Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:37
Behavioral task
behavioral1
Sample
60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
-
Target
60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe
-
Size
94KB
-
MD5
60e1796ea67f3dd43474078f14dfc9e0
-
SHA1
18e36078106418f620ced3eb0f7b2ff2c355495a
-
SHA256
0bde9adad9d49898d3cdb54fd6288385fbc24b3e71ff6aff0b1854118ac93d38
-
SHA512
6829951dc33101f792234e825ffe87a8fe891b97942f895f1d46f44914fee2cb023c505a93715a64512e377088dfce9f8105e288b746e236dfc86c04bfe08b92
-
SSDEEP
1536:L9t9acVlio4KbG/RXKxzPKZRtXP/f68sKndb/cLl2Lf4aIZTJ+7LhkiB0MPiKeEJ:JtUcVT4KbG/RXKxzsRN/f68ndLOWf4at
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjhgke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glinjqhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqbcbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djmima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhfcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Damfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejhef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcaeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aofjoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhccpci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deejpjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgpeha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhofbma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpipkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlicflic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncibg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imknli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hllcfnhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchhfild.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfdojfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnamofdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcccn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpgmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefcgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqpcjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kongmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pphckb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdjpcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknghk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlmegd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpdjpbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amikgpcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kejeebpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelajb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffoejkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegnol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekgqennl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdodbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ledepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmffnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debnjgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegchl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elhfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfgjbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limpiomm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkcccn32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000800000002323c-7.dat family_berbew behavioral2/files/0x0008000000023243-16.dat family_berbew behavioral2/files/0x0007000000023245-24.dat family_berbew behavioral2/files/0x0008000000023241-30.dat family_berbew behavioral2/files/0x0007000000023248-39.dat family_berbew behavioral2/files/0x000700000002324a-47.dat family_berbew behavioral2/files/0x000700000002324c-55.dat family_berbew behavioral2/files/0x000700000002324e-63.dat family_berbew behavioral2/files/0x0007000000023250-71.dat family_berbew behavioral2/files/0x0007000000023252-80.dat family_berbew behavioral2/files/0x0007000000023254-88.dat family_berbew behavioral2/files/0x0007000000023256-97.dat family_berbew behavioral2/files/0x0007000000023258-106.dat family_berbew behavioral2/files/0x000700000002325a-111.dat family_berbew behavioral2/files/0x000700000002325c-124.dat family_berbew behavioral2/files/0x000700000002325e-133.dat family_berbew behavioral2/files/0x0007000000023261-142.dat family_berbew