Analysis
-
max time kernel
144s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
14/05/2024, 10:12
Behavioral task
behavioral1
Sample
c25000d1be40d2a16db3635b65302cc0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c25000d1be40d2a16db3635b65302cc0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c25000d1be40d2a16db3635b65302cc0_NeikiAnalytics.exe
-
Size
768KB
-
MD5
c25000d1be40d2a16db3635b65302cc0
-
SHA1
503de0b4bebd0b5c21a88b48e9fc09311aba0fdf
-
SHA256
2dcbd5ae17f8f6b2ffbf960457b866064bfc466f5523c818aeb165717388ab50
-
SHA512
88c1ba197242bb2d362b4148c6ccc46310c3c5cee88be4d0d75b50a02f627672f3c64dae4cdd1a9d3901fe0f8e83bdb67d2e854386cdf62f39cce7cd83f500fc
-
SSDEEP
12288:3fvu6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZX:eq5h3q5htaSHFaZRBEYyqmaf2qwiHPKu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqipio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgccinoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpablkhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgeihcme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoifflkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbiado32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqfdnhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chokikeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folaiqng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhhcomg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimhjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nloiakho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfkfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flkdfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdnldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nliaao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpqkad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhpla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkeldnpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njghbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injmcmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmhpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbaipkbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmcdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaboe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnqpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghipne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgihfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bihjfnmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekiqccc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmcolgbj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000800000002343a-7.dat family_berbew behavioral2/files/0x0007000000023441-15.dat family_berbew behavioral2/files/0x0007000000023444-24.dat family_berbew behavioral2/files/0x0007000000023446-31.dat family_berbew behavioral2/files/0x0007000000023448-39.dat family_berbew behavioral2/files/0x000700000002344a-49.dat family_berbew behavioral2/files/0x000700000002344c-55.dat family_berbew behavioral2/files/0x0007000000023450-72.dat family_berbew behavioral2/files/0x000700000002344e-64.dat family_berbew behavioral2/files/0x0007000000023452-79.dat family_berbew behavioral2/files/0x000800000002343e-87.dat family_berbew behavioral2/files/0x0007000000023455-95.dat family_berbew behavioral2/files/0x0007000000023457-104.dat family_berbew behavioral2/files/0x000700000002345a-111.dat family_berbew behavioral2/files/0x000700000002345c-120.dat family_berbew behavioral2/files/0x000700000002345e-128.dat family_berbew behavioral2/files/0x0007000000023460-136.dat family_berbew behavioral2/files/0x0007000000023462-143.dat family_berbew behavioral2/files/0x0007000000023464-149.dat family_berbew behavioral2/files/0x0007000000023466-157.dat family_berbew behavioral2/files/0x000700000002346a-171.dat family_berbew behavioral2/files/0x0007000000023478-219.dat family_berbew behavioral2/files/0x000700000002347e-241.dat family_berbew behavioral2/files/0x000700000002347c-234.dat family_berbew behavioral2/files/0x000700000002347a-227.dat family_berbew behavioral2/files/0x0007000000023476-213.dat family_berbew behavioral2/files/0x0007000000023474-206.dat family_berbew behavioral2/files/0x0007000000023472-199.dat family_berbew behavioral2/files/0x0007000000023470-192.dat family_berbew behavioral2/files/0x000700000002346e-185.dat family_berbew behavioral2/files/0x000700000002346c-178.dat family_berbew behavioral2/files/0x0007000000023468-164.dat family_berbew behavioral2/files/0x00070000000234de-540.dat family_berbew behavioral2/files/0x00070000000234e6-563.dat family_berbew behavioral2/files/0x00070000000234f4-605.dat family_berbew