Analysis

  max time kernel:   134s
  max time network:  124s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         21-05-2024 13:25
Behavioral task: behavioral1
  Sample:    54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe
  Resource:  win7-20240221-en

Behavioral task: behavioral2
  Sample:    54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe
  Resource:  win10v2004-20240508-en
General

  Target:  54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe
  Size:    357KB
  MD5:     b690848ff947d3aa6414a771bdfe76f0
  SHA1:    604da46c3b92c51f9a98575d3f4aece1c1032b80
  SHA256:  54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784
  SHA512:  8297a9369b93ac5e45fd46ee0d92d720a0ae2dfc18dc9a343b81b1038240f571774d5efc2ab3147ab84abc9c115983fd91e009bd1352cc243937fde1a2def795
  SSDEEP:  6144:I1vpUTDaxdZGKmHibP1n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3klx:Cvp2iHG0ZoXpKtCe1eehil6ZR5ZrQegO
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

  Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts. The
  "Web Event Logger" value written below names the CLSID that the "Modifies registry class" entries register,
  and that CLSID's InProcServer32 default value points at a dropped DLL in SysWow64, so the DLL is loaded into
  Explorer at every logon. The sample is 32-bit, so on this x64 image its writes are redirected into the
  Wow6432Node view of HKLM\SOFTWARE; when rating the persistence on a real host, check which view the 64-bit
  Explorer actually reads rather than assuming the entry fires. "Process not Found" in the Process column
  means the sandbox had no process record to attribute the event to.

  Abbreviations used in the rows below:
    SSODL = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
            ("Key created" rows spell it ...\Software\... in the source; registry paths are case-insensitive)
    CLSID = {79FAA099-1BAE-816E-D711-115290CEE717}

  description      ioc                               Process
  Set value (str)  SSODL\Web Event Logger = CLSID    Nfmahkhh.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Dgbeiiqe.exe
  Key created      SSODL                             Eelkeeah.exe
  Key created      SSODL                             Bhbpahan.exe
  Key created      SSODL                             Process not Found
  Key created      SSODL                             Ijqoilii.exe
  Key created      SSODL                             Beogaenl.exe
  Key created      SSODL                             Mbmebgpi.exe
  Key created      SSODL                             Ohppjpkc.exe
  Key created      SSODL                             Qaablcej.exe
  Key created      SSODL                             Qidckjae.exe
  Key created      SSODL                             Ljplkonl.exe
  Key created      SSODL                             Dpaqmnap.exe
  Key created      SSODL                             Qhjfgl32.exe
  Key created      SSODL                             Fpbqcb32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Fodgkp32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Akgibd32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Ioheci32.exe
  Key created      SSODL                             Phgfko32.exe
  Key created      SSODL                             Gaagcpdl.exe
  Key created      SSODL                             Kocpbfei.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Kjhfjpdd.exe
  Key created      SSODL                             Hfajhblm.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Jogjgf32.exe
  Key created      SSODL                             Aqimoc32.exe
  Key created      SSODL                             Kjepaa32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Nqmqcmdh.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Hcjldp32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Iiipeb32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Pihbbgjj.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Gncldi32.exe
  Key created      SSODL                             Aahfdihn.exe
  Key created      SSODL                             Jaonji32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Qoqhncgp.exe
  Key created      SSODL                             Abgdnm32.exe
  Key created      SSODL                             Dhiomn32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Dkmncl32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Dinpnged.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Oknhdjko.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Oddmokoo.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Fennoa32.exe
  Key created      SSODL                             Gdegfn32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Jfpmifoa.exe
  Key created      SSODL                             Mncfgh32.exe
  Key created      SSODL                             Process not Found
  Key created      SSODL                             Process not Found
  Key created      SSODL                             Mpgobc32.exe
  Key created      SSODL                             Mlelda32.exe
  Key created      SSODL                             Boobki32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Fdkklp32.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Nnjklb32.exe
  Key created      SSODL                             Noagjc32.exe
  Key created      SSODL                             Hbboiknb.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Gnnlocgk.exe
  Key created      SSODL                             Ndicnb32.exe
  Key created      SSODL                             Nanhihno.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Bkjdpp32.exe
  Key created      SSODL                             Lohccp32.exe
  Key created      SSODL                             Cdqkifmb.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Himionmc.exe
  Key created      SSODL                             Process not Found
  Set value (str)  SSODL\Web Event Logger = CLSID    Hpcpdfhj.exe
  Key created      SSODL                             Lffohikd.exe
  Set value (str)  SSODL\Web Event Logger = CLSID    Eifmimch.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

  Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious
  software, such as other Trojans, ransomware and cryptominers.

