Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/05/2024, 06:32
Behavioral task: behavioral1
Sample: b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe
Size: 384KB
MD5: b1b6bcce37ebbc4e0d1bb8dcb5c2cb80
SHA1: 530176fe77ba97285cee72d03e03e3c87998d205
SHA256: e6635e4f11b4d211eabc861e61518bbc55f15e2ec7feed03b5c434127ead3133
SHA512: bc1cda94d0bdb28b54cb40f978ffa451ebc002590b9f4d41086dca87dba5253d11658f48e1f37ee347cda17cb78851be143c461b2b27cb1bd106d0edab6e91cc
SSDEEP: 6144:+jRelzTV9dip1/pui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGck7/DiuoHN:llzndiplpV6yYPMLnfBJKFbhDwBpV6y+
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3436, pid_target: 2700, Process: WerFault.exe, procid_target: 593
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (the leading number is the nesting depth; each process is spawned by the one above it):
- 1 (PID 1368): C:\Users\Admin\AppData\Local\Temp\b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe, command line "C:\Users\Admin\AppData\Local\Temp\b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 2 (PID 2276): C:\Windows\SysWOW64\Lpedeg32.exe, command line C:\Windows\system32\Lpedeg32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 3 (PID 2916): C:\Windows\SysWOW64\Ljabkeaf.exe, command line C:\Windows\system32\Ljabkeaf.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 4 (PID 2552): C:\Windows\SysWOW64\Mmdgbp32.exe, command line C:\Windows\system32\Mmdgbp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 5 (PID 2432): C:\Windows\SysWOW64\Mikhgqbi.exe, command line C:\Windows\system32\Mikhgqbi.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 6 (PID 2192): C:\Windows\SysWOW64\Nbhfke32.exe, command line C:\Windows\system32\Nbhfke32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 7 (PID 2876): C:\Windows\SysWOW64\Nledoj32.exe, command line C:\Windows\system32\Nledoj32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 8 (PID 1480): C:\Windows\SysWOW64\Nemhhpmp.exe, command line C:\Windows\system32\Nemhhpmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 9 (PID 848): C:\Windows\SysWOW64\Odgodl32.exe, command line C:\Windows\system32\Odgodl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 10 (PID 1068): C:\Windows\SysWOW64\Onocmadb.exe, command line C:\Windows\system32\Onocmadb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 11 (PID 2008): C:\Windows\SysWOW64\Olgmcmgh.exe, command line C:\Windows\system32\Olgmcmgh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 12 (PID 1936): C:\Windows\SysWOW64\Peanbblf.exe, command line C:\Windows\system32\Peanbblf.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 13 (PID 1704): C:\Windows\SysWOW64\Pqnlhpfb.exe, command line C:\Windows\system32\Pqnlhpfb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 14 (PID 824): C:\Windows\SysWOW64\Qoeeolig.exe, command line C:\Windows\system32\Qoeeolig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 15 (PID 2720): C:\Windows\SysWOW64\Aggpdnpj.exe, command line C:\Windows\system32\Aggpdnpj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 16 (PID 2436): C:\Windows\SysWOW64\Badnhbce.exe, command line C:\Windows\system32\Badnhbce.