Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 13:22
Behavioral task
behavioral1
Sample
547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
-
Target
547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe
-
Size
192KB
-
MD5
e4e3d6e8f98e37974bd4b5aca3737900
-
SHA1
1ff87185a0ee43868b6a8bb9a9f41c51e299dbb1
-
SHA256
547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352
-
SHA512
3fd07d7b9ad2a58cdb9a2e15a592d0ad8bd291b43147c128f3678d797cf7e3f885b985739b5ee874ccd43292cd34529cd44b509a264639f5359bb12b6d73e702
-
SSDEEP
3072:DZZyePqpx8CqJ0K+AeRC2qOQpq3HNr5GnV54c4NthaeKU3d5vEiLqsC6vxfdwtP4:DmeSpWCqGRzqO+uNk54t3haeTFLel6ZX
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlkopcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cahail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqijej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iompkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiijnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcbenjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mofglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcdkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhknm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okoafmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmefooki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijbdha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlcnda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbikgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkqbaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bphbeplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdipqbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nodgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgqcmlgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agfgqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebbgid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjadmnic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afnagk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqhijbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhndldcn.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000e00000001228a-5.dat family_berbew behavioral1/files/0x00070000000144c0-26.dat family_berbew behavioral1/files/0x00070000000145be-38.dat family_berbew behavioral1/memory/2756-45-0x0000000000350000-0x000000000038F000-memory.dmp family_berbew behavioral1/files/0x0008000000014723-52.dat family_berbew behavioral1/files/0x0006000000015693-73.dat family_berbew behavioral1/files/0x0006000000015bf4-80.dat family_berbew behavioral1/files/0x0006000000015cc7-103.dat family_berbew behavioral1/files/0x0006000000015ce8-111.dat family_berbew behavioral1/files/0x0006000000015d08-125.dat family_berbew behavioral1/files/0x0006000000015d24-140.dat family_berbew behavioral1/files/0x0006000000015d53-161.dat family_berbew behavioral1/files/0x0038000000014349-170.dat family_berbew behavioral1/files/0x0006000000015d83-188.dat family_berbew behavioral1/memory/2160-192-0x00000000002F0000-0x000000000032F000-memory.dmp family_berbew behavioral1/files/0x0006000000015d9f-199.dat family_berbew behavioral1/memory/2068-206-0x0000000000250000-0x000000000028F000-memory.dmp family_berbew behavioral1/files/0x0006000000015e1d-221.dat family_berbew behavioral1/files/0x0006000000015fef-233.dat family_berbew behavioral1/memory/1636-234-0x00000000002E0000-0x000000000031F000-memory.dmp family_berbew behavioral1/memory/264-240-0x00000000002E0000-0x000000000031F000-memory.dmp family_berbew behavioral1/files/0x000600000001615c-244.dat family_berbew behavioral1/files/0x0006000000016455-256.dat family_berbew behavioral1/files/0x00060000000165e1-269.dat family_berbew behavioral1/files/0x0006000000016a8a-280.dat family_berbew behavioral1/files/0x0006000000016c6f-290.dat family_berbew behavioral1/memory/264-300-0x00000000002E0000-0x000000000031F000-memory.dmp family_berbew behavioral1/files/0x0006000000016cc1-303.dat family_berbew behavioral1/files/0x0006000000016d17-313.dat family_berbew behavioral1/files/0x0006000000016d32-324.dat family_berbew behavioral1/files/0x0006000000016d43-336.dat family_berbew behavioral1/memory/1360-350-0x0000000000270000-0x00000000002AF000-memory.dmp family_berbew behavioral1/memory/2784-356-0x0000000000270000-0x00000000002AF000-memory.dmp family_berbew behavioral1/files/0x0006000000016d5f-355.dat family_berbew behavioral1/files/0x0006000000016d68-368.dat family_berbew behavioral1/files/0x0006000000016d8b-378.dat family_berbew behavioral1/memory/1360-351-0x0000000000270000-0x00000000002AF000-memory.dmp family_berbew behavioral1/memory/1592-391-0x0000000000280000-0x00000000002BF000-memory.dmp