Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 13:15
Behavioral task
behavioral1
Sample
534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90_NeikiAnalytics.exe
-
Size
233KB
-
MD5
b5630f26625fd46a03768286418a1f00
-
SHA1
0d536c3091d0746bce9f7799560d2d5a69871424
-
SHA256
534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90
-
SHA512
68aaf7621570c9e7d76b6f892c84c2b2a9a4a8bdd391175c73c365de4fc1f41e0f3eb3be34cfb17a6e41986c8dd7bbe5f5ff3bde6309128940be965f6d1215da
-
SSDEEP
6144:jJM+sHLfRKB3A4U2dga1mcyw7I6BjtCYYs2:+xr5WHR1mK7fVtXP2
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Majopeii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edihepnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhbdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjjhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kagichjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okeieh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becifhfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onholckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbbbabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckpjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lekehdgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckajehi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobkfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalcng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkbchk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamleegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boepel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjebj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liggbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbkhfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echknh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elppfmoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffimfqgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndghmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbiaapdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdqjceo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffbbldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdiooblp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnnmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqgkhnjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngpccdlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmcojh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hioiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjjhbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcgohig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaepqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cddecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdmpcdfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddpeoafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbklofb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odgqdlnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfpcgpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmjcieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgbefoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpdelajl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdegandp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kibgmdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmbmibhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eocenh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfqfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icnpmp32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000a000000023400-6.dat family_berbew behavioral2/files/0x0007000000023415-14.dat family_berbew behavioral2/files/0x0007000000023417-22.dat family_berbew behavioral2/files/0x0007000000023419-31.dat family_berbew behavioral2/files/0x000700000002341b-38.dat family_berbew behavioral2/files/0x000700000002341d-46.dat family_berbew behavioral2/files/0x000700000002341f-54.dat family_berbew behavioral2/files/0x0007000000023421-62.dat family_berbew behavioral2/files/0x0007000000023423-70.dat family_berbew behavioral2/files/0x0007000000023425-73.dat family_berbew behavioral2/files/0x0007000000023427-86.dat family_berbew behavioral2/files/0x0007000000023429-94.dat family_berbew behavioral2/files/0x000700000002342b-102.dat family_berbew behavioral2/files/0x000700000002342d-110.dat family_berbew behavioral2/files/0x000700000002342f-118.dat family_berbew behavioral2/files/0x0007000000023431-126.dat family_berbew behavioral2/files/0x0007000000023433-134.dat family_berbew behavioral2/files/0x0007000000023436-142.dat family_berbew behavioral2/files/0x0007000000023438-150.dat family_berbew behavioral2/files/0x0009000000023411-158.dat family_berbew behavioral2/files/0x000700000002343b-167.dat family_berbew behavioral2/files/0x000700000002343d-175.dat family_berbew behavioral2/files/0x000700000002343f-182.dat family_berbew behavioral2/files/0x0007000000023441-189.dat