64\Jedeph32.exe Jbeidl32.exe File opened for modification C:\Windows\SysWOW64\Lingibiq.exe Lbdolh32.exe File opened for modification C:\Windows\SysWOW64\Amjillkj.exe Qklmpalf.exe File created C:\Windows\SysWOW64\Ojhpimhp.exe Process not Found File created C:\Windows\SysWOW64\Ipenkiei.dll Dhnnep32.exe File created C:\Windows\SysWOW64\Ehiffj32.dll Gijekg32.exe File opened for modification C:\Windows\SysWOW64\Gkmlofol.exe Ghopckpi.exe File created C:\Windows\SysWOW64\Kednfemc.dll Fpeafcfa.exe File opened for modification C:\Windows\SysWOW64\Ikbfgppo.exe Ipmbjgpi.exe File created C:\Windows\SysWOW64\Bgfeip32.dll Cohkokgj.exe File created C:\Windows\SysWOW64\Dmdjce32.dll Kppici32.exe File opened for modification C:\Windows\SysWOW64\Ckedalaj.exe Clbceo32.exe File opened for modification C:\Windows\SysWOW64\Dhfajjoj.exe Cegdnopg.exe File created C:\Windows\SysWOW64\Pghdbegp.dll Acocaf32.exe File opened for modification C:\Windows\SysWOW64\Ihphkl32.exe Iqipio32.exe File opened for modification C:\Windows\SysWOW64\Oodcdb32.exe Ohkkhhmh.exe File opened for modification C:\Windows\SysWOW64\Epmmqheb.exe Emoadlfo.exe File created C:\Windows\SysWOW64\Cihdpk32.dll Nchjdo32.exe File opened for modification C:\Windows\SysWOW64\Molelb32.exe Medqcmki.exe File opened for modification C:\Windows\SysWOW64\Gpnmbl32.exe Fmpqfq32.exe File created C:\Windows\SysWOW64\Enfioebm.dll Pjmlbbdg.exe File created C:\Windows\SysWOW64\Gdeqhl32.exe Gfbploob.exe File created C:\Windows\SysWOW64\Oendmdab.dll Jpppnp32.exe File created C:\Windows\SysWOW64\Neffpj32.exe Nchjdo32.exe File created C:\Windows\SysWOW64\Bfhadc32.exe Bidqko32.exe File created C:\Windows\SysWOW64\Pdbeojmh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Abngjnmo.exe Ajfoiqll.exe File created C:\Windows\SysWOW64\Kcdgbkil.dll Liimncmf.exe File opened for modification C:\Windows\SysWOW64\Eofbch32.exe Ekjfcipa.exe File opened for modification C:\Windows\SysWOW64\Oloahhki.exe Odhifjkg.exe File created C:\Windows\SysWOW64\Oeeape32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Conclk32.exe Ckcgkldl.exe File created C:\Windows\SysWOW64\Jpenfp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dnmhpg32.exe Dkokcl32.exe File created C:\Windows\SysWOW64\Aocfbi32.dll Afjeceml.exe File opened for modification C:\Windows\SysWOW64\Obfhba32.exe Ojopad32.exe File created C:\Windows\SysWOW64\Ghaddm32.dll Cajcbgml.exe File created C:\Windows\SysWOW64\Jnnpdg32.exe Jfbkpd32.exe File created C:\Windows\SysWOW64\Cepkeokh.dll Ojhiqefo.exe File opened for modification C:\Windows\SysWOW64\Llgjjnlj.exe Liimncmf.exe File created C:\Windows\SysWOW64\Alqjpi32.exe Aakebqbj.exe File opened for modification C:\Windows\SysWOW64\Dikihe32.exe Dbqqkkbo.exe File created C:\Windows\SysWOW64\Abakhdbk.dll Idfaefkd.exe File created C:\Windows\SysWOW64\Blafme32.dll Iciaqc32.exe File created C:\Windows\SysWOW64\Egdagc32.dll Process not Found File created C:\Windows\SysWOW64\Hckjacjg.exe Hkdbpe32.exe File created C:\Windows\SysWOW64\Edhakj32.exe Eolhbc32.exe File created C:\Windows\SysWOW64\Alelqb32.exe Adndoe32.exe File created C:\Windows\SysWOW64\Bhbcfbjk.exe Bdgged32.exe File created C:\Windows\SysWOW64\Djkahqga.dll Kikame32.exe File created C:\Windows\SysWOW64\Bihjjl32.dll Aobilkcl.exe File created C:\Windows\SysWOW64\Mgaokl32.exe Mcecjmkl.exe File opened for modification C:\Windows\SysWOW64\Jlednamo.exe Jmbdbd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11820 11972 Process not Found 1300 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojjffddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olgemcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndflak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmbmibhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llgjjnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccdcfha.dll" Qoifflkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohjdmko.dll" Mjmoag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogcpjhoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqkdcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbefaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcejco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjbebh.dll" Hmcojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcppfaka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdepgkgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmqcck32.dll" Molelb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifpcjin.dll" Fkihnmhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laqhhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alqjpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfioebm.dll" Pjmlbbdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkdbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnneheln.dll" Hncmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qeodhjmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aelcfilb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipknlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfgeem32.dll" Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daolnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqpfjnba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbmncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll" Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnimm32.dll" Kdmqmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfllfd32.dll" Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camjdd32.dll" Oqkdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpflfc32.dll" Anpncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaegbjb.dll" Ikcmbfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoonaj32.dll" Inbqhhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcfahbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobkhf32.dll" Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhfppabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghane32.dll" Cdnmfclj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cecenn32.dll" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faaigehd.dll" Mnphmkji.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1972 wrote to memory of 1356 1972 6118ca212a293399e8563f26eea8bb70_NeikiAnalytics.exe 83 PID 1972 wrote to memory of 1356 1972 6118ca212a293399e8563f26eea8bb70_NeikiAnalytics.exe 83 PID 1972 wrote to memory of 1356 1972 6118ca212a293399e8563f26eea8bb70_NeikiAnalytics.exe 83 PID 1356 wrote to memory of 932 1356 Nnaikd32.exe 84 PID 1356 wrote to memory of 932 1356 Nnaikd32.exe 84 PID 1356 wrote to memory of 932 1356 Nnaikd32.exe 84 PID 932 wrote to memory of 3232 932 Nbmelbid.exe 86 PID 932 wrote to memory of 3232 932 Nbmelbid.exe 86 PID 932 wrote to memory of 3232 932 Nbmelbid.exe 86 PID 3232 wrote to memory of 3924 3232 Ogjmdigk.exe 87 PID 3232 wrote to memory of 3924 3232 Ogjmdigk.exe 87 PID 3232 wrote to memory of 3924 3232 Ogjmdigk.exe 87 PID 3924 wrote to memory of 5008 3924 Ojhiqefo.exe 88 PID 3924 wrote to memory of 5008 3924 Ojhiqefo.exe 88 PID 3924 wrote to memory of 5008 3924 Ojhiqefo.exe 88 PID 5008 wrote to memory of 3604 5008 Ondeac32.exe 89 PID 5008 wrote to memory of 3604 5008 Ondeac32.exe 89 PID 5008 wrote to memory of 3604 5008 Ondeac32.exe 89 PID 3604 wrote to memory of 3600 3604 Oboaabga.exe 90 PID 3604 wrote to memory of 3600 3604 Oboaabga.exe 90 PID 3604 wrote to memory of 3600 3604 Oboaabga.exe 90 PID 3600 wrote to memory of 436 3600 Odnnnnfe.exe 91 PID 3600 wrote to memory of 436 3600 Odnnnnfe.exe 91 PID 3600 wrote to memory of 436 3600 Odnnnnfe.exe 91 PID 436 wrote to memory of 2924 436 Ocqnij32.exe 92 PID 436 wrote to memory of 2924 436 Ocqnij32.exe 92 PID 436 wrote to memory of 2924 436 Ocqnij32.exe 92 PID 2924 wrote to memory of 2640 2924 Ogljjiei.exe 93 PID 2924 wrote to memory of 2640 2924 Ogljjiei.exe 93 PID 2924 wrote to memory of 2640 2924 Ogljjiei.exe 93 PID 2640 wrote to memory of 4944 2640 Ojjffddl.exe 94 PID 2640 wrote to memory of 4944 2640 Ojjffddl.exe 94 PID 2640 wrote to memory of 4944 2640 Ojjffddl.exe 94 PID 4944 wrote to memory of 2292 4944 Onfbfc32.exe 95 PID 4944 wrote to memory of 2292 4944 Onfbfc32.exe 95 PID 4944 wrote to memory of 2292 4944 Onfbfc32.exe 95 PID 2292 wrote to memory of 2584 2292 Oqdoboli.exe 96 PID 2292 wrote to memory of 2584 2292 Oqdoboli.exe 96 PID 2292 wrote to memory of 2584 2292 Oqdoboli.exe 96 PID 2584 wrote to memory of 1220 2584 Odpjcm32.exe 97 PID 2584 wrote to memory of 1220 2584 Odpjcm32.exe 97 PID 2584 wrote to memory of 1220 2584 Odpjcm32.exe 97 PID 1220 wrote to memory of 1524 1220 Occkojkm.exe 98 PID 1220 wrote to memory of 1524 1220 Occkojkm.exe 98 PID 1220 wrote to memory of 1524 1220 Occkojkm.exe 98 PID 1524 wrote to memory of 560 1524 Okjbpglo.exe 99 PID 1524 wrote to memory of 560 1524 Okjbpglo.exe 99 PID 1524 wrote to memory of 560 1524 Okjbpglo.exe 99 PID 560 wrote to memory of 4672 560 Ojmcld32.exe 100 PID 560 wrote to memory of 4672 560 Ojmcld32.exe 100 PID 560 wrote to memory of 4672 560 Ojmcld32.exe 100 PID 4672 wrote to memory of 4188 4672 Obdkma32.exe 101 PID 4672 wrote to memory of 4188 4672 Obdkma32.exe 101 PID 4672 wrote to memory of 4188 4672 Obdkma32.exe 101 PID 4188 wrote to memory of 2140 4188 Oqgkhnjf.exe 102 PID 4188 wrote to memory of 2140 4188 Oqgkhnjf.exe 102 PID 4188 wrote to memory of 2140 4188 Oqgkhnjf.exe 102 PID 2140 wrote to memory of 3340 2140 Odbgim32.exe 103 PID 2140 wrote to memory of 3340 2140 Odbgim32.exe 103 PID 2140 wrote to memory of 3340 2140 Odbgim32.exe 103 PID 3340 wrote to memory of 1328 3340 Ogaceh32.exe 104 PID 3340 wrote to memory of 1328 3340 Ogaceh32.exe 104 PID 3340 wrote to memory of 1328 3340 Ogaceh32.exe 104 PID 1328 wrote to memory of 5116 1328 Ojopad32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\6118ca212a293399e8563f26eea8bb70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6118ca212a293399e8563f26eea8bb70_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe23⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe24⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe25⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3840 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe27⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe29⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe30⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe31⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe32⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe34⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe35⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4452 