Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 00:03
Behavioral task
behavioral1
Sample
3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe
-
Size
3.7MB
-
MD5
3b436634841af88f8cac32d59e71dcb0
-
SHA1
9d1ddd6d9b13d22aac29b1560cefe7a9ae3db544
-
SHA256
78921dd0aca44a2bff89c63b13bf5c047bf4b62f4efdb7a6e92777df6c2db349
-
SHA512
44d055d59eb46f39903e249b5fac90000e356d7569ce32c89b72da8839a2a17e6568be035b5e4f7047b43564637c7a9c8788455de00b3005c85ad2074bc621d8
-
SSDEEP
98304:P6r6HaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjvha/4wzlF65T:vaSHFaZRBEYyqmS2DiHPKQgwUgUjvhoU
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomgjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifomll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkeio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnmin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olanmgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcpbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngmgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inkjhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igigla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipmfjee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbeidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jejefqaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oohnonij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgajfeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnbeeiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbmmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngndaccj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmokop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injmcmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daekdooc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidbij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkpma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llflea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cibmlmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibojhim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeodhjmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhjkabi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfelogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkmefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfoafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfqgab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbkgfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddifgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnlgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijchhbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmkiclm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnomg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cijpahho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indfca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbelcblk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehicoel.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000a000000023400-7.dat family_berbew behavioral2/files/0x0007000000023414-15.dat family_berbew behavioral2/files/0x0007000000023416-18.dat family_berbew behavioral2/files/0x0009000000023411-31.dat family_berbew behavioral2/files/0x0007000000023419-38.dat family_berbew behavioral2/files/0x000700000002341b-47.dat family_berbew behavioral2/files/0x000700000002341d-55.dat family_berbew behavioral2/files/0x000700000002341f-63.dat family_berbew behavioral2/files/0x0007000000023421-71.dat family_berbew behavioral2/files/0x0007000000023423-79.dat family_berbew behavioral2/files/0x0007000000023425-88.dat family_berbew behavioral2/files/0x0007000000023427-96.dat family_berbew behavioral2/files/0x0007000000023429-103.dat family_berbew behavioral2/files/0x0006000000022ac7-111.dat family_berbew behavioral2/files/0x000f000000023376-119.dat family_berbew behavioral2/files/0x000a000000023384-127.dat family_berbew behavioral2/files/0x0008000000023394-135.dat family_berbew behavioral2/files/0x0008000000023397-143.dat family_berbew behavioral2/files/0x000800000002339a-151.dat family_berbew behavioral2/files/0x000800000002339d-159.dat family_berbew behavioral2/files/0x00080000000233a0-168.dat family_berbew behavioral2/files/0x00080000000233a3-175.dat family_berbew behavioral2/files/0x000900000002342d-179.dat family_berbew behavioral2/files/0x000700000002342f-192.dat family_berbew behavioral2/files/0x0007000000023431-199.dat family_berbew behavioral2/files/0x0007000000023433-207.dat family_berbew behavioral2/files/0x0007000000023435-215.dat family_berbew behavioral2/files/0x0007000000023437-223.dat family_berbew behavioral2/files/0x0007000000023439-231.dat family_berbew behavioral2/files/0x000700000002343b-241.dat family_berbew