family_berbew behavioral2/files/0x0007000000023443-196.dat family_berbew behavioral2/files/0x000700000002344b-229.dat family_berbew behavioral2/files/0x0007000000023449-222.dat family_berbew behavioral2/files/0x0007000000023451-254.dat family_berbew behavioral2/files/0x000700000002344f-247.dat family_berbew behavioral2/files/0x000700000002344d-236.dat family_berbew behavioral2/files/0x0007000000023447-215.dat family_berbew behavioral2/files/0x0007000000023445-203.dat family_berbew behavioral2/files/0x000700000002347b-377.dat family_berbew behavioral2/files/0x0007000000023481-395.dat family_berbew behavioral2/files/0x000700000002348d-431.dat family_berbew behavioral2/files/0x00070000000234ad-527.dat family_berbew behavioral2/files/0x000800000002339d-730.dat family_berbew behavioral2/files/0x00070000000234f6-805.dat family_berbew behavioral2/files/0x0007000000023519-920.dat family_berbew behavioral2/files/0x0007000000023531-1002.dat family_berbew behavioral2/files/0x000700000002353b-1036.dat family_berbew behavioral2/files/0x0007000000023555-1124.dat family_berbew behavioral2/files/0x000700000002355d-1148.dat family_berbew behavioral2/files/0x0007000000023586-1270.dat family_berbew behavioral2/files/0x000700000002358f-1310.dat family_berbew behavioral2/files/0x000700000002359c-1361.dat family_berbew behavioral2/files/0x00070000000235df-1581.dat family_berbew behavioral2/files/0x00070000000235e9-1615.dat family_berbew behavioral2/files/0x00070000000235ef-1636.dat family_berbew behavioral2/files/0x0007000000023611-1749.dat family_berbew behavioral2/files/0x0007000000023629-1825.dat family_berbew behavioral2/files/0x0007000000023631-1851.dat family_berbew behavioral2/files/0x0007000000023637-1872.dat family_berbew behavioral2/files/0x0007000000023653-1963.dat family_berbew behavioral2/files/0x0007000000023661-2008.dat family_berbew behavioral2/files/0x000700000002366d-2047.dat family_berbew behavioral2/files/0x000700000002367c-2092.dat family_berbew behavioral2/files/0x0007000000023680-2106.dat family_berbew behavioral2/files/0x000700000002368c-2146.dat family_berbew behavioral2/files/0x0007000000023692-2167.dat family_berbew behavioral2/files/0x000700000002369a-2193.dat family_berbew behavioral2/files/0x00070000000236a0-2213.dat family_berbew behavioral2/files/0x00070000000236aa-2247.dat family_berbew behavioral2/files/0x00070000000236b2-2274.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2992 Kinemkko.exe 4956 Kdcijcke.exe 1544 Kgbefoji.exe 5084 Kipabjil.exe 1292 Kagichjo.exe 3040 Kpjjod32.exe 1900 Kajfig32.exe 5020 Kckbqpnj.exe 3572 Lalcng32.exe 4544 Lcmofolg.exe 2188 Liggbi32.exe 3168 Ldmlpbbj.exe 4656 Lijdhiaa.exe 5008 Lpcmec32.exe 1104 Lnhmng32.exe 3472 Laciofpa.exe 2920 Lcdegnep.exe 624 Lnjjdgee.exe 864 Lcgblncm.exe 2504 Mjqjih32.exe 2128 Mpkbebbf.exe 2452 Mjcgohig.exe 872 Majopeii.exe 2592 Mdiklqhm.exe 3244 Mcklgm32.exe 3232 Mgghhlhq.exe 5100 Mkbchk32.exe 2844 Mnapdf32.exe 3484 Mamleegg.exe 116 Mpolqa32.exe 3616 Mdkhapfj.exe 1644 Mncmjfmk.exe 216 Mpaifalo.exe 4592 Mdmegp32.exe 4900 Mcpebmkb.exe 3280 Mglack32.exe 3992 Mkgmcjld.exe 2884 Mjjmog32.exe 4972 Mnfipekh.exe 1872 Maaepd32.exe 2680 Mpdelajl.exe 3492 Mdpalp32.exe 4528 Mcbahlip.exe 3980 Mgnnhk32.exe 1088 Nafokcol.exe 4704 Ncgkcl32.exe 1608 Ngcgcjnc.exe 4476 Nbhkac32.exe 1704 Ndghmo32.exe 3544 Ngedij32.exe 3464 Njcpee32.exe 3260 Nbkhfc32.exe 1904 Ndidbn32.exe 1632 Nggqoj32.exe 2968 Njfmke32.exe 4368 Nqpego32.exe 376 Okeieh32.exe 4768 Ondeac32.exe 2096 Odnnnnfe.exe 2604 Ogljjiei.exe 1616 Ojjffddl.exe 4396 Obangb32.exe 2080 Odpjcm32.exe 868 Okjbpglo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fbnkjc32.dll Kbaipkbi.exe File created C:\Windows\SysWOW64\Cndikf32.exe Belebq32.exe File created C:\Windows\SysWOW64\Phfkqkek.dll Acocaf32.exe File created C:\Windows\SysWOW64\Hobkfd32.exe Hmcojh32.exe File created C:\Windows\SysWOW64\Ipdejo32.dll Ikbnacmd.exe File opened for modification C:\Windows\SysWOW64\Cafigg32.exe Cbcilkjg.exe File created C:\Windows\SysWOW64\Hbcbgk32.dll Eeidoc32.exe File created C:\Windows\SysWOW64\Ffkjlp32.exe Fbpnkama.exe File created C:\Windows\SysWOW64\Becbkfdh.dll Ckpjfm32.exe File opened for modification C:\Windows\SysWOW64\Mdjagjco.exe Miemjaci.exe File opened for modification C:\Windows\SysWOW64\Pqdqof32.exe Pjjhbl32.exe File opened for modification C:\Windows\SysWOW64\Nbkhfc32.exe Njcpee32.exe File created C:\Windows\SysWOW64\Mbfkbhpa.exe Lmiciaaj.exe File created C:\Windows\SysWOW64\Jcpkbc32.dll Kinemkko.exe File created C:\Windows\SysWOW64\Mdiklqhm.exe Majopeii.exe File created C:\Windows\SysWOW64\Majknlkd.dll Ncgkcl32.exe File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe Gofkje32.exe File created C:\Windows\SysWOW64\Laffdj32.dll Hkkhqd32.exe File created C:\Windows\SysWOW64\Bjfaeh32.exe Banllbdn.exe File created C:\Windows\SysWOW64\Mdmegp32.exe Mpaifalo.exe File created C:\Windows\SysWOW64\Pllfhkno.dll Blpnib32.exe File opened for modification C:\Windows\SysWOW64\Fakdpb32.exe