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 17 (PID 672): C:\Windows\SysWOW64\Bjallg32.exe, command line C:\Windows\system32\Bjallg32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 18 (PID 2768): C:\Windows\SysWOW64\Ciifbchf.exe, command line C:\Windows\system32\Ciifbchf.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 19 (PID 3068): C:\Windows\SysWOW64\Cljodo32.exe, command line C:\Windows\system32\Cljodo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 20 (PID 1564): C:\Windows\SysWOW64\Danmmd32.exe, command line C:\Windows\system32\Danmmd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- 21 (PID 1792): C:\Windows\SysWOW64\Ddnfop32.exe, command line C:\Windows\system32\Ddnfop32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 22 (PID 2788): C:\Windows\SysWOW64\Dgoopkgh.exe, command line C:\Windows\system32\Dgoopkgh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- 23 (PID 1820): C:\Windows\SysWOW64\Dojddmec.exe, command line C:\Windows\system32\Dojddmec.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
- 24 (PID 2892): C:\Windows\SysWOW64\Degiggjm.exe, command line C:\Windows\system32\Degiggjm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- 25 (PID 1412): C:\Windows\SysWOW64\Enbnkigh.exe, command line C:\Windows\system32\Enbnkigh.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 26 (PID 2036): C:\Windows\SysWOW64\Egmojnlf.exe, command line C:\Windows\system32\Egmojnlf.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- 27 (PID 2352): C:\Windows\SysWOW64\Edqocbkp.exe, command line C:\Windows\system32\Edqocbkp.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 28 (PID 1584): C:\Windows\SysWOW64\Ejpdai32.exe, command line C:\Windows\system32\Ejpdai32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 29 (PID 2828): C:\Windows\SysWOW64\Fhgnge32.exe, command line C:\Windows\system32\Fhgnge32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 30 (PID 2620): C:\Windows\SysWOW64\Fcmben32.exe, command line C:\Windows\system32\Fcmben32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 31 (PID 2520): C:\Windows\SysWOW64\Fgadda32.exe, command line C:\Windows\system32\Fgadda32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- 32 (PID 2596): C:\Windows\SysWOW64\Gqiimfam.exe, command line C:\Windows\system32\Gqiimfam.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- 33 (PID 2428): C:\Windows\SysWOW64\Gpabcbdb.exe, command line C:\Windows\system32\Gpabcbdb.exe
  - Executes dropped EXE
- 34 (PID 2840): C:\Windows\SysWOW64\Gaqomeke.exe, command line C:\Windows\system32\Gaqomeke.exe
  - Executes dropped EXE
- 35 (PID 1116): C:\Windows\SysWOW64\Gildahhp.exe, command line C:\Windows\system32\Gildahhp.exe
  - Executes dropped EXE
- 36 (PID 636): C:\Windows\SysWOW64\Hnkion32.exe, command line C:\Windows\system32\Hnkion32.exe
  - Executes dropped EXE
- 37 (PID 1084): C:\Windows\SysWOW64\Hnmeen32.exe, command line C:\Windows\system32\Hnmeen32.exe
  - Executes dropped EXE
- 38 (PID 2572): C:\Windows\SysWOW64\Hdlkcdog.exe, command line C:\Windows\system32\Hdlkcdog.exe
  - Executes dropped EXE
- 39 (PID 2004): C:\Windows\SysWOW64\Hhjcic32.exe, command line C:\Windows\system32\Hhjcic32.exe
