Analysis
-
max time kernel
117s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:30
Behavioral task
behavioral1
Sample
5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe
-
Size
135KB
-
MD5
5e4382e8c17992363ba14591349716f0
-
SHA1
00340c05e4104b8862ea2ebf42e9444cfc27b21c
-
SHA256
c45f07c8501fd910fc2ccfbccb33efcbe566cc85b85a726b94b9671c4c848d17
-
SHA512
fbf2b2526035c548817276a5975df04b0c8b8f857d8725c1d70f91c8c60e9cb68ad3b19922e438cdf0d777a9b393750a4fba255d60a9301457374913fb562746
-
SSDEEP
1536:StfUBEH0hlIsIm6A+444444444444444444444444444444444jdBJi544F44B4G:OMIfqZzTsK8Qr5+ViKGe7Yfs0a0Uoi
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhmqhkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgimqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcemnopj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpldcfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpkflne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaegpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlfma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafoikjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpldcfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akqpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opihgfop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnemfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dblhmoio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldahkaij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjhki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoimecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghhfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhqjen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdbflnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jodhdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabdecn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honfqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljnqdhga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Donojm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcandb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfagemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikifegp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijphofem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigbebhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgfgkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmagpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgfmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amafgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfmgelil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khldkllj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfocnjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijhhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqlebf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffbdadk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdhjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbdko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkgjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghibjjnk.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000d000000014267-5.dat family_berbew behavioral1/files/0x000800000001466c-18.dat family_berbew behavioral1/files/0x0007000000014738-32.dat family_berbew behavioral1/files/0x0009000000014a94-52.dat family_berbew behavioral1/files/0x0006000000015a2d-59.dat family_berbew behavioral1/memory/2384-67-0x00000000005E0000-0x0000000000622000-memory.dmp family_berbew behavioral1/files/0x0006000000015c0d-74.dat family_berbew behavioral1/files/0x000900000001445e-87.dat family_berbew behavioral1/files/0x0006000000015c3c-100.dat family_berbew behavioral1/files/0x0006000000015c5d-118.dat family_berbew behavioral1/files/0x0006000000015c7c-128.dat family_berbew behavioral1/files/0x0006000000015cb9-144.dat family_berbew behavioral1/files/0x0006000000015e41-168.dat family_berbew behavioral1/files/0x0006000000015e6f-184.dat family_berbew behavioral1/files/0x0006000000015eaf-197.dat family_berbew behavioral1/files/0x0006000000016042-204.dat family_berbew behavioral1/files/0x0006000000016283-220.dat family_berbew