  Every resource below matched the yara_rule family_berbew:

  behavioral1/files/0x0009000000016c90-5.dat
  behavioral1/files/0x0008000000016d4a-24.dat
  behavioral1/files/0x0009000000016d55-33.dat
  behavioral1/files/0x0007000000018b42-50.dat
  behavioral1/files/0x00050000000194f2-70.dat
  behavioral1/files/0x000500000001950c-75.dat
  behavioral1/files/0x0009000000016d24-90.dat
  behavioral1/files/0x0005000000019570-101.dat
  behavioral1/files/0x000500000001959e-123.dat
  behavioral1/files/0x00050000000195a4-128.dat
  behavioral1/files/0x00050000000195a7-142.dat
  behavioral1/files/0x00050000000195a9-156.dat
  behavioral1/files/0x00050000000195ba-176.dat
  behavioral1/files/0x0005000000019646-189.dat
  behavioral1/files/0x000500000001996e-196.dat
  behavioral1/files/0x0005000000019bd7-209.dat
  behavioral1/files/0x0005000000019bef-226.dat
  behavioral1/files/0x0005000000019ce6-234.dat
  behavioral1/files/0x0005000000019f60-252.dat
  behavioral1/files/0x000500000001a013-261.dat
  behavioral1/files/0x000500000001a3c8-292.dat
  behavioral1/memory/880-295-0x0000000000260000-0x0000000000295000-memory.dmp
  behavioral1/files/0x000500000001a429-315.dat
  behavioral1/files/0x000500000001a431-327.dat
  behavioral1/files/0x000500000001a43b-336.dat
  behavioral1/files/0x000500000001a44b-369.dat
  behavioral1/files/0x000500000001a44f-378.dat
  behavioral1/files/0x000500000001a453-389.dat
  behavioral1/files/0x000500000001a45b-413.dat
  behavioral1/memory/1296-419-0x00000000002B0000-0x00000000002E5000-memory.dmp
  behavioral1/files/0x000500000001a463-434.dat
  behavioral1/memory/2840-437-0x0000000000220000-0x0000000000255000-memory.dmp
  behavioral1/memory/2840-438-0x0000000000220000-0x0000000000255000-memory.dmp
  behavioral1/files/0x000500000001a46c-458.dat
  behavioral1/files/0x000500000001a470-467.dat
  behavioral1/memory/2496-464-0x00000000003A0000-0x00000000003D5000-memory.dmp
  behavioral1/files/0x000500000001a467-445.dat
  behavioral1/files/0x000500000001a474-480.dat
  behavioral1/files/0x000500000001a47d-502.dat
  behavioral1/files/0x000500000001a484-511.dat
  behavioral1/files/0x000500000001a489-525.dat
  behavioral1/files/0x000500000001ad1c-546.dat
  behavioral1/files/0x000500000001a543-535.dat
  behavioral1/files/0x000500000001c6d5-568.dat
  behavioral1/files/0x000500000001c78b-585.dat
  behavioral1/files/0x000500000001c832-610.dat
  behavioral1/files/0x000500000001c83b-629.dat
  behavioral1/files/0x000500000001c83f-641.dat
  behavioral1/files/0x000500000001c843-655.dat
  behavioral1/files/0x000500000001c847-663.dat
  behavioral1/files/0x000500000001c84b-672.dat
  behavioral1/files/0x000500000001c853-698.dat
  behavioral1/files/0x000500000001c857-712.dat
  behavioral1/files/0x000500000001c85d-724.dat
  behavioral1/files/0x000400000001c8da-736.dat
  behavioral1/files/0x000400000001c8e0-749.dat
  behavioral1/files/0x000400000001c8e9-777.dat
  behavioral1/files/0x000400000001c8e4-765.dat
  behavioral1/files/0x000400000001c8f3-804.dat
  behavioral1/files/0x000400000001c8fe-833.dat
  behavioral1/files/0x000400000001c9b4-898.dat
  behavioral1/files/0x000400000001ca6a-911.dat
  behavioral1/files/0x000400000001cb17-968.dat
  behavioral1/files/0x000400000001cb24-979.dat
Executes dropped EXE (64 IoCs)

