Analysis

max time kernel: 156s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 15:55

Behavioral task: behavioral1
Sample: c5ef4155d3c03f99d960bbe76fa5d020_NeikiAnalytics.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: c5ef4155d3c03f99d960bbe76fa5d020_NeikiAnalytics.exe
Resource: win10v2004-20240226-en

The signatures and IoCs below are from behavioral2 (the win10v2004-20240226-en run); the yara resource paths are prefixed behavioral2/.

General

Target: c5ef4155d3c03f99d960bbe76fa5d020_NeikiAnalytics.exe
Size: 768KB
MD5: c5ef4155d3c03f99d960bbe76fa5d020
SHA1: 145b10cd4b489516b28eb0510f3f155cae25a913
SHA256: 86ef661c41d11c82324237de355e15bb555a76170b24273736d7c6c96ad2b116
SHA512: 68f1eefc88f2fa8eee99879f22a5b91715e34aca679b4c0a35817c4de8f5ce66e93214cb20d20ba576aa0a0b7d81dffa29b136b89d61175084bfcb0d29842e32
SSDEEP: 12288:Bv06IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+A:iq5h3q5htaSHFaZRBEYyqmaf2qwiHPKu
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 entries touch the same ShellServiceObjectDelayLoad (SSODL) key and the same value. The key lands under WOW6432Node because the sample is a 32-bit process and its writes to HKLM\SOFTWARE are redirected; a 64-bit explorer.exe would normally consult the native key, so verify on a real host whether the WOW6432Node view is honoured rather than assuming the persistence fires. The value name "Web Event Logger" and the CLSID are what to search for.

Key (Key created): \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value (Set value (str)): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

description | Process
Set value (str) | Process not Found
Key created | Nolekd32.exe
Key created | Naqqmieo.exe
Key created | Fhbpqb32.exe
Set value (str) | Kboldq32.exe
Set value (str) | Ameipl32.exe
Set value (str) | Process not Found
Set value (str) | Gpqjaanf.exe
Key created | Ebbfpjbn.exe
Set value (str) | Jogqlpde.exe
Key created | Feocoaai.exe
Key created | Aljmal32.exe
Key created | Dadlmanj.exe
Key created | Process not Found
Key created | Lcbikd32.exe
Set value (str) | Eedkniob.exe
Key created | Ojefjd32.exe
Key created | Ojllkcdk.exe
Set value (str) | Process not Found
Key created | Gndbie32.exe
Set value (str) | Blnjecfl.exe
Set value (str) | Cfedmfqd.exe
Set value (str) | Pbokab32.exe
Key created | Kkioojpp.exe
Key created | Ohiefdhd.exe
Set value (str) | Pkhhbbck.exe
Key created | Gkjocm32.exe
Set value (str) | Ghkebd32.exe
Set value (str) | Process not Found
Key created | Bomknp32.exe
Key created | Hfacai32.exe
Set value (str) | Ijaimg32.exe
Set value (str) | Qgopplkq.exe
Set value (str) | Ohahkojp.exe
Set value (str) | Dagiba32.exe
Set value (str) | Mnpice32.exe
Key created | Aphngglp.exe
Set value (str) | Nkgoke32.exe
Set value (str) | Qghlmbae.exe
Key created | Olndnp32.exe
Set value (str) | Pbpjbe32.exe
Key created | Jioajliq.exe
Key created | Mnpice32.exe
Set value (str) | Process not Found
Key created | Cmkehicj.exe
Set value (str) | Cjlbag32.exe
Key created | Qebpipij.exe
Key created | Bcpblo32.exe
Set value (str) | Process not Found
Set value (str) | Ckmmpg32.exe
Set value (str) | Liofdigo.exe
Set value (str) | Ihhmgaqb.exe
Set value (str) | Icdhojka.exe
Key created | Pdfeandd.exe
Key created | Eljknl32.exe
Set value (str) | Haaocp32.exe
Key created | Llhnpe32.exe
Key created | Cbiabq32.exe
Key created | Fanbll32.exe
Set value (str) | Iiehjgnp.exe
Set value (str) | Fbpcah32.exe
Key created | Aagkaj32.exe
Set value (str) | Neglceej.exe
Set value (str) | Process not Found
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Every one of the 64 dropped files below matched the yara rule family_berbew.

resource | yara_rule
behavioral2/files/0x000900000001ea83-8.dat | family_berbew
behavioral2/files/0x0008000000023249-16.dat | family_berbew
behavioral2/files/0x000800000002324c-24.dat | family_berbew
behavioral2/files/0x000700000002324e-32.dat | family_berbew
behavioral2/files/0x0007000000023251-40.dat | family_berbew
behavioral2/files/0x0007000000023253-48.dat | family_berbew
behavioral2/files/0x0007000000023255-56.dat | family_berbew
behavioral2/files/0x0007000000023257-64.dat | family_berbew
behavioral2/files/0x0007000000023259-72.dat | family_berbew
behavioral2/files/0x000700000002325b-80.dat | family_berbew
behavioral2/files/0x000700000002325e-88.dat | family_berbew
behavioral2/files/0x0007000000023260-97.dat | family_berbew
behavioral2/files/0x0007000000023262-104.dat | family_berbew
behavioral2/files/0x0007000000023264-112.dat | family_berbew
behavioral2/files/0x0007000000023266-120.dat | family_berbew
behavioral2/files/0x0007000000023268-128.dat | family_berbew
behavioral2/files/0x000700000002326a-136.dat | family_berbew
behavioral2/files/0x000700000002326c-144.dat | family_berbew
behavioral2/files/0x000200000001e32b-152.dat | family_berbew
behavioral2/files/0x000700000002326f-160.dat | family_berbew
behavioral2/files/0x0007000000023271-168.dat | family_berbew
behavioral2/files/0x0007000000023273-176.dat | family_berbew
behavioral2/files/0x0007000000023275-184.dat | family_berbew
behavioral2/files/0x0007000000023277-192.dat | family_berbew
behavioral2/files/0x0007000000023279-200.dat | family_berbew
behavioral2/files/0x000700000002327b-208.dat | family_berbew
behavioral2/files/0x000700000002327d-216.dat | family_berbew
behavioral2/files/0x000700000002327f-224.dat | family_berbew
behavioral2/files/0x0007000000023281-233.dat | family_berbew
behavioral2/files/0x0007000000023283-241.dat | family_berbew
behavioral2/files/0x0007000000023285-249.dat | family_berbew
behavioral2/files/0x0007000000023287-257.dat | family_berbew
behavioral2/files/0x0007000000023292-286.dat | family_berbew
behavioral2/files/0x000700000002329c-317.dat | family_berbew
behavioral2/files/0x00070000000232a8-358.dat | family_berbew
behavioral2/files/0x00070000000232af-378.dat | family_berbew
behavioral2/files/0x00070000000232b9-412.dat | family_berbew
behavioral2/files/0x00070000000232bf-432.dat | family_berbew
behavioral2/files/0x00070000000232cb-470.dat | family_berbew
behavioral2/files/0x00070000000232dc-508.dat | family_berbew
behavioral2/files/0x000700000002330c-630.dat | family_berbew
behavioral2/files/0x0007000000023310-644.dat | family_berbew
behavioral2/files/0x000700000002331a-677.dat | family_berbew
behavioral2/files/0x0007000000023322-703.dat | family_berbew
behavioral2/files/0x0007000000023326-716.dat | family_berbew
behavioral2/files/0x000700000002332e-742.dat | family_berbew
behavioral2/files/0x000700000002333e-794.dat | family_berbew
behavioral2/files/0x0007000000023344-816.dat | family_berbew
behavioral2/files/0x000700000002334e-853.dat | family_berbew
behavioral2/files/0x0007000000023352-868.dat | family_berbew
behavioral2/files/0x000700000002335a-897.dat | family_berbew
behavioral2/files/0x0007000000023364-932.dat | family_berbew
behavioral2/files/0x0007000000023366-940.dat | family_berbew
behavioral2/files/0x000700000002336a-955.dat | family_berbew
behavioral2/files/0x000700000002336e-970.dat | family_berbew
behavioral2/files/0x0007000000023378-1008.dat | family_berbew
behavioral2/files/0x000700000002337a-1018.dat | family_berbew
behavioral2/files/0x000700000002337e-1031.dat | family_berbew
behavioral2/files/0x0007000000023386-1060.dat | family_berbew
behavioral2/files/0x0007000000023394-1110.dat | family_berbew
behavioral2/files/0x00070000000233a4-1163.dat | family_berbew
behavioral2/files/0x00070000000233b0-1211.dat | family_berbew
behavioral2/files/0x00070000000233b2-1220.dat | family_berbew
behavioral2/files/0x00070000000233bc-1262.dat | family_berbew
Executes dropped EXE (64 IoCs)

pid | Process
3100 | Nckkfp32.exe
3112 | Ooibkpmi.exe
3524 | Oonlfo32.exe
3856 | Pmkofa32.exe
4884 | Pcgdhkem.exe
1444 | Qfjjpf32.exe
1296 | Afockelf.exe
2520 | Aagdnn32.exe
2372 | Adjjeieh.exe
3512 | Bfkbfd32.exe
5084 | Bfaigclq.exe
1700 | Cbkfbcpb.exe
3516 | Cmedjl32.exe
3004 | Ccdihbgg.exe
3404 | Dnngpj32.exe
2816 | Ejjaqk32.exe
4968 | Eddnic32.exe
4944 | Fqbeoc32.exe
3460 | Fbfkceca.exe
2336 | Gndbie32.exe
1148 | Hkmlnimb.exe
4668 | Igjbci32.exe
4812 | Ijmhkchl.exe
4316 | Jbijgp32.exe
2412 | Jnpjlajn.exe
2100 | Jogqlpde.exe
4656 | Kahinkaf.exe
2532 | Kaopoj32.exe
5004 | Lddble32.exe
3940 | Lhdggb32.exe
4476 | Mdpagc32.exe
1852 | Mkocol32.exe
3668 | Nkapelka.exe
3964 | Nhgmcp32.exe
1612 | Ndnnianm.exe
1796 | Ookhfigk.exe
1508 | Ofgmib32.exe
3908 | Odljjo32.exe
1076 | Pdngpo32.exe
5068 | Pfncia32.exe
2296 | Pecpknke.exe
2120 | Pfbmdabh.exe
4456 | Qejfkmem.exe
4312 | Qmckbjdl.exe
5036 | Aeopfl32.exe
3240 | Afceko32.exe
2932 | Aidomjaf.exe
4648 | Bppcpc32.exe
3052 | Bpbpecen.exe
1936 | Bliajd32.exe
4512 | Blnjecfl.exe
5096 | Cmpcdfll.exe
264 | Cfjeckpj.exe
4928 | Ddqbbo32.exe
960 | Dmkcpdao.exe
2172 | Dlqpaafg.exe
4252 | Eiijfd32.exe
4664 | Eepkkefp.exe
4960 | Eebgqe32.exe
5020 | Egdqph32.exe
4464 | Fnqebaog.exe
3128 | Fcpkph32.exe
2460 | Fcbgfhii.exe
5140 | Fcddkggf.exe
Drops file in System32 directory (64 IoCs)

The signature name says System32, but every path recorded is under C:\Windows\SysWOW64: the sample and its children are 32-bit, so their writes to %windir%\System32 are redirected by WOW64 file system redirection. On a real host, look in SysWOW64 for these names, not System32.

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Ohobebig.exe | Ogpfko32.exe
File opened for modification | C:\Windows\SysWOW64\Bjmpfdhb.exe | Bqdlmo32.exe
File created | C:\Windows\SysWOW64\Hnhknj32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Nhdicjfp.exe | Nolekd32.exe
File opened for modification | C:\Windows\SysWOW64\Ecnlhf32.exe | Process not Found
File created | C:\Windows\SysWOW64\Hoepmd32.exe | Haaocp32.exe
File created | C:\Windows\SysWOW64\Cbfokcae.dll | Pjhlfb32.exe
File opened for modification | C:\Windows\SysWOW64\Ojefjd32.exe | Olaeqp32.exe
File created | C:\Windows\SysWOW64\Mfejme32.exe | Mefmbbod.exe
File created | C:\Windows\SysWOW64\Afigdbde.dll | Kjhccf32.exe
File opened for modification | C:\Windows\SysWOW64\Dkkabeng.exe | Process not Found
File created | C:\Windows\SysWOW64\Abddepbk.dll | Process not Found
File created | C:\Windows\SysWOW64\Qlnfkgho.exe | Pfoamp32.exe
File opened for modification | C:\Windows\SysWOW64\Cjjcof32.exe | Cjhfjg32.exe
File opened for modification | C:\Windows\SysWOW64\Kbccak32.exe | Process not Found
File created | C:\Windows\SysWOW64\Lcbikd32.exe | Lgkhec32.exe
File created | C:\Windows\SysWOW64\Infhohhe.exe | Process not Found
File created | C:\Windows\SysWOW64\Dfcqod32.exe | Dlnlak32.exe
File opened for modification | C:\Windows\SysWOW64\Enmjedpa.exe | Eddemo32.exe
File created | C:\Windows\SysWOW64\Iqqpmc32.dll | Process not Found
File created | C:\Windows\SysWOW64\Pdmdhheh.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kahinkaf.exe | Jogqlpde.exe
File created | C:\Windows\SysWOW64\Ckjbbbga.exe | Cnfahn32.exe
File opened for modification | C:\Windows\SysWOW64\Cdeijmph.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cjhfjg32.exe | Capbaacl.exe
File opened for modification | C:\Windows\SysWOW64\Omgabj32.exe | Ohkijc32.exe
File created | C:\Windows\SysWOW64\Jlblcdpf.exe | Jnoopm32.exe
File created | C:\Windows\SysWOW64\Ejcaidlp.exe | Eqkmpo32.exe
File opened for modification | C:\Windows\SysWOW64\Hmginjki.exe | Haphiiee.exe
File created | C:\Windows\SysWOW64\Ojfmdk32.exe | Oqmhlego.exe
File opened for modification | C:\Windows\SysWOW64\Phfjmlhh.exe | Pajekb32.exe
File created | C:\Windows\SysWOW64\Bfdkoabk.dll | Paioplob.exe
File created | C:\Windows\SysWOW64\Kijhgmeo.dll | Bldogjib.exe
File created | C:\Windows\SysWOW64\Mkhfig32.dll | Process not Found
File created | C:\Windows\SysWOW64\Lbhojo32.exe | Lmkfah32.exe
File created | C:\Windows\SysWOW64\Kjblcj32.exe | Kllodfpd.exe
File created | C:\Windows\SysWOW64\Idcpofaf.dll | Apeabg32.exe
File opened for modification | C:\Windows\SysWOW64\Djihhoao.exe | Dhjknljl.exe
File created | C:\Windows\SysWOW64\Ififkj32.dll | Lhnhplpg.exe
File opened for modification | C:\Windows\SysWOW64\Jenedhaa.exe | Jgjekc32.exe
File created | C:\Windows\SysWOW64\Kjkpif32.exe | Kjhccf32.exe
File created | C:\Windows\SysWOW64\Koaaaaip.exe | Koodka32.exe
File opened for modification | C:\Windows\SysWOW64\Eddnbhfe.exe | Process not Found
File created | C:\Windows\SysWOW64\Oehpnnpl.dll | Jmnheggo.exe
File opened for modification | C:\Windows\SysWOW64\Hadkdf32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Nppfimnm.exe | Njcnafpe.exe
File opened for modification | C:\Windows\SysWOW64\Ochjmd32.exe | Ngaihcli.exe
File created | C:\Windows\SysWOW64\Chlbcn32.dll | Aihaifam.exe
File created | C:\Windows\SysWOW64\Acanjcbi.dll | Igbaeh32.exe
File created | C:\Windows\SysWOW64\Nmqbln32.dll | Process not Found
File created | C:\Windows\SysWOW64\Ecbecfqe.exe | Process not Found
File created | C:\Windows\SysWOW64\Hlmpoh32.dll | Bomknp32.exe
File created | C:\Windows\SysWOW64\Jjfgeh32.dll | Mgimmkgp.exe
File created | C:\Windows\SysWOW64\Migcpneb.exe | Lhcjbfag.exe
File opened for modification | C:\Windows\SysWOW64\Aachaa32.exe | Qoboofnb.exe
File opened for modification | C:\Windows\SysWOW64\Nehjmnei.exe | Nhdicjfp.exe
File opened for modification | C:\Windows\SysWOW64\Lcapbi32.exe | Process not Found
File created | C:\Windows\SysWOW64\Jdbheajp.exe | Jhlgpp32.exe
File opened for modification | C:\Windows\SysWOW64\Bddcocff.exe | Bhmbjb32.exe
File created | C:\Windows\SysWOW64\Cjmnoo32.dll | Pmgcoaie.exe
File created | C:\Windows\SysWOW64\Lfhbpf32.dll | Hhglhi32.exe
File opened for modification | C:\Windows\SysWOW64\Mfqlph32.exe | Modgnn32.exe
File created | C:\Windows\SysWOW64\Agjblo32.dll | Foplnb32.exe
File created | C:\Windows\SysWOW64\Pepafcii.dll | Bhfmic32.exe
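Host-side triage for the two signatures above (dropped executables run from, and written to, the 32-bit system directory). This is an added example written for this page; it is not code from the sandbox or from the sample. It assumes an elevated PowerShell session on the host under investigation. The file-name shape it reports on is read off the IoCs above (eight characters, leading capital, either seven lowercase letters or five letters followed by "32"); the lookback window and directory list are assumptions you should tune.

```powershell
# Added example (not from the report): sweep the system directories for recently
# created EXE/DLL files that do not carry a valid Microsoft signature. The sample
# is 32-bit, so its writes to System32 land in SysWOW64 through file system
# redirection; both directories are checked. Run in an elevated session.

$LookbackDays = 7                                     # assumption: tune to the incident window
$Dirs = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")

# Name shape seen in the report above. Only a hint: it is reported next to the
# signature check and never used to filter files out.
$NamePattern = '^[A-Z][a-z]{7}\.(exe|dll)$|^[A-Z][a-z]{5}32\.(exe|dll)$'

function Get-UnsignedRecentBinaries {
    param([int]$Days = $LookbackDays)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File |
            Where-Object { ($_.Extension -in @('.exe', '.dll')) -and ($_.CreationTime -ge $since) } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Windows updates also create files here; a valid Microsoft signature
                # (embedded or catalog) is what separates them from dropped binaries.
                if ($sig.Status -eq 'Valid' -and $signer -match 'Microsoft') { return }
                [pscustomobject]@{
                    Path        = $_.FullName
                    Created     = $_.CreationTime
                    Bytes       = $_.Length
                    Signature   = $sig.Status
                    Signer      = $signer
                    NameMatches = ($_.Name -cmatch $NamePattern)
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

Get-UnsignedRecentBinaries | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

The SHA256 column is there so hits can be compared against the sample hash in the General section and submitted for further analysis; the creation-time window only bounds the sweep, the signature status is what decides whether a file is worth collecting.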
Modifies registry class (64 IoCs)

These entries are the other half of the SSODL persistence: the CLSID named in "Web Event Logger" is registered as an in-process COM server whose (default) InProcServer32 value points at a DLL under C:\Windows\SysWow64, with ThreadingModel set to "Apartment". Each stage re-points the same CLSID at its own DLL, so the DLL names in the (default) entries are the files to collect from a host, and the CLSID is the pivot for both registry views.

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32

description | value | Process
Set value (str) | ThreadingModel = "Apartment" | Jogqlpde.exe
Key created | InProcServer32 | Hahcfi32.exe
Set value (str) | ThreadingModel = "Apartment" | Ciogobcm.exe
Set value (str) | ThreadingModel = "Apartment" | Kfndlphp.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Ciaiem32.dll" | Mgjkag32.exe
Key created | InProcServer32 | Bfkbfd32.exe
Set value (str) | ThreadingModel = "Apartment" | Oakjnnap.exe
Key created | InProcServer32 | Ailabddb.exe
Set value (str) | ThreadingModel = "Apartment" | Agqhik32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Pfjhbe32.dll" | Process not Found
Key created | InProcServer32 | Qlnfkgho.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Pdgfaf32.dll" | Nkapelka.exe
Set value (str) | ThreadingModel = "Apartment" | Nejgbn32.exe
Key created | InProcServer32 | Pphckb32.exe
Set value (str) | ThreadingModel = "Apartment" | Goqkne32.exe
Set value (str) | ThreadingModel = "Apartment" | Qfpbfljd.exe
Set value (str) | ThreadingModel = "Apartment" | Dnkkcmdb.exe
Set value (str) | ThreadingModel = "Apartment" | Qejfkmem.exe
Key created | InProcServer32 | Kofheeoq.exe
Set value (str) | ThreadingModel = "Apartment" | Cohdoh32.exe
Key created | InProcServer32 | Igkkdigp.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Colmba32.dll" | Cnaachha.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Knnpieak.dll" | Process not Found
Set value (str) | (default) = "C:\Windows\SysWow64\Jcacqeaf.dll" | Nejgbn32.exe
Set value (str) | ThreadingModel = "Apartment" | Ocdqcikl.exe
Set value (str) | ThreadingModel = "Apartment" | Hkpgooim.exe
Key created | InProcServer32 | Ohahkojp.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Qgecbebc.dll" | Imdlgm32.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Key created | InProcServer32 | Pcgdhkem.exe
Set value (str) | ThreadingModel = "Apartment" | Pjjaci32.exe
Set value (str) | ThreadingModel = "Apartment" | Foqdem32.exe
Set value (str) | ThreadingModel = "Apartment" | Poimigfm.exe
Set value (str) | ThreadingModel = "Apartment" | Blenhmph.exe
Key created | InProcServer32 | Mdhdkp32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Oenldl32.dll" | Aclpkffa.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Aphiikma.dll" | Gajpmg32.exe
Set value (str) | ThreadingModel = "Apartment" | Kdipce32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Kkjqkhld.dll" | Jenedhaa.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Dapnokng.dll" | Bmomecoi.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Eabjjafe.dll" | Qocfjlan.exe
Set value (str) | ThreadingModel = "Apartment" | Fimhcbkh.exe
Set value (str) | ThreadingModel = "Apartment" | Dhgjll32.exe
Set value (str) | ThreadingModel = "Apartment" | Kkioojpp.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Dhgbdbac.dll" | Peonhg32.exe
Set value (str) | ThreadingModel = "Apartment" | Fneohd32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Kocgkdei.dll" | Capbaacl.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Key created | InProcServer32 | Ghpooanf.exe
Set value (str) | ThreadingModel = "Apartment" | Ghohdk32.exe
Key created | InProcServer32 | Khmoionj.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Idfqajkm.dll" | Process not Found
Key created | InProcServer32 | Gndbie32.exe
Set value (str) | ThreadingModel = "Apartment" | Olaeqp32.exe
Set value (str) | ThreadingModel = "Apartment" | Ekoddodi.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Oajgdm32.dll" | Oonlfo32.exe
Key created | InProcServer32 | Opopdd32.exe
Set value (str) | ThreadingModel = "Apartment" | Fnacqc32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Kmjigl32.dll" | Fcpkph32.exe
Key created | InProcServer32 | Ohiefdhd.exe
Set value (str) | ThreadingModel = "Apartment" | Igajka32.exe
Set value (str) | ThreadingModel = "Apartment" | Process not Found
Set value (str) | (default) = "C:\Windows\SysWow64\Mhekfhho.dll" | Process not Found
Set value (str) | ThreadingModel = "Apartment" | Process not Found
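Host-side check for the persistence recorded in the two registry signatures above (the ShellServiceObjectDelayLoad value and the CLSID InProcServer32 registration it points at). This is an added example written for this page, not code from the sandbox or from the sample. It assumes an elevated PowerShell session on the host being triaged; only the CLSID is taken from the report, and it is used solely to label a known hit, so the check also surfaces any other SSODL entry whose DLL is missing, unsigned or not Microsoft-signed.

```powershell
# Added example (not from the report): hunt ShellServiceObjectDelayLoad (SSODL)
# persistence. Enumerates both registry views, resolves each CLSID to the DLL it
# loads through InProcServer32, and flags DLLs that are missing, unsigned or not
# Microsoft-signed. Run in an elevated session.

# CLSID written by the sample in the report above; used only to label a known hit.
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

# Native (64-bit) and redirected (32-bit) views of the SSODL key.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# Native and redirected CLSID roots (the report shows writes to the WOW6432Node one).
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)

function Get-SsodlEntries {
    # One object per SSODL value: which view it lives in, its name and its CLSID.
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                View  = $(if ($key -like '*WOW6432Node*') { 'WOW6432Node' } else { 'native' })
                Name  = $name
                Clsid = [string]$item.GetValue($name)
            }
        }
    }
}

function Resolve-InProcServer32 {
    # A CLSID may be registered in either view; return every InProcServer32 found.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $ipKey = "$root\$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $ipKey)) { continue }
        $item = Get-Item -LiteralPath $ipKey
        [pscustomobject]@{
            Key            = $ipKey
            Dll            = ([string]$item.GetValue('')).Trim('"')   # (default) value, REG_EXPAND_SZ expanded
            ThreadingModel = [string]$item.GetValue('ThreadingModel')
        }
    }
}

function Test-ServerDll {
    # $null when the DLL exists with a valid Microsoft signature (embedded or catalog),
    # otherwise a one-line reason.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'no InProcServer32 path' }
    if (-not (Test-Path -LiteralPath $Path)) { return "DLL missing on disk: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status): $Path" }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'Microsoft') { return "non-Microsoft signer ($subject): $Path" }
    return $null
}

$findings = foreach ($entry in Get-SsodlEntries) {
    $servers  = @(Resolve-InProcServer32 -Clsid $entry.Clsid)
    $knownBad = $entry.Clsid -ieq $KnownBadClsid
    if ($servers.Count -eq 0) {
        [pscustomobject]@{
            Severity = $(if ($knownBad) { 'ALERT' } else { 'info' })
            View = $entry.View; Name = $entry.Name; Clsid = $entry.Clsid; Dll = ''
            Reason = 'CLSID has no InProcServer32 in either view (dangling entry)'
        }
        continue
    }
    foreach ($s in $servers) {
        $reason = Test-ServerDll -Path $s.Dll
        if ($knownBad) { $reason = 'known Berbew SSODL CLSID' + $(if ($reason) { "; $reason" }) }
        [pscustomobject]@{
            Severity = $(if ($reason) { 'ALERT' } else { 'ok' })
            View = $entry.View; Name = $entry.Name; Clsid = $entry.Clsid; Dll = $s.Dll
            Reason = $reason
        }
    }
}

$findings | Sort-Object Severity, View | Format-Table -AutoSize -Wrap
```

The "ok" rows are printed on purpose: a clean Windows 10 host carries a small number of legitimate SSODL entries, and seeing them next to the flagged ones makes the baseline obvious. A "dangling entry" (CLSID with no InProcServer32 in either view) is worth a look too, since it can be what is left after a partial clean-up.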
Suspicious use of WriteProcessMemory (64 IoCs)

The 64 entries form a single chain: each dropped executable starts the next one and writes into it, so the parent of one line is the child of the line before. Every parent/child pair is recorded three times (three separate write events into the child); the last pair appears once because the listing is capped at 64 entries. The procid_target column is the sandbox's index for the target process, not its PID.

pid (writer) | Process (writer) | wrote to memory of (PID) | procid_target | entries
3604 | c5ef4155d3c03f99d960bbe76fa5d020_NeikiAnalytics.exe | 3100 | 90 | 3
3100 | Nckkfp32.exe | 3112 | 91 | 3
3112 | Ooibkpmi.exe | 3524 | 92 | 3
3524 | Oonlfo32.exe | 3856 | 93 | 3
3856 | Pmkofa32.exe | 4884 | 94 | 3
4884 | Pcgdhkem.exe | 1444 | 95 | 3
1444 | Qfjjpf32.exe | 1296 | 96 | 3
1296 | Afockelf.exe | 2520 | 97 | 3
2520 | Aagdnn32.exe | 2372 | 98 | 3
2372 | Adjjeieh.exe | 3512 | 99 | 3
3512 | Bfkbfd32.exe | 5084 | 100 | 3
5084 | Bfaigclq.exe | 1700 | 101 | 3
1700 | Cbkfbcpb.exe | 3516 | 102 | 3
3516 | Cmedjl32.exe | 3004 | 103 | 3
3004 | Ccdihbgg.exe | 3404 | 104 | 3
3404 | Dnngpj32.exe | 2816 | 105 | 3
2816 | Ejjaqk32.exe | 4968 | 106 | 3
4968 | Eddnic32.exe | 4944 | 107 | 3
4944 | Fqbeoc32.exe | 3460 | 108 | 3
3460 | Fbfkceca.exe | 2336 | 109 | 3
2336 | Gndbie32.exe | 1148 | 110 | 3
1148 | Hkmlnimb.exe | 4668 | 111 | 1
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\c5ef4155d3c03f99d960bbe76fa5d020_NeikiAnalytics.exe | command line: "C:\Users\Admin\AppData\Local\Temp\c5ef4155d3c03f99d960bbe76fa5d020_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:3604
2⤵ C:\Windows\SysWOW64\Nckkfp32.exe | command line: C:\Windows\system32\Nckkfp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100
3⤵ C:\Windows\SysWOW64\Ooibkpmi.exe | command line: C:\Windows\system32\Ooibkpmi.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112
4⤵ C:\Windows\SysWOW64\Oonlfo32.exe | command line: C:\Windows\system32\Oonlfo32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524
5⤵ C:\Windows\SysWOW64\Pmkofa32.exe | command line: C:\Windows\system32\Pmkofa32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856
6⤵ C:\Windows\SysWOW64\Pcgdhkem.exe | command line: C:\Windows\system32\Pcgdhkem.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884
7⤵ C:\Windows\SysWOW64\Qfjjpf32.exe | command line: C:\Windows\system32\Qfjjpf32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444
8⤵ C:\Windows\SysWOW64\Afockelf.exe | command line: C:\Windows\system32\Afockelf.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296
9⤵ C:\Windows\SysWOW64\Aagdnn32.exe | command line: C:\Windows\system32\Aagdnn32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520
10⤵ C:\Windows\SysWOW64\Adjjeieh.exe | command line: C:\Windows\system32\Adjjeieh.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372
11⤵ C:\Windows\SysWOW64\Bfkbfd32.exe | command line: C:\Windows\system32\Bfkbfd32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512
12⤵ C:\Windows\SysWOW64\Bfaigclq.exe | command line: C:\Windows\system32\Bfaigclq.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084
13⤵ C:\Windows\SysWOW64\Cbkfbcpb.exe | command line: C:\Windows\system32\Cbkfbcpb.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700
14⤵ C:\Windows\SysWOW64\Cmedjl32.exe | command line: C:\Windows\system32\Cmedjl32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516
15⤵ C:\Windows\SysWOW64\Ccdihbgg.exe | command line: C:\Windows\system32\Ccdihbgg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004
16⤵ C:\Windows\SysWOW64\Dnngpj32.exe | command line: C:\Windows\system32\Dnngpj32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404
17⤵ C:\Windows\SysWOW64\Ejjaqk32.exe | command line: C:\Windows\system32\Ejjaqk32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816
18⤵ C:\Windows\SysWOW64\Eddnic32.exe | command line: C:\Windows\system32\Eddnic32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968
19⤵ C:\Windows\SysWOW64\Fqbeoc32.exe | command line: C:\Windows\system32\Fqbeoc32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944
20⤵ C:\Windows\SysWOW64\Fbfkceca.exe | command line: C:\Windows\system32\Fbfkceca.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460
21⤵ C:\Windows\SysWOW64\Gndbie32.exe | command line: C:\Windows\system32\Gndbie32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
22⤵ C:\Windows\SysWOW64\Hkmlnimb.exe | command line: C:\Windows\system32\Hkmlnimb.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148
23⤵ C:\Windows\SysWOW64\Igjbci32.exe | command line: C:\Windows\system32\Igjbci32.exe
- Executes dropped EXE
PID:4668
24⤵ C:\Windows\SysWOW64\Ijmhkchl.exe | command line: C:\Windows\system32\Ijmhkchl.exe
- Executes dropped EXE
PID:4812
25⤵ C:\Windows\SysWOW64\Jbijgp32.exe | command line: C:\Windows\system32\Jbijgp32.exe
- Executes dropped EXE
PID:4316
26⤵ C:\Windows\SysWOW64\Jnpjlajn.exe | command line: C:\Windows\system32\Jnpjlajn.exe
- Executes dropped EXE
PID:2412
27⤵ C:\Windows\SysWOW64\Jogqlpde.exe | command line: C:\Windows\system32\Jogqlpde.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2100
28⤵ C:\Windows\SysWOW64\Kahinkaf.exe | command line: C:\Windows\system32\Kahinkaf.exe
- Executes dropped EXE
PID:4656
29⤵ C:\Windows\SysWOW64\Kaopoj32.exe | command line: C:\Windows\system32\Kaopoj32.exe
- Executes dropped EXE
PID:2532
30⤵ C:\Windows\SysWOW64\Lddble32.exe | command line: C:\Windows\system32\Lddble32.exe
- Executes dropped EXE
PID:5004
31⤵ C:\Windows\SysWOW64\Lhdggb32.exe | command line: C:\Windows\system32\Lhdggb32.exe
- Executes dropped EXE
PID:3940
32⤵ C:\Windows\SysWOW64\Mdpagc32.exe | command line: C:\Windows\system32\Mdpagc32.exe
- Executes dropped EXE
PID:4476
33⤵ C:\Windows\SysWOW64\Mkocol32.exe | command line: C:\Windows\system32\Mkocol32.exe
- Executes dropped EXE
PID:1852
34⤵ C:\Windows\SysWOW64\Nkapelka.exe | command line: C:\Windows\system32\Nkapelka.exe
- Executes dropped EXE
- Modifies registry class
PID:3668
35⤵ C:\Windows\SysWOW64\Nhgmcp32.exe | command line: C:\Windows\system32\Nhgmcp32.exe
- Executes dropped EXE
PID:3964
36⤵ C:\Windows\SysWOW64\Ndnnianm.exe | command line: C:\Windows\system32\Ndnnianm.exe
- Executes dropped EXE
PID:1612
37⤵ C:\Windows\SysWOW64\Ookhfigk.exe | command line: C:\Windows\system32\Ookhfigk.exe
- Executes dropped EXE
PID:1796
38⤵ C:\Windows\SysWOW64\Ofgmib32.exe | command line: C:\Windows\system32\Ofgmib32.exe
- Executes dropped EXE
PID:1508
39⤵ C:\Windows\SysWOW64\Odljjo32.exe | command line: C:\Windows\system32\Odljjo32.exe
- Executes dropped EXE
PID:3908
40⤵ C:\Windows\SysWOW64\Pdngpo32.exe | command line: C:\Windows\system32\Pdngpo32.exe
- Executes dropped EXE
PID:1076
41⤵ C:\Windows\SysWOW64\Pfncia32.exe | command line: C:\Windows\system32\Pfncia32.exe
- Executes dropped EXE
PID:5068
42⤵ C:\Windows\SysWOW64\Pecpknke.exe | command line: C:\Windows\system32\Pecpknke.exe
- Executes dropped EXE
PID:2296
43⤵ C:\Windows\SysWOW64\Pfbmdabh.exe | command line: C:\Windows\system32\Pfbmdabh.exe
- Executes dropped EXE
PID:2120
44⤵ C:\Windows\SysWOW64\Qejfkmem.exe | command line: C:\Windows\system32\Qejfkmem.exe
- Executes dropped EXE
- Modifies registry class
PID:4456
45⤵ C:\Windows\SysWOW64\Qmckbjdl.exe | command line: C:\Windows\system32\Qmckbjdl.exe
- Executes dropped EXE
PID:4312
46⤵ C:\Windows\SysWOW64\Aeopfl32.exe | command line: C:\Windows\system32\Aeopfl32.exe
- Executes dropped EXE
PID:5036
47⤵ C:\Windows\SysWOW64\Afceko32.exe | command line: C:\Windows\system32\Afceko32.exe
- Executes dropped EXE
PID:3240
48⤵ C:\Windows\SysWOW64\Aidomjaf.exe | command line: C:\Windows\system32\Aidomjaf.exe
- Executes dropped EXE
PID:2932
49⤵ C:\Windows\SysWOW64\Bppcpc32.exe | command line: C:\Windows\system32\Bppcpc32.exe
- Executes dropped EXE
PID:4648
50⤵ C:\Windows\SysWOW64\Bpbpecen.exe | command line: C:\Windows\system32\Bpbpecen.exe
- Executes dropped EXE
PID:3052
51⤵ C:\Windows\SysWOW64\Bliajd32.exe | command line: C:\Windows\system32\Bliajd32.exe
- Executes dropped EXE
PID:1936
52⤵ C:\Windows\SysWOW64\Blnjecfl.exe | command line: C:\Windows\system32\Blnjecfl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4512
53⤵ C:\Windows\SysWOW64\Cmpcdfll.exe | command line: C:\Windows\system32\Cmpcdfll.exe
- Executes dropped EXE
PID:5096
54⤵ C:\Windows\SysWOW64\Cfjeckpj.exe | command line: C:\Windows\system32\Cfjeckpj.exe
- Executes dropped EXE
PID:264
55⤵ C:\Windows\SysWOW64\Ddqbbo32.exe | command line: C:\Windows\system32\Ddqbbo32.exe
- Executes dropped EXE
PID:4928
56⤵ C:\Windows\SysWOW64\Dmkcpdao.exe | command line: C:\Windows\system32\Dmkcpdao.exe
- Executes dropped EXE
PID:960
57⤵ C:\Windows\SysWOW64\Dlqpaafg.exe | command line: C:\Windows\system32\Dlqpaafg.exe
- Executes dropped EXE
PID:2172
58⤵ C:\Windows\SysWOW64\Eiijfd32.exe | command line: C:\Windows\system32\Eiijfd32.exe
- Executes dropped EXE
PID:4252
59⤵ C:\Windows\SysWOW64\Eepkkefp.exe | command line: C:\Windows\system32\Eepkkefp.exe
- Executes dropped EXE
PID:4664
60⤵ C:\Windows\SysWOW64\Eebgqe32.exe | command line: C:\Windows\system32\Eebgqe32.exe
- Executes dropped EXE
PID:4960
61⤵ C:\Windows\SysWOW64\Egdqph32.exe | command line: C:\Windows\system32\Egdqph32.exe
- Executes dropped EXE
PID:5020
62⤵ C:\Windows\SysWOW64\Fnqebaog.exe | command line: C:\Windows\system32\Fnqebaog.exe
- Executes dropped EXE
PID:4464
63⤵ C:\Windows\SysWOW64\Fcpkph32.exe | command line: C:\Windows\system32\Fcpkph32.exe
- Executes dropped EXE
- Modifies registry class
PID:3128
64⤵ C:\Windows\SysWOW64\Fcbgfhii.exe | command line: C:\Windows\system32\Fcbgfhii.exe
- Executes dropped EXE
PID:2460
65⤵ C:\Windows\SysWOW64\Fcddkggf.exe | command line: C:\Windows\system32\Fcddkggf.exe
- Executes dropped EXE
PID:5140
66⤵ C:\Windows\SysWOW64\Gnlenp32.exe | command line: C:\Windows\system32\Gnlenp32.exe
PID:5188
67⤵ C:\Windows\SysWOW64\Glabolja.exe | command line: C:\Windows\system32\Glabolja.exe
PID:5240
68⤵ C:\Windows\SysWOW64\Gnanioad.exe | command line: C:\Windows\system32\Gnanioad.exe
PID:5440
69⤵ C:\Windows\SysWOW64\Iqpclh32.exe | command line: C:\Windows\system32\Iqpclh32.exe
PID:5504
70⤵ C:\Windows\SysWOW64\Jgjeppkp.exe | command line: C:\Windows\system32\Jgjeppkp.exe
PID:5572
71⤵ C:\Windows\SysWOW64\Kjmjgk32.exe | command line: C:\Windows\system32\Kjmjgk32.exe
PID:5616
72⤵ C:\Windows\SysWOW64\Khfdlnab.exe | command line: C:\Windows\system32\Khfdlnab.exe
PID:5664
73⤵ C:\Windows\SysWOW64\Lfpkhjae.exe | command line: C:\Windows\system32\Lfpkhjae.exe
PID:5708
74⤵ C:\Windows\SysWOW64\Lhogamih.exe | command line: C:\Windows\system32\Lhogamih.exe
PID:5752
75⤵ C:\Windows\SysWOW64\Mhfmbl32.exe | command line: C:\Windows\system32\Mhfmbl32.exe
PID:5796
76⤵ C:\Windows\SysWOW64\Mdokmm32.exe | command line: C:\Windows\system32\Mdokmm32.exe
PID:5840
77⤵ C:\Windows\SysWOW64\Mklpof32.exe | command line: C:\Windows\system32\Mklpof32.exe
PID:5884
78⤵ C:\Windows\SysWOW64\Mhppik32.exe | command line: C:\Windows\system32\Mhppik32.exe
PID:5924
79⤵ C:\Windows\SysWOW64\Ndfanlpi.exe | command line: C:\Windows\system32\Ndfanlpi.exe
PID:5964
80⤵ C:\Windows\SysWOW64\Nolekd32.exe | command line: C:\Windows\system32\Nolekd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5996
81⤵ C:\Windows\SysWOW64\Nhdicjfp.exe | command line: C:\Windows\system32\Nhdicjfp.exe
- Drops file in System32 directory
PID:6044
82⤵ C:\Windows\SysWOW64\Nehjmnei.exe | command line: C:\Windows\system32\Nehjmnei.exe
PID:6080
83⤵ C:\Windows\SysWOW64\Nejgbn32.exe | command line: C:\Windows\system32\Nejgbn32.exe
- Modifies registry class
PID:6128
84⤵ C:\Windows\SysWOW64\Nkgoke32.exe | command line: C:\Windows\system32\Nkgoke32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148
85⤵ C:\Windows\SysWOW64\Ndpcdjho.exe | command line: C:\Windows\system32\Ndpcdjho.exe
PID:5280
86⤵ C:\Windows\SysWOW64\Ogefqeaj.exe | command line: C:\Windows\system32\Ogefqeaj.exe
PID:4956
87⤵ C:\Windows\SysWOW64\Oakjnnap.exe | command line: C:\Windows\system32\Oakjnnap.exe
- Modifies registry class
PID:5456
88⤵ C:\Windows\SysWOW64\Oamgcm32.exe | command line: C:\Windows\system32\Oamgcm32.exe
PID:5520
89⤵ C:\Windows\SysWOW64\Okeklcen.exe | command line: C:\Windows\system32\Okeklcen.exe
PID:5596
90⤵ C:\Windows\SysWOW64\Pkhhbbck.exe | command line: C:\Windows\system32\Pkhhbbck.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5636
91⤵ C:\Windows\SysWOW64\Poeahaib.exe | command line: C:\Windows\system32\Poeahaib.exe
PID:5728
92⤵ C:\Windows\SysWOW64\Phpbffnp.exe | command line: C:\Windows\system32\Phpbffnp.exe
PID:5804
93⤵ C:\Windows\SysWOW64\Qnpgdmjd.exe | command line: C:\Windows\system32\Qnpgdmjd.exe
PID:5872
94⤵ C:\Windows\SysWOW64\Qghlmbae.exe | command line: C:\Windows\system32\Qghlmbae.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5956
95⤵ C:\Windows\SysWOW64\Akfdcq32.exe | command line: C:\Windows\system32\Akfdcq32.exe
PID:6008
96⤵ C:\Windows\SysWOW64\Aijeme32.exe | command line: C:\Windows\system32\Aijeme32.exe
PID:6076
97⤵ C:\Windows\SysWOW64\Anfmeldl.exe | command line: C:\Windows\system32\Anfmeldl.exe
PID:5128
98⤵ C:\Windows\SysWOW64\Ailabddb.exe | command line: C:\Windows\system32\Ailabddb.exe
- Modifies registry class
PID:5356
99⤵ C:\Windows\SysWOW64\Agaoca32.exe | command line: C:\Windows\system32\Agaoca32.exe
PID:4988
100⤵ C:\Windows\SysWOW64\Bomppneg.exe | command line: C:\Windows\system32\Bomppneg.exe
PID:4332
101⤵ C:\Windows\SysWOW64\Bkdqdokk.exe | command line: C:\Windows\system32\Bkdqdokk.exe
PID:5212
102⤵ C:\Windows\SysWOW64\Bihancje.exe | command line: C:\Windows\system32\Bihancje.exe
PID:1556
103⤵ C:\Windows\SysWOW64\Bijncb32.exe | command line: C:\Windows\system32\Bijncb32.exe
PID:5580
104⤵ C:\Windows\SysWOW64\Bgokdomj.exe | command line: C:\Windows\system32\Bgokdomj.exe
PID:5684
105⤵ C:\Windows\SysWOW64\Ciogobcm.exe | command line: C:\Windows\system32\Ciogobcm.exe
- Modifies registry class
PID:5880
106⤵ C:\Windows\SysWOW64\Chddpn32.exe | command line: C:\Windows\system32\Chddpn32.exe
PID:5936
107⤵ C:\Windows\SysWOW64\Cfedmfqd.exe | command line: C:\Windows\system32\Cfedmfqd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6072
108⤵ C:\Windows\SysWOW64\Chinkndp.exe | command line: C:\Windows\system32\Chinkndp.exe
PID:5132
109⤵ C:\Windows\SysWOW64\Chkjpm32.exe | command line: C:\Windows\system32\Chkjpm32.exe
PID:5372
110⤵ C:\Windows\SysWOW64\Cnebmgjj.exe | command line: C:\Windows\system32\Cnebmgjj.exe
PID:628
111⤵ C:\Windows\SysWOW64\Dijgjpip.exe | command line: C:\Windows\system32\Dijgjpip.exe
PID:2136
112⤵ C:\Windows\SysWOW64\Dbckcf32.exe | command line: C:\Windows\system32\Dbckcf32.exe
PID:5528
113⤵ C:\Windows\SysWOW64\Dpglmjoj.exe | command line: C:\Windows\system32\Dpglmjoj.exe
PID:5912
114⤵ C:\Windows\SysWOW64\Dlnlak32.exe | command line: C:\Windows\system32\Dlnlak32.exe
- Drops file in System32 directory
PID:6068
115⤵ C:\Windows\SysWOW64\Dfcqod32.exe | command line: C:\Windows\system32\Dfcqod32.exe
PID:5304
116⤵ C:\Windows\SysWOW64\Donecfao.exe | command line: C:\Windows\system32\Donecfao.exe
PID:3060
117⤵ C:\Windows\SysWOW64\Dhgjll32.exe | command line: C:\Windows\system32\Dhgjll32.exe
- Modifies registry class
PID:5788
118⤵ C:\Windows\SysWOW64\Eekjep32.exe | command line: C:\Windows\system32\Eekjep32.exe
PID:6136
119⤵ C:\Windows\SysWOW64\Eflceb32.exe | command line: C:\Windows\system32\Eflceb32.exe
PID:4264
120⤵ C:\Windows\SysWOW64\Epehnhbj.exe | command line: C:\Windows\system32\Epehnhbj.exe
PID:5828
121⤵ C:\Windows\SysWOW64\Eojeodga.exe | command line: C:\Windows\system32\Eojeodga.exe
PID:3248
122⤵ C:\Windows\SysWOW64\Epiaig32.exe | command line: C:\Windows\system32\Epiaig32.exe
PID:5932