behavioral1/files/0x0006000000016c10-260.dat family_berbew behavioral1/memory/1656-290-0x0000000000220000-0x0000000000262000-memory.dmp family_berbew behavioral1/files/0x0006000000016d01-304.dat family_berbew behavioral1/files/0x0006000000016d24-314.dat family_berbew behavioral1/files/0x0006000000018b15-402.dat family_berbew behavioral1/files/0x0005000000019368-485.dat family_berbew behavioral1/files/0x000500000001939b-494.dat family_berbew behavioral1/files/0x000500000001946f-515.dat family_berbew behavioral1/files/0x0005000000019485-528.dat family_berbew behavioral1/files/0x00040000000194dc-550.dat family_berbew behavioral1/files/0x00050000000194ea-561.dat family_berbew behavioral1/files/0x00040000000194d6-538.dat family_berbew behavioral1/files/0x0005000000019410-506.dat family_berbew behavioral1/memory/888-476-0x0000000000220000-0x0000000000262000-memory.dmp family_berbew behavioral1/files/0x000500000001931b-469.dat family_berbew behavioral1/files/0x00050000000192c9-459.dat family_berbew behavioral1/files/0x0006000000018ba2-446.dat family_berbew behavioral1/files/0x0006000000018b73-436.dat family_berbew behavioral1/memory/1108-435-0x0000000000220000-0x0000000000262000-memory.dmp family_berbew behavioral1/files/0x0006000000018b4a-424.dat family_berbew behavioral1/files/0x00050000000194ef-572.dat family_berbew behavioral1/files/0x00050000000194f4-583.dat family_berbew behavioral1/files/0x0006000000018b37-415.dat family_berbew behavioral1/files/0x0005000000019521-596.dat family_berbew behavioral1/files/0x0006000000018ae2-391.dat family_berbew behavioral1/files/0x0005000000019570-603.dat family_berbew behavioral1/files/0x000500000001959e-613.dat family_berbew behavioral1/files/0x00050000000195a4-624.dat family_berbew behavioral1/files/0x00050000000195ba-656.dat family_berbew behavioral1/files/0x0005000000019bef-706.dat family_berbew behavioral1/files/0x0005000000019ce6-718.dat family_berbew behavioral1/files/0x0005000000019f60-742.dat family_berbew behavioral1/files/0x000500000001a013-754.dat family_berbew behavioral1/files/0x000500000001a3c2-784.dat family_berbew behavioral1/files/0x000500000001a3d4-810.dat family_berbew behavioral1/files/0x000500000001a429-822.dat family_berbew behavioral1/files/0x000500000001a447-862.dat family_berbew behavioral1/files/0x000500000001a453-907.dat family_berbew behavioral1/files/0x000500000001a470-995.dat family_berbew behavioral1/files/0x000500000001a474-1009.dat family_berbew behavioral1/files/0x000500000001a47d-1033.dat family_berbew behavioral1/files/0x000500000001a489-1059.dat family_berbew behavioral1/files/0x000500000001a543-1071.dat family_berbew behavioral1/files/0x000500000001ad1c-1082.dat family_berbew behavioral1/files/0x000500000001c288-1093.dat family_berbew behavioral1/files/0x000500000001c6d5-1104.dat family_berbew behavioral1/files/0x000500000001c71e-1114.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2064 Ljabkeaf.exe 2456 Mmakmp32.exe 2588 Mfllkece.exe 2384 Mbcmpfhi.exe 2404 Mfaefd32.exe 656 Nlnnnk32.exe 2168 Noacef32.exe 764 Nkhdkgnj.exe 1348 Nemhhpmp.exe 2220 Nadimacd.exe 1444 Oionacqo.exe 2312 Ogcnkgoh.exe 2336 Ommfga32.exe 1620 Ogekpg32.exe 2764 Olbchn32.exe 2240 Oghhfg32.exe 2228 Oldpnn32.exe 1052 Oemegc32.exe 1268 Pkjmoj32.exe 1472 Pdbahpec.exe 1664 Plijimee.exe 1656 Pgckjk32.exe 960 Pojbkh32.exe 2944 Pqkobqhd.exe 1004 Pgegok32.exe 856 Qgjqjjll.exe 2840 Qmgibqjc.exe 1584 Qmifhq32.exe 2208 Aipfmane.exe 2856 Abhkfg32.exe 2612 Akqpom32.exe 2556 Aeidgbaf.exe 2640 Akcldl32.exe 2372 Agjmim32.exe 2160 Aboaff32.exe 1108 Akhfoldn.exe 1372 Bccjdnbi.exe 1008 Bjmbqhif.exe 888 Bpjkiogm.exe 1492 Bplhnoej.exe 2248 Bffpki32.exe 2264 Bfhmqhkd.exe 1644 Bmbemb32.exe 1764 Bncaekhp.exe 1388 Clgbno32.exe 240 Cofnjj32.exe 1604 Cikbhc32.exe 1532 Cohkpj32.exe 1676 Cdecha32.exe 2896 Ejkkfjkj.exe 3036 Epecbd32.exe 1760 Fheabelm.exe 1100 Fmcjhdbc.exe 2880 Fdnolfon.exe 2532 Fnfcel32.exe 2624 Ffmkfifa.exe 2408 Filgbdfd.exe 2304 Fofpoo32.exe 1556 Fbdlkj32.exe 2508 Findhdcb.exe 2596 Gnkmqkbi.exe 968 Gqiimfam.exe 2256 Ggcaiqhj.exe 2904 Gmpjagfa.exe -
Loads dropped DLL 64 IoCs
