Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 28/05/2024, 10:11
Behavioral task: behavioral1
Sample: 3ed536292604c9365d1232cb3e24cca0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 3ed536292604c9365d1232cb3e24cca0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 3ed536292604c9365d1232cb3e24cca0_NeikiAnalytics.exe
Size: 6.7MB
MD5: 3ed536292604c9365d1232cb3e24cca0
SHA1: 93dd603e18b175d714a1f581049edbedb7021c81
SHA256: 318e00fe75b6d16685dd4069fbb855baed8dc4b7a6e85c62b1bfc11773db04c8
SHA512: feb88968d9bdc1406adcfab2f90f561d6ddf6a41105a01a27f487e418b855802dc893f0fce952a355025cf724ad33f3f511ee0e986b9b7263bfbfe949aa46e6d
SSDEEP: 196608:daSHFaZRBEYyqmS2DiHPKQgwUgUjvho4wzlF65i6YxE+a3:daSHFaZRBEYyqmS2DiHPKQg3jvZwNVO3
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 4872, pid_target 5076, Process WerFault.exe, procid_target 574
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry below is a child of the one preceding it (the tree depth is given first), followed by the image path, the recorded command line, the PID and the signatures triggered by that process.

- 1. C:\Users\Admin\AppData\Local\Temp\3ed536292604c9365d1232cb3e24cca0_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\3ed536292604c9365d1232cb3e24cca0_NeikiAnalytics.exe"), PID 2180: Loads dropped DLL; Suspicious use of WriteProcessMemory
- 2. C:\Windows\SysWOW64\Qecoqk32.exe (command line: C:\Windows\system32\Qecoqk32.exe), PID 2972: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 3. C:\Windows\SysWOW64\Bkodhe32.exe (command line: C:\Windows\system32\Bkodhe32.exe), PID 2076: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 4. C:\Windows\SysWOW64\Baildokg.exe (command line: C:\Windows\system32\Baildokg.exe), PID 2752: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 5. C:\Windows\SysWOW64\Bcaomf32.exe (command line: C:\Windows\system32\Bcaomf32.exe), PID 2552: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 6. C:\Windows\SysWOW64\Emeopn32.exe (command line: C:\Windows\system32\Emeopn32.exe), PID 2684: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 7. C:\Windows\SysWOW64\Emhlfmgj.exe (command line: C:\Windows\system32\Emhlfmgj.exe), PID 2588: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 8. C:\Windows\SysWOW64\Ebedndfa.exe (command line: C:\Windows\system32\Ebedndfa.exe), PID 2208: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 9. C:\Windows\SysWOW64\Icbimi32.exe (command line: C:\Windows\system32\Icbimi32.exe), PID 2880: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 10. C:\Windows\SysWOW64\Igdogl32.exe (command line: C:\Windows\system32\Igdogl32.exe), PID 1516: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 11. C:\Windows\SysWOW64\Ihdkao32.exe (command line: C:\Windows\system32\Ihdkao32.exe), PID 288: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 12. C:\Windows\SysWOW64\Incpoe32.exe (command line: C:\Windows\system32\Incpoe32.exe), PID 1612: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 13. C:\Windows\SysWOW64\Icpigm32.exe (command line: C:\Windows\system32\Icpigm32.exe), PID 2728: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 14. C:\Windows\SysWOW64\Jnemdecl.exe (command line: C:\Windows\system32\Jnemdecl.exe), PID 1296: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 15. C:\Windows\SysWOW64\Jfqahgpg.exe (command line: C:\Windows\system32\Jfqahgpg.exe), PID 2724: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 16. C:\Windows\SysWOW64\Jmjjea32.exe (command line: C:\Windows\system32\Jmjjea32.exe), PID 2380: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 17. C:\Windows\SysWOW64\Jbgbni32.exe (command line: C:\Windows\system32\Jbgbni32.exe), PID 332: Executes dropped EXE; Loads dropped DLL
