Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13-05-2024 08:22
Behavioral task
behavioral1
Sample
a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe
-
Size
384KB
-
MD5
a9bebac977bbcc1866b9503aed7d0f80
-
SHA1
d601f67fea4dd834171617b566f25bbbd885e513
-
SHA256
d36f32e87d7a50560ee863eeb11c0305d36f0fe85dc6b951d78c791f866e223d
-
SHA512
dfa53ecd2503505e482b3e6f3dbf82eb63ac8390386957aa6d5ad9d1653717e8c99e6b0bedfba0e086fb8e2667c38ef97822350e2bd053fa1a6711d86359403d
-
SSDEEP
6144:Qp8azTYaT15f7o+STYaT15fsnoW6B1S6Kvw2fV9rU+Lw6gYviIajJsnIfvJPNF7:QHTYapJoTYapbt1S3vwyjrU+LKYAJII5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgalkcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elacliin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmccqbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbfbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcbnpgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgoopkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amafgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfcop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeaelok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qigebglj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkilka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbofmcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfbdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdgfbkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkhjncg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keeeje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gockgdeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alaqjaaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Embkbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpboinpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibejdjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfbnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcleoho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnjfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgiked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpajbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfepod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imaapa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhhkapeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgoboc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfefgkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnnkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfbkded.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmbge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhmlbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfmbibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lncfcgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blipno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djjjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goqnae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnahilc.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b0000000155e2-5.dat family_berbew behavioral1/files/0x0008000000015c5d-18.dat family_berbew behavioral1/files/0x0007000000015c7c-37.dat family_berbew behavioral1/files/0x0009000000015d88-51.dat family_berbew behavioral1/files/0x0005000000018698-71.dat family_berbew behavioral1/files/0x0006000000018ae8-90.dat family_berbew behavioral1/files/0x0006000000018b33-106.dat family_berbew behavioral1/files/0x0006000000018b42-118.dat family_berbew behavioral1/files/0x0006000000018b6a-134.dat family_berbew behavioral1/files/0x0006000000018b96-148.dat family_berbew behavioral1/files/0x0006000000018d06-157.dat family_berbew behavioral1/files/0x00050000000192f4-171.dat family_berbew behavioral1/files/0x0005000000019333-185.dat family_berbew behavioral1/files/0x0005000000019377-207.dat family_berbew behavioral1/files/0x00050000000193b0-219.dat family_berbew behavioral1/files/0x000500000001946b-227.dat family_berbew behavioral1/files/0x00050000000194a4-247.dat family_berbew behavioral1/memory/912-251-0x0000000000220000-0x0000000000255000-memory.dmp family_berbew behavioral1/files/0x00040000000194d8-260.dat family_berbew behavioral1/files/0x00050000000194ee-280.dat family_berbew