  pid   Process
  2152  Jjbbpmgo.exe
  2888  Kghpoa32.exe
  2924  Koddccaa.exe
  2852  Kcamjb32.exe
  2588  Kbgjkn32.exe
  2620  Kokjdb32.exe
  2520  Lbnpkmfg.exe
  940   Lgmeid32.exe
  2856  Liqoflfh.exe
  1884  Mjpkqonj.exe
  1892  Mpopnejo.exe
  1732  Mgjebg32.exe
  1728  Mbpipp32.exe
  660   Mngjeamd.exe
  592   Nmnclmoj.exe
  2560  Nfidjbdg.exe
  2944  Nlhjhi32.exe
  320   Noffdd32.exe
  1596  Ooicid32.exe
  1028  Ookpodkj.exe
  956   Oeehln32.exe
  1756  Ohcdhi32.exe
  880   Oehdan32.exe
  1840  Oopijc32.exe
  2992  Ogknoe32.exe
  1712  Pdonhj32.exe
  2068  Pdakniag.exe
  2272  Pincfpoo.exe
  2204  Phcpgm32.exe
  2912  Pciddedl.exe
  1560  Pkdihhag.exe
  2580  Pejmfqan.exe
  2712  Qobbofgn.exe
  1296  Qhjfgl32.exe
  2400  Qackpado.exe
  2840  Aqhhanig.exe
  1512  Acfdnihk.exe
  2496  Amohfo32.exe
  1812  Anneqafn.exe
  932   Ackmih32.exe
  1332  Abpjjeim.exe
  2148  Bkpeci32.exe
  2092  Bkbaii32.exe
  2692  Bcmfmlen.exe
  2756  Bflbigdb.exe
  240   Cpdgbm32.exe
  1056  Cillkbac.exe
  1748  Cjlheehe.exe
  696   Ccdmnj32.exe
  2172  Clpabm32.exe
  2684  Cbiiog32.exe
  2976  Cicalakk.exe
  1612  Cpmjhk32.exe
  1632  Dhiomn32.exe
  2936  Daacecfc.exe
  1800  Dkigoimd.exe
  2636  Dhmhhmlm.exe
  2772  Dogpdg32.exe
  2844  Dafmqb32.exe
  1696  Dgbeiiqe.exe
  2624  Dknajh32.exe
  2524  Dpkibo32.exe
  2348  Dgeaoinb.exe
  476   Dmojkc32.exe
Loads dropped DLL (64 IoCs)

  Each process below appears twice in the source (two dropped-DLL loads per process), giving 64 rows.

  pid   Process
  1556  54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe
  2152  Jjbbpmgo.exe
  2888  Kghpoa32.exe
  2924  Koddccaa.exe
  2852  Kcamjb32.exe
  2588  Kbgjkn32.exe
  2620  Kokjdb32.exe
  2520  Lbnpkmfg.exe
  940   Lgmeid32.exe
  2856  Liqoflfh.exe
  1884  Mjpkqonj.exe
  1892  Mpopnejo.exe
  1732  Mgjebg32.exe
  1728  Mbpipp32.exe
  660   Mngjeamd.exe
  592   Nmnclmoj.exe
  2560  Nfidjbdg.exe
  2944  Nlhjhi32.exe
  320   Noffdd32.exe
  1596  Ooicid32.exe
  1028  Ookpodkj.exe
  956   Oeehln32.exe
  1756  Ohcdhi32.exe
  880   Oehdan32.exe
  1840  Oopijc32.exe
  2992  Ogknoe32.exe
  1712  Pdonhj32.exe
  2068  Pdakniag.exe
  2272  Pincfpoo.exe
  2204  Phcpgm32.exe
  2912  Pciddedl.exe
  1560  Pkdihhag.exe
Drops file in System32 directory (64 IoCs)