Fchddejl.exe File created C:\Windows\SysWOW64\Hlpijopg.dll Cbefaj32.exe File opened for modification C:\Windows\SysWOW64\Megdccmb.exe Mlopkm32.exe File created C:\Windows\SysWOW64\Odmgcgbi.exe Opakbi32.exe File created C:\Windows\SysWOW64\Kckbqpnj.exe Kajfig32.exe File opened for modification C:\Windows\SysWOW64\Mcbahlip.exe Mdpalp32.exe File opened for modification C:\Windows\SysWOW64\Bobcpmfc.exe Bldgdago.exe File created C:\Windows\SysWOW64\Olkhmi32.exe Onhhamgg.exe File created C:\Windows\SysWOW64\Pgioqq32.exe Pdkcde32.exe File opened for modification C:\Windows\SysWOW64\Baicac32.exe Bjmnoi32.exe File opened for modification C:\Windows\SysWOW64\Cmnpgb32.exe Chagok32.exe File created C:\Windows\SysWOW64\Mpbbmhgf.dll Bdkcmdhp.exe File opened for modification C:\Windows\SysWOW64\Jehokgge.exe Jbjcolha.exe File created C:\Windows\SysWOW64\Fojhkmkj.dll Lmbmibhb.exe File created C:\Windows\SysWOW64\Paegjl32.exe Pnfkma32.exe File opened for modification C:\Windows\SysWOW64\Aaepqjpd.exe Abbpem32.exe File created C:\Windows\SysWOW64\Dlncan32.exe Ddgkpp32.exe File created C:\Windows\SysWOW64\Fdlnbm32.exe Ffimfqgm.exe File created C:\Windows\SysWOW64\Pnjknp32.dll Ncbknfed.exe File created C:\Windows\SysWOW64\Bdknoa32.dll Nbhkac32.exe File opened for modification C:\Windows\SysWOW64\Okloegjl.exe Ocegdjij.exe File opened for modification C:\Windows\SysWOW64\Pjdilcla.exe Pkaiqf32.exe File created C:\Windows\SysWOW64\Gbmgladp.dll Ngpccdlj.exe File created C:\Windows\SysWOW64\Bjmnoi32.exe Aepefb32.exe File created C:\Windows\SysWOW64\Lmppcbjd.exe Lffhfh32.exe File created C:\Windows\SysWOW64\Oolpjdob.dll Lboeaifi.exe File opened for modification C:\Windows\SysWOW64\Ogifjcdp.exe Nnqbanmo.exe File created C:\Windows\SysWOW64\Cpaqkn32.dll Edbklofb.exe File created C:\Windows\SysWOW64\Gfgkmfoj.dll Gofkje32.exe File opened for modification C:\Windows\SysWOW64\Gmjlcj32.exe Gfpcgpae.exe File created C:\Windows\SysWOW64\Higchddh.dll Dceohhja.exe File created C:\Windows\SysWOW64\Gallfmbn.dll Bmemac32.exe File created C:\Windows\SysWOW64\Dpmdoo32.dll Aeiofcji.exe File opened for modification C:\Windows\SysWOW64\Ajkaii32.exe Aglemn32.exe File created C:\Windows\SysWOW64\Opbnic32.dll Nbkhfc32.exe File created C:\Windows\SysWOW64\Gohhpe32.exe Gmjlcj32.exe File opened for modification C:\Windows\SysWOW64\Oflgep32.exe Ogifjcdp.exe File created C:\Windows\SysWOW64\Lpggmhkg.dll Cmnpgb32.exe File created C:\Windows\SysWOW64\Mnaela32.dll Oqihnn32.exe File created C:\Windows\SysWOW64\Qnnanphk.exe Qloebdig.exe File created C:\Windows\SysWOW64\Afhohlbj.exe Acjclpcf.exe File created C:\Windows\SysWOW64\Ehmdjdgk.dll Anmjcieo.exe File created C:\Windows\SysWOW64\Fqjamcpe.dll Belebq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10852 10712 WerFault.exe 524 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelcja32.dll" Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll" Pcijeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kajfig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdkhapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmidh32.dll" Obangb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoakjca.dll" Cddecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll" Pggbkagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liggbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkman32.dll" Pqpnombl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qloebdig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbifelba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogab32.dll" Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkffk32.dll" Fakdpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll" Lmppcbjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aacckjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnhmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll" Mamleegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffpbnb.dll" Oqgkhnjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnlnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edbklofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipoal32.dll" Ekacmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" Gcfqfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lepncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll" Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onhhamgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bffkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okjbpglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlncan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcdegnep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdhfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddgkpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkmchi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilidbbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiidgeki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkbchk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkaiqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll" Ikbnacmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbefaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cecbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pggbkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajkaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgia32.dll" Acjjfggb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abemjmgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbcpl32.dll" Clnjjpod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjegoo32.dll" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kibgmdcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lboeaifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll" Lcgblncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojjolnaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogljjiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkaiqf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1752 wrote to memory of 2992 1752 534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90_NeikiAnalytics.exe 83 PID 1752 wrote to memory of 2992 1752 534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90_NeikiAnalytics.exe 83 PID 1752 wrote to memory of 2992 1752 534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90_NeikiAnalytics.exe 83 PID 2992 wrote to memory of 4956 2992 Kinemkko.exe 84 PID 2992 wrote to memory of 4956 2992 Kinemkko.exe 84 PID 2992 wrote to memory of 4956 2992 Kinemkko.exe 84 PID 4956 wrote to memory of 1544 4956 Kdcijcke.exe 85 PID 4956 wrote to memory of 1544 4956 Kdcijcke.exe 85 PID 4956 wrote to memory of 1544 4956 Kdcijcke.exe 85 PID 1544 wrote to memory of 5084 1544 Kgbefoji.exe 86 PID 1544 wrote to memory of 5084 1544 Kgbefoji.exe 86 PID 1544 wrote to memory of 5084 1544 Kgbefoji.exe 86 PID 5084 wrote to memory of 1292 5084 Kipabjil.exe 87 PID 5084 wrote to memory of 1292 5084 Kipabjil.exe 87 PID 5084 wrote to memory of 1292 5084 Kipabjil.exe 87 PID 1292 wrote to memory of 3040 1292 Kagichjo.exe 88 PID 1292 wrote to memory of 3040 1292 Kagichjo.exe 88 PID 1292 wrote to memory of 3040 1292 Kagichjo.exe 88 PID 3040 wrote to memory of 1900 3040 Kpjjod32.exe 89 PID 3040 wrote to memory of 1900 3040 Kpjjod32.exe 89 PID 3040 wrote to memory of 1900 3040 Kpjjod32.exe 89 PID 1900 wrote to memory of 5020 1900 Kajfig32.exe 90 PID 1900 wrote to memory of 5020 1900 Kajfig32.exe 90 PID 1900 wrote to memory of 5020 1900 Kajfig32.exe 90 PID 5020 wrote to memory of 3572 5020 Kckbqpnj.exe 91 PID 5020 wrote to memory of 3572 5020 Kckbqpnj.exe 91 PID 5020 wrote to memory of 3572 5020 Kckbqpnj.exe 91 PID 3572 wrote to memory of 4544 3572 Lalcng32.exe 92 PID 3572 wrote to memory of 4544 3572 Lalcng32.exe 92 PID 3572 wrote to memory of 4544 3572 Lalcng32.exe 92 PID 4544 wrote to memory of 2188 4544 Lcmofolg.exe 93 PID 4544 wrote to memory of 2188 4544 Lcmofolg.exe 93 PID 4544 wrote to memory of 2188 4544 Lcmofolg.exe 93 PID 2188 wrote to memory of 3168 2188 Liggbi32.exe 94 PID 2188 wrote to memory of 3168 2188 Liggbi32.exe 94 PID 2188 wrote to memory of 3168 2188 Liggbi32.exe 94 PID 3168 wrote to memory of 4656 3168 Ldmlpbbj.exe 95 PID 3168 wrote to memory of 4656 3168 Ldmlpbbj.exe 95 PID 3168 wrote to memory of 4656 3168 Ldmlpbbj.exe 95 PID 4656 wrote to memory of 5008 4656 Lijdhiaa.exe 96 PID 4656 wrote to memory of 5008 4656 Lijdhiaa.exe 96 PID 4656 wrote to memory of 5008 4656 Lijdhiaa.exe 96 PID 5008 wrote to memory of 1104 5008 Lpcmec32.exe 97 PID 5008 wrote to memory of 1104 5008 Lpcmec32.exe 97 PID 5008 wrote to memory of 1104 5008 Lpcmec32.exe 97 PID 1104 wrote to memory of 3472 1104 Lnhmng32.exe 98 PID 1104 wrote to memory of 3472 1104 Lnhmng32.exe 98 PID 1104 wrote to memory of 3472 1104 Lnhmng32.exe 98 PID 3472 wrote to memory of 2920 3472 Laciofpa.exe 100 PID 3472 wrote to memory of 2920 3472 Laciofpa.exe 100 PID 3472 wrote to memory of 2920 3472 Laciofpa.exe 100 PID 2920 wrote to memory of 624 2920 Lcdegnep.exe 101 PID 2920 wrote to memory of 624 2920 Lcdegnep.exe 101 PID 2920 wrote to memory of 624 2920 Lcdegnep.exe 101 PID 624 wrote to memory of 864 624 Lnjjdgee.exe 102 PID 624 wrote to memory of 864 624 Lnjjdgee.exe 102 PID 624 wrote to memory of 864 624 Lnjjdgee.exe 102 PID 864 wrote to memory of 2504 864 Lcgblncm.exe 104 PID 864 wrote to memory of 2504 864 Lcgblncm.exe 104 PID 864 wrote to memory of 2504 864 Lcgblncm.exe 104 PID 2504 wrote to memory of 2128 2504 Mjqjih32.exe 105 PID 2504 wrote to memory of 2128 2504 Mjqjih32.exe 105 PID 2504 wrote to memory of 2128 2504 Mjqjih32.exe 105 PID 2128 wrote to memory of 2452 2128 Mpkbebbf.