behavioral1/files/0x0005000000019547-312.dat family_berbew behavioral1/files/0x00050000000195a8-347.dat family_berbew behavioral1/files/0x00050000000195aa-356.dat family_berbew behavioral1/files/0x00050000000195a2-332.dat family_berbew behavioral1/memory/1000-329-0x0000000000220000-0x0000000000255000-memory.dmp family_berbew behavioral1/files/0x000500000001959c-321.dat family_berbew behavioral1/files/0x000500000001950c-302.dat family_berbew behavioral1/files/0x00050000000194f2-290.dat family_berbew behavioral1/memory/2972-286-0x0000000000220000-0x0000000000255000-memory.dmp family_berbew behavioral1/files/0x00050000000194e8-269.dat family_berbew behavioral1/files/0x0005000000019473-238.dat family_berbew behavioral1/files/0x00050000000195ff-369.dat family_berbew behavioral1/files/0x00050000000196d8-379.dat family_berbew behavioral1/files/0x0005000000019cba-409.dat family_berbew behavioral1/files/0x000500000001a31e-469.dat family_berbew behavioral1/files/0x000500000001a3c5-480.dat family_berbew behavioral1/files/0x000500000001a3cd-489.dat family_berbew behavioral1/files/0x000500000001a40b-501.dat family_berbew behavioral1/files/0x000500000001a42b-513.dat family_berbew behavioral1/files/0x000500000001a432-523.dat family_berbew behavioral1/files/0x000500000001a445-545.dat family_berbew behavioral1/files/0x000500000001a449-555.dat family_berbew behavioral1/files/0x000500000001a44d-567.dat family_berbew behavioral1/files/0x000500000001a451-578.dat family_berbew behavioral1/files/0x000500000001a455-588.dat family_berbew behavioral1/files/0x000500000001a459-599.dat family_berbew behavioral1/files/0x000500000001a461-621.dat family_berbew behavioral1/files/0x000500000001a465-632.dat family_berbew behavioral1/files/0x000500000001a46a-643.dat family_berbew behavioral1/files/0x000500000001a46e-656.dat family_berbew behavioral1/files/0x000500000001a472-671.dat family_berbew behavioral1/files/0x000500000001a47b-701.dat family_berbew behavioral1/files/0x000500000001a488-724.dat family_berbew behavioral1/files/0x000500000001a4b0-738.dat family_berbew behavioral1/files/0x000500000001c652-773.dat family_berbew behavioral1/files/0x000500000001c6f9-786.dat family_berbew behavioral1/files/0x000500000001c721-800.dat family_berbew behavioral1/files/0x000500000001c82b-815.dat family_berbew behavioral1/files/0x000500000001c82f-827.dat family_berbew behavioral1/files/0x000500000001c834-841.dat family_berbew behavioral1/files/0x000500000001c841-880.dat family_berbew behavioral1/files/0x000500000001c845-897.dat family_berbew behavioral1/files/0x000500000001c849-906.dat family_berbew behavioral1/files/0x000500000001c84d-916.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2276 Nhdocl32.exe 2896 Ndpicm32.exe 2552 Nmhmlbkk.exe 2676 Odgodl32.exe 2664 Olbchn32.exe 2840 Ooclji32.exe 1492 Padeldeo.exe 1652 Pqkobqhd.exe 1068 Pqnlhpfb.exe 2188 Pcnejk32.exe 2004 Qcqaok32.exe 1700 Qogbdl32.exe 1180 Aibcba32.exe 1572 Aeidgbaf.exe 1196 Abmdafpp.exe 324 Akhfoldn.exe 548 Bagkmb32.exe 912 Bjoofhgc.exe 1160 Bffpki32.exe 1812 Bmbemb32.exe 2972 Clgbno32.exe 1620 Cebcmdlg.exe 2264 Cdgpnqpo.exe 2080 Cifelgmd.exe 1000 Dgjfek32.exe 2244 Dbafjlaa.exe 2160 Dgoopkgh.exe 2828 Dakmfh32.exe 2612 Ekcaonhe.exe 2620 Egjbdo32.exe 2440 Gfmgelil.exe 2364 Hibjbgbh.exe 392 Hdlkcdog.exe 1084 Hmeolj32.exe 2384 Hhjcic32.exe 940 Iinmfk32.exe 2700 Ibfaopoi.exe 1100 Imleli32.exe 2272 Imnbbi32.exe 2220 Ifffkncm.exe 1060 Ioakoq32.exe 3064 Iigpli32.exe 1804 Jodhdp32.exe 1352 Jlhhndno.exe 1648 Jofejpmc.exe 2808 Jkmeoa32.exe 2040 Jpjngh32.exe 672 Jkpbdq32.exe 2368 Jdhgnf32.exe 2300 Jkbojpna.exe 1616 Jnpkflne.exe 2888 Kcmcoblm.exe 2164 Klehgh32.exe 2932 Khlili32.exe 756 Kpcqnf32.exe 2648 Kjleflod.exe 1116 Kohnoc32.exe 2636 Khabghdl.exe 2380 Knnkpobc.exe 1656 Khcomhbi.exe 1896 Lnpgeopa.exe 2060 Lqncaj32.exe 1784 Lkdhoc32.exe 1696 Lqqpgj32.exe -
Loads dropped DLL 64 IoCs