behavioral2/files/0x0007000000023263-154.dat family_berbew behavioral2/files/0x0007000000023265-163.dat family_berbew behavioral2/files/0x0007000000023267-169.dat family_berbew behavioral2/files/0x0007000000023269-178.dat family_berbew behavioral2/files/0x000700000002326b-187.dat family_berbew behavioral2/files/0x000700000002326d-196.dat family_berbew behavioral2/files/0x000700000002326f-205.dat family_berbew behavioral2/files/0x0007000000023271-214.dat family_berbew behavioral2/files/0x0007000000023273-223.dat family_berbew behavioral2/files/0x0007000000023275-232.dat family_berbew behavioral2/files/0x0007000000023277-241.dat family_berbew behavioral2/files/0x0007000000023279-250.dat family_berbew behavioral2/files/0x000700000002327b-259.dat family_berbew behavioral2/files/0x000700000002327d-270.dat family_berbew behavioral2/files/0x000700000002327f-277.dat family_berbew behavioral2/files/0x0007000000023283-289.dat family_berbew behavioral2/files/0x0007000000023289-309.dat family_berbew behavioral2/files/0x000700000002328f-330.dat family_berbew behavioral2/files/0x0007000000023295-351.dat family_berbew behavioral2/files/0x00070000000232a1-393.dat family_berbew behavioral2/files/0x00070000000232a5-407.dat family_berbew behavioral2/files/0x00070000000232b0-442.dat family_berbew behavioral2/files/0x00070000000232bc-484.dat family_berbew behavioral2/files/0x00070000000232c0-498.dat family_berbew behavioral2/files/0x00070000000232c2-506.dat family_berbew behavioral2/files/0x00070000000232c8-526.dat family_berbew behavioral2/files/0x00070000000232cc-540.dat family_berbew behavioral2/files/0x00070000000232d0-555.dat family_berbew behavioral2/files/0x00070000000232d8-582.dat family_berbew behavioral2/files/0x00070000000232e4-624.dat family_berbew behavioral2/files/0x00070000000232e8-638.dat family_berbew behavioral2/files/0x00070000000232f2-673.dat family_berbew behavioral2/files/0x0007000000023307-735.dat family_berbew behavioral2/files/0x0007000000023311-770.dat family_berbew behavioral2/files/0x0008000000023318-798.dat family_berbew behavioral2/files/0x000700000002333d-903.dat family_berbew behavioral2/files/0x0007000000023347-936.dat family_berbew behavioral2/files/0x0007000000023359-999.dat family_berbew behavioral2/files/0x0007000000023361-1027.dat family_berbew behavioral2/files/0x0007000000023365-1041.dat family_berbew behavioral2/files/0x0007000000023371-1083.dat family_berbew behavioral2/files/0x0007000000023375-1097.dat family_berbew behavioral2/files/0x000700000002337f-1132.dat family_berbew behavioral2/files/0x0007000000023383-1146.dat family_berbew behavioral2/files/0x0008000000023395-1208.dat family_berbew behavioral2/files/0x000700000002339f-1242.dat family_berbew behavioral2/files/0x00070000000233a7-1267.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4940 Gehbjm32.exe 4428 Gpbpbecj.exe 3356 Gmfplibd.exe 3304 Hpiecd32.exe 3852 Hidgai32.exe 4752 Hpqldc32.exe 3792 Hoeieolb.exe 3380 Imiehfao.exe 2524 Imkbnf32.exe 2928 Iibccgep.exe 2348 Ieidhh32.exe 4828 Jleijb32.exe 1972 Jgmjmjnb.exe 1728 Johnamkm.exe 1844 Kcidmkpq.exe 3524 Kjgeedch.exe 2072 Ljceqb32.exe 4516 Mmmqhl32.exe 4092 Mgeakekd.exe 2532 Nnojho32.exe 2316 Nqpcjj32.exe 4596 Onmfimga.exe 3132 Oclkgccf.exe 4612 Pjpfjl32.exe 4656 Afpjel32.exe 4420 Aajhndkb.exe 3960 Bmeandma.exe 3560 Bdfpkm32.exe 1408 Cnhgjaml.exe 4708 Dkndie32.exe 4068 Dqnjgl32.exe 3036 Damfao32.exe 4252 Dqbcbkab.exe 824 Eoepebho.exe 4908 Eojiqb32.exe 3136 Fofilp32.exe 1808 Gokbgpeg.exe 2756 Gejhef32.exe 1496 Glfmgp32.exe 1624 Giljfddl.exe 4048 Hiacacpg.exe 1236 Hicpgc32.exe 5028 Ibqnkh32.exe 448 Ieccbbkn.exe 1712 Ibjqaf32.exe 1364 Jifecp32.exe 2064 Jeocna32.exe 4168 Johggfha.exe 512 Kifojnol.exe 4760 Lhnhajba.exe 744 Ledepn32.exe 1952 Loofnccf.exe 3632 Mjlalkmd.exe 3196 Mcfbkpab.exe 1948 Njbgmjgl.exe 3352 Njedbjej.exe 4584 Nfldgk32.exe 5040 Ncpeaoih.exe 4300 Nqfbpb32.exe 3528 Oqoefand.exe 4728 Oflmnh32.exe 4104 Paihlpfi.exe 4756 Acqgojmb.exe 4748 Amikgpcc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdicce32.dll Qnamofdf.exe File opened for modification C:\Windows\SysWOW64\Akjgdjoj.exe Ajjjjghg.exe File opened for modification C:\Windows\SysWOW64\Glpdjpbj.exe Gbhpajlj.exe File created C:\Windows\SysWOW64\Iibccgep.exe Imkbnf32.exe File opened for modification C:\Windows\SysWOW64\Iibccgep.