Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/05/2024, 16:50
Behavioral task: behavioral1
Sample: e5b4583f67db0db433537631630c5f90_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: e5b4583f67db0db433537631630c5f90_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: e5b4583f67db0db433537631630c5f90_NeikiAnalytics.exe
Size: 352KB
MD5: e5b4583f67db0db433537631630c5f90
SHA1: 95c56a0801dfb206ac942002eafcd3dc370c5871
SHA256: 777e905015a81056bc1f5030d14548e61bdf4f0871578c3ad05d205b43f66c97
SHA512: bd36b0a88e22ff64d9ea073d2558597342ff26dccfbb53ce7fdba640c7bf73d5c1e598f0fb6e1086e988259878a2cecebe0a4e70f8329bb67addc12406e3b23b
SSDEEP: 6144:xYKTmYnE+VGt/+Kypr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNN:xB6YnENgVrCZYE6YYBHpd0uD319ZvSn9
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid    pid_target  Process            procid_target
14692  3160        Process not Found  1513
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5b4583f67db0db433537631630c5f90_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e5b4583f67db0db433537631630c5f90_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe23⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe24⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe25⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe26⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3832 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe28⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe29⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe30⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe31⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe32⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe33⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe34⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe35⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe36⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe37⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe38⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe39⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe40⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe41⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe42⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe43⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe44⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe45⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe46⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe47⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe48⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe49⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe50⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe51⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe52⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe53⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe54⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe55⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe56⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe57⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe58⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4148 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe60⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe61⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe62⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe63⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe64⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe66⤵PID:5048
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe67⤵PID:3428
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4092 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe69⤵PID:3764
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe70⤵PID:2140
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe71⤵PID:2988
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe72⤵PID:624
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe73⤵PID:1820
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe74⤵PID:1700
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe75⤵PID:4392
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe76⤵PID:2384
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe77⤵PID:4312
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe78⤵PID:4140
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe80⤵PID:4580
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe81⤵PID:3636
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe82⤵PID:244
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe83⤵PID:5164
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe84⤵PID:5208
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe85⤵PID:5272
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe86⤵PID:5316
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe87⤵PID:5360
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe88⤵PID:5404
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe89⤵PID:5448
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe90⤵PID:5492
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe91⤵PID:5536
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe92⤵PID:5576
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe93⤵PID:5624
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe94⤵PID:5668
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe95⤵PID:5712
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe96⤵PID:5756
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe97⤵PID:5804
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe98⤵PID:5848
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe99⤵PID:5884
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe100⤵PID:5932
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe101⤵PID:5972
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe102⤵PID:6008
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe103⤵PID:6064
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe104⤵PID:6132
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe105⤵PID:5160
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe106⤵PID:5240
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe107⤵PID:5308
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe108⤵PID:3804
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe109⤵PID:5436
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe110⤵
- Drops file in System32 directory
PID:5504 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe111⤵PID:5572
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe112⤵PID:5644
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe113⤵PID:5708
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe114⤵PID:5768
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe115⤵PID:5844
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe116⤵PID:5916
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe117⤵PID:6000
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe118⤵PID:6088
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe119⤵PID:5128
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe120⤵PID:5268
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe121⤵PID:3368
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe122⤵PID:5456