  - Executes dropped EXE
- 40 (PID 2228): C:\Windows\SysWOW64\Ijklknbn.exe, command line C:\Windows\system32\Ijklknbn.exe
  - Executes dropped EXE
- 41 (PID 2216): C:\Windows\SysWOW64\Ijmipn32.exe, command line C:\Windows\system32\Ijmipn32.exe
  - Executes dropped EXE
- 42 (PID 2204): C:\Windows\SysWOW64\Ifdjeoep.exe, command line C:\Windows\system32\Ifdjeoep.exe
  - Executes dropped EXE
- 43 (PID 1540): C:\Windows\SysWOW64\Ifffkncm.exe, command line C:\Windows\system32\Ifffkncm.exe
  - Executes dropped EXE
- 44 (PID 2792): C:\Windows\SysWOW64\Ielclkhe.exe, command line C:\Windows\system32\Ielclkhe.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 45 (PID 792): C:\Windows\SysWOW64\Jabdql32.exe, command line C:\Windows\system32\Jabdql32.exe
  - Executes dropped EXE
- 46 (PID 2268): C:\Windows\SysWOW64\Jlhhndno.exe, command line C:\Windows\system32\Jlhhndno.exe
  - Executes dropped EXE
- 47 (PID 2984): C:\Windows\SysWOW64\Jpjngh32.exe, command line C:\Windows\system32\Jpjngh32.exe
  - Executes dropped EXE
- 48 (PID 2328): C:\Windows\SysWOW64\Jjbbpmgo.exe, command line C:\Windows\system32\Jjbbpmgo.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- 49 (PID 1824): C:\Windows\SysWOW64\Jckgicnp.exe, command line C:\Windows\system32\Jckgicnp.exe
  - Executes dropped EXE
- 50 (PID 1664): C:\Windows\SysWOW64\Jlckbh32.exe, command line C:\Windows\system32\Jlckbh32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- 51 (PID 828): C:\Windows\SysWOW64\Knbhlkkc.exe, command line C:\Windows\system32\Knbhlkkc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- 52 (PID 2492): C:\Windows\SysWOW64\Kgkleabc.exe, command line C:\Windows\system32\Kgkleabc.exe
  - Executes dropped EXE
- 53 (PID 2860): C:\Windows\SysWOW64\Khlili32.exe, command line C:\Windows\system32\Khlili32.exe
  - Executes dropped EXE
- 54 (PID 2684): C:\Windows\SysWOW64\Khoebi32.exe, command line C:\Windows\system32\Khoebi32.exe
  - Executes dropped EXE
  - Modifies registry class
- 55 (PID 1616): C:\Windows\SysWOW64\Kbgjkn32.exe, command line C:\Windows\system32\Kbgjkn32.exe
  - Executes dropped EXE
- 56 (PID 2932): C:\Windows\SysWOW64\Kbigpn32.exe, command line C:\Windows\system32\Kbigpn32.exe
  - Executes dropped EXE
- 57 (PID 2648): C:\Windows\SysWOW64\Lnpgeopa.exe, command line C:\Windows\system32\Lnpgeopa.exe
  - Executes dropped EXE
  - Modifies registry class
- 58 (PID 2664): C:\Windows\SysWOW64\Ldjpbign.exe, command line C:\Windows\system32\Ldjpbign.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- 59 (PID 2516): C:\Windows\SysWOW64\Lbnpkmfg.exe, command line C:\Windows\system32\Lbnpkmfg.exe
  - Executes dropped EXE
- 60 (PID 868): C:\Windows\SysWOW64\Lkfddc32.exe, command line C:\Windows\system32\Lkfddc32.exe
  - Executes dropped EXE
- 61 (PID 1692): C:\Windows\SysWOW64\Micklk32.exe, command line C:\Windows\system32\Micklk32.exe
  - Executes dropped EXE
- 62 (PID 1016): C:\Windows\SysWOW64\Miehak32.exe, command line C:\Windows\system32\Miehak32.exe
  - Executes dropped EXE
- 63 (PID 1756): C:\Windows\SysWOW64\Mfihkoal.exe, command line C:\Windows\system32\Mfihkoal.exe
  - Executes dropped EXE