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe37⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe38⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe40⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe41⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe42⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe43⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe44⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe45⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe46⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe47⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe48⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe49⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe50⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe51⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe52⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe54⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe56⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe57⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe58⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe59⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe60⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe61⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe62⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe63⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe64⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe65⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe66⤵PID:1128
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe68⤵PID:2368
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe69⤵PID:4544
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe70⤵PID:4340
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe71⤵
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe72⤵
- Modifies registry class
PID:3532 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe73⤵PID:3064
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe74⤵PID:3644
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe75⤵PID:780
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe76⤵
- Drops file in System32 directory
PID:4704 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe77⤵PID:3864
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe78⤵
- Modifies registry class
PID:3704 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe79⤵
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe80⤵PID:420
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe81⤵PID:3220
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe82⤵PID:460
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe83⤵PID:3496
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe84⤵PID:4680
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe85⤵PID:4140
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe86⤵PID:1200
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe87⤵PID:3448
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe88⤵PID:4872
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe89⤵PID:1460
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe90⤵PID:2248
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe91⤵PID:5048
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe92⤵PID:3976
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe93⤵PID:3620
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe94⤵
- Modifies registry class
PID:4444 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe95⤵PID:1160
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe97⤵PID:5156
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe98⤵
- Drops file in System32 directory
PID:5196 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe99⤵PID:5236
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe100⤵PID:5276
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe101⤵
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe102⤵PID:5352
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5400 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe104⤵PID:5448
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe105⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe106⤵PID:5544
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe107⤵PID:5584
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe108⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe109⤵PID:5668
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5712 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe111⤵PID:5756
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe112⤵PID:5800
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe114⤵PID:5904
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe115⤵PID:5944
-
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe116⤵PID:5988
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe117⤵PID:6028
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe118⤵
- Modifies registry class
PID:6068 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe120⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe121⤵PID:5188
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe122⤵PID:5260
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-