pid Process 1368 a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe 1368 a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe 2276 Nhdocl32.exe 2276 Nhdocl32.exe 2896 Ndpicm32.exe 2896 Ndpicm32.exe 2552 Nmhmlbkk.exe 2552 Nmhmlbkk.exe 2676 Odgodl32.exe 2676 Odgodl32.exe 2664 Olbchn32.exe 2664 Olbchn32.exe 2840 Ooclji32.exe 2840 Ooclji32.exe 1492 Padeldeo.exe 1492 Padeldeo.exe 1652 Pqkobqhd.exe 1652 Pqkobqhd.exe 1068 Pqnlhpfb.exe 1068 Pqnlhpfb.exe 2188 Pcnejk32.exe 2188 Pcnejk32.exe 2004 Qcqaok32.exe 2004 Qcqaok32.exe 1700 Qogbdl32.exe 1700 Qogbdl32.exe 1180 Aibcba32.exe 1180 Aibcba32.exe 1572 Aeidgbaf.exe 1572 Aeidgbaf.exe 1196 Abmdafpp.exe 1196 Abmdafpp.exe 324 Akhfoldn.exe 324 Akhfoldn.exe 548 Bagkmb32.exe 548 Bagkmb32.exe 912 Bjoofhgc.exe 912 Bjoofhgc.exe 1160 Bffpki32.exe 1160 Bffpki32.exe 1812 Bmbemb32.exe 1812 Bmbemb32.exe 2972 Clgbno32.exe 2972 Clgbno32.exe 1620 Cebcmdlg.exe 1620 Cebcmdlg.exe 2264 Cdgpnqpo.exe 2264 Cdgpnqpo.exe 2080 Cifelgmd.exe 2080 Cifelgmd.exe 1000 Dgjfek32.exe 1000 Dgjfek32.exe 2244 Dbafjlaa.exe 2244 Dbafjlaa.exe 1716 Dpgcip32.exe 1716 Dpgcip32.exe 2828 Dakmfh32.exe 2828 Dakmfh32.exe 2612 Ekcaonhe.exe 2612 Ekcaonhe.exe 2620 Egjbdo32.exe 2620 Egjbdo32.exe 2440 Gfmgelil.exe 2440 Gfmgelil.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nqokpd32.exe Njeccjcd.exe File created C:\Windows\SysWOW64\Qndhjl32.dll Epbbkf32.exe File created C:\Windows\SysWOW64\Aqfnlp32.dll Qigebglj.exe File opened for modification C:\Windows\SysWOW64\Fkilka32.exe Felcbk32.exe File opened for modification C:\Windows\SysWOW64\Nobndj32.exe Mkdioh32.exe File opened for modification C:\Windows\SysWOW64\Lbafdlod.exe Lclicpkm.exe File created C:\Windows\SysWOW64\Egcfdn32.exe Dmmbge32.exe File created C:\Windows\SysWOW64\Alqnah32.exe Aakjdo32.exe File created C:\Windows\SysWOW64\Hjlemlnk.exe Hofqpc32.exe File created C:\Windows\SysWOW64\Khmggg32.dll Cebcmdlg.exe File opened for modification C:\Windows\SysWOW64\Nidmfh32.exe Nnoiio32.exe File created C:\Windows\SysWOW64\Ekpiomqg.dll Andjgidl.exe File opened for modification C:\Windows\SysWOW64\Flcojeak.exe Fbkjap32.exe File opened for modification C:\Windows\SysWOW64\Hhmhcigh.exe Glfgnh32.exe File created C:\Windows\SysWOW64\Ebaijflc.dll Eknmhk32.exe File created C:\Windows\SysWOW64\Kneoni32.dll Djjjga32.exe File opened for modification C:\Windows\SysWOW64\Jihdnk32.exe Jnbpqb32.exe File opened for modification C:\Windows\SysWOW64\Hkahgk32.exe Hfepod32.exe File opened for modification C:\Windows\SysWOW64\Cglalbbi.exe Cncmcm32.exe File created C:\Windows\SysWOW64\Moeeelhn.exe Mndhnd32.exe File created C:\Windows\SysWOW64\Aadobccg.exe Qbobaf32.exe File opened for modification C:\Windows\SysWOW64\Iigpli32.exe Ioakoq32.exe File created C:\Windows\SysWOW64\Jhogdg32.dll Cebeem32.exe File created C:\Windows\SysWOW64\Kbfheikj.dll Kmegjdad.exe File created C:\Windows\SysWOW64\Goqnae32.exe Gehiioaj.exe File opened for modification C:\Windows\SysWOW64\Okhefl32.exe Ncamen32.exe File opened for modification C:\Windows\SysWOW64\Hnnjfo32.exe Hagianlf.exe File created C:\Windows\SysWOW64\Qhincn32.exe Pehebbbh.exe File created C:\Windows\SysWOW64\Ddppmclb.exe Dkgldm32.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File created C:\Windows\SysWOW64\Jfehcipm.dll Koipglep.exe File created C:\Windows\SysWOW64\Njpihk32.exe Ndcapd32.exe File opened for modification C:\Windows\SysWOW64\Fpdkpiik.exe Fglfgd32.exe File created C:\Windows\SysWOW64\Ojceef32.exe Nobndj32.exe File created C:\Windows\SysWOW64\Dgoopkgh.exe Dbafjlaa.exe File created C:\Windows\SysWOW64\Lkdhoc32.exe Lqncaj32.exe File created C:\Windows\SysWOW64\Paodbg32.dll Ncnngfna.exe File created C:\Windows\SysWOW64\Pbmmpj32.dll Dmijfmfi.exe File created C:\Windows\SysWOW64\Ffbhcq32.dll Aejlnmkm.exe File created C:\Windows\SysWOW64\Ieibdnnp.exe Igebkiof.exe File opened for modification C:\Windows\SysWOW64\Jpbcek32.exe Ieibdnnp.exe File created C:\Windows\SysWOW64\Ohlhijgh.dll Jcikog32.exe File created C:\Windows\SysWOW64\Mjpkqonj.exe Lcfbdd32.exe File opened for modification C:\Windows\SysWOW64\Mhcmedli.exe Llmmpcfe.exe File created C:\Windows\SysWOW64\Hdpcokdo.exe Gockgdeh.exe File created C:\Windows\SysWOW64\Ijjnkj32.dll Kapohbfp.exe File opened for modification C:\Windows\SysWOW64\Pnfnajed.exe Piieicgl.exe File opened for modification C:\Windows\SysWOW64\Imleli32.exe Ibfaopoi.exe File created C:\Windows\SysWOW64\Ippbdn32.dll Ngealejo.exe File created C:\Windows\SysWOW64\Nloone32.dll Cjakccop.exe File created C:\Windows\SysWOW64\Hljaigmo.exe