Analysis
-
max time kernel
144s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16/05/2024, 06:32
Behavioral task
behavioral1
Sample
b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe
-
Size
384KB
-
MD5
b1b6bcce37ebbc4e0d1bb8dcb5c2cb80
-
SHA1
530176fe77ba97285cee72d03e03e3c87998d205
-
SHA256
e6635e4f11b4d211eabc861e61518bbc55f15e2ec7feed03b5c434127ead3133
-
SHA512
bc1cda94d0bdb28b54cb40f978ffa451ebc002590b9f4d41086dca87dba5253d11658f48e1f37ee347cda17cb78851be143c461b2b27cb1bd106d0edab6e91cc
-
SSDEEP
6144:+jRelzTV9dip1/pui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGck7/DiuoHN:llzndiplpV6yYPMLnfBJKFbhDwBpV6y+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eefhjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhjmiad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefbfgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfoiqll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqihnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogcpjhoq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbeqmoji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmngqdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajfoiqll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcckif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnffqf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peqcjkfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dahode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecandfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jimekgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfeopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgagbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbplc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhlnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddmhja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deoaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odbgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfhlejnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeoemeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lddbqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldjhpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oneklm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnadk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docmgjhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilghlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iejcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aclpap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dohfbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcagkdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiefcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpclbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcpclbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojhiqefo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdhfhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcddpdpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogpmjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcmnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hckjacjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgmha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kajfig32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022f51-6.dat family_berbew behavioral2/files/0x00070000000233ec-14.dat family_berbew behavioral2/files/0x00070000000233ee-23.dat family_berbew behavioral2/files/0x00070000000233f1-31.dat family_berbew behavioral2/files/0x00070000000233f3-38.dat family_berbew behavioral2/files/0x00070000000233f5-46.dat family_berbew behavioral2/files/0x00070000000233f7-54.dat family_berbew behavioral2/files/0x00070000000233f9-62.dat family_berbew behavioral2/files/0x00070000000233fb-70.dat family_berbew behavioral2/files/0x00070000000233fd-78.dat family_berbew behavioral2/files/0x00070000000233ff-81.dat family_berbew behavioral2/files/0x0007000000023401-94.dat family_berbew behavioral2/files/0x0007000000023403-102.dat family_berbew behavioral2/files/0x0007000000023405-110.dat family_berbew behavioral2/files/0x00080000000233e9-118.dat family_berbew behavioral2/files/0x0007000000023408-126.dat family_berbew behavioral2/files/0x000700000002340a-134.dat family_berbew behavioral2/files/0x000700000002340d-142.dat family_berbew behavioral2/files/0x000700000002340f-152.dat family_berbew behavioral2/files/0x0007000000023411-158.dat family_berbew behavioral2/files/0x0007000000023413-166.dat family_berbew behavioral2/files/0x0007000000023415-175.dat family_berbew behavioral2/files/0x0007000000023417-182.dat family_berbew behavioral2/files/0x0007000000023419-191.dat family_berbew behavioral2/files/0x000700000002341b-198.dat family_berbew behavioral2/files/0x000700000002341d-206.dat family_berbew