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Cmmdfp32.dll Damfao32.exe File opened for modification C:\Windows\SysWOW64\Jcaeea32.exe Jcoioabf.exe File created C:\Windows\SysWOW64\Kaflio32.exe Kgngqico.exe File opened for modification C:\Windows\SysWOW64\Opjgidfa.exe Nmbhgjoi.exe File created C:\Windows\SysWOW64\Ppdjpcng.exe Ppamjcpj.exe File created C:\Windows\SysWOW64\Lbkggg32.dll Joobdfei.exe File opened for modification C:\Windows\SysWOW64\Pcpgmf32.exe Pmeoqlpl.exe File opened for modification C:\Windows\SysWOW64\Bikeni32.exe Aehbmk32.exe File created C:\Windows\SysWOW64\Abbiej32.exe Adnilfnl.exe File created C:\Windows\SysWOW64\Eojeodga.exe Dojlhg32.exe File created C:\Windows\SysWOW64\Jabajbcd.dll Akopoi32.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Iibccgep.exe File opened for modification C:\Windows\SysWOW64\Cdjlap32.exe Bedbhi32.exe File opened for modification C:\Windows\SysWOW64\Ddjehneg.exe Dgfdojfm.exe File created C:\Windows\SysWOW64\Lacbpccn.exe Lelajb32.exe File created C:\Windows\SysWOW64\Pipoedpc.dll Gjhonp32.exe File created C:\Windows\SysWOW64\Opjgidfa.exe Nmbhgjoi.exe File created C:\Windows\SysWOW64\Akopoi32.exe Anjpeelk.exe File created C:\Windows\SysWOW64\Gejhef32.exe Gokbgpeg.exe File created C:\Windows\SysWOW64\Defgao32.dll Acqgojmb.exe File created C:\Windows\SysWOW64\Clijablo.exe Cmbpjfij.exe File opened for modification C:\Windows\SysWOW64\Gqkajk32.exe Glmhdm32.exe File created C:\Windows\SysWOW64\Gjhonp32.exe Gfgjbb32.exe File created C:\Windows\SysWOW64\Ddegdohc.dll Knkcmild.exe File opened for modification C:\Windows\SysWOW64\Lhcjbfag.exe Ljoiibbm.exe File created C:\Windows\SysWOW64\Hqdkbakj.dll Ppamjcpj.exe File created C:\Windows\SysWOW64\Qnbidcgp.dll Aajhndkb.exe File created C:\Windows\SysWOW64\Ajdggc32.dll Giljfddl.exe File opened for modification C:\Windows\SysWOW64\Mjlalkmd.exe Loofnccf.exe File created C:\Windows\SysWOW64\Obcckehh.dll Iencmm32.exe File opened for modification C:\Windows\SysWOW64\Celgjlpn.exe Cbknhqbl.exe File created C:\Windows\SysWOW64\Dijppjfd.exe Celgjlpn.exe File created C:\Windows\SysWOW64\Dfoamm32.dll Iooimi32.exe File opened for modification C:\Windows\SysWOW64\Fgfmeg32.exe Enllgbcl.exe File created C:\Windows\SysWOW64\Fcpfdg32.dll Lacbpccn.exe File opened for modification C:\Windows\SysWOW64\Jginej32.exe Jfehpg32.exe File created C:\Windows\SysWOW64\Lifmdfkg.dll Dhfcae32.exe File opened for modification C:\Windows\SysWOW64\Ieccbbkn.exe Ibqnkh32.exe File created C:\Windows\SysWOW64\Lhnhajba.exe Kifojnol.exe File opened for modification C:\Windows\SysWOW64\Ncpeaoih.exe Nfldgk32.exe File created C:\Windows\SysWOW64\Jeaiij32.exe Icfmci32.exe File created C:\Windows\SysWOW64\Jomeoggk.exe Ihgnfnjl.exe File created C:\Windows\SysWOW64\Kialcj32.dll Pokanf32.exe File created C:\Windows\SysWOW64\Enllgbcl.exe Eilfldoi.exe File created C:\Windows\SysWOW64\Ippephla.dll Kffhakjp.exe File opened for modification C:\Windows\SysWOW64\Kaflio32.exe Kgngqico.exe File created C:\Windows\SysWOW64\Kjgeedch.exe Kcidmkpq.exe File created C:\Windows\SysWOW64\Dqnjgl32.exe Dkndie32.exe File opened for modification C:\Windows\SysWOW64\Gokbgpeg.exe Fofilp32.exe File opened for modification C:\Windows\SysWOW64\Kifojnol.exe Johggfha.exe File created C:\Windows\SysWOW64\Aceomp32.dll Kjopbd32.exe File opened for modification C:\Windows\SysWOW64\Mhefhf32.exe Lhcjbfag.exe File opened for modification C:\Windows\SysWOW64\Cjomldfp.exe Bjhgke32.exe File created C:\Windows\SysWOW64\Ihgnfnjl.exe Iooimi32.exe File opened for modification C:\Windows\SysWOW64\Hiinoc32.exe Giddddad.exe File created C:\Windows\SysWOW64\Eojiqb32.exe Eoepebho.exe File created C:\Windows\SysWOW64\Kmmcjnkq.dll Hiacacpg.exe File created C:\Windows\SysWOW64\Mcfbkpab.exe Mjlalkmd.exe File created C:\Windows\SysWOW64\Celgjlpn.exe Cbknhqbl.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 6460 6916 WerFault.exe 337 6604 6916 WerFault.exe 337 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imkbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfedh32.dll" Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejhef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhefhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnghhqdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pknghk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eelpqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll" Fncibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcljmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kceoppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kceoppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll" Hidgai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibqnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll" Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll" Cmbpjfij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjfmminc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbbfadn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhljen32.dll" Kejeebpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmbfiokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momael32.dll" Deejpjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkcccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmbhgjoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgqin32.dll" Nnojho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoepebho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgpeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khecje32.dll" Jjnaaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agqhik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Engaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll" Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgagm32.dll" Gbbkocid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiiigchq.dll" Jfehpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjbjlpga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogpoiia.dll" Llkjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqfolqna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akopoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kongmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll" Pcpgmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmbfiokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceomp32.dll" Kjopbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolmplcl.dll" Opjgidfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbaokim.dll" Gmfplibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afpjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbfkceca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hccggl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnapgjdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjdqhjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhhcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnbdofa.dll" Celgjlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcpgmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfanflne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jikjlg32.dll" Abbiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll" Acqgojmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nooikj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 412 wrote to memory of 4940 412 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 90 PID 412 wrote to memory of 4940 412 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 90 PID 412 wrote to memory of 4940 412 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 90 PID 4940 wrote to memory of 4428 4940 Gehbjm32.exe 91 PID 4940 wrote to memory of 4428 4940 Gehbjm32.exe 91 PID 4940 wrote to memory of 4428 4940 Gehbjm32.exe 91 PID 4428 wrote to memory of 3356 4428 Gpbpbecj.exe 92 PID 4428 wrote to memory of 3356 4428 Gpbpbecj.exe 92 PID 4428 wrote to memory of 3356 4428 Gpbpbecj.exe 92 PID 3356 wrote to memory of 3304 3356 Gmfplibd.exe 93 PID 3356 wrote to memory of 3304 3356 Gmfplibd.exe 93 PID 3356 wrote to memory of 3304 3356 Gmfplibd.exe 93 PID 3304 wrote to memory of 3852 3304 Hpiecd32.exe 94 PID 3304 wrote to memory of 3852 3304 Hpiecd32.exe 94 PID 3304 wrote to memory of 3852 3304 Hpiecd32.exe 94 PID 3852 wrote to memory of 4752 3852 Hidgai32.exe 95 PID 3852 wrote to memory of 4752 3852 Hidgai32.exe 95 PID 3852 wrote to memory of 4752 3852 Hidgai32.exe 95 PID 4752 wrote to memory of 3792 4752 Hpqldc32.exe 96 PID 4752 wrote to memory of 3792 4752 Hpqldc32.exe 96 PID 4752 wrote to memory of 3792 4752 Hpqldc32.exe 96 PID 3792 wrote to memory of 3380 3792 Hoeieolb.exe 97 PID 3792 wrote to memory of 3380 3792 Hoeieolb.exe 97 PID 3792 wrote to memory of 3380 3792 Hoeieolb.exe 97 PID 3380 wrote to memory of 2524 3380 Imiehfao.exe 98 PID 3380 wrote to memory of 2524 3380 Imiehfao.exe 98 PID 