behavioral2/files/0x000700000002343d-250.dat family_berbew behavioral2/files/0x000700000002343f-259.dat family_berbew behavioral2/files/0x000700000002345b-343.dat family_berbew behavioral2/files/0x000700000002347b-444.dat family_berbew behavioral2/files/0x0007000000023483-470.dat family_berbew behavioral2/files/0x0007000000023489-488.dat family_berbew behavioral2/files/0x0007000000023499-538.dat family_berbew behavioral2/files/0x00070000000234a1-563.dat family_berbew behavioral2/files/0x00070000000234a7-581.dat family_berbew behavioral2/files/0x00070000000234a9-589.dat family_berbew behavioral2/files/0x00070000000234b1-613.dat family_berbew behavioral2/files/0x00070000000234b3-620.dat family_berbew behavioral2/files/0x00070000000234b7-632.dat family_berbew behavioral2/files/0x00070000000234b9-639.dat family_berbew behavioral2/files/0x00070000000234bf-658.dat family_berbew behavioral2/files/0x00070000000234c1-665.dat family_berbew behavioral2/files/0x00070000000234c7-683.dat family_berbew behavioral2/files/0x00070000000234cb-695.dat family_berbew behavioral2/files/0x00070000000234cf-707.dat family_berbew behavioral2/files/0x00070000000234d5-730.dat family_berbew behavioral2/files/0x00070000000234d9-744.dat family_berbew behavioral2/files/0x00070000000234db-753.dat family_berbew behavioral2/files/0x00070000000234df-766.dat family_berbew behavioral2/files/0x00070000000234e7-795.dat family_berbew behavioral2/files/0x00070000000234f7-853.dat family_berbew behavioral2/files/0x00070000000234f9-861.dat family_berbew behavioral2/files/0x0007000000023501-892.dat family_berbew behavioral2/files/0x0007000000023515-965.dat family_berbew behavioral2/files/0x0007000000023519-978.dat family_berbew behavioral2/files/0x000700000002351f-1001.dat family_berbew behavioral2/files/0x0007000000023521-1009.dat family_berbew behavioral2/files/0x0007000000023529-1035.dat family_berbew behavioral2/files/0x000700000002352d-1051.dat family_berbew behavioral2/files/0x0007000000023533-1073.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2992 Kknafn32.exe 4256 Kpjjod32.exe 3128 Laciofpa.exe 3004 Mnocof32.exe 608 Ngpjnkpf.exe 4040 Ncgkcl32.exe 1064 Occkojkm.exe 4536 Pkaiqf32.exe 3600 Pghieg32.exe 3848 Pbddcoei.exe 4280 Qeemej32.exe 4620 Abkjdnoa.exe 2232 Acmflf32.exe 3832 Bhkhibmc.exe 1604 Ckcgkldl.exe 4940 Clbceo32.exe 3256 Deanodkh.exe 1520 Ekcpbj32.exe 2432 Elbmlmml.exe 1868 Elgfgl32.exe 2568 Fchddejl.exe 4856 Fhjfhl32.exe 1904 Gcagkdba.exe 4220 Gmoeoidl.exe 4008 Hkmefd32.exe 956 Ifjodl32.exe 5088 Jbeidl32.exe 4436 Jlbgha32.exe 4328 Kfoafi32.exe 2464 Klqcioba.exe 3160 Likjcbkc.exe 3576 Lphoelqn.exe 888 Mcpnhfhf.exe 3056 Miifeq32.exe 840 Ngmgne32.exe 4632 Npfkgjdn.exe 4664 Nnjlpo32.exe 4624 Ngbpidjh.exe 3012 Nnlhfn32.exe 3224 Ngdmod32.exe 396 Nnneknob.exe 4088 Nggjdc32.exe 1300 Ocnjidkf.exe 4116 Oncofm32.exe 632 Ocpgod32.exe 3544 Olhlhjpd.exe 2996 Oqfdnhfk.exe 3260 Oqhacgdh.exe 3528 Ofeilobp.exe 4672 Pqknig32.exe 724 Pjcbbmif.exe 4736 Pdifoehl.exe 4796 Pmdkch32.exe 1148 Pgioqq32.exe 4152 Pqbdjfln.exe 4660 Pfolbmje.exe 4188 Pdpmpdbd.exe 1192 Qqfmde32.exe 3040 Qjoankoi.exe 4608 Qcgffqei.exe 2068 Anmjcieo.exe 5028 Ageolo32.exe 1104 Afjlnk32.exe 4744 Acnlgp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hjjnae32.exe Hkeaqi32.exe File created C:\Windows\SysWOW64\Gdidcm32.dll Oadfkdgd.exe File created C:\Windows\SysWOW64\Lqkgbcff.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Ihejacdm.dll Mjkblhfo.exe File opened for modification C:\Windows\SysWOW64\Nmbjcljl.exe Mfhbga32.exe File created C:\Windows\SysWOW64\Fnebjidl.dll Lpepbgbd.exe File created C:\Windows\SysWOW64\Lcafnn32.dll Hkehkocf.exe File opened for modification C:\Windows\SysWOW64\Chdialdl.exe Boldhf32.exe File opened for modification C:\Windows\SysWOW64\Ehbnigjj.exe Enmjlojd.exe File created C:\Windows\SysWOW64\Eglkdbfn.dll Fiodpl32.exe File opened for modification C:\Windows\SysWOW64\Dkceokii.exe Ddjmba32.exe File created C:\Windows\SysWOW64\Boenhgdd.exe Bdojjo32.exe File created C:\Windows\SysWOW64\Mqhfoebo.exe Mjnnbk32.exe File created C:\Windows\SysWOW64\Gceegdko.dll Cnahdi32.exe File created C:\Windows\SysWOW64\Gekmam32.dll Dpgeee32.exe File opened for modification C:\Windows\SysWOW64\Kageaj32.