behavioral2/files/0x000700000002341f-214.dat family_berbew behavioral2/files/0x0007000000023421-222.dat family_berbew behavioral2/files/0x0007000000023423-230.dat family_berbew behavioral2/files/0x0007000000023425-238.dat family_berbew behavioral2/files/0x0007000000023427-246.dat family_berbew behavioral2/files/0x0007000000023429-254.dat family_berbew behavioral2/files/0x000700000002342f-269.dat family_berbew behavioral2/files/0x0007000000023437-293.dat family_berbew behavioral2/files/0x000700000002343f-317.dat family_berbew behavioral2/files/0x0007000000023447-341.dat family_berbew behavioral2/files/0x000700000002344d-359.dat family_berbew behavioral2/files/0x0007000000023457-389.dat family_berbew behavioral2/files/0x000700000002345b-401.dat family_berbew behavioral2/files/0x0007000000023461-419.dat family_berbew behavioral2/files/0x0007000000023470-461.dat family_berbew behavioral2/files/0x0007000000023478-485.dat family_berbew behavioral2/files/0x0007000000023486-527.dat family_berbew behavioral2/files/0x00070000000234a6-631.dat family_berbew behavioral2/files/0x00070000000234ac-652.dat family_berbew behavioral2/files/0x00080000000234b4-673.dat family_berbew behavioral2/files/0x00070000000234b7-686.dat family_berbew behavioral2/files/0x00070000000234da-860.dat family_berbew behavioral2/files/0x00070000000234fb-970.dat family_berbew behavioral2/files/0x000700000002350a-1019.dat family_berbew behavioral2/files/0x000700000002351c-1080.dat family_berbew behavioral2/files/0x000700000002355d-1309.dat family_berbew behavioral2/files/0x0007000000023561-1323.dat family_berbew behavioral2/files/0x0007000000023565-1336.dat family_berbew behavioral2/files/0x0007000000023579-1401.dat family_berbew behavioral2/files/0x000700000002357f-1421.dat family_berbew behavioral2/files/0x000700000002358b-1461.dat family_berbew behavioral2/files/0x0007000000023599-1506.dat family_berbew behavioral2/files/0x00070000000235a5-1547.dat family_berbew behavioral2/files/0x00070000000235be-1630.dat family_berbew behavioral2/files/0x00070000000235c6-1656.dat family_berbew behavioral2/files/0x00070000000235d2-1695.dat family_berbew behavioral2/files/0x00070000000235dc-1727.dat family_berbew behavioral2/files/0x00070000000235e0-1739.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 636 Kbfiep32.exe 4956 Kmlnbi32.exe 2576 Kpjjod32.exe 1444 Kajfig32.exe 688 Kkbkamnl.exe 4528 Lpocjdld.exe 1376 Lmccchkn.exe 1764 Lgkhlnbn.exe 2828 Lijdhiaa.exe 1340 Laalifad.exe 2104 Laciofpa.exe 4856 Laefdf32.exe 5084 Lddbqa32.exe 2808 Mpkbebbf.exe 3956 Mnocof32.exe 2704 Mgghhlhq.exe 1404 Mnapdf32.exe 64 Mcnhmm32.exe 4872 Mdmegp32.exe 3144 Mpdelajl.exe 3796 Mdpalp32.exe 1548 Nnhfee32.exe 3916 Njogjfoj.exe 1080 Nqiogp32.exe 2184 Nbhkac32.exe 4104 Nkqpjidj.exe 5016 Nqmhbpba.exe 4772 Nggqoj32.exe 4512 Ncnadk32.exe 2916 Ojhiqefo.exe 3172 Ogljjiei.exe 3360 Oqdoboli.exe 4132 Ojmcld32.exe 3372 Odbgim32.exe 892 Okloegjl.exe 4004 Oqihnn32.exe 4496 Ogcpjhoq.exe 220 Okolkg32.exe 2760 Obidhaog.exe 5068 Pgemphmn.exe 1744 Pjdilcla.exe 3668 Pbkamqmd.exe 4652 Pghieg32.exe 4080 Pjffbc32.exe 2896 Pqpnombl.exe 4788 Pcojkhap.exe 4680 Pjhbgb32.exe 3732 Pabkdmpi.exe 1984 Pgmcqggf.exe 4636 Pnfkma32.exe 516 Peqcjkfp.exe 1736 Pjmlbbdg.exe 1184 Pnihcq32.exe 3084 Qecppkdm.exe 3572 Qgallfcq.exe 3176 Qajadlja.exe 2304 Qjbena32.exe 448 Aanjpk32.exe 972 Ajfoiqll.exe 2536 Aelcfilb.exe 3672 Aacckjaf.exe 4124 Angddopp.exe 2016 Adcmmeog.exe 4752 Alkdnboj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Icifbang.exe Ikbnacmd.exe File created C:\Windows\SysWOW64\Ieolehop.exe Ibqpimpl.exe File opened for modification C:\Windows\SysWOW64\Jfeopj32.exe Jlpkba32.exe File created C:\Windows\SysWOW64\Bfajji32.dll Ldleel32.exe File created C:\Windows\SysWOW64\Goaojagc.dll Njnpppkn.exe File opened for modification C:\Windows\SysWOW64\Obidhaog.exe Okolkg32.exe File opened for modification C:\Windows\SysWOW64\Iehfdi32.exe Icgjmapi.exe File created C:\Windows\SysWOW64\Ajanck32.exe Qcgffqei.exe File opened for modification C:\Windows\SysWOW64\Ageolo32.exe Adgbpc32.exe File created C:\Windows\SysWOW64\Fqjamcpe.dll Cfmajipb.exe File opened for modification C:\Windows\SysWOW64\Pjhbgb32.exe Pcojkhap.exe File created C:\Windows\SysWOW64\Hleecc32.dll Mlopkm32.exe File created C:\Windows\SysWOW64\Klqmnp32.dll Peqcjkfp.exe File created C:\Windows\SysWOW64\Habmmpbg.dll Alkdnboj.exe File created C:\Windows\SysWOW64\Ldoaklml.exe Lenamdem.exe File opened for modification C:\Windows\SysWOW64\Dddhpjof.exe Dmjocp32.exe File opened for modification C:\Windows\SysWOW64\Ghaliknf.exe Gfbploob.exe File created C:\Windows\SysWOW64\Mpnaemnl.dll Hcdmga32.exe File created C:\Windows\SysWOW64\Jcpfco32.dll Clbceo32.exe File created C:\Windows\SysWOW64\Jlnnmb32.exe Jioaqfcc.exe File created C:\Windows\SysWOW64\Dmjocp32.exe