- 18. C:\Windows\SysWOW64\Jkpgfn32.exe (command line: C:\Windows\system32\Jkpgfn32.exe), PID 1632: Executes dropped EXE; Loads dropped DLL
- 19. C:\Windows\SysWOW64\Jfekcg32.exe (command line: C:\Windows\system32\Jfekcg32.exe), PID 1240: Executes dropped EXE; Loads dropped DLL
- 20. C:\Windows\SysWOW64\Jkbcln32.exe (command line: C:\Windows\system32\Jkbcln32.exe), PID 448: Executes dropped EXE; Loads dropped DLL
- 21. C:\Windows\SysWOW64\Jejhecaj.exe (command line: C:\Windows\system32\Jejhecaj.exe), PID 1536: Executes dropped EXE; Loads dropped DLL
- 22. C:\Windows\SysWOW64\Jkdpanhg.exe (command line: C:\Windows\system32\Jkdpanhg.exe), PID 1908: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 23. C:\Windows\SysWOW64\Kaaijdgn.exe (command line: C:\Windows\system32\Kaaijdgn.exe), PID 1820: Executes dropped EXE; Loads dropped DLL
- 24. C:\Windows\SysWOW64\Kkgmgmfd.exe (command line: C:\Windows\system32\Kkgmgmfd.exe), PID 928: Executes dropped EXE; Loads dropped DLL
- 25. C:\Windows\SysWOW64\Kaceodek.exe (command line: C:\Windows\system32\Kaceodek.exe), PID 272: Executes dropped EXE; Loads dropped DLL
- 26. C:\Windows\SysWOW64\Kkijmm32.exe (command line: C:\Windows\system32\Kkijmm32.exe), PID 1792: Executes dropped EXE; Loads dropped DLL
- 27. C:\Windows\SysWOW64\Keanebkb.exe (command line: C:\Windows\system32\Keanebkb.exe), PID 884: Executes dropped EXE; Loads dropped DLL
- 28. C:\Windows\SysWOW64\Kjnfniii.exe (command line: C:\Windows\system32\Kjnfniii.exe), PID 1568: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 29. C:\Windows\SysWOW64\Kpkofpgq.exe (command line: C:\Windows\system32\Kpkofpgq.exe), PID 3064: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 30. C:\Windows\SysWOW64\Kjqccigf.exe (command line: C:\Windows\system32\Kjqccigf.exe), PID 2648: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 31. C:\Windows\SysWOW64\Kcihlong.exe (command line: C:\Windows\system32\Kcihlong.exe), PID 2904: Executes dropped EXE; Loads dropped DLL
- 32. C:\Windows\SysWOW64\Kmaled32.exe (command line: C:\Windows\system32\Kmaled32.exe), PID 2800: Executes dropped EXE; Loads dropped DLL
- 33. C:\Windows\SysWOW64\Lbnemk32.exe (command line: C:\Windows\system32\Lbnemk32.exe), PID 3040: Executes dropped EXE
- 34. C:\Windows\SysWOW64\Lpbefoai.exe (command line: C:\Windows\system32\Lpbefoai.exe), PID 3004: Executes dropped EXE
- 35. C:\Windows\SysWOW64\Leonofpp.exe (command line: C:\Windows\system32\Leonofpp.exe), PID 2992: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 36. C:\Windows\SysWOW64\Logbhl32.exe (command line: C:\Windows\system32\Logbhl32.exe), PID 2040: Executes dropped EXE
- 37. C:\Windows\SysWOW64\Limfed32.exe (command line: C:\Windows\system32\Limfed32.exe), PID 2816: Executes dropped EXE
- 38. C:\Windows\SysWOW64\Lkncmmle.exe (command line: C:\Windows\system32\Lkncmmle.exe), PID 1124: Executes dropped EXE
- 39. C:\Windows\SysWOW64\Lecgje32.exe (command line: C:\Windows\system32\Lecgje32.exe), PID 1688: Executes dropped EXE
- 40. C:\Windows\SysWOW64\Lollckbk.exe (command line: C:\Windows\system32\Lollckbk.exe), PID 1096: Executes dropped EXE