behavioral2/files/0x0007000000023502-653.dat family_berbew behavioral2/files/0x000700000002350a-678.dat family_berbew behavioral2/files/0x0007000000023536-810.dat family_berbew behavioral2/files/0x000700000002353c-828.dat family_berbew behavioral2/files/0x0007000000023556-918.dat family_berbew behavioral2/files/0x0007000000023599-1145.dat family_berbew behavioral2/files/0x00070000000235bd-1267.dat family_berbew behavioral2/files/0x00070000000235c3-1287.dat family_berbew behavioral2/files/0x00070000000235cf-1325.dat family_berbew behavioral2/files/0x00070000000235d3-1338.dat family_berbew behavioral2/files/0x00070000000235e5-1395.dat family_berbew behavioral2/files/0x00070000000235ee-1426.dat family_berbew behavioral2/files/0x00070000000235f8-1457.dat family_berbew behavioral2/files/0x0007000000023604-1489.dat family_berbew behavioral2/files/0x0007000000023616-1555.dat family_berbew behavioral2/files/0x000700000002361a-1569.dat family_berbew behavioral2/files/0x000700000002362b-1618.dat family_berbew behavioral2/files/0x000700000002362f-1631.dat family_berbew behavioral2/files/0x0007000000023639-1663.dat family_berbew behavioral2/files/0x0004000000022e35-1831.dat family_berbew behavioral2/files/0x000700000002366e-1882.dat family_berbew behavioral2/files/0x0007000000023672-1895.dat family_berbew behavioral2/files/0x000700000002368d-1991.dat family_berbew behavioral2/files/0x000700000002369c-2047.dat family_berbew behavioral2/files/0x000700000002369e-2057.dat family_berbew behavioral2/files/0x00070000000236a2-2070.dat family_berbew behavioral2/files/0x00070000000236fb-2376.dat family_berbew behavioral2/files/0x0007000000023733-2564.dat family_berbew behavioral2/files/0x000700000002373b-2591.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3768 Jpnchp32.exe 4856 Jfhlejnh.exe 3172 Jmbdbd32.exe 3964 Jpppnp32.exe 4192 Kbaipkbi.exe 1244 Kpeiioac.exe 692 Kebbafoj.exe 3064 Lffhfh32.exe 4680 Liddbc32.exe 3856 Llcpoo32.exe 1404 Lmdina32.exe 1564 Lbabgh32.exe 3616 Likjcbkc.exe 4812 Lingibiq.exe 2320 Mbfkbhpa.exe 4516 Medgncoe.exe 3328 Mmlpoqpg.exe 3532 Mpjlklok.exe 640 Mibpda32.exe 1096 Mmnldp32.exe 3248 Mlampmdo.exe 3472 Mdhdajea.exe 3740 Mgfqmfde.exe 4928 Meiaib32.exe 2692 Mmpijp32.exe 844 Mlcifmbl.exe 2848 Mdjagjco.exe 1376 Mcmabg32.exe 424 Melnob32.exe 4476 Mmbfpp32.exe 2732 Mlefklpj.exe 2020 Mpablkhc.exe 3828 Mcpnhfhf.exe 5008 Mgkjhe32.exe 2064 Miifeq32.exe 1544 Mnebeogl.exe 3052 Npcoakfp.exe 1516 Ndokbi32.exe 228 Ngmgne32.exe 2360 Nilcjp32.exe 1808 Nngokoej.exe 1916 Npfkgjdn.exe 1836 Ndaggimg.exe 1316 Ngpccdlj.exe 2792 Nebdoa32.exe 1860 Nnjlpo32.exe 3320 Nlmllkja.exe 400 Ndcdmikd.exe 4744 Ncfdie32.exe 3500 Neeqea32.exe 1196 Nnlhfn32.exe 4788 Nloiakho.exe 1500 Ndfqbhia.exe 624 Ncianepl.exe 4740 Nfgmjqop.exe 1252 Nnneknob.exe 2616 Npmagine.exe 4836 Ndhmhh32.exe 3728 Nggjdc32.exe 3700 Njefqo32.exe 3148 Nnqbanmo.exe 4088 Ogifjcdp.exe 1908 Ojjolnaq.exe 1028 Oneklm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mnfnlf32.exe Mjkblhfo.exe File created C:\Windows\SysWOW64\Klqcmdnk.dll Hffken32.exe File opened for modification C:\Windows\SysWOW64\Njefqo32.exe Nggjdc32.exe File created C:\Windows\SysWOW64\Jgilhm32.dll Chcddk32.exe File opened for modification C:\Windows\SysWOW64\Dodbbdbb.exe Dkifae32.exe File created C:\Windows\SysWOW64\Bfjnjcni.exe Bclang32.exe File created C:\Windows\SysWOW64\Jfhepbll.dll Dpnkdq32.exe File created C:\Windows\SysWOW64\Momkkhch.dll Fdglmkeg.exe File created C:\Windows\SysWOW64\Mmacdg32.dll Kgdpni32.exe File created C:\Windows\SysWOW64\Godcje32.dll Process not Found File created C:\Windows\SysWOW64\Hjcbmgnb.dll Process not Found File created C:\Windows\SysWOW64\Alcidkmm.dll Dfknkg32.exe File opened for modification C:\Windows\SysWOW64\Ggeboaob.exe Gfdfgiid.exe File created C:\Windows\SysWOW64\Ecbjkngo.exe Dlkbjqgm.exe File created C:\Windows\SysWOW64\Blqllqqa.exe Bdickcpo.exe File created C:\Windows\SysWOW64\Bboffejp.exe Process not Found File created C:\Windows\SysWOW64\Hjlena32.dll Aabmqd32.exe File created C:\Windows\SysWOW64\Lmbhgd32.exe Lnohlgep.exe File opened for modification C:\Windows\SysWOW64\Ocdjpmac.exe Oohnonij.exe File created C:\Windows\SysWOW64\Kmnoab32.dll Knbbep32.exe File created C:\Windows\SysWOW64\Fpggamqc.exe Fmikeaap.exe File created C:\Windows\SysWOW64\Bdlgcp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eaceghcg.exe Process not Found File created C:\Windows\SysWOW64\Epndknin.exe Elbhjp32.exe File opened for modification C:\Windows\SysWOW64\Kdigadjo.exe Kmaopfjm.exe File created C:\Windows\SysWOW64\Fpejkd32.dll Gncchb32.exe File created C:\Windows\SysWOW64\Bhmbqm32.exe Process not Found File created C:\Windows\SysWOW64\Aibibp32.exe Process not Found File created C:\Windows\SysWOW64\Cogflbdn.dll Dhhnpjmh.exe File created C:\Windows\SysWOW64\Edpgli32.exe Emeoooml.exe File created C:\Windows\SysWOW64\Bpnihiio.exe Bmomlnjk.exe File created C:\Windows\SysWOW64\Nfnamjhk.exe Process not Found File created C:\Windows\SysWOW64\Eddnic32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lhkgoiqe.exe Locbfd32.