  description                   ioc                                   Process
  File opened for modification  C:\Windows\SysWOW64\Flfpabkp.exe      Fkecij32.exe
  File created                  C:\Windows\SysWOW64\Nhgnaehm.exe      Nameek32.exe
  File created                  C:\Windows\SysWOW64\Mchdpibh.dll      Ehmpeb32.exe
  File created                  C:\Windows\SysWOW64\Hibidc32.exe      Hpjeknfi.exe
  File created                  C:\Windows\SysWOW64\Ghqchi32.exe      Gmgenh32.exe
  File created                  C:\Windows\SysWOW64\Hpamlo32.dll      Process not Found
  File created                  C:\Windows\SysWOW64\Nipdkieg.exe      Mpgobc32.exe
  File created                  C:\Windows\SysWOW64\Acohnhab.exe      Qfkgdd32.exe
  File created                  C:\Windows\SysWOW64\Ijelgemi.exe      Hnnkbd32.exe
  File created                  C:\Windows\SysWOW64\Kgkonj32.exe      Kpafapbk.exe
  File opened for modification  C:\Windows\SysWOW64\Dglbmg32.exe      Dekeeonn.exe
  File opened for modification  C:\Windows\SysWOW64\Bkhjamcf.exe      Aeghng32.exe
  File created                  C:\Windows\SysWOW64\Qjpnmmqd.dll      Hbboiknb.exe
  File created                  C:\Windows\SysWOW64\Lpbhmiji.exe      Process not Found
  File created                  C:\Windows\SysWOW64\Noqhljpc.dll      Aeghng32.exe
  File created                  C:\Windows\SysWOW64\Eoeadjbl.dll      Nqmqcmdh.exe
  File opened for modification  C:\Windows\SysWOW64\Ohppjpkc.exe      Oebdndlp.exe
  File created                  C:\Windows\SysWOW64\Inbndm32.dll      Ladpagin.exe
  File created                  C:\Windows\SysWOW64\Kciifc32.exe      Keehmobp.exe
  File created                  C:\Windows\SysWOW64\Ckmbcq32.dll      Process not Found
  File created                  C:\Windows\SysWOW64\Ajfgpl32.dll      Dkigoimd.exe
  File created                  C:\Windows\SysWOW64\Cceogcfj.exe      Cfanmogq.exe
  File opened for modification  C:\Windows\SysWOW64\Icifjk32.exe      Iaimipjl.exe
  File created                  C:\Windows\SysWOW64\Lgpfpe32.exe      Lkifkdjm.exe
  File created                  C:\Windows\SysWOW64\Eobjmken.dll      Bbimbpld.exe
  File created                  C:\Windows\SysWOW64\Biikne32.exe      Bbocak32.exe
  File opened for modification  C:\Windows\SysWOW64\Kciifc32.exe      Keehmobp.exe
  File created                  C:\Windows\SysWOW64\Jncfhkjh.dll      Flhmfbim.exe
  File created                  C:\Windows\SysWOW64\Jlamnm32.dll      Fjlqcppm.exe
  File created                  C:\Windows\SysWOW64\Dlejhf32.dll      Mibdcakk.exe
  File created                  C:\Windows\SysWOW64\Mmpmjpba.exe      Mffdmfjd.exe
  File created                  C:\Windows\SysWOW64\Bibjaofg.dll      Pljlbf32.exe
  File created                  C:\Windows\SysWOW64\Qoqhncgp.exe      Qbmhdp32.exe
  File opened for modification  C:\Windows\SysWOW64\Himionmc.exe      Hijmin32.exe
  File opened for modification  C:\Windows\SysWOW64\Kdilkllh.exe      Kkqhbf32.exe
  File created                  C:\Windows\SysWOW64\Ccdhfhda.dll      Hnikmnho.exe
  File created                  C:\Windows\SysWOW64\Hjjokpjd.dll      Dgbeiiqe.exe
  File opened for modification  C:\Windows\SysWOW64\Bfdenafn.exe      Bjmeiq32.exe
  File opened for modification  C:\Windows\SysWOW64\Jaaoakmc.exe      Process not Found
  File created                  C:\Windows\SysWOW64\Haggijgb.exe      Hnikmnho.exe
  File created                  C:\Windows\SysWOW64\Kadhen32.exe      Process not Found
  File opened for modification  C:\Windows\SysWOW64\Kokjdb32.exe      Kbgjkn32.exe
  File created                  C:\Windows\SysWOW64\Mqpflg32.exe      Mjfnomde.exe
  File opened for modification  C:\Windows\SysWOW64\Nlefhcnc.exe      Nbmaon32.exe
  File created                  C:\Windows\SysWOW64\Kmnlhg32.exe      Jbhhkn32.exe
  File opened for modification  C:\Windows\SysWOW64\Geaaolbo.exe      Gikpjk32.exe
  File created                  C:\Windows\SysWOW64\Ipoqofjh.exe      Hfflfp32.exe
  File created                  C:\Windows\SysWOW64\Lgmeid32.exe      Lbnpkmfg.exe
  File created                  C:\Windows\SysWOW64\Ljfepegb.dll      Emdeok32.exe
  File opened for modification  C:\Windows\SysWOW64\Gckfpc32.exe      Gibbgmfe.exe
  File created                  C:\Windows\SysWOW64\Kfnnlboi.exe      Kmficl32.exe
  File created                  C:\Windows\SysWOW64\Nlcbociq.dll      Jkabmi32.exe
  File created                  C:\Windows\SysWOW64\Jondii32.dll      Kbgjkn32.exe
  File opened for modification  C:\Windows\SysWOW64\Bcmfmlen.exe      Bkbaii32.exe
  File opened for modification  C:\Windows\SysWOW64\Ldmaijdc.exe      Lfippfej.exe
  File created                  C:\Windows\SysWOW64\Pdkiinlj.dll      Pdnkanfg.exe
  File created                  C:\Windows\SysWOW64\Olopjddf.exe      Odckfb32.exe
  File created                  C:\Windows\SysWOW64\Ghjajqph.dll      Mbmebgpi.exe
  File opened for modification  C:\Windows\SysWOW64\Icbkhnan.exe      Iaobkf32.exe
  File created                  C:\Windows\SysWOW64\Iaalhl32.dll      Kimlqfeq.exe
  File created                  C:\Windows\SysWOW64\Obcgaill.exe      Oikcicfl.exe
  File created                  C:\Windows\SysWOW64\Noddcolo.dll      Bbocak32.exe
  File opened for modification  C:\Windows\SysWOW64\Ahmehqna.exe      Alfdcp32.exe
  File created                  C:\Windows\SysWOW64\Idqcamnn.dll      Mnpobefe.exe
Program crash (1 IoC)