family_berbew behavioral1/files/0x0006000000016dba-388.dat family_berbew behavioral1/files/0x0006000000016dd1-398.dat family_berbew behavioral1/files/0x0006000000016de3-410.dat family_berbew behavioral1/files/0x0006000000017223-423.dat family_berbew behavioral1/files/0x00060000000173f6-434.dat family_berbew behavioral1/files/0x0006000000017577-449.dat family_berbew behavioral1/files/0x000d000000018673-457.dat family_berbew behavioral1/files/0x000500000001870f-469.dat family_berbew behavioral1/files/0x0005000000018723-478.dat family_berbew behavioral1/files/0x0005000000018797-488.dat family_berbew behavioral1/files/0x00050000000187b3-498.dat family_berbew behavioral1/files/0x0006000000018bd9-512.dat family_berbew behavioral1/files/0x00060000000190da-521.dat family_berbew behavioral1/files/0x0005000000019358-533.dat family_berbew behavioral1/files/0x00050000000193e5-542.dat family_berbew behavioral1/files/0x0005000000019428-553.dat family_berbew behavioral1/files/0x0005000000019447-563.dat family_berbew behavioral1/files/0x000500000001947b-573.dat family_berbew behavioral1/files/0x000500000001951f-582.dat family_berbew behavioral1/files/0x00050000000195b1-594.dat family_berbew behavioral1/files/0x0005000000019629-603.dat family_berbew behavioral1/files/0x000500000001962d-615.dat family_berbew behavioral1/files/0x0005000000019631-621.dat family_berbew behavioral1/files/0x0005000000019637-632.dat family_berbew behavioral1/files/0x000500000001963d-641.dat family_berbew behavioral1/files/0x0005000000019640-654.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1064 Ngfcca32.exe 2364 Nlblkhei.exe 2756 Nlblkhei.exe 2664 Nqqdag32.exe 2080 Njiijlbp.exe 2800 Nbdnoo32.exe 3008 Nohnhc32.exe 2160 Ohqbqhde.exe 2856 Odgcfijj.exe 1636 Onphoo32.exe 1848 Okchhc32.exe 1440 Obnqem32.exe 772 Omgaek32.exe 2068 Ocajbekl.exe 1896 Pphjgfqq.exe 264 Paggai32.exe 1104 Pmnhfjmg.exe 1844 Ppmdbe32.exe 1132 Ppoqge32.exe 2204 Pbmmcq32.exe 1360 Plfamfpm.exe 2304 Pndniaop.exe 3060 Penfelgm.exe 1592 Qaefjm32.exe 2108 Qdccfh32.exe 2784 Qmlgonbe.exe 2292 Amndem32.exe 2792 Ahchbf32.exe 2580 Aiedjneg.exe 3004 Apomfh32.exe 2720 Aigaon32.exe 2872 Alenki32.exe 1248 Aiinen32.exe 880 Alhjai32.exe 1444 Aoffmd32.exe 2256 Afmonbqk.exe 1532 Ailkjmpo.exe 2604 Aljgfioc.exe 2780 Bbdocc32.exe 568 Bebkpn32.exe 1480 Bhahlj32.exe 324 Bokphdld.exe 2288 Baildokg.exe 2384 Beehencq.exe 1852 Bloqah32.exe 1960 Bkaqmeah.exe 2116 Balijo32.exe 2352 Begeknan.exe 2688 Bhfagipa.exe 2616 Bopicc32.exe 2460 Bnbjopoi.exe 2564 Bpafkknm.exe 2608 Bgknheej.exe 2512 Bkfjhd32.exe 2836 Baqbenep.exe 2696 Bpcbqk32.exe 1996 Cgmkmecg.exe 1924 Cjlgiqbk.exe 1948 Cljcelan.exe 1776 Cdakgibq.exe 1712 Cgpgce32.exe 1576 Cjndop32.exe 112 Cphlljge.exe 3016 Ccfhhffh.exe -
Loads dropped DLL 64 IoCs
pid Process 2416 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe 2416 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe 1064 Ngfcca32.exe 1064 Ngfcca32.exe 2364 Nlblkhei.exe 2364 Nlblkhei.exe 2756 Nlblkhei.exe 2756 Nlblkhei.exe 2664 Nqqdag32.exe 2664 Nqqdag32.exe 2080 Njiijlbp.exe 2080 Njiijlbp.exe 2800 Nbdnoo32.exe 2800 Nbdnoo32.exe 3008 Nohnhc32.exe 3008 Nohnhc32.exe 2160 Ohqbqhde.exe 2160 Ohqbqhde.exe 2856 Odgcfijj.exe 2856 Odgcfijj.exe 1636 Onphoo32.exe 1636 Onphoo32.exe 1848 Okchhc32.exe 1848 Okchhc32.exe 1440 Obnqem32.exe 1440 Obnqem32.exe 772 Omgaek32.exe 772 Omgaek32.exe 2068 Ocajbekl.exe 2068 Ocajbekl.exe 1896 Pphjgfqq.exe 1896 Pphjgfqq.exe 264 Paggai32.exe 264 Paggai32.exe 1104 Pmnhfjmg.exe 1104 Pmnhfjmg.exe 1844 Ppmdbe32.exe 1844 Ppmdbe32.exe 1132 Ppoqge32.exe 1132 Ppoqge32.exe 2204 Pbmmcq32.exe 2204 Pbmmcq32.exe 1360 Plfamfpm.exe 1360 Plfamfpm.exe 2304 Pndniaop.exe 2304 Pndniaop.exe 3060 Penfelgm.exe 3060 Penfelgm.exe 1592 Qaefjm32.exe 1592 Qaefjm32.exe 2108 Qdccfh32.exe 2108 Qdccfh32.exe 2784 Qmlgonbe.exe 2784 Qmlgonbe.exe 2292 Amndem32.exe 2292 Amndem32.exe 2792 Ahchbf32.exe 2792 Ahchbf32.exe 2580 Aiedjneg.exe 2580 Aiedjneg.exe 3004 Apomfh32.exe 3004 Apomfh32.exe 2720 Aigaon32.exe 2720 Aigaon32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lhnffb32.dll Pgbhabjp.