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Process not Found File created C:\Windows\SysWOW64\Egilaj32.dll Process not Found File created C:\Windows\SysWOW64\Ockdmmoj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ikkpgafg.exe Igpdfb32.exe File created C:\Windows\SysWOW64\Gapjhc32.dll Igpdfb32.exe File opened for modification C:\Windows\SysWOW64\Nloiakho.exe Nnlhfn32.exe File opened for modification C:\Windows\SysWOW64\Oneklm32.exe Ojjolnaq.exe File created C:\Windows\SysWOW64\Fnckpmql.exe Fkeodaai.exe File created C:\Windows\SysWOW64\Mkjkef32.dll Inmgmijo.exe File created C:\Windows\SysWOW64\Lpekef32.exe Lhncdi32.exe File created C:\Windows\SysWOW64\Clkbmh32.dll Nliaao32.exe File created C:\Windows\SysWOW64\Fkcboack.exe Fdijbg32.exe File opened for modification C:\Windows\SysWOW64\Opeiadfg.exe Process not Found File created C:\Windows\SysWOW64\Olqjha32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bqmeal32.exe Bmbiamhi.exe File created C:\Windows\SysWOW64\Plndcl32.exe Piphgq32.exe File opened for modification C:\Windows\SysWOW64\Lmdemd32.exe Lnadagbm.exe File created C:\Windows\SysWOW64\Lgjijmin.exe Lekmnajj.exe File created C:\Windows\SysWOW64\Fofdocoe.dll Dijbno32.exe File created C:\Windows\SysWOW64\Igjeanmj.exe Ifgldfio.exe File created C:\Windows\SysWOW64\Pckppl32.exe Ppmcdq32.exe File opened for modification C:\Windows\SysWOW64\Fhofmq32.exe Faenpf32.exe File opened for modification C:\Windows\SysWOW64\Knenkbio.exe Kfnfjehl.exe File created C:\Windows\SysWOW64\Aaoaic32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pjjhbl32.exe Pgllfp32.exe File created C:\Windows\SysWOW64\Mecjif32.exe Mjneln32.exe File created C:\Windows\SysWOW64\Kcejco32.exe Kdbjhbbd.exe File opened for modification C:\Windows\SysWOW64\Ppjbmc32.exe Process not Found File created C:\Windows\SysWOW64\Eibfck32.exe Ehailbaa.exe File created C:\Windows\SysWOW64\Ecjddk32.dll Efmmmn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13788 9676 Process not Found 1511 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobfem32.dll" Jgonlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhehh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjddk32.dll" Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll" Oddmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhcelbo.dll" Hdlpneli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmloej32.dll" Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becnaq32.dll" Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcondbo.dll" Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlljcfl.dll" Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akeodedd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdbcaok.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmqmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hglipp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknfplei.dll" Gaadfkgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjfmjln.dll" Jglklggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aehgnied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidabppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiieicml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll" Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbelofc.dll" Ehiffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Napjdpcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kinmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejoomhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhgbbj.dll" Opadhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appnje32.dll" Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Melmcj32.dll" Oampjeml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llobhg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bomkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mieced32.dll" Malgcg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4340 wrote to memory of 3768 4340 c25000d1be40d2a16db3635b65302cc0_NeikiAnalytics.exe 85 PID 4340 wrote to memory of 3768 4340 c25000d1be40d2a16db3635b65302cc0_NeikiAnalytics.exe 85 PID 4340 wrote to memory of 3768 4340 c25000d1be40d2a16db3635b65302cc0_NeikiAnalytics.exe 85 PID 3768 wrote to memory of 4856 3768 Jpnchp32.exe 86 PID 3768 wrote to memory of 4856 3768 Jpnchp32.exe 86 PID 3768 wrote to memory of 4856 3768 Jpnchp32.exe 86 PID 4856 