pid Process 1196 5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe 1196 5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe 2064 Ljabkeaf.exe 2064 Ljabkeaf.exe 2456 Mmakmp32.exe 2456 Mmakmp32.exe 2588 Mfllkece.exe 2588 Mfllkece.exe 2384 Mbcmpfhi.exe 2384 Mbcmpfhi.exe 2404 Mfaefd32.exe 2404 Mfaefd32.exe 656 Nlnnnk32.exe 656 Nlnnnk32.exe 2168 Noacef32.exe 2168 Noacef32.exe 764 Nkhdkgnj.exe 764 Nkhdkgnj.exe 1348 Nemhhpmp.exe 1348 Nemhhpmp.exe 2220 Nadimacd.exe 2220 Nadimacd.exe 1444 Oionacqo.exe 1444 Oionacqo.exe 2312 Ogcnkgoh.exe 2312 Ogcnkgoh.exe 2336 Ommfga32.exe 2336 Ommfga32.exe 1620 Ogekpg32.exe 1620 Ogekpg32.exe 2764 Olbchn32.exe 2764 Olbchn32.exe 2240 Oghhfg32.exe 2240 Oghhfg32.exe 2228 Oldpnn32.exe 2228 Oldpnn32.exe 1052 Oemegc32.exe 1052 Oemegc32.exe 1268 Pkjmoj32.exe 1268 Pkjmoj32.exe 1472 Pdbahpec.exe 1472 Pdbahpec.exe 1664 Plijimee.exe 1664 Plijimee.exe 1656 Pgckjk32.exe 1656 Pgckjk32.exe 960 Pojbkh32.exe 960 Pojbkh32.exe 2944 Pqkobqhd.exe 2944 Pqkobqhd.exe 1004 Pgegok32.exe 1004 Pgegok32.exe 856 Qgjqjjll.exe 856 Qgjqjjll.exe 2840 Qmgibqjc.exe 2840 Qmgibqjc.exe 1584 Qmifhq32.exe 1584 Qmifhq32.exe 2208 Aipfmane.exe 2208 Aipfmane.exe 2856 Abhkfg32.exe 2856 Abhkfg32.exe 2612 Akqpom32.exe 2612 Akqpom32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iediin32.exe Igqhpj32.exe File opened for modification C:\Windows\SysWOW64\Fmcjhdbc.exe Fheabelm.exe File created C:\Windows\SysWOW64\Apgahbgk.dll Illbhp32.exe File opened for modification C:\Windows\SysWOW64\Nameek32.exe Nefdpjkl.exe File created C:\Windows\SysWOW64\Ghacfmic.exe Ggagmjbq.exe File created C:\Windows\SysWOW64\Hfbcidmk.exe Hmjoqo32.exe File opened for modification C:\Windows\SysWOW64\Jeclebja.exe Jhoklnkg.exe File created C:\Windows\SysWOW64\Dlfqea32.dll Nqokpd32.exe File opened for modification C:\Windows\SysWOW64\Jcandb32.exe Jjijkmbi.exe File opened for modification C:\Windows\SysWOW64\Abhkfg32.exe Aipfmane.exe File created C:\Windows\SysWOW64\Nplnekmg.dll Ldahkaij.exe File created C:\Windows\SysWOW64\Mncmib32.dll Abgaeddg.exe File opened for modification C:\Windows\SysWOW64\Mjcaimgg.exe Mgedmb32.exe File created C:\Windows\SysWOW64\Ijnkifgp.exe Iaegpaao.exe File opened for modification C:\Windows\SysWOW64\Blinefnd.exe Bacihmoo.exe File created C:\Windows\SysWOW64\Paggce32.exe Pljnkodm.exe File created C:\Windows\SysWOW64\Abjeejep.exe Aiaqle32.exe File opened for modification C:\Windows\SysWOW64\Bammlq32.exe Bjbeofpp.exe File created C:\Windows\SysWOW64\Bijlibjp.dll Eaednh32.exe File created C:\Windows\SysWOW64\Iqllghon.exe Igcgnbim.exe File created C:\Windows\SysWOW64\Qmifhq32.exe Qmgibqjc.exe File created C:\Windows\SysWOW64\Djgfgkbo.exe Dcmnja32.exe File created C:\Windows\SysWOW64\Jfjhbo32.exe Jkdcdf32.exe File created C:\Windows\SysWOW64\Ipfbma32.dll Klhemhpk.exe File created C:\Windows\SysWOW64\Iaegpaao.exe Ingkdeak.exe File created C:\Windows\SysWOW64\Bihgmdih.exe Amafgc32.exe File created C:\Windows\SysWOW64\Mmakmp32.exe Ljabkeaf.exe File created C:\Windows\SysWOW64\Jaipmp32.dll Gfmgelil.exe File created C:\Windows\SysWOW64\Acfmcc32.exe Ahpifj32.exe File opened for modification C:\Windows\SysWOW64\Lekghdad.exe Lmpcca32.exe File created C:\Windows\SysWOW64\Fjkhdlkp.dll Goddjc32.exe File created C:\Windows\SysWOW64\Bdjkbh32.dll Jahbmlil.exe File created C:\Windows\SysWOW64\Ijdppm32.exe Iqllghon.exe File opened for modification C:\Windows\SysWOW64\Kkmand32.exe Kjleflod.exe File opened for modification C:\Windows\SysWOW64\Hcajhi32.exe Gfnjne32.exe File opened for modification C:\Windows\SysWOW64\Mokilo32.exe Ljnqdhga.exe File created C:\Windows\SysWOW64\Cchlkipc.dll Gbdhjm32.exe File created C:\Windows\SysWOW64\Hjpqkajf.dll Dppigchi.exe File created C:\Windows\SysWOW64\Imldmnjj.dll Edidqf32.exe File opened for modification C:\Windows\SysWOW64\Gehiioaj.exe Gonale32.exe File created C:\Windows\SysWOW64\Dkbfgoak.dll Hpjeialg.exe File created C:\Windows\SysWOW64\Eeaepd32.exe Elipgofb.exe File created C:\Windows\SysWOW64\Gpogiglp.exe Gieommdc.exe File created C:\Windows\SysWOW64\Ijimli32.exe Ihiabfhk.exe File created C:\Windows\SysWOW64\Mjnjjbbh.exe Meabakda.exe File created C:\Windows\SysWOW64\Ecbbbh32.dll Bgibnj32.exe File created C:\Windows\SysWOW64\Aobffp32.dll Okbapi32.exe File created C:\Windows\SysWOW64\Bphaglgo.exe Bkkioeig.exe File created C:\Windows\SysWOW64\Cmqmci32.dll