Dfpgffpm.exe File opened for modification C:\Windows\SysWOW64\Qgallfcq.exe Qecppkdm.exe File created C:\Windows\SysWOW64\Amddjegd.exe Anadoi32.exe File created C:\Windows\SysWOW64\Hfqlnm32.exe Hbeqmoji.exe File opened for modification C:\Windows\SysWOW64\Icnpmp32.exe Ilghlc32.exe File created C:\Windows\SysWOW64\Memcpg32.dll Jehokgge.exe File created C:\Windows\SysWOW64\Kplpjn32.exe Kmncnb32.exe File created C:\Windows\SysWOW64\Ofeilobp.exe Oqhacgdh.exe File created C:\Windows\SysWOW64\Beihma32.exe Bmbplc32.exe File created C:\Windows\SysWOW64\Okloegjl.exe Odbgim32.exe File opened for modification C:\Windows\SysWOW64\Dkoggkjo.exe Dddojq32.exe File created C:\Windows\SysWOW64\Kngpec32.dll Dhocqigp.exe File created C:\Windows\SysWOW64\Dahode32.exe Dceohhja.exe File created C:\Windows\SysWOW64\Ghekjiam.dll Caebma32.exe File created C:\Windows\SysWOW64\Pcojkhap.exe Pqpnombl.exe File created C:\Windows\SysWOW64\Nhmkghpm.dll Qecppkdm.exe File opened for modification C:\Windows\SysWOW64\Hmcojh32.exe Helfik32.exe File created C:\Windows\SysWOW64\Bagplp32.dll Jlbgha32.exe File created C:\Windows\SysWOW64\Bfhhoi32.exe Beglgani.exe File created C:\Windows\SysWOW64\Ppaaagol.dll b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Pqpnombl.exe Pjffbc32.exe File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe Bcebhoii.exe File created C:\Windows\SysWOW64\Gcmdhh32.dll Febgea32.exe File opened for modification C:\Windows\SysWOW64\Ghopckpi.exe Gcagkdba.exe File created C:\Windows\SysWOW64\Ehljfnpn.exe Eemnjbaj.exe File created C:\Windows\SysWOW64\Ipdejo32.dll Ikbnacmd.exe File created C:\Windows\SysWOW64\Mdpalp32.exe Mpdelajl.exe File opened for modification C:\Windows\SysWOW64\Peqcjkfp.exe Pnfkma32.exe File created C:\Windows\SysWOW64\Ecnpbjmi.dll Hbgmcnhf.exe File created C:\Windows\SysWOW64\Pdmpje32.exe Pjhlml32.exe File opened for modification C:\Windows\SysWOW64\Afjlnk32.exe Aclpap32.exe File created C:\Windows\SysWOW64\Ddonekbl.exe Dmefhako.exe File created C:\Windows\SysWOW64\Hekcnknf.dll Pjmlbbdg.exe File created C:\Windows\SysWOW64\Ohjgdmkj.dll Fkffog32.exe File created C:\Windows\SysWOW64\Bhhdil32.exe Bclhhnca.exe File opened for modification C:\Windows\SysWOW64\Gcimkc32.exe Gkaejf32.exe File created C:\Windows\SysWOW64\Kgldjcmk.dll Qmkadgpo.exe File created C:\Windows\SysWOW64\Lbhnnj32.dll Kpjjod32.exe File created C:\Windows\SysWOW64\Kmipecpd.dll Fkopnh32.exe File created C:\Windows\SysWOW64\Geplnioe.dll Fkalchij.exe File opened for modification C:\Windows\SysWOW64\Pjhlml32.exe Pgioqq32.exe File opened for modification C:\Windows\SysWOW64\Kbfiep32.exe b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Aelcfilb.exe Ajfoiqll.exe File opened for modification C:\Windows\SysWOW64\Bjdkjo32.exe Bhfonc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9660 9448 WerFault.exe 465 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcnhmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcnhmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gicinj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll" Ldoaklml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aminee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll" Eapedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmcojh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jioaqfcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocpgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qmmnjfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgghhlhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcpclbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbgmcnhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbjlfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Conclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eapedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjeoglgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll" Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll" Iihkpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojgbfocc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dejacond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pghieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnlnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlncan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hckjacjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Heapdjlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imoneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjbena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdpie32.dll" Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nconcm32.dll" Bdmpcdfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll" Kedoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qcgffqei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjicq32.dll