wrote to memory of 3172 4856 Jfhlejnh.exe 87 PID 4856 wrote to memory of 3172 4856 Jfhlejnh.exe 87 PID 4856 wrote to memory of 3172 4856 Jfhlejnh.exe 87 PID 3172 wrote to memory of 3964 3172 Jmbdbd32.exe 88 PID 3172 wrote to memory of 3964 3172 Jmbdbd32.exe 88 PID 3172 wrote to memory of 3964 3172 Jmbdbd32.exe 88 PID 3964 wrote to memory of 4192 3964 Jpppnp32.exe 89 PID 3964 wrote to memory of 4192 3964 Jpppnp32.exe 89 PID 3964 wrote to memory of 4192 3964 Jpppnp32.exe 89 PID 4192 wrote to memory of 1244 4192 Kbaipkbi.exe 90 PID 4192 wrote to memory of 1244 4192 Kbaipkbi.exe 90 PID 4192 wrote to memory of 1244 4192 Kbaipkbi.exe 90 PID 1244 wrote to memory of 692 1244 Kpeiioac.exe 91 PID 1244 wrote to memory of 692 1244 Kpeiioac.exe 91 PID 1244 wrote to memory of 692 1244 Kpeiioac.exe 91 PID 692 wrote to memory of 3064 692 Kebbafoj.exe 92 PID 692 wrote to memory of 3064 692 Kebbafoj.exe 92 PID 692 wrote to memory of 3064 692 Kebbafoj.exe 92 PID 3064 wrote to memory of 4680 3064 Lffhfh32.exe 93 PID 3064 wrote to memory of 4680 3064 Lffhfh32.exe 93 PID 3064 wrote to memory of 4680 3064 Lffhfh32.exe 93 PID 4680 wrote to memory of 3856 4680 Liddbc32.exe 94 PID 4680 wrote to memory of 3856 4680 Liddbc32.exe 94 PID 4680 wrote to memory of 3856 4680 Liddbc32.exe 94 PID 3856 wrote to memory of 1404 3856 Llcpoo32.exe 96 PID 3856 wrote to memory of 1404 3856 Llcpoo32.exe 96 PID 3856 wrote to memory of 1404 3856 Llcpoo32.exe 96 PID 1404 wrote to memory of 1564 1404 Lmdina32.exe 97 PID 1404 wrote to memory of 1564 1404 Lmdina32.exe 97 PID 1404 wrote to memory of 1564 1404 Lmdina32.exe 97 PID 1564 wrote to memory of 3616 1564 Lbabgh32.exe 98 PID 1564 wrote to memory of 3616 1564 Lbabgh32.exe 98 PID 1564 wrote to memory of 3616 1564 Lbabgh32.exe 98 PID 3616 wrote to memory of 4812 3616 Likjcbkc.exe 100 PID 3616 wrote to memory of 4812 3616 Likjcbkc.exe 100 PID 3616 wrote to memory of 4812 3616 Likjcbkc.exe 100 PID 4812 wrote to memory of 2320 4812 Lingibiq.exe 101 PID 4812 wrote to memory of 2320 4812 Lingibiq.exe 101 PID 4812 wrote to memory of 2320 4812 Lingibiq.exe 101 PID 2320 wrote to memory of 4516 2320 Mbfkbhpa.exe 102 PID 2320 wrote to memory of 4516 2320 Mbfkbhpa.exe 102 PID 2320 wrote to memory of 4516 2320 Mbfkbhpa.exe 102 PID 4516 wrote to memory of 3328 4516 Medgncoe.exe 103 PID 4516 wrote to memory of 3328 4516 Medgncoe.exe 103 PID 4516 wrote to memory of 3328 4516 Medgncoe.exe 103 PID 3328 wrote to memory of 3532 3328 Mmlpoqpg.exe 104 PID 3328 wrote to memory of 3532 3328 Mmlpoqpg.exe 104 PID 3328 wrote to memory of 3532 3328 Mmlpoqpg.exe 104 PID 3532 wrote to memory of 640 3532 Mpjlklok.exe 105 PID 3532 wrote to memory of 640 3532 Mpjlklok.exe 105 PID 3532 wrote to memory of 640 3532 Mpjlklok.exe 105 PID 640 wrote to memory of 1096 640 Mibpda32.exe 106 PID 640 wrote to memory of 1096 640 Mibpda32.exe 106 PID 640 wrote to memory of 1096 640 Mibpda32.exe 106 PID 1096 wrote to memory of 3248 1096 Mmnldp32.exe 107 PID 1096 wrote to memory of 3248 1096 Mmnldp32.exe 107 PID 1096 wrote to memory of 3248 1096 Mmnldp32.exe 107 PID 3248 wrote to memory of 3472 3248 Mlampmdo.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\c25000d1be40d2a16db3635b65302cc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c25000d1be40d2a16db3635b65302cc0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe23⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe24⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe25⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe26⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe27⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe28⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe29⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe30⤵
- Executes dropped EXE
PID:424 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe31⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe32⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe34⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe35⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe36⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe37⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe38⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe39⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe40⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe41⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe42⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe43⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe44⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe45⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe46⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe47⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe48⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe49⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4744 