- 41. C:\Windows\SysWOW64\Lefdpe32.exe (command line: C:\Windows\system32\Lefdpe32.exe), PID 1816: Executes dropped EXE; Modifies registry class
- 42. C:\Windows\SysWOW64\Mkclhl32.exe (command line: C:\Windows\system32\Mkclhl32.exe), PID 2360: Executes dropped EXE
- 43. C:\Windows\SysWOW64\Mppepcfg.exe (command line: C:\Windows\system32\Mppepcfg.exe), PID 1768: Executes dropped EXE
- 44. C:\Windows\SysWOW64\Mihiih32.exe (command line: C:\Windows\system32\Mihiih32.exe), PID 1300: Executes dropped EXE; Modifies registry class
- 45. C:\Windows\SysWOW64\Mdmmfa32.exe (command line: C:\Windows\system32\Mdmmfa32.exe), PID 2348: Executes dropped EXE
- 46. C:\Windows\SysWOW64\Mmfbogcn.exe (command line: C:\Windows\system32\Mmfbogcn.exe), PID 376: Executes dropped EXE
- 47. C:\Windows\SysWOW64\Meagci32.exe (command line: C:\Windows\system32\Meagci32.exe), PID 2192: Executes dropped EXE
- 48. C:\Windows\SysWOW64\Moiklogi.exe (command line: C:\Windows\system32\Moiklogi.exe), PID 2908: Executes dropped EXE
- 49. C:\Windows\SysWOW64\Mhbped32.exe (command line: C:\Windows\system32\Mhbped32.exe), PID 2548: Executes dropped EXE
- 50. C:\Windows\SysWOW64\Najdnj32.exe (command line: C:\Windows\system32\Najdnj32.exe), PID 1804: Executes dropped EXE
- 51. C:\Windows\SysWOW64\Nlphkb32.exe (command line: C:\Windows\system32\Nlphkb32.exe), PID 2236: Executes dropped EXE
- 52. C:\Windows\SysWOW64\Ncjqhmkm.exe (command line: C:\Windows\system32\Ncjqhmkm.exe), PID 1188: Executes dropped EXE
- 53. C:\Windows\SysWOW64\Nhfipcid.exe (command line: C:\Windows\system32\Nhfipcid.exe), PID 2092: Executes dropped EXE
- 54. C:\Windows\SysWOW64\Nncahjgl.exe (command line: C:\Windows\system32\Nncahjgl.exe), PID 1472: Executes dropped EXE
- 55. C:\Windows\SysWOW64\Nhiffc32.exe (command line: C:\Windows\system32\Nhiffc32.exe), PID 2148: Executes dropped EXE
- 56. C:\Windows\SysWOW64\Nnennj32.exe (command line: C:\Windows\system32\Nnennj32.exe), PID 2332: Executes dropped EXE
- 57. C:\Windows\SysWOW64\Nhkbkc32.exe (command line: C:\Windows\system32\Nhkbkc32.exe), PID 1252: Executes dropped EXE
- 58. C:\Windows\SysWOW64\Njlockkm.exe (command line: C:\Windows\system32\Njlockkm.exe), PID 2336: Executes dropped EXE; Modifies registry class
- 59. C:\Windows\SysWOW64\Ndbcpd32.exe (command line: C:\Windows\system32\Ndbcpd32.exe), PID 1980: Executes dropped EXE
- 60. C:\Windows\SysWOW64\Ojolhk32.exe (command line: C:\Windows\system32\Ojolhk32.exe), PID 2444: no signatures
- 61. C:\Windows\SysWOW64\Oddpfc32.exe (command line: C:\Windows\system32\Oddpfc32.exe), PID 2572: Executes dropped EXE; Drops file in System32 directory
- 62. C:\Windows\SysWOW64\Ojahnj32.exe (command line: C:\Windows\system32\Ojahnj32.exe), PID 2760: Executes dropped EXE
- 63. C:\Windows\SysWOW64\Oonafa32.exe (command line: C:\Windows\system32\Oonafa32.exe), PID 1676: Executes dropped EXE; Modifies registry class
- 64. C:\Windows\SysWOW64\Ojcecjee.exe (command line: C:\Windows\system32\Ojcecjee.exe), PID 708: Executes dropped EXE
- 65. C:\Windows\SysWOW64\Oopnlacm.exe (command line: C:\Windows\system32\Oopnlacm.exe), PID 1484: Executes dropped EXE; Modifies registry class
- 66. C:\Windows\SysWOW64\Ofjfhk32.exe (command line: C:\Windows\system32\Ofjfhk32.exe), PID 1356: Executes dropped EXE
- 67. C:\Windows\SysWOW64\Okgnab32.exe (command line: C:\Windows\system32\Okgnab32.exe), PID 2200: no signatures