3380 wrote to memory of 2524 3380 Imiehfao.exe 98 PID 2524 wrote to memory of 2928 2524 Imkbnf32.exe 99 PID 2524 wrote to memory of 2928 2524 Imkbnf32.exe 99 PID 2524 wrote to memory of 2928 2524 Imkbnf32.exe 99 PID 2928 wrote to memory of 2348 2928 Iibccgep.exe 100 PID 2928 wrote to memory of 2348 2928 Iibccgep.exe 100 PID 2928 wrote to memory of 2348 2928 Iibccgep.exe 100 PID 2348 wrote to memory of 4828 2348 Ieidhh32.exe 101 PID 2348 wrote to memory of 4828 2348 Ieidhh32.exe 101 PID 2348 wrote to memory of 4828 2348 Ieidhh32.exe 101 PID 4828 wrote to memory of 1972 4828 Jleijb32.exe 102 PID 4828 wrote to memory of 1972 4828 Jleijb32.exe 102 PID 4828 wrote to memory of 1972 4828 Jleijb32.exe 102 PID 1972 wrote to memory of 1728 1972 Jgmjmjnb.exe 103 PID 1972 wrote to memory of 1728 1972 Jgmjmjnb.exe 103 PID 1972 wrote to memory of 1728 1972 Jgmjmjnb.exe 103 PID 1728 wrote to memory of 1844 1728 Johnamkm.exe 104 PID 1728 wrote to memory of 1844 1728 Johnamkm.exe 104 PID 1728 wrote to memory of 1844 1728 Johnamkm.exe 104 PID 1844 wrote to memory of 3524 1844 Kcidmkpq.exe 105 PID 1844 wrote to memory of 3524 1844 Kcidmkpq.exe 105 PID 1844 wrote to memory of 3524 1844 Kcidmkpq.exe 105 PID 3524 wrote to memory of 2072 3524 Kjgeedch.exe 106 PID 3524 wrote to memory of 2072 3524 Kjgeedch.exe 106 PID 3524 wrote to memory of 2072 3524 Kjgeedch.exe 106 PID 2072 wrote to memory of 4516 2072 Ljceqb32.exe 107 PID 2072 wrote to memory of 4516 2072 Ljceqb32.exe 107 PID 2072 wrote to memory of 4516 2072 Ljceqb32.exe 107 PID 4516 wrote to memory of 4092 4516 Mmmqhl32.exe 108 PID 4516 wrote to memory of 4092 4516 Mmmqhl32.exe 108 PID 4516 wrote to memory of 4092 4516 Mmmqhl32.exe 108 PID 4092 wrote to memory of 2532 4092 Mgeakekd.exe 109 PID 4092 wrote to memory of 2532 4092 Mgeakekd.exe 109 PID 4092 wrote to memory of 2532 4092 Mgeakekd.exe 109 PID 2532 wrote to memory of 2316 2532 Nnojho32.exe 110 PID 2532 wrote to memory of 2316 2532 Nnojho32.exe 110 PID 2532 wrote to memory of 2316 2532 Nnojho32.exe 110 PID 2316 wrote to memory of 4596 2316 Nqpcjj32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Imkbnf32.exeC:\Windows\system32\Imkbnf32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Nnojho32.exeC:\Windows\system32\Nnojho32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe23⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe25⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4656 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\Bmeandma.exeC:\Windows\system32\Bmeandma.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe29⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Cnhgjaml.exeC:\Windows\system32\Cnhgjaml.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4708 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Eoepebho.exeC:\Windows\system32\Eoepebho.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4908 -
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3136 -
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe40⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4048 -
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe43⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Ibqnkh32.exeC:\Windows\system32\Ibqnkh32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Ibjqaf32.exeC:\Windows\system32\Ibjqaf32.exe46⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Jifecp32.exeC:\Windows\system32\Jifecp32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Johggfha.exeC:\Windows\system32\Johggfha.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4168 -
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:512 -
C:\Windows\SysWOW64\Lhnhajba.exeC:\Windows\system32\Lhnhajba.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Ledepn32.exeC:\Windows\system32\Ledepn32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Mjlalkmd.exeC:\Windows\system32\Mjlalkmd.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3632 -
C:\Windows\SysWOW64\Mcfbkpab.exeC:\Windows\system32\Mcfbkpab.exe55⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe56⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4584 -