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe51⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe54⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe55⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe56⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe57⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe58⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe59⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe61⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe62⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe63⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe65⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe66⤵PID:1496
-
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe67⤵PID:4644
-
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe68⤵PID:3972
-
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe69⤵PID:1116
-
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe70⤵PID:3288
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1312 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe72⤵PID:1752
-
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe73⤵PID:2784
-
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe74⤵
- Modifies registry class
PID:4620 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe75⤵PID:2016
-
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe76⤵PID:5060
-
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe77⤵PID:2140
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe78⤵PID:2764
-
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe79⤵PID:2676
-
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe80⤵PID:1536
-
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe81⤵PID:1920
-
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe82⤵PID:1840
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe83⤵PID:4236
-
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe84⤵PID:752
-
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe85⤵PID:4700
-
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe86⤵
- Modifies registry class
PID:4768 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe87⤵
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe88⤵PID:5128
-
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe89⤵PID:5176
-
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe90⤵PID:5216
-
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe91⤵PID:5256
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe92⤵PID:5304
-
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe93⤵PID:5348
-
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe94⤵PID:5392
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe95⤵PID:5432
-
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe96⤵PID:5472
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe97⤵PID:5512
-
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe98⤵PID:5552
-
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe99⤵PID:5592
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe100⤵PID:5640
-
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe101⤵PID:5680
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5720 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe103⤵PID:5760
-
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe104⤵PID:5804
-
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe105⤵PID:5844
-
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe106⤵PID:5884
-
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe107⤵PID:5924
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe108⤵PID:5960
-
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe109⤵PID:6004
-
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe110⤵PID:6044
-
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe111⤵
- Modifies registry class
PID:6084 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe112⤵PID:6124
-
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe113⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe114⤵PID:5200
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe115⤵PID:5264
-
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe116⤵PID:5356
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe117⤵PID:5416
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe118⤵PID:5408
-
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe119⤵PID:5532
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe120⤵PID:5608
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe121⤵PID:5676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-