- 64 (PID 2716): C:\Windows\SysWOW64\Macilmnk.exe, command line C:\Windows\system32\Macilmnk.exe
  - Executes dropped EXE
- 65 (PID 1632): C:\Windows\SysWOW64\Mlhnifmq.exe, command line C:\Windows\system32\Mlhnifmq.exe
  - Executes dropped EXE
- 66 (PID 2280): C:\Windows\SysWOW64\Meabakda.exe, command line C:\Windows\system32\Meabakda.exe
  - Drops file in System32 directory
- 67 (PID 2996): C:\Windows\SysWOW64\Mnifja32.exe, command line C:\Windows\system32\Mnifja32.exe
- 68 (PID 1376): C:\Windows\SysWOW64\Ncfoch32.exe, command line C:\Windows\system32\Ncfoch32.exe
- 69 (PID 1784): C:\Windows\SysWOW64\Nnkcpq32.exe, command line C:\Windows\system32\Nnkcpq32.exe
- 70 (PID 1968): C:\Windows\SysWOW64\Nmqpam32.exe, command line C:\Windows\system32\Nmqpam32.exe
- 71 (PID 2080): C:\Windows\SysWOW64\Ndkhngdd.exe, command line C:\Windows\system32\Ndkhngdd.exe
- 72 (PID 1760): C:\Windows\SysWOW64\Npaich32.exe, command line C:\Windows\system32\Npaich32.exe
- 73 (PID 2084): C:\Windows\SysWOW64\Nijnln32.exe, command line C:\Windows\system32\Nijnln32.exe
- 74 (PID 2748): C:\Windows\SysWOW64\Neqnqofm.exe, command line C:\Windows\system32\Neqnqofm.exe
- 75 (PID 2524): C:\Windows\SysWOW64\Ohojmjep.exe, command line C:\Windows\system32\Ohojmjep.exe
- 76 (PID 2500): C:\Windows\SysWOW64\Oioggmmc.exe, command line C:\Windows\system32\Oioggmmc.exe
- 77 (PID 2400): C:\Windows\SysWOW64\Ookpodkj.exe, command line C:\Windows\system32\Ookpodkj.exe
- 78 (PID 392): C:\Windows\SysWOW64\Ohcdhi32.exe, command line C:\Windows\system32\Ohcdhi32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 79 (PID 1304): C:\Windows\SysWOW64\Oonldcih.exe, command line C:\Windows\system32\Oonldcih.exe
- 80 (PID 1984): C:\Windows\SysWOW64\Omcifpnp.exe, command line C:\Windows\system32\Omcifpnp.exe
  - Modifies registry class
- 81 (PID 2696): C:\Windows\SysWOW64\Oaqbln32.exe, command line C:\Windows\system32\Oaqbln32.exe
  - Modifies registry class
- 82 (PID 2320): C:\Windows\SysWOW64\Pilfpqaa.exe, command line C:\Windows\system32\Pilfpqaa.exe
- 83 (PID 1764): C:\Windows\SysWOW64\Ppfomk32.exe, command line C:\Windows\system32\Ppfomk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 84 (PID 1296): C:\Windows\SysWOW64\Pgpgjepk.exe, command line C:\Windows\system32\Pgpgjepk.exe
- 85 (PID 3016): C:\Windows\SysWOW64\Plmpblnb.exe, command line C:\Windows\system32\Plmpblnb.exe
- 86 (PID 2964): C:\Windows\SysWOW64\Pcghof32.exe, command line C:\Windows\system32\Pcghof32.exe
- 87 (PID 756): C:\Windows\SysWOW64\Plolgk32.exe, command line C:\Windows\system32\Plolgk32.exe
- 88 (PID 1336): C:\Windows\SysWOW64\Pegqpacp.exe, command line C:\Windows\system32\Pegqpacp.exe
- 89 (PID 684): C:\Windows\SysWOW64\Pkdihhag.exe, command line C:\Windows\system32\Pkdihhag.exe
- 90 (PID 1020): C:\Windows\SysWOW64\Phhjblpa.exe, command line C:\Windows\system32\Phhjblpa.exe
- 91 (PID 320): C:\Windows\SysWOW64\Qkibcg32.exe, command line C:\Windows\system32\Qkibcg32.exe
- 92 (PID 2116): C:\Windows\SysWOW64\Agpcihcf.exe, command line C:\Windows\system32\Agpcihcf.exe
- 93 (PID 2056): C:\Windows\SysWOW64\Acfdnihk.exe, command line C:\Windows\system32\Acfdnihk.exe