- 68. C:\Windows\SysWOW64\Ofmbnkhg.exe (command line: C:\Windows\system32\Ofmbnkhg.exe), PID 3056: Modifies registry class
- 69. C:\Windows\SysWOW64\Okikfagn.exe (command line: C:\Windows\system32\Okikfagn.exe), PID 1608: no signatures
- 70. C:\Windows\SysWOW64\Obcccl32.exe (command line: C:\Windows\system32\Obcccl32.exe), PID 3108: Adds autorun key to be loaded by Explorer.exe on startup
- 71. C:\Windows\SysWOW64\Pgplkb32.exe (command line: C:\Windows\system32\Pgplkb32.exe), PID 3164: Adds autorun key to be loaded by Explorer.exe on startup
- 72. C:\Windows\SysWOW64\Pnjdhmdo.exe (command line: C:\Windows\system32\Pnjdhmdo.exe), PID 3224: no signatures
- 73. C:\Windows\SysWOW64\Pkndaa32.exe (command line: C:\Windows\system32\Pkndaa32.exe), PID 3280: no signatures
- 74. C:\Windows\SysWOW64\Pefijfii.exe (command line: C:\Windows\system32\Pefijfii.exe), PID 3344: Adds autorun key to be loaded by Explorer.exe on startup
- 75. C:\Windows\SysWOW64\Pmanoifd.exe (command line: C:\Windows\system32\Pmanoifd.exe), PID 3408: Adds autorun key to be loaded by Explorer.exe on startup
- 76. C:\Windows\SysWOW64\Pggbla32.exe (command line: C:\Windows\system32\Pggbla32.exe), PID 3472: no signatures
- 77. C:\Windows\SysWOW64\Papfegmk.exe (command line: C:\Windows\system32\Papfegmk.exe), PID 3532: Modifies registry class
- 78. C:\Windows\SysWOW64\Pjhknm32.exe (command line: C:\Windows\system32\Pjhknm32.exe), PID 3592: no signatures
- 79. C:\Windows\SysWOW64\Qbcpbo32.exe (command line: C:\Windows\system32\Qbcpbo32.exe), PID 3652: no signatures
- 80. C:\Windows\SysWOW64\Qmicohqm.exe (command line: C:\Windows\system32\Qmicohqm.exe), PID 3712: Modifies registry class
- 81. C:\Windows\SysWOW64\Qbelgood.exe (command line: C:\Windows\system32\Qbelgood.exe), PID 3776: Drops file in System32 directory
- 82. C:\Windows\SysWOW64\Amkpegnj.exe (command line: C:\Windows\system32\Amkpegnj.exe), PID 3840: Adds autorun key to be loaded by Explorer.exe on startup
- 83. C:\Windows\SysWOW64\Abhimnma.exe (command line: C:\Windows\system32\Abhimnma.exe), PID 3900: no signatures
- 84. C:\Windows\SysWOW64\Alpmfdcb.exe (command line: C:\Windows\system32\Alpmfdcb.exe), PID 3952: no signatures
- 85. C:\Windows\SysWOW64\Alegac32.exe (command line: C:\Windows\system32\Alegac32.exe), PID 4000: no signatures
- 86. C:\Windows\SysWOW64\Aaaoij32.exe (command line: C:\Windows\system32\Aaaoij32.exe), PID 4048: no signatures
- 87. C:\Windows\SysWOW64\Ajjcbpdd.exe (command line: C:\Windows\system32\Ajjcbpdd.exe), PID 2780: no signatures
- 88. C:\Windows\SysWOW64\Aadloj32.exe (command line: C:\Windows\system32\Aadloj32.exe), PID 3044: no signatures
- 89. C:\Windows\SysWOW64\Bfadgq32.exe (command line: C:\Windows\system32\Bfadgq32.exe), PID 2832: no signatures
- 90. C:\Windows\SysWOW64\Bpiipf32.exe (command line: C:\Windows\system32\Bpiipf32.exe), PID 2264: no signatures
- 91. C:\Windows\SysWOW64\Blpjegfm.exe (command line: C:\Windows\system32\Blpjegfm.exe), PID 2400: Drops file in System32 directory
- 92. C:\Windows\SysWOW64\Bfenbpec.exe (command line: C:\Windows\system32\Bfenbpec.exe), PID 1504: no signatures
- 93. C:\Windows\SysWOW64\Blbfjg32.exe (command line: C:\Windows\system32\Blbfjg32.exe), PID 340: no signatures
- 94. C:\Windows\SysWOW64\Bghjhp32.exe (command line: C:\Windows\system32\Bghjhp32.exe), PID 400: Adds autorun key to be loaded by Explorer.exe on startup