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Lcfidb32.exe Lllagh32.exe File created C:\Windows\SysWOW64\Blfiei32.dll Pqbdjfln.exe File created C:\Windows\SysWOW64\Oofaiokl.exe Opadhb32.exe File created C:\Windows\SysWOW64\Boeebnhp.exe Bochmn32.exe File opened for modification C:\Windows\SysWOW64\Fneggdhg.exe Efgemb32.exe File created C:\Windows\SysWOW64\Ickglm32.exe Ilqoobdd.exe File created C:\Windows\SysWOW64\Mkfdhbpg.dll Beihma32.exe File created C:\Windows\SysWOW64\Akcaoeoo.dll Eoideh32.exe File created C:\Windows\SysWOW64\Hpdfnolo.exe Hjjnae32.exe File created C:\Windows\SysWOW64\Himnbjpd.dll Hoogfnnb.exe File opened for modification C:\Windows\SysWOW64\Ceehho32.exe Cfdhkhjj.exe File created C:\Windows\SysWOW64\Dbbffdlq.exe Dijbno32.exe File opened for modification C:\Windows\SysWOW64\Ekcpbj32.exe Deanodkh.exe File created C:\Windows\SysWOW64\Cnkkjh32.exe Chnbbqpn.exe File created C:\Windows\SysWOW64\Ghfedh32.dll Fbbicl32.exe File created C:\Windows\SysWOW64\Gckoph32.dll Hbhijepa.exe File created C:\Windows\SysWOW64\Bnoeha32.dll Hgelek32.exe File created C:\Windows\SysWOW64\Jekpanpa.dll Cfdhkhjj.exe File created C:\Windows\SysWOW64\Cibmlmeb.exe Cceddf32.exe File created C:\Windows\SysWOW64\Qjfmkk32.exe Pdmdnadc.exe File created C:\Windows\SysWOW64\Memcpg32.dll Jbeidl32.exe File created C:\Windows\SysWOW64\Jboqnpjm.dll Molelb32.exe File created C:\Windows\SysWOW64\Olanmgig.exe Oeheqm32.exe File opened for modification C:\Windows\SysWOW64\Cdlqqcnl.exe Cnahdi32.exe File created C:\Windows\SysWOW64\Ppioondd.dll Dnmhpg32.exe File opened for modification C:\Windows\SysWOW64\Amjbbfgo.exe Afpjel32.exe File created C:\Windows\SysWOW64\Hodlgn32.dll Fbgbnkfm.exe File opened for modification C:\Windows\SysWOW64\Mehjol32.exe Molelb32.exe File created C:\Windows\SysWOW64\Pcjiff32.exe Plndcl32.exe File opened for modification C:\Windows\SysWOW64\Igigla32.exe Icknfcol.exe File created C:\Windows\SysWOW64\Npdopj32.dll Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Jeocna32.exe Jaajhb32.exe File created C:\Windows\SysWOW64\Jnkcogno.exe Jecofa32.exe File opened for modification C:\Windows\SysWOW64\Ifdonfka.exe Inkjhi32.exe File opened for modification C:\Windows\SysWOW64\Diicml32.exe Dfhjkabi.exe File created C:\Windows\SysWOW64\Lmbhgd32.exe Lkalplel.exe File created C:\Windows\SysWOW64\Qbobmnod.dll Mkmkkjko.exe File opened for modification C:\Windows\SysWOW64\Paelfmaf.exe Olicnfco.exe File created C:\Windows\SysWOW64\Jhpicj32.dll Nfcabp32.exe File created C:\Windows\SysWOW64\Bhqndghj.dll Boldhf32.exe File created C:\Windows\SysWOW64\Miifeq32.exe Mcpnhfhf.exe File created C:\Windows\SysWOW64\Nhhdnf32.exe Noppeaed.exe File opened for modification C:\Windows\SysWOW64\Qcgffqei.exe Qjoankoi.exe File created C:\Windows\SysWOW64\Mhafeb32.exe Mbenmk32.exe File created C:\Windows\SysWOW64\Icdheded.exe Ingpmmgm.exe File created C:\Windows\SysWOW64\Mpolbbim.dll Nnafno32.exe File created C:\Windows\SysWOW64\Enpfan32.exe Ehbnigjj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7632 6848 WerFault.exe 755 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmflf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfedh32.dll" Fbbicl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgflfoob.dll" Gpkchqdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcqpq32.dll" Ghipne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohnonij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pofjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll" Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfljc32.dll" Fkmjaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgknhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnljan.dll" Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjhee32.dll" Meiioonj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geplnioe.dll" Elgfgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkabjbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkchelci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bahdob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooagno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagpdj32.dll" Edjgfcec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qebhhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgekdpbp.dll" Nlphbnoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaifkq.dll" Injmcmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleiba32.dll" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdigjdia.dll" Kjkpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpmmgb.dll" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaiilmd.dll" Lkofdbkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loeolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpgam32.dll" Lnjgfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afelhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfljoa32.dll" Afelhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqhfoebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljdkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll" Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbebofc.dll" Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbgeno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkegpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oampjeml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkkjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akamff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncgkcl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3740 