Hjlemlnk.exe File created C:\Windows\SysWOW64\Ldcinhie.dll Odedge32.exe File opened for modification C:\Windows\SysWOW64\Pmkhjncg.exe Pdbdqh32.exe File opened for modification C:\Windows\SysWOW64\Cjakccop.exe Ceebklai.exe File opened for modification C:\Windows\SysWOW64\Cogfqe32.exe Cmhjdiap.exe File created C:\Windows\SysWOW64\Kaholp32.exe Keango32.exe File created C:\Windows\SysWOW64\Kaemmggl.dll Lmhbgpia.exe File created C:\Windows\SysWOW64\Omcifpnp.exe Odjdmjgo.exe File created C:\Windows\SysWOW64\Eodicd32.exe Ehjqgjmp.exe File opened for modification C:\Windows\SysWOW64\Ijibng32.exe Heliepmn.exe File opened for modification C:\Windows\SysWOW64\Eemnnn32.exe Edlafebn.exe File created C:\Windows\SysWOW64\Lhioglih.dll Hgiked32.exe File opened for modification C:\Windows\SysWOW64\Gqaafn32.exe Gnbejb32.exe File opened for modification C:\Windows\SysWOW64\Imodkadq.exe Icfpbl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3668 2568 WerFault.exe 642 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll" Qgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebmjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhmofo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdlkcdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnhjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plhodp32.dll" Fobkfqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllbljej.dll" Hibjbgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhdlad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnibcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Allgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkepinpk.dll" Jofejpmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofejpmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbhbdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmongda.dll" Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll" Cenljmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnkgi32.dll" Lljipmdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fglfgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdjljpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmgalkcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njdqka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllnnkld.dll" Imodkadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goqnae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgddam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egjbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oninhgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhehaf32.dll" Hgeelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeqncja.dll" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmepgp32.dll" Hifpke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoblnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmaebf32.dll" Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekeef32.dll" Gjjmijme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfbnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqdhpbib.dll" Mgmdapml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfehcipm.dll" Koipglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqfbdfga.dll" Occjjnap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnbpqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkmeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdojinhb.dll" Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niplmn32.dll" Mngjeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neghkn32.dll" Jbhcim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfffifgk.dll" Jelfdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofphfof.dll" Fkpjnkig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phcleoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clgbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkjkflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kflafbak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aahimb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnpgeopa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acblbcob.dll" Dahkok32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1368 wrote to memory of 2276 1368 a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe 28 PID 1368 wrote to memory of 2276 1368 a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe 28 PID 1368 wrote to memory of 2276 1368 a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe 28 PID 1368 wrote to memory of 2276 1368 a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe 28 PID 2276 wrote to memory of 2896 2276 Nhdocl32.exe 29 PID 2276 wrote to memory of 2896 2276 Nhdocl32.exe 29 PID 2276 wrote to memory of 2896 2276 Nhdocl32.exe 29 PID 2276 wrote to memory of 2896 2276 Nhdocl32.exe 29 PID 2896 wrote to memory of 2552 2896 Ndpicm32.exe 432 PID 2896 wrote to memory of 2552 2896 Ndpicm32.exe 432 PID 2896 wrote to memory of 2552 2896 Ndpicm32.exe 432 PID 2896 wrote to memory of 2552 2896 Ndpicm32.exe 432 PID 2552 wrote to memory of 2676 2552 Nmhmlbkk.exe 31 PID 2552 wrote to memory of 2676 2552 Nmhmlbkk.exe 31 PID 2552 wrote to memory of 2676 2552 Nmhmlbkk.exe 31 PID 2552 wrote to memory of 2676 2552 Nmhmlbkk.exe 31 PID 2676 wrote to memory of 2664 2676 Odgodl32.exe 32 PID 2676 wrote to memory of 2664 2676 Odgodl32.exe 32 PID 2676 wrote to memory of 2664 2676 Odgodl32.exe 32 PID 2676 wrote to memory of 2664 2676 Odgodl32.exe 32 PID 2664 wrote to memory of 2840 2664 Olbchn32.exe 33 PID 2664 wrote to memory of 2840 2664 Olbchn32.exe 33 PID 2664 wrote to memory of 2840 2664 Olbchn32.exe 33 PID 2664 wrote to memory of 2840 2664 Olbchn32.exe 33 PID 2840 wrote to memory of 1492 2840 Ooclji32.exe 34 PID 2840 wrote to memory of 1492 2840 Ooclji32.exe 34 PID 2840 wrote to memory of 1492 2840 Ooclji32.exe 34 PID 2840 wrote to memory of 1492 2840 Ooclji32.exe 34 PID 1492 wrote to memory of 1652 1492 Padeldeo.exe 35 PID 1492 wrote to memory of 1652 1492 Padeldeo.exe 35 PID 1492 wrote to memory of 1652 1492 Padeldeo.exe 35 PID 1492 wrote to memory of 1652 1492 Padeldeo.exe 35 PID 1652 wrote to memory of 1068 1652 Pqkobqhd.exe 36 PID 1652 wrote to memory of 1068 1652 Pqkobqhd.exe 36 PID 1652 wrote to memory of 1068 1652 Pqkobqhd.exe 36 PID 1652 wrote to memory of 1068 1652 Pqkobqhd.exe 36 PID 1068 wrote to memory of 2188 1068 Pqnlhpfb.exe 37 PID 1068 wrote to memory of 2188 1068 Pqnlhpfb.exe 37 PID 1068 wrote to memory of 2188 1068 Pqnlhpfb.exe 37 PID 1068 wrote to memory of 2188 1068 Pqnlhpfb.exe 37 PID 2188 wrote to memory of 2004 2188 Pcnejk32.exe 38 PID 2188 wrote to memory of 2004 2188 Pcnejk32.exe 38 PID 2188 wrote to memory of 2004 2188 Pcnejk32.exe 38 PID 2188 wrote to memory of 2004 2188 Pcnejk32.exe 38 PID 2004 wrote to memory of 1700 2004 Qcqaok32.exe 396 PID 2004 wrote to memory of 1700 2004 Qcqaok32.exe 396 PID 2004 wrote to memory of 1700 2004 Qcqaok32.exe 396 PID 2004 wrote to memory of 1700 2004 Qcqaok32.exe 396 PID 1700 wrote to memory of 1180 1700 Qogbdl32.exe 40 PID 1700 wrote to memory of 1180 1700 Qogbdl32.exe 40 PID 1700 wrote to memory of 1180 1700 Qogbdl32.exe 40 PID 1700 wrote to memory of 1180 1700 Qogbdl32.exe 40 PID 1180 wrote to memory of 1572 1180 Aibcba32.exe 41 PID 1180 wrote to memory of 1572 1180 Aibcba32.exe 41 PID 1180 wrote to memory of 1572 1180 Aibcba32.exe 41 PID 1180 wrote to memory of 1572 1180 Aibcba32.exe 41 PID 1572 wrote to memory of 1196 1572 Aeidgbaf.exe 403 PID 1572 wrote to memory of 1196 1572 Aeidgbaf.exe 403 PID 1572 wrote to memory of 1196 1572 Aeidgbaf.exe 403 PID 1572 wrote to memory of 1196 1572 Aeidgbaf.exe 403 PID 1196 wrote to memory of 324 1196 Abmdafpp.exe 43 PID 1196 wrote to memory of 324 1196 Abmdafpp.exe 43 PID 1196 wrote to memory of 324 1196 Abmdafpp.exe 43 PID 1196 wrote to memory of 324 1196 Abmdafpp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a9bebac977bbcc1866b9503aed7d0f80_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe29⤵