- 95. C:\Windows\SysWOW64\Bppoqeja.exe (command line: C:\Windows\system32\Bppoqeja.exe), PID 1992: Adds autorun key to be loaded by Explorer.exe on startup
- 96. C:\Windows\SysWOW64\Baakhm32.exe (command line: C:\Windows\system32\Baakhm32.exe), PID 2300: Adds autorun key to be loaded by Explorer.exe on startup
- 97. C:\Windows\SysWOW64\Ckjpacfp.exe (command line: C:\Windows\system32\Ckjpacfp.exe), PID 1932: no signatures
- 98. C:\Windows\SysWOW64\Ceodnl32.exe (command line: C:\Windows\system32\Ceodnl32.exe), PID 3144: no signatures
- 99. C:\Windows\SysWOW64\Clilkfnb.exe (command line: C:\Windows\system32\Clilkfnb.exe), PID 3256: no signatures
- 100. C:\Windows\SysWOW64\Cnkicn32.exe (command line: C:\Windows\system32\Cnkicn32.exe), PID 3268: no signatures
- 101. C:\Windows\SysWOW64\Chpmpg32.exe (command line: C:\Windows\system32\Chpmpg32.exe), PID 3320: no signatures
- 102. C:\Windows\SysWOW64\Cojema32.exe (command line: C:\Windows\system32\Cojema32.exe), PID 3392: no signatures
- 103. C:\Windows\SysWOW64\Cdgneh32.exe (command line: C:\Windows\system32\Cdgneh32.exe), PID 3480: no signatures
- 104. C:\Windows\SysWOW64\Cjdfmo32.exe (command line: C:\Windows\system32\Cjdfmo32.exe), PID 3552: no signatures
- 105. C:\Windows\SysWOW64\Cdikkg32.exe (command line: C:\Windows\system32\Cdikkg32.exe), PID 1184: Adds autorun key to be loaded by Explorer.exe on startup
- 106. C:\Windows\SysWOW64\Ckccgane.exe (command line: C:\Windows\system32\Ckccgane.exe), PID 2876: no signatures
- 107. C:\Windows\SysWOW64\Cppkph32.exe (command line: C:\Windows\system32\Cppkph32.exe), PID 3372: no signatures
- 108. C:\Windows\SysWOW64\Djhphncm.exe (command line: C:\Windows\system32\Djhphncm.exe), PID 3792: no signatures
- 109. C:\Windows\SysWOW64\Dcadac32.exe (command line: C:\Windows\system32\Dcadac32.exe), PID 3820: no signatures
- 110. C:\Windows\SysWOW64\Djklnnaj.exe (command line: C:\Windows\system32\Djklnnaj.exe), PID 3972: no signatures
- 111. C:\Windows\SysWOW64\Dogefd32.exe (command line: C:\Windows\system32\Dogefd32.exe), PID 4020: no signatures
- 112. C:\Windows\SysWOW64\Dfamcogo.exe (command line: C:\Windows\system32\Dfamcogo.exe), PID 2472: Drops file in System32 directory; Modifies registry class
- 113. C:\Windows\SysWOW64\Dojald32.exe (command line: C:\Windows\system32\Dojald32.exe), PID 2808: no signatures
- 114. C:\Windows\SysWOW64\Ddgjdk32.exe (command line: C:\Windows\system32\Ddgjdk32.exe), PID 2060: no signatures
- 115. C:\Windows\SysWOW64\Dkqbaecc.exe (command line: C:\Windows\system32\Dkqbaecc.exe), PID 1584: Modifies registry class
- 116. C:\Windows\SysWOW64\Dfffnn32.exe (command line: C:\Windows\system32\Dfffnn32.exe), PID 1136: no signatures
- 117. C:\Windows\SysWOW64\Dkcofe32.exe (command line: C:\Windows\system32\Dkcofe32.exe), PID 1592: no signatures
- 118. C:\Windows\SysWOW64\Edkcojga.exe (command line: C:\Windows\system32\Edkcojga.exe), PID 1532: no signatures
- 119. C:\Windows\SysWOW64\Endhhp32.exe (command line: C:\Windows\system32\Endhhp32.exe), PID 2764: no signatures
- 120. C:\Windows\SysWOW64\Egllae32.exe (command line: C:\Windows\system32\Egllae32.exe), PID 3140: Drops file in System32 directory
- 121. C:\Windows\SysWOW64\Enfenplo.exe (command line: C:\Windows\system32\Enfenplo.exe), PID 3276: no signatures
- 122. C:\Windows\SysWOW64\Eccmffjf.exe (command line: C:\Windows\system32\Eccmffjf.exe), PID 3300: no signatures