wrote to memory of 2992 3740 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 82 PID 3740 wrote to memory of 2992 3740 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 82 PID 3740 wrote to memory of 2992 3740 3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe 82 PID 2992 wrote to memory of 4256 2992 Kknafn32.exe 83 PID 2992 wrote to memory of 4256 2992 Kknafn32.exe 83 PID 2992 wrote to memory of 4256 2992 Kknafn32.exe 83 PID 4256 wrote to memory of 3128 4256 Kpjjod32.exe 84 PID 4256 wrote to memory of 3128 4256 Kpjjod32.exe 84 PID 4256 wrote to memory of 3128 4256 Kpjjod32.exe 84 PID 3128 wrote to memory of 3004 3128 Laciofpa.exe 87 PID 3128 wrote to memory of 3004 3128 Laciofpa.exe 87 PID 3128 wrote to memory of 3004 3128 Laciofpa.exe 87 PID 3004 wrote to memory of 608 3004 Mnocof32.exe 88 PID 3004 wrote to memory of 608 3004 Mnocof32.exe 88 PID 3004 wrote to memory of 608 3004 Mnocof32.exe 88 PID 608 wrote to memory of 4040 608 Ngpjnkpf.exe 90 PID 608 wrote to memory of 4040 608 Ngpjnkpf.exe 90 PID 608 wrote to memory of 4040 608 Ngpjnkpf.exe 90 PID 4040 wrote to memory of 1064 4040 Ncgkcl32.exe 91 PID 4040 wrote to memory of 1064 4040 Ncgkcl32.exe 91 PID 4040 wrote to memory of 1064 4040 Ncgkcl32.exe 91 PID 1064 wrote to memory of 4536 1064 Occkojkm.exe 92 PID 1064 wrote to memory of 4536 1064 Occkojkm.exe 92 PID 1064 wrote to memory of 4536 1064 Occkojkm.exe 92 PID 4536 wrote to memory of 3600 4536 Pkaiqf32.exe 93 PID 4536 wrote to memory of 3600 4536 Pkaiqf32.exe 93 PID 4536 wrote to memory of 3600 4536 Pkaiqf32.exe 93 PID 3600 wrote to memory of 3848 3600 Pghieg32.exe 94 PID 3600 wrote to memory of 3848 3600 Pghieg32.exe 94 PID 3600 wrote to memory of 3848 3600 Pghieg32.exe 94 PID 3848 wrote to memory of 4280 3848 Pbddcoei.exe 95 PID 3848 wrote to memory of 4280 3848 Pbddcoei.exe 95 PID 3848 wrote to memory of 4280 3848 Pbddcoei.exe 95 PID 4280 wrote to memory of 4620 4280 Qeemej32.exe 96 PID 4280 wrote to memory of 4620 4280 Qeemej32.exe 96 PID 4280 wrote to memory of 4620 4280 Qeemej32.exe 96 PID 4620 wrote to memory of 2232 4620 Abkjdnoa.exe 97 PID 4620 wrote to memory of 2232 4620 Abkjdnoa.exe 97 PID 4620 wrote to memory of 2232 4620 Abkjdnoa.exe 97 PID 2232 wrote to memory of 3832 2232 Acmflf32.exe 99 PID 2232 wrote to memory of 3832 2232 Acmflf32.exe 99 PID 2232 wrote to memory of 3832 2232 Acmflf32.exe 99 PID 3832 wrote to memory of 1604 3832 Bhkhibmc.exe 101 PID 3832 wrote to memory of 1604 3832 Bhkhibmc.exe 101 PID 3832 wrote to memory of 1604 3832 Bhkhibmc.exe 101 PID 1604 wrote to memory of 4940 1604 Ckcgkldl.exe 102 PID 1604 wrote to memory of 4940 1604 Ckcgkldl.exe 102 PID 1604 wrote to memory of 4940 1604 Ckcgkldl.exe 102 PID 4940 wrote to memory of 3256 4940 Clbceo32.exe 103 PID 4940 wrote to memory of 3256 4940 Clbceo32.exe 103 PID 4940 wrote to memory of 3256 4940 Clbceo32.exe 103 PID 3256 wrote to memory of 1520 3256 Deanodkh.exe 104 PID 3256 wrote to memory of 1520 3256 Deanodkh.exe 104 PID 3256 wrote to memory of 1520 3256 Deanodkh.exe 104 PID 1520 wrote to memory of 2432 1520 Ekcpbj32.exe 105 PID 1520 wrote to memory of 2432 1520 Ekcpbj32.exe 105 PID 1520 wrote to memory of 2432 1520 Ekcpbj32.exe 105 PID 2432 wrote to memory of 1868 2432 Elbmlmml.exe 106 PID 2432 wrote to memory of 1868 2432 Elbmlmml.exe 106 PID 2432 wrote to memory of 1868 2432 Elbmlmml.exe 106 PID 1868 wrote to memory of 2568 1868 Elgfgl32.exe 107 PID 1868 wrote to memory of 2568 1868 Elgfgl32.exe 107 PID 1868 wrote to memory of 2568 1868 Elgfgl32.exe 107 PID 2568 wrote to memory of 4856 2568 Fchddejl.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3b436634841af88f8cac32d59e71dcb0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe23⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe24⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe25⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe27⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe29⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe31⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe32⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe33⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe37⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe38⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4624 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe40⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe41⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe42⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4088 