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\534ddcbde3b2e9cc22a03c42fe3a173e459671520475c47f118d842b4feeac90_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe25⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe26⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe27⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe29⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3484 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe31⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:3616 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe33⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:216 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe35⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe36⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe38⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe39⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe40⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe41⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3492 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe44⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe45⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe46⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4704 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe48⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4476 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe51⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe54⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe55⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe56⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe57⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe60⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe62⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe64⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe68⤵
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe69⤵PID:3624
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe70⤵PID:3216
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe71⤵
- Drops file in System32 directory
PID:3108 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe72⤵PID:4300
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe73⤵PID:2900
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe76⤵PID:888
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe77⤵PID:548
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe78⤵PID:3600
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3300 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe80⤵
- Modifies registry class
PID:4116 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe81⤵PID:3760
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe82⤵PID:3036
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe83⤵PID:1340
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe84⤵PID:704
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe85⤵PID:1196
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe86⤵
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe87⤵PID:2112
-
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe88⤵PID:2964
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe89⤵PID:4000
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe90⤵PID:4400
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe91⤵PID:4624
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe92⤵PID:4468
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe93⤵PID:4780
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe94⤵PID:3856
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe95⤵PID:5168
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe96⤵PID:5212
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe98⤵PID:5316
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe99⤵PID:5364
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe100⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe101⤵PID:5468
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe102⤵PID:5516
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe103⤵PID:5560
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe104⤵PID:5608
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe105⤵PID:5644
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe106⤵PID:5684
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe107⤵PID:5732
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe108⤵PID:5780
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe109⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe110⤵PID:5876
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe111⤵
- Modifies registry class
PID:5920 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe112⤵PID:5956
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe113⤵PID:6024
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe114⤵PID:6084
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe115⤵
- Drops file in System32 directory
PID:6128 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe117⤵PID:5244
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe118⤵PID:5324
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe119⤵PID:5404
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe120⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe122⤵PID:5628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-