C:\Windows\SysWOW64\Ncpeaoih.exeC:\Windows\system32\Ncpeaoih.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Nqfbpb32.exeC:\Windows\system32\Nqfbpb32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Oqoefand.exeC:\Windows\system32\Oqoefand.exe61⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe62⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Paihlpfi.exeC:\Windows\system32\Paihlpfi.exe63⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Acqgojmb.exeC:\Windows\system32\Acqgojmb.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4756 -
C:\Windows\SysWOW64\Amikgpcc.exeC:\Windows\system32\Amikgpcc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe66⤵
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe67⤵PID:1716
-
C:\Windows\SysWOW64\Ccmcgcmp.exeC:\Windows\system32\Ccmcgcmp.exe68⤵PID:4340
-
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Ekgqennl.exeC:\Windows\system32\Ekgqennl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3880 -
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5036 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe72⤵PID:3952
-
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe73⤵
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Gbkdod32.exeC:\Windows\system32\Gbkdod32.exe74⤵PID:4976
-
C:\Windows\SysWOW64\Gbbkocid.exeC:\Windows\system32\Gbbkocid.exe75⤵
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe76⤵
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe77⤵PID:364
-
C:\Windows\SysWOW64\Hcljmj32.exeC:\Windows\system32\Hcljmj32.exe78⤵
- Modifies registry class
PID:4540 -
C:\Windows\SysWOW64\Iencmm32.exeC:\Windows\system32\Iencmm32.exe79⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Icfmci32.exeC:\Windows\system32\Icfmci32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4360 -
C:\Windows\SysWOW64\Jeaiij32.exeC:\Windows\system32\Jeaiij32.exe81⤵PID:3964
-
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe82⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe83⤵PID:4064
-
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Kkgdhp32.exeC:\Windows\system32\Kkgdhp32.exe85⤵PID:5180
-
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe86⤵PID:5224
-
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe87⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Lkcccn32.exeC:\Windows\system32\Lkcccn32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe89⤵PID:5352
-
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Nooikj32.exeC:\Windows\system32\Nooikj32.exe91⤵
- Modifies registry class
PID:5460 -
C:\Windows\SysWOW64\Oohkai32.exeC:\Windows\system32\Oohkai32.exe92⤵PID:5508
-
C:\Windows\SysWOW64\Pmeoqlpl.exeC:\Windows\system32\Pmeoqlpl.exe93⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5608 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe95⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe96⤵PID:5704
-
C:\Windows\SysWOW64\Qelcamcj.exeC:\Windows\system32\Qelcamcj.exe97⤵PID:5768
-
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe98⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe99⤵PID:5928
-
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5980 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe101⤵PID:6028
-
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe103⤵PID:6116
-
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5140 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5220 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe106⤵PID:5296
-
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5368 -
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe108⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe109⤵
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe110⤵PID:5620
-
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe111⤵
- Drops file in System32 directory
PID:5688 -
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe112⤵PID:224
-
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3532 -
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe114⤵
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe115⤵PID:6036
-
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe116⤵PID:6108
-
C:\Windows\SysWOW64\Imknli32.exeC:\Windows\system32\Imknli32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe118⤵PID:5276
-
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe119⤵PID:5380
-
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe120⤵PID:5496
-
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe121⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe122⤵
- Drops file in System32 directory
PID:796
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-