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe44⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe45⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe46⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3544 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe48⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe50⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe51⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe52⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe53⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe54⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe55⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4152 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe57⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe58⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe59⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe61⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe62⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe63⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe64⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe66⤵PID:2052
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe67⤵PID:1596
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe68⤵PID:1092
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe69⤵PID:1292
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe70⤵PID:4960
-
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe71⤵PID:2868
-
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe72⤵PID:628
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe73⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe74⤵PID:2184
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe75⤵PID:1892
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe76⤵PID:2144
-
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe77⤵PID:3264
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe78⤵PID:940
-
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe79⤵
- Drops file in System32 directory
PID:4864 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe80⤵PID:3168
-
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe81⤵PID:4636
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe82⤵PID:3800
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe83⤵PID:880
-
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe84⤵PID:2636
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe85⤵PID:1312
-
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3384 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe87⤵PID:452
-
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe88⤵PID:2044
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe89⤵PID:1200
-
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe90⤵PID:3592
-
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe91⤵PID:3928
-
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe92⤵PID:4876
-
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe93⤵PID:2188
-
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe94⤵PID:1752
-
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe95⤵PID:4492
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe96⤵PID:3348
-
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe97⤵PID:2860
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe98⤵PID:224
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe99⤵
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe100⤵PID:332
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe101⤵PID:2700
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe102⤵PID:748
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe103⤵PID:4272
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe104⤵PID:1220
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe105⤵PID:2160
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe106⤵
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe107⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe108⤵PID:5180
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe110⤵PID:5268
-
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe112⤵PID:5364
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe113⤵PID:5408
-
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe114⤵PID:5456
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe115⤵PID:5500
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe116⤵PID:5544
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe117⤵PID:5588
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe118⤵PID:5636
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe119⤵
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe120⤵PID:5724
-
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe121⤵PID:5768
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe122⤵PID:5812
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-