" Gfbploob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll" Npcoakfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkgaokd.dll" Fhqcam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmabdibj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll" Jlbgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcqbd32.dll" Pjhbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehedfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neeqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" Bjddphlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Demecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhkapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlncan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkhbdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adcmmeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnjafgo.dll" Hkdbpe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5036 wrote to memory of 636 5036 b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe 83 PID 5036 wrote to memory of 636 5036 b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe 83 PID 5036 wrote to memory of 636 5036 b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe 83 PID 636 wrote to memory of 4956 636 Kbfiep32.exe 84 PID 636 wrote to memory of 4956 636 Kbfiep32.exe 84 PID 636 wrote to memory of 4956 636 Kbfiep32.exe 84 PID 4956 wrote to memory of 2576 4956 Kmlnbi32.exe 85 PID 4956 wrote to memory of 2576 4956 Kmlnbi32.exe 85 PID 4956 wrote to memory of 2576 4956 Kmlnbi32.exe 85 PID 2576 wrote to memory of 1444 2576 Kpjjod32.exe 86 PID 2576 wrote to memory of 1444 2576 Kpjjod32.exe 86 PID 2576 wrote to memory of 1444 2576 Kpjjod32.exe 86 PID 1444 wrote to memory of 688 1444 Kajfig32.exe 87 PID 1444 wrote to memory of 688 1444 Kajfig32.exe 87 PID 1444 wrote to memory of 688 1444 Kajfig32.exe 87 PID 688 wrote to memory of 4528 688 Kkbkamnl.exe 88 PID 688 wrote to memory of 4528 688 Kkbkamnl.exe 88 PID 688 wrote to memory of 4528 688 Kkbkamnl.exe 88 PID 4528 wrote to memory of 1376 4528 Lpocjdld.exe 89 PID 4528 wrote to memory of 1376 4528 Lpocjdld.exe 89 PID 4528 wrote to memory of 1376 4528 Lpocjdld.exe 89 PID 1376 wrote to memory of 1764 1376 Lmccchkn.exe 90 PID 1376 wrote to memory of 1764 1376 Lmccchkn.exe 90 PID 1376 wrote to memory of 1764 1376 Lmccchkn.exe 90 PID 1764 wrote to memory of 2828 1764 Lgkhlnbn.exe 91 PID 1764 wrote to memory of 2828 1764 Lgkhlnbn.exe 91 PID 1764 wrote to memory of 2828 1764 Lgkhlnbn.exe 91 PID 2828 wrote to memory of 1340 2828 Lijdhiaa.exe 93 PID 2828 wrote to memory of 1340 2828 Lijdhiaa.exe 93 PID 2828 wrote to memory of 1340 2828 Lijdhiaa.exe 93 PID 1340 wrote to memory of 2104 1340 Laalifad.exe 94 PID 1340 wrote to memory of 2104 1340 Laalifad.exe 94 PID 1340 wrote to memory of 2104 1340 Laalifad.exe 94 PID 2104 wrote to memory of 4856 2104 Laciofpa.exe 96 PID 2104 wrote to memory of 4856 2104 Laciofpa.exe 96 PID 2104 wrote to memory of 4856 2104 Laciofpa.exe 96 PID 4856 wrote to memory of 5084 4856 Laefdf32.exe 97 PID 4856 wrote to memory of 5084 4856 Laefdf32.exe 97 PID 4856 wrote to memory of 5084 4856 Laefdf32.exe 97 PID 5084 wrote to memory of 2808 5084 Lddbqa32.exe 98 PID 5084 wrote to memory of 2808 5084 Lddbqa32.exe 98 PID 5084 wrote to memory of 2808 5084 Lddbqa32.exe 98 PID 2808 wrote to memory of 3956 2808 Mpkbebbf.exe 99 PID 2808 wrote to memory of 3956 2808 Mpkbebbf.exe 99 PID 2808 wrote to memory of 3956 2808 Mpkbebbf.exe 99 PID 3956 wrote to memory of 2704 3956 Mnocof32.exe 100 PID 3956 wrote to memory of 2704 3956 Mnocof32.exe 100 PID 3956 wrote to memory of 2704 3956 Mnocof32.exe 100 PID 2704 wrote to memory of 1404 2704 Mgghhlhq.exe 101 PID 2704 wrote to memory of 1404 2704 Mgghhlhq.exe 101 PID 2704 wrote to memory of 1404 2704 Mgghhlhq.exe 101 PID 1404 wrote to memory of 64 1404 Mnapdf32.exe 103 PID 1404 wrote to memory of 64 1404 Mnapdf32.exe 103 PID 1404 wrote to memory of 64 1404 Mnapdf32.exe 103 PID 64 wrote to memory of 4872 64 Mcnhmm32.exe 104 PID 64 wrote to memory of 4872 64 Mcnhmm32.exe 104 PID 64 wrote to memory of 4872 64 Mcnhmm32.exe 104 PID 4872 wrote to memory of 3144 4872 Mdmegp32.exe 105 PID 4872 wrote to memory of 3144 4872 Mdmegp32.exe 105 PID 4872 wrote to memory of 3144 4872 Mdmegp32.exe 105 PID 3144 wrote to memory of 3796 3144 Mpdelajl.exe 106 PID 3144 wrote to memory of 3796 3144 Mpdelajl.exe 106 PID 3144 wrote to memory of 3796 3144 Mpdelajl.exe 106 PID 3796 wrote to memory of 1548 3796 Mdpalp32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b1b6bcce37ebbc4e0d1bb8dcb5c2cb80_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe23⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe24⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe25⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe26⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe27⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe28⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4772 