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:392 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe36⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe37⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe38⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe40⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe41⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe42⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe44⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe45⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe46⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe49⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe50⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe51⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe52⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe53⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe54⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe55⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe56⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe57⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe58⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe59⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe61⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe62⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe65⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe66⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe67⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe69⤵PID:1952
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe70⤵PID:1584
-
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe72⤵PID:2340
-
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe74⤵PID:2420
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe75⤵PID:3032
-
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe76⤵PID:2904
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe77⤵PID:1092
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe78⤵PID:1088
-
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe79⤵PID:2580
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe80⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe81⤵PID:3000
-
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe82⤵PID:684
-
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe83⤵PID:2504
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe84⤵PID:3036
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe85⤵PID:2640
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe86⤵PID:1396
-
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe87⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe90⤵PID:2780
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe92⤵PID:928
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe93⤵PID:1688
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe94⤵PID:2284
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1900 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe96⤵PID:1724
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe97⤵PID:2728
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe98⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe99⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe100⤵PID:904
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe101⤵PID:1708
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe102⤵PID:1916
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe103⤵PID:2196
-
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe104⤵PID:1672
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe105⤵PID:2924
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe106⤵PID:1848
-
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe107⤵PID:1676
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe108⤵PID:2176
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe109⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe110⤵PID:1512
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe111⤵PID:3012
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe112⤵PID:2560
-
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe113⤵PID:1200
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe114⤵PID:616
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe115⤵PID:824
-
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe116⤵PID:1272
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe117⤵PID:2020
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe118⤵PID:1748
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe119⤵PID:1016
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe120⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe121⤵
- Modifies registry class
PID:2408
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-