  pid   pid_target   Process            procid_target
  964   4388         Process not Found  1143
Modifies registry class (64 IoCs)

  These rows register the COM server for the CLSID that the ShellServiceObjectDelayLoad value above points
  at. The key's default value is the DLL that COM loads for that CLSID; each generation of the dropper
  re-points it at its own freshly dropped DLL in SysWow64, so the same CLSID resolves to many different
  DLL names over the course of the run.

  Abbreviations used in the rows below:
    INPROC = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
    INPROC\(default) = the key's default value (written in the source as InProcServer32\ = "...")
    Backslashes inside quoted data are doubled in the source and are kept that way here.

  description      ioc                                                          Process
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Iifpfl32.dll"     Oehicoom.exe
  Key created      INPROC                                                       Kbkgig32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Ciidbebp.dll"     Process not Found
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Lnbibolf.dll"     Mgegfk32.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Omgfdhbq.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Nhnmcb32.dll"     Ifjlcmmj.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Oeenbm32.dll"     Dcblgbfe.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Glbaei32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Naipph32.dll"     Mmkcoq32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Jipjmena.dll"     Cedbmi32.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Process not Found
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Gmpcgace.exe
  Key created      INPROC                                                       Ccmblnif.exe
  Key created      INPROC                                                       Habili32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Hgimkf32.dll"     Pghjqlmi.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Process not Found
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Gdbjqpda.dll"     Cicalakk.exe
  Key created      INPROC                                                       Gdmbhnjj.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Gaokcb32.dll"     Ndqkleln.exe
  Key created      INPROC                                                       Jfieigio.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Bccjfi32.dll"     Kageia32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Okdamdah.dll"     Chabmm32.exe
  Key created      INPROC                                                       Joicje32.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Lcfhpf32.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Legaoehg.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Dafoikjb.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Mcmoeong.dll"