Fheabelm.exe File created C:\Windows\SysWOW64\Abigipko.dll Cmmagpef.exe File created C:\Windows\SysWOW64\Aboaff32.exe Agjmim32.exe File created C:\Windows\SysWOW64\Lnqjnhge.exe Kajiigba.exe File created C:\Windows\SysWOW64\Okhefl32.exe Nbpqmfmd.exe File opened for modification C:\Windows\SysWOW64\Jahbmlil.exe Jgpndg32.exe File opened for modification C:\Windows\SysWOW64\Neblqoel.exe Ncdpdcfh.exe File created C:\Windows\SysWOW64\Ldllgiek.exe Lnbdko32.exe File opened for modification C:\Windows\SysWOW64\Cagienkb.exe Ckjamgmk.exe File created C:\Windows\SysWOW64\Obkglbmf.dll Mfgnnhkc.exe File opened for modification C:\Windows\SysWOW64\Bkkioeig.exe Bacefpbg.exe File created C:\Windows\SysWOW64\Fgldnkkf.exe Fkecij32.exe File created C:\Windows\SysWOW64\Clllik32.dll Abfoll32.exe File created C:\Windows\SysWOW64\Fbbnekdd.dll Qppkfhlc.exe File opened for modification C:\Windows\SysWOW64\Aclpaali.exe Anogijnb.exe File created C:\Windows\SysWOW64\Bacihmoo.exe Ajhddk32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhpfip32.dll" Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchoid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnbpjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofdclinq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolgka32.dll" Obecld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfdopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmepkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpbohhb.dll" Gdhdkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaphegf.dll" Mhqjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pppgjnfc.dll" Okhefl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glnkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmdnf32.dll" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpggei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplnekmg.dll" Ldahkaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiahnnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjkec32.dll" Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epphbb32.dll" Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkicbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohafell.dll" Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhjlli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boleejag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebakp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmfafgbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lblcfnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggoekd32.dll" Gckfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjfcpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmoej32.dll" Lgmeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bammlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqennbbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpjnmlel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaipmp32.dll" Gfmgelil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnddef32.dll" Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpppbp32.dll" Jgmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchdpibh.dll" Efppqoil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhhgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhebfck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfagemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmggllha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbkgbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Halbai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhoklnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjlemlnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabkpdke.dll" Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odfhpd32.dll" Ioefdpne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfecckm.dll" Apclnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gblkoham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmoofdea.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1196 wrote to memory of 2064 1196 5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe 28 PID 1196 wrote to memory of 2064 1196 5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe 28 PID 1196 wrote to memory of 2064 1196 5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe 28 PID 1196 wrote to memory of 2064 1196 5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2456 2064 Ljabkeaf.exe 29 PID 2064 wrote to memory of 2456 2064 Ljabkeaf.exe 29 PID 2064 wrote to memory of 2456 2064 Ljabkeaf.exe 29 PID 2064 wrote to memory of 2456 2064 Ljabkeaf.exe 29 PID 2456 wrote to memory of 2588 2456 Mmakmp32.exe 30 PID 2456 wrote to memory of 2588 2456 Mmakmp32.exe 30 PID 2456 wrote to memory of 2588 2456 Mmakmp32.exe 30 PID 2456 wrote to memory of 2588 2456 Mmakmp32.exe 30 PID 2588 wrote to memory of 2384 2588 Mfllkece.exe 31 PID 2588 wrote to memory of 2384 2588 Mfllkece.exe 31 PID 2588 wrote to memory of 2384 2588 Mfllkece.exe 31 PID 2588 wrote to memory of 2384 2588 Mfllkece.exe 31 PID 2384 wrote to memory of 2404 2384 Mbcmpfhi.exe 32 PID 2384 wrote to memory of 2404 2384 Mbcmpfhi.exe 32 PID 2384 wrote to memory of 2404 2384 Mbcmpfhi.exe 32 PID 2384 wrote to memory of 2404 2384 Mbcmpfhi.exe 32 PID 2404 wrote to memory of 656 2404 Mfaefd32.exe 33 PID 2404 wrote to memory of 656 2404 Mfaefd32.exe 33 PID 2404 wrote to memory of 656 2404 Mfaefd32.exe 33 PID 2404 wrote to memory of 656 2404 Mfaefd32.exe 33 PID 656 wrote to memory of 2168 656 Nlnnnk32.exe 34 PID 656 wrote to memory of 2168 656 Nlnnnk32.exe 34 PID 656 wrote to memory of 2168 656 Nlnnnk32.exe 34 PID 656 wrote to memory of 2168 656 Nlnnnk32.exe 34 PID 2168 wrote to memory of 764 2168 Noacef32.exe 35 PID 2168 wrote to memory of 764 2168 Noacef32.exe 35 PID 2168 wrote to memory of 764 2168 Noacef32.exe 35 PID 2168 wrote to memory of 764 2168 Noacef32.exe 35 PID 764 wrote to memory of 1348 764 Nkhdkgnj.exe 36 PID 764 wrote to memory of 1348 764 Nkhdkgnj.exe 36 PID 764 wrote to memory of 1348 764 Nkhdkgnj.exe 36 PID 764 wrote to memory of 1348 764 Nkhdkgnj.exe 36 PID 1348 wrote to memory of 2220 1348 Nemhhpmp.exe 37 PID 1348 wrote to memory of 2220 1348 Nemhhpmp.exe 37 PID 1348 wrote to memory of 2220 1348 Nemhhpmp.exe 37 PID 1348 wrote to memory of 2220 1348 Nemhhpmp.exe 37 PID 2220 wrote to memory of 1444 2220 Nadimacd.exe 38 PID 2220 wrote to memory of 1444 2220 Nadimacd.exe 38 PID 2220 wrote to memory of 1444 2220 Nadimacd.exe 38 PID 2220 wrote to memory of 1444 2220 Nadimacd.exe 38 PID 1444 wrote to memory of 2312 1444 Oionacqo.exe 39 PID 1444 wrote to memory of 2312 1444 Oionacqo.exe 39 PID 1444 wrote to memory of 2312 1444 Oionacqo.exe 39 PID 1444 wrote to memory of 2312 1444 Oionacqo.exe 39 PID 2312 wrote to memory of 2336 2312 Ogcnkgoh.exe 40 PID 2312 wrote to memory of 2336 2312 Ogcnkgoh.exe 40 PID 2312 wrote to memory of 2336 2312 Ogcnkgoh.exe 40 PID 2312 wrote to memory of 2336 2312 Ogcnkgoh.exe 40 PID 2336 wrote to memory of 1620 2336 Ommfga32.exe 41 PID 2336 wrote to memory of 1620 2336 Ommfga32.exe 41 PID 2336 wrote to memory of 1620 2336 Ommfga32.exe 41 PID 2336 wrote to memory of 1620 2336 Ommfga32.exe 41 PID 1620 wrote to memory of 2764 1620 Ogekpg32.exe 42 PID 1620 wrote to memory of 2764 1620 Ogekpg32.exe 42 PID 1620 wrote to memory of 2764 1620 Ogekpg32.exe 42 PID 1620 wrote to memory of 2764 1620 Ogekpg32.exe 42 PID 2764 wrote to memory of 2240 2764 Olbchn32.exe 43 PID 2764 wrote to memory of 2240 2764 Olbchn32.exe 43 PID 2764 wrote to memory of 2240 2764 Olbchn32.exe 43 PID 2764 wrote to memory of 2240 2764 Olbchn32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5e4382e8c17992363ba14591349716f0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe33⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe34⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe36⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe37⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe38⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe39⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe40⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe41⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe42⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe44⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe45⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe46⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe47⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe48⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe51⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe52⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe54⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe55⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe56⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe57⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe58⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe59⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe60⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe61⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe62⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe63⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe64⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe65⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe67⤵PID:1148
-
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe68⤵PID:312
-
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe69⤵PID:2828
-
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe70⤵PID:1672
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe72⤵PID:940
-
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe73⤵PID:2036
-
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe75⤵PID:2912
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe76⤵PID:3044
-
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe77⤵PID:2868
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe78⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe79⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe80⤵PID:1984
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe81⤵PID:2548
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe82⤵PID:1988
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe83⤵
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe84⤵PID:2388
-
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe85⤵PID:2716
-
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe86⤵PID:1040
-
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe87⤵PID:1580
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe88⤵PID:924
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe89⤵PID:1172
-
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe90⤵PID:3000
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe91⤵PID:1720
-
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe92⤵PID:2492
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe94⤵PID:2576
-
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe95⤵PID:2356
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe96⤵PID:2420
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe97⤵PID:2000
-
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe98⤵PID:2348
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe99⤵PID:1708
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe101⤵PID:1512
-
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe102⤵PID:2804
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe103⤵PID:2152
-
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe105⤵PID:2012
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe106⤵PID:2056
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe107⤵PID:2700
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe108⤵PID:2344
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe109⤵PID:2648
-
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe110⤵PID:2340
-
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe111⤵PID:2296
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe113⤵PID:824
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe114⤵PID:2568
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe115⤵PID:1780
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe116⤵PID:1608
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe117⤵PID:2756
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe118⤵
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe119⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe120⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe121⤵PID:2468
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe122⤵PID:2412
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-