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fejgko32.exe File created C:\Windows\SysWOW64\Fiaeoang.exe Ffbicfoc.exe File opened for modification C:\Windows\SysWOW64\Iajcde32.exe Inngcfid.exe File created C:\Windows\SysWOW64\Nhokkp32.dll Ccahbp32.exe File created C:\Windows\SysWOW64\Hkcdafqb.exe Hlqdei32.exe File opened for modification C:\Windows\SysWOW64\Aigaon32.exe Apomfh32.exe File created C:\Windows\SysWOW64\Ikfmfi32.exe Ihgainbg.exe File created C:\Windows\SysWOW64\Aaloddnn.exe Annbhi32.exe File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe Gaemjbcg.exe File created C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File opened for modification C:\Windows\SysWOW64\Nckjkl32.exe Nplmop32.exe File opened for modification C:\Windows\SysWOW64\Okdkal32.exe Ohendqhd.exe File opened for modification C:\Windows\SysWOW64\Qqeicede.exe Qngmgjeb.exe File created C:\Windows\SysWOW64\Amndem32.exe Qmlgonbe.exe File created C:\Windows\SysWOW64\Opanhd32.dll Bloqah32.exe File created C:\Windows\SysWOW64\Lihmjejl.exe Lfjqnjkh.exe File opened for modification C:\Windows\SysWOW64\Dkcofe32.exe Dhdcji32.exe File created C:\Windows\SysWOW64\Hcpbee32.dll Melfncqb.exe File created C:\Windows\SysWOW64\Lnpbep32.dll Jfqahgpg.exe File created C:\Windows\SysWOW64\Algdlcdm.dll Ghcoqh32.exe File created C:\Windows\SysWOW64\Jgojpjem.exe Jhljdm32.exe File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe Cfeddafl.exe File created C:\Windows\SysWOW64\Gjodeppm.dll Mkclhl32.exe File created C:\Windows\SysWOW64\Hojgbclk.dll Alpmfdcb.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Dlgldibq.exe File opened for modification C:\Windows\SysWOW64\Edpmjj32.exe Emieil32.exe File opened for modification C:\Windows\SysWOW64\Eqijej32.exe Emnndlod.exe File created C:\Windows\SysWOW64\Heihnoph.exe Hmbpmapf.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Epfhbign.exe File opened for modification C:\Windows\SysWOW64\Kkgmgmfd.exe Kihqkagp.exe File opened for modification C:\Windows\SysWOW64\Mdcpdp32.exe Maedhd32.exe File created C:\Windows\SysWOW64\Fdlpjk32.dll Cilibi32.exe File created C:\Windows\SysWOW64\Nohnhc32.exe Nbdnoo32.exe File opened for modification C:\Windows\SysWOW64\Amndem32.exe Qmlgonbe.exe File created C:\Windows\SysWOW64\Cphlljge.exe Cjndop32.exe File created C:\Windows\SysWOW64\Mkgfckcj.exe Mdmmfa32.exe File created C:\Windows\SysWOW64\Nadddkfi.dll Olmhdf32.exe File opened for modification C:\Windows\SysWOW64\Aefeijle.exe Afcenm32.exe File created C:\Windows\SysWOW64\Ceamohhb.dll Nofdklgl.exe File opened for modification C:\Windows\SysWOW64\Kihqkagp.exe Kemejc32.exe File opened for modification C:\Windows\SysWOW64\Aamfnkai.exe Abjebn32.exe File created C:\Windows\SysWOW64\Mfbnag32.dll Hedocp32.exe File created C:\Windows\SysWOW64\Bpmiamoh.dll Knklagmb.exe File created C:\Windows\SysWOW64\Lclclfdi.dll Pckoam32.exe File opened for modification C:\Windows\SysWOW64\Bhdgjb32.exe Beejng32.exe File created C:\Windows\SysWOW64\Ecpgmhai.exe Emeopn32.exe File created C:\Windows\SysWOW64\Qimhoi32.exe Qbcpbo32.exe File opened for modification C:\Windows\SysWOW64\Iccbqh32.exe Hpefdl32.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Lafndg32.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Jfghif32.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Cnkicn32.exe Cklmgb32.exe File created C:\Windows\SysWOW64\Ekgednng.dll Ecejkf32.exe File opened for modification C:\Windows\SysWOW64\Iompkh32.exe Ilncom32.exe File created C:\Windows\SysWOW64\Qhiphb32.dll Qijdocfj.exe File created C:\Windows\SysWOW64\Aaolidlk.exe Aigchgkh.exe File created C:\Windows\SysWOW64\Baqbenep.exe Bkfjhd32.exe File opened for modification C:\Windows\SysWOW64\Fncdgcqm.exe Flehkhai.exe File opened for modification C:\Windows\SysWOW64\Ocajbekl.exe Omgaek32.exe File created C:\Windows\SysWOW64\Ppoqge32.exe Ppmdbe32.exe File created C:\Windows\SysWOW64\Maomqp32.dll Cbkeib32.exe File opened for modification C:\Windows\SysWOW64\Biamilfj.exe Bkommo32.exe File created C:\Windows\SysWOW64\Dfdlklmn.dll Gakcimgf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7696 7656 WerFault.exe 758 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll" Mkklljmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphhoacd.dll" Odgcfijj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjlqhoba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehllae32.dll" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghcamqb.dll" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll" Kicmdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" Bopicc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiehea32.dll" Inqcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anlmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjnmlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcfmmpb.dll" Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccfhhffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll" Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pokieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qflhbhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qefpjhef.dll" Cfeddafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jqdipqbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnaga32.dll" Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll" Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfeoma.dll" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egamfkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Bhndldcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bobhal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aiedjneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abmbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akodpalp.dll" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phccmbca.dll" Amhpnkch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihgainbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaqoq32.dll" Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oobjaqaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2416 wrote to memory of 1064 2416 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 1064 2416 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 1064 2416 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 1064 2416 547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe 28 PID 1064 wrote to memory of 2364 1064 Ngfcca32.exe 29 PID 1064 wrote to memory of 2364 1064 Ngfcca32.exe 29 PID 1064 wrote to memory of 2364 1064 Ngfcca32.exe 29 PID 1064 wrote to memory of 2364 1064 Ngfcca32.exe 29 PID 2364 wrote to memory of 2756 2364 Nlblkhei.exe 30 PID 2364 wrote to memory of 2756 2364 Nlblkhei.exe 30 PID 2364 wrote to memory of 2756 2364 Nlblkhei.exe 30 PID 2364 wrote to memory of 2756 2364 Nlblkhei.exe 30 PID 2756 wrote to memory of 2664 2756 Nlblkhei.exe 31 PID 2756 wrote to memory of 2664 2756 Nlblkhei.exe 31 PID 2756 wrote to memory of 2664 2756 Nlblkhei.exe 31 PID 2756 wrote to memory of 2664 2756 Nlblkhei.exe 31 PID 2664 wrote to memory of 2080 2664 Nqqdag32.exe 32 PID 2664 wrote to memory of 2080 2664 Nqqdag32.exe 32 PID 2664 wrote to memory of 2080 2664 Nqqdag32.exe 32 PID 2664 wrote to memory of 2080 2664 Nqqdag32.exe 32 PID 2080 wrote to memory of 2800 2080 Njiijlbp.exe 33 PID 2080 wrote to memory of 2800 2080 Njiijlbp.exe 33 PID 2080 wrote to memory of 2800 2080 Njiijlbp.exe 33 PID 2080 wrote to memory of 2800 2080 Njiijlbp.exe 33 PID 2800 wrote to memory of 3008 2800 Nbdnoo32.exe 34 PID 2800 wrote to memory of 3008 2800 Nbdnoo32.exe 34 PID 2800 wrote to memory of 3008 2800 Nbdnoo32.exe 34 PID 2800 wrote to memory of 3008 2800 Nbdnoo32.exe 34 PID 3008 wrote to memory of 2160 3008 Nohnhc32.exe 35 PID 3008 wrote to memory of 2160 3008 Nohnhc32.exe 35 PID 3008 wrote to memory of 2160 3008 Nohnhc32.exe 35 PID 3008 wrote to memory of 2160 3008 Nohnhc32.exe 35 PID 2160 wrote to memory of 2856 2160 Ohqbqhde.exe 36 PID 2160 wrote to memory of 2856 2160 Ohqbqhde.exe 36 PID 2160 wrote to memory of 2856 2160 Ohqbqhde.exe 36 PID 2160 wrote to memory of 2856 2160 Ohqbqhde.exe 36 PID 2856 wrote to memory of 1636 2856 Odgcfijj.exe 37 PID 2856 wrote to memory of 1636 2856 Odgcfijj.exe 37 PID 2856 wrote to memory of 1636 2856 Odgcfijj.exe 37 PID 2856 wrote to memory of 1636 2856 Odgcfijj.exe 37 PID 1636 wrote to memory of 1848 1636 Onphoo32.exe 38 PID 1636 wrote to memory of 1848 1636 Onphoo32.exe 38 PID 1636 wrote to memory of 1848 1636 Onphoo32.exe 38 PID 1636 wrote to memory of 1848 1636 Onphoo32.exe 38 PID 1848 wrote to memory of 1440 1848 Okchhc32.exe 39 PID 1848 wrote to memory of 1440 1848 Okchhc32.exe 39 PID 1848 wrote to memory of 1440 1848 Okchhc32.exe 39 PID 1848 wrote to memory of 1440 1848 Okchhc32.exe 39 PID 1440 wrote to memory of 772 1440 Obnqem32.exe 40 PID 1440 wrote to memory of 772 1440 Obnqem32.exe 40 PID 1440 wrote to memory of 772 1440 Obnqem32.exe 40 PID 1440 wrote to memory of 772 1440 Obnqem32.exe 40 PID 772 wrote to memory of 2068 772 Omgaek32.exe 41 PID 772 wrote to memory of 2068 772 Omgaek32.exe 41 PID 772 wrote to memory of 2068 772 Omgaek32.exe 41 PID 772 wrote to memory of 2068 772 Omgaek32.exe 41 PID 2068 wrote to memory of 1896 2068 Ocajbekl.exe 42 PID 2068 wrote to memory of 1896 2068 Ocajbekl.exe 42 PID 2068 wrote to memory of 1896 2068 Ocajbekl.exe 42 PID 2068 wrote to memory of 1896 2068 Ocajbekl.exe 42 PID 1896 wrote to memory of 264 1896 Pphjgfqq.exe 43 PID 1896 wrote to memory of 264 1896 Pphjgfqq.exe 43 PID 1896 wrote to memory of 264 1896 Pphjgfqq.exe 43 PID 1896 wrote to memory of 264 1896 Pphjgfqq.