- 94 (PID 2164): C:\Windows\SysWOW64\Aqjdgmgd.exe, command line C:\Windows\system32\Aqjdgmgd.exe
- 95 (PID 2772): C:\Windows\SysWOW64\Afgmodel.exe, command line C:\Windows\system32\Afgmodel.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 96 (PID 2504): C:\Windows\SysWOW64\Aqmamm32.exe, command line C:\Windows\system32\Aqmamm32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- 97 (PID 3032): C:\Windows\SysWOW64\Aqonbm32.exe, command line C:\Windows\system32\Aqonbm32.exe
- 98 (PID 2292): C:\Windows\SysWOW64\Ajgbkbjp.exe, command line C:\Windows\system32\Ajgbkbjp.exe
- 99 (PID 2632): C:\Windows\SysWOW64\Amfognic.exe, command line C:\Windows\system32\Amfognic.exe
  - Drops file in System32 directory
- 100 (PID 1780): C:\Windows\SysWOW64\Bmhkmm32.exe, command line C:\Windows\system32\Bmhkmm32.exe
- 101 (PID 1536): C:\Windows\SysWOW64\Bbeded32.exe, command line C:\Windows\system32\Bbeded32.exe
  - Modifies registry class
- 102 (PID 1904): C:\Windows\SysWOW64\Bbgqjdce.exe, command line C:\Windows\system32\Bbgqjdce.exe
- 103 (PID 1900): C:\Windows\SysWOW64\Biaign32.exe, command line C:\Windows\system32\Biaign32.exe
- 104 (PID 324): C:\Windows\SysWOW64\Bbjmpcab.exe, command line C:\Windows\system32\Bbjmpcab.exe
- 105 (PID 1684): C:\Windows\SysWOW64\Bkbaii32.exe, command line C:\Windows\system32\Bkbaii32.exe
- 106 (PID 1828): C:\Windows\SysWOW64\Bgibnj32.exe, command line C:\Windows\system32\Bgibnj32.exe
  - Modifies registry class
- 107 (PID 1676): C:\Windows\SysWOW64\Cjgoje32.exe, command line C:\Windows\system32\Cjgoje32.exe
- 108 (PID 1508): C:\Windows\SysWOW64\Cfnoogbo.exe, command line C:\Windows\system32\Cfnoogbo.exe
- 109 (PID 2888): C:\Windows\SysWOW64\Cmhglq32.exe, command line C:\Windows\system32\Cmhglq32.exe
- 110 (PID 2548): C:\Windows\SysWOW64\Cbepdhgc.exe, command line C:\Windows\system32\Cbepdhgc.exe
- 111 (PID 2196): C:\Windows\SysWOW64\Ciohqa32.exe, command line C:\Windows\system32\Ciohqa32.exe
  - Drops file in System32 directory
- 112 (PID 1492): C:\Windows\SysWOW64\Clpabm32.exe, command line C:\Windows\system32\Clpabm32.exe
- 113 (PID 948): C:\Windows\SysWOW64\Cicalakk.exe, command line C:\Windows\system32\Cicalakk.exe
- 114 (PID 1172): C:\Windows\SysWOW64\Daofpchf.exe, command line C:\Windows\system32\Daofpchf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 115 (PID 528): C:\Windows\SysWOW64\Djgkii32.exe, command line C:\Windows\system32\Djgkii32.exe
- 116 (PID 596): C:\Windows\SysWOW64\Daacecfc.exe, command line C:\Windows\system32\Daacecfc.exe
- 117 (PID 1628): C:\Windows\SysWOW64\Doecog32.exe, command line C:\Windows\system32\Doecog32.exe
  - Modifies registry class
- 118 (PID 3064): C:\Windows\SysWOW64\Dklddhka.exe, command line C:\Windows\system32\Dklddhka.exe
  - Modifies registry class
- 119 (PID 340): C:\Windows\SysWOW64\Dmjqpdje.exe, command line C:\Windows\system32\Dmjqpdje.exe
- 120 (PID 1560): C:\Windows\SysWOW64\Diaaeepi.exe, command line C:\Windows\system32\Diaaeepi.exe
- 121 (PID 1952): C:\Windows\SysWOW64\Dmmmfc32.exe, command line C:\Windows\system32\Dmmmfc32.exe
- 122 (PID 2540): C:\Windows\SysWOW64\Dgeaoinb.exe, command line C:\Windows\system32\Dgeaoinb.exe