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe32⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe34⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3372 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe36⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe40⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe41⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe42⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe43⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4788 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe49⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe50⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4636 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:516 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe54⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3084 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe56⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe57⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe61⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe62⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe63⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4752 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe66⤵PID:940
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe67⤵PID:4356
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe68⤵PID:2968
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe69⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3524 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe72⤵PID:512
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe73⤵PID:4468
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe74⤵
- Drops file in System32 directory
PID:3104 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe75⤵PID:2028
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe76⤵PID:4224
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe77⤵
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe78⤵PID:1392
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe79⤵PID:2820
-
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe80⤵PID:5140
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe81⤵PID:5176
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe82⤵PID:5220
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe83⤵PID:5260
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe84⤵PID:5304
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe85⤵PID:5348
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe86⤵PID:5392
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe87⤵PID:5436
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5480 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe89⤵
- Modifies registry class
PID:5524 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe90⤵PID:5572
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe91⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe92⤵PID:5664
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5712 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe94⤵PID:5756
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5804 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe97⤵
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe98⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe100⤵PID:6024
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6068 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe102⤵PID:6108
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe104⤵PID:5212
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe105⤵
- Drops file in System32 directory
PID:5280 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe107⤵PID:5416
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe108⤵
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe109⤵PID:5580
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe110⤵PID:5660
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5744 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe112⤵
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe113⤵PID:5912
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe114⤵PID:5988
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe115⤵PID:6056
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe116⤵PID:3740
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe117⤵PID:5248
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe118⤵PID:5332
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe119⤵
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe120⤵PID:5560
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe121⤵PID:5656
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-