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\547516405f114b08d4f9aaba92201c47510e7bf0bfb51197c8cedaa4a6fb6352_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe33⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe34⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe35⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe36⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe38⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe39⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe40⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe41⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe42⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe43⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe44⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe45⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe47⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe48⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe49⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe52⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe53⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe54⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe56⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe57⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe58⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe59⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe60⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe61⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe62⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe64⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe67⤵PID:1764
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe69⤵PID:1680
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe70⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe71⤵PID:2096
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe72⤵PID:2768
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe74⤵PID:2520
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe75⤵PID:2676
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe76⤵PID:3020
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe77⤵PID:2728
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe78⤵PID:1632
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe79⤵PID:1724
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe80⤵PID:2568
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe81⤵PID:1664
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe82⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:484 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe84⤵PID:636
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe85⤵PID:2312
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1316 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe87⤵PID:1980
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe88⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe89⤵PID:1588
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe90⤵PID:2776
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe91⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe92⤵PID:1964
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe93⤵PID:2712
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe94⤵PID:844
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe95⤵PID:1268
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe96⤵PID:2724
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe97⤵PID:1744
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe98⤵PID:2396
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe99⤵PID:2196
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe100⤵PID:2104
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe101⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe102⤵PID:1984
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe104⤵PID:2240
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe105⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe106⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe107⤵PID:2016
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe108⤵PID:2840
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe109⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe110⤵PID:1628
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe111⤵PID:1280
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe112⤵PID:2952
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe113⤵PID:1492
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe115⤵PID:2020
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe116⤵PID:1696
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe117⤵PID:3064
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe118⤵PID:2632
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe119⤵PID:2796
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe120⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe121⤵PID:1920
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe122⤵PID:1704
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-