Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:36
Behavioral task
behavioral1
Sample
6046546f24a081b5c8df8bd27a1b5fb0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6046546f24a081b5c8df8bd27a1b5fb0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
6046546f24a081b5c8df8bd27a1b5fb0_NeikiAnalytics.exe
-
Size
109KB
-
MD5
6046546f24a081b5c8df8bd27a1b5fb0
-
SHA1
22f11b7e685e9c7a7a41f2ddea1024e8857a3cf5
-
SHA256
f874264bb848ac44989eeecc410553e7d66218557e15ec5ba728aba486f89a52
-
SHA512
505a3a743b68ba3058743938723bbdb1282b2890e0bb6cd27cdfbe9535d3cbb3025dd6913babae62fb7942e4a0dcd115eadd3c507c3d5ebf131365150a2d27ff
-
SSDEEP
3072:IQsqwycDxIsAJ9CLCqwzBu1DjHLMVDqqkSp:IuwywAJ92wtu1DjrFqh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nljofl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhfedil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheffh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndcdmikd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjlnnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpgeee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqcjepfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldanqkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjedffig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbdplfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcagphom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojaelm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fknicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khbdikip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdfehh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkjlic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpiljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppopjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnffjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpneegel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfkoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfckahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lppbkgcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifhaenk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Megdccmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhldpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihqoeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njghbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oohgdhfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eabbjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdgfa32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1588-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000c0000000233be-6.dat family_berbew behavioral2/memory/1568-8-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000800000002340a-14.dat family_berbew behavioral2/memory/680-16-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002340c-22.dat family_berbew behavioral2/memory/740-24-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002340e-30.dat family_berbew behavioral2/memory/2052-32-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023410-38.dat family_berbew behavioral2/memory/1332-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023412-46.dat family_berbew behavioral2/memory/1152-48-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023414-54.dat family_berbew behavioral2/memory/2784-56-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023416-62.dat family_berbew behavioral2/memory/4992-64-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023418-70.dat family_berbew behavioral2/memory/2908-76-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341a-78.dat family_berbew behavioral2/memory/1680-84-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341c-87.dat family_berbew behavioral2/memory/4924-88-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341e-94.dat family_berbew behavioral2/memory/2832-95-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023420-97.dat family_berbew behavioral2/files/0x0007000000023422-110.dat family_berbew behavioral2/memory/868-108-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/5096-116-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023424-118.dat family_berbew behavioral2/memory/2004-119-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023426-126.dat family_berbew behavioral2/memory/232-127-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023428-134.dat family_berbew behavioral2/memory/3036-140-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002342a-142.dat family_berbew behavioral2/memory/5084-143-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002342c-150.dat family_berbew behavioral2/memory/2824-151-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002342e-158.dat family_berbew behavioral2/memory/1488-160-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023430-166.dat family_berbew behavioral2/memory/4760-167-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0009000000023400-174.dat family_berbew behavioral2/memory/2444-175-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023433-183.dat family_berbew behavioral2/memory/2952-184-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023435-190.dat family_berbew behavioral2/memory/3976-192-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023437-198.dat family_berbew behavioral2/memory/876-200-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023439-206.dat family_berbew behavioral2/memory/4896-208-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002343b-214.dat family_berbew behavioral2/memory/3116-216-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002343d-222.dat family_berbew behavioral2/memory/4672-224-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002343f-225.dat family_berbew behavioral2/files/0x000700000002343f-230.dat family_berbew behavioral2/memory/1076-232-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023441-238.dat family_berbew behavioral2/memory/2120-240-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000023443-246.dat family_berbew behavioral2/memory/3680-248-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1568 Pjdilcla.exe 680 Pqnaim32.exe 740 Pghieg32.exe 2052 Pnbbbabh.exe 1332 Pqpnombl.exe 1152 Pkfblfab.exe 2784 Pndohaqe.exe 4992 Pcagphom.exe 2908 Pnfkma32.exe 1680 Paegjl32.exe 4924 Pgopffec.exe 2832 Pbddcoei.exe 868 Qcepkg32.exe 5096 Qkmhlekj.exe 2004 Qnkdhpjn.exe 232 Qchmagie.exe 3036 Qnnanphk.exe 5084 Qalnjkgo.exe 2824 Alabgd32.exe 1488 Aanjpk32.exe 4760 Ahhblemi.exe 2444 Abngjnmo.exe 2952 Ahkobekf.exe 3976 Aeopki32.exe 876 Angddopp.exe 4896 Adcmmeog.exe 3116 Ajneip32.exe 4672 Bahmfj32.exe 1076 Bjpaooda.exe 2120 Bdhfhe32.exe 3680 Bjbndobo.exe 2416 Balfaiil.exe 3452 Bhfonc32.exe 4220 Bopgjmhe.exe 3296 Baocghgi.exe 3092 Bhikcb32.exe 756 Bldgdago.exe 1148 Bbnpqk32.exe 668 Bdolhc32.exe 4076 Blfdia32.exe 4176 Cbqlfkmi.exe 2732 Ceoibflm.exe 2776 Cliaoq32.exe 4824 Cogmkl32.exe 4772 Cafigg32.exe 3496 Chpada32.exe 324 Cknnpm32.exe 2672 Cbefaj32.exe 4888 Cdfbibnb.exe 3044 Clnjjpod.exe 3468 Colffknh.exe 3600 Cefoce32.exe 4608 Cdiooblp.exe 4032 Clpgpp32.exe 4600 Conclk32.exe 1220 Camphf32.exe 4300 Cdkldb32.exe 3128 Clbceo32.exe 4252 Doqpak32.exe 692 Dbllbibl.exe 2524 Ddmhja32.exe 3780 Dkgqfl32.exe 3288 Daaicfgd.exe 3616 Dhkapp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ejjaqk32.exe Process not Found File created C:\Windows\SysWOW64\Fmcldc32.dll Faenpf32.exe File opened for modification C:\Windows\SysWOW64\Indfca32.exe Igjngh32.exe File created C:\Windows\SysWOW64\Jofill32.dll Gpnmbl32.exe File opened for modification C:\Windows\SysWOW64\Hcblpdgg.exe Hpcodihc.exe File opened for modification C:\Windows\SysWOW64\Feoodn32.exe Process not Found File created C:\Windows\SysWOW64\Bnnkgo32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eklajcmc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ecdbop32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bdhfhe32.exe Bjpaooda.exe File created C:\Windows\SysWOW64\Aoalgn32.exe Ahgcjddh.exe File created C:\Windows\SysWOW64\Jiglalpk.dll Angddopp.exe File opened for modification C:\Windows\SysWOW64\Hmhhehlb.exe Heapdjlp.exe File created C:\Windows\SysWOW64\Bneljh32.dll Bnkgeg32.exe File created C:\Windows\SysWOW64\Phigif32.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Hlglnp32.dll Process not Found File created C:\Windows\SysWOW64\Qckcba32.dll Process not Found File created C:\Windows\SysWOW64\Edmclccp.exe Eangpgcl.exe File created C:\Windows\SysWOW64\Iddljmpc.exe Injcmc32.exe File opened for modification C:\Windows\SysWOW64\Kecabifp.exe Kbddfmgl.exe File created C:\Windows\SysWOW64\Fpbmfn32.exe Emdajb32.exe File created C:\Windows\SysWOW64\Jcanll32.exe Process not Found File created C:\Windows\SysWOW64\Fenpmnno.dll Process not Found File created C:\Windows\SysWOW64\Mgmodn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pnfkma32.exe Pcagphom.exe File opened for modification C:\Windows\SysWOW64\Hmcojh32.exe Helfik32.exe File created C:\Windows\SysWOW64\Icnklbmj.exe Ipoopgnf.exe File opened for modification C:\Windows\SysWOW64\Megljppl.exe Mnmdme32.exe File created C:\Windows\SysWOW64\Nmcpoedn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fafkecel.exe Fljcmlfd.exe File created C:\Windows\SysWOW64\Flippejg.dll Qjlnnemp.exe File created C:\Windows\SysWOW64\Oboijgbl.exe Okgaijaj.exe File created C:\Windows\SysWOW64\Ijdabh32.dll Kdpmbc32.exe File opened for modification C:\Windows\SysWOW64\Iolhkh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gbmadd32.exe Process not Found File created C:\Windows\SysWOW64\Bdlgcp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Amddjegd.exe Agglboim.exe File opened for modification C:\Windows\SysWOW64\Ijadbdoj.exe Igchfiof.exe File opened for modification C:\Windows\SysWOW64\Njiegl32.exe Nihipdhl.exe File created C:\Windows\SysWOW64\Bcpcam32.dll Bombmcec.exe File opened for modification C:\Windows\SysWOW64\Jdodkebj.exe Jnelok32.exe File created C:\Windows\SysWOW64\Mmddqemj.dll Ojigdcll.exe File created C:\Windows\SysWOW64\Qmfqknfm.dll Process not Found File created C:\Windows\SysWOW64\Ifgldfio.exe Iomcgl32.exe File created C:\Windows\SysWOW64\Akejpg32.dll Jkmgblok.exe File created C:\Windows\SysWOW64\Hnnhejgh.dll Pmoiqneg.exe File created C:\Windows\SysWOW64\Ppdbgncl.exe Process not Found File created C:\Windows\SysWOW64\Jbbfdfkn.exe Jkhngl32.exe File opened for modification C:\Windows\SysWOW64\Ajeadd32.exe Aggegh32.exe File created C:\Windows\SysWOW64\Gigheh32.exe Ggilil32.exe File created C:\Windows\SysWOW64\Kecabifp.exe Kbddfmgl.exe File created C:\Windows\SysWOW64\Nmocfo32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kofkbk32.exe Process not Found File created C:\Windows\SysWOW64\Dodfed32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Imfdff32.exe Icnpmp32.exe File created C:\Windows\SysWOW64\Gifhkeje.dll Dmgbnq32.exe File created C:\Windows\SysWOW64\Fcmpdfhi.dll Lgffic32.exe File opened for modification C:\Windows\SysWOW64\Lcggio32.exe Lmmolepp.exe File created C:\Windows\SysWOW64\Enigke32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fndpmndl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfjola32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gmjlcj32.exe Gdcdbl32.exe File created C:\Windows\SysWOW64\Famjkl32.exe Fggfnc32.exe File opened for modification C:\Windows\SysWOW64\Ifgldfio.exe Iomcgl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4352 4252 Process not Found 1691 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlieda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdihjfbe.dll" Fljcmlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pekbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnnfbmk.dll" Ijcahd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqcjepfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpnmbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhicpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Bomkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjliff32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadbk32.dll" Fhemmlhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdcmnil.dll" Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnhpoamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocpgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaefgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhqcam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclknk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjqcaao.dll" Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmfnpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifleoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll" Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aainof32.dll" Eleiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll" Bnkgeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehfjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqindg32.dll" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnicfelf.dll" Pbddcoei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Folaiqng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dblgpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghkeio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kedoge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eocenh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1588 wrote to memory of 1568 1588 6046546f24a081b5c8df8bd27a1b5fb0_NeikiAnalytics.exe 81 PID 1588 wrote to memory of 1568 1588 6046546f24a081b5c8df8bd27a1b5fb0_NeikiAnalytics.exe 81 PID 1588 wrote to memory of 1568 1588 6046546f24a081b5c8df8bd27a1b5fb0_NeikiAnalytics.exe 81 PID 1568 wrote to memory of 680 1568 Pjdilcla.exe 82 PID 1568 wrote to memory of 680 1568 Pjdilcla.exe 82 PID 1568 wrote to memory of 680 1568 Pjdilcla.exe 82 PID 680 wrote to memory of 740 680 Pqnaim32.exe 84 PID 680 wrote to memory of 740 680 Pqnaim32.exe 84 PID 680 wrote to memory of 740 680 Pqnaim32.exe 84 PID 740 wrote to memory of 2052 740 Pghieg32.exe 85 PID 740 wrote to memory of 2052 740 Pghieg32.exe 85 PID 740 wrote to memory of 2052 740 Pghieg32.exe 85 PID 2052 wrote to memory of 1332 2052 Pnbbbabh.exe 86 PID 2052 wrote to memory of 1332 2052 Pnbbbabh.exe 86 PID 2052 wrote to memory of 1332 2052 Pnbbbabh.exe 86 PID 1332 wrote to memory of 1152 1332 Pqpnombl.exe 88 PID 1332 wrote to memory of 1152 1332 Pqpnombl.exe 88 PID 1332 wrote to memory of 1152 1332 Pqpnombl.exe 88 PID 1152 wrote to memory of 2784 1152 Pkfblfab.exe 89 PID 1152 wrote to memory of 2784 1152 Pkfblfab.exe 89 PID 1152 wrote to memory of 2784 1152 Pkfblfab.exe 89 PID 2784 wrote to memory of 4992 2784 Pndohaqe.exe 90 PID 2784 wrote to memory of 4992 2784 Pndohaqe.exe 90 PID 2784 wrote to memory of 4992 2784 Pndohaqe.exe 90 PID 4992 wrote to memory of 2908 4992 Pcagphom.exe 92 PID 4992 wrote to memory of 2908 4992 Pcagphom.exe 92 PID 4992 wrote to memory of 2908 4992 Pcagphom.exe 92 PID 2908 wrote to memory of 1680 2908 Pnfkma32.exe 93 PID 2908 wrote to memory of 1680 2908 Pnfkma32.exe 93 PID 2908 wrote to memory of 1680 2908 Pnfkma32.exe 93 PID 1680 wrote to memory of 4924 1680 Paegjl32.exe 94 PID 1680 wrote to memory of 4924 1680 Paegjl32.exe 94 PID 1680 wrote to memory of 4924 1680 Paegjl32.exe 94 PID 4924 wrote to memory of 2832 4924 Pgopffec.exe 95 PID 4924 wrote to memory of 2832 4924 Pgopffec.exe 95 PID 4924 wrote to memory of 2832 4924 Pgopffec.exe 95 PID 2832 wrote to memory of 868 2832 Pbddcoei.exe 96 PID 2832 wrote to memory of 868 2832 Pbddcoei.exe 96 PID 2832 wrote to memory of 868 2832 Pbddcoei.exe 96 PID 868 wrote to memory of 5096 868 Qcepkg32.exe 97 PID 868 wrote to memory of 5096 868 Qcepkg32.exe 97 PID 868 wrote to memory of 5096 868 Qcepkg32.exe 97 PID 5096 wrote to memory of 2004 5096 Qkmhlekj.exe 98 PID 5096 wrote to memory of 2004 5096 Qkmhlekj.exe 98 PID 5096 wrote to memory of 2004 5096 Qkmhlekj.exe 98 PID 2004 wrote to memory of 232 2004 Qnkdhpjn.exe 99 PID 2004 wrote to memory of 232 2004 Qnkdhpjn.exe 99 PID 2004 wrote to memory of 232 2004 Qnkdhpjn.exe 99 PID 232 wrote to memory of 3036 232 Qchmagie.exe 100 PID 232 wrote to memory of 3036 232 Qchmagie.exe 100 PID 232 wrote to memory of 3036 232 Qchmagie.exe 100 PID 3036 wrote to memory of 5084 3036 Qnnanphk.exe 101 PID 3036 wrote to memory of 5084 3036 Qnnanphk.exe 101 PID 3036 wrote to memory of 5084 3036 Qnnanphk.exe 101 PID 5084 wrote to memory of 2824 5084 Qalnjkgo.exe 102 PID 5084 wrote to memory of 2824 5084 Qalnjkgo.exe 102 PID 5084 wrote to memory of 2824 5084 Qalnjkgo.exe 102 PID 2824 wrote to memory of 1488 2824 Alabgd32.exe 103 PID 2824 wrote to memory of 1488 2824 Alabgd32.exe 103 PID 2824 wrote to memory of 1488 2824 Alabgd32.exe 103 PID 1488 wrote to memory of 4760 1488 Aanjpk32.exe 104 PID 1488 wrote to memory of 4760 1488 Aanjpk32.exe 104 PID 1488 wrote to memory of 4760 1488 Aanjpk32.exe 104 PID 4760 wrote to memory of 2444 4760 Ahhblemi.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\6046546f24a081b5c8df8bd27a1b5fb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6046546f24a081b5c8df8bd27a1b5fb0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe23⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe24⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe25⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe27⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe28⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe29⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe31⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe32⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe33⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe34⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe35⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe36⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe37⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe38⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe39⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe40⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe41⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe42⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe43⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe44⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe45⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe46⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe47⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe48⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe49⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe50⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe51⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe52⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe53⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe54⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe55⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe56⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe57⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe58⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe59⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe60⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe61⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe62⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe63⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe64⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe65⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe66⤵PID:440
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe67⤵PID:3764
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe68⤵PID:2988
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe69⤵PID:1512
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe70⤵PID:2892
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe71⤵PID:3256
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe72⤵PID:336
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe73⤵PID:1436
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe74⤵PID:3952
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe75⤵PID:1564
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe76⤵PID:4572
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe77⤵PID:2692
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe78⤵PID:1400
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe79⤵PID:4504
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe80⤵PID:2324
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe81⤵PID:5092
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe82⤵PID:4972
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe83⤵PID:1028
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe84⤵
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe85⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3424 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe87⤵PID:3476
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe88⤵PID:4764
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe90⤵PID:1744
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe91⤵PID:2024
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe92⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe93⤵PID:1840
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe94⤵PID:1216
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe95⤵PID:4304
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe96⤵PID:3532
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe97⤵PID:1788
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe98⤵PID:2812
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe99⤵PID:640
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe100⤵PID:5168
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe101⤵
- Modifies registry class
PID:5212 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe102⤵PID:5256
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe103⤵PID:5296
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe104⤵PID:5344
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe105⤵PID:5388
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe106⤵PID:5432
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe107⤵PID:5472
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe108⤵PID:5512
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe109⤵PID:5564
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe110⤵PID:5604
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe111⤵PID:5644
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe112⤵PID:5696
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe113⤵PID:5736
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe114⤵PID:5784
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe115⤵PID:5824
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe116⤵PID:5872
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe117⤵PID:5916
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5956 -
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe119⤵
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe120⤵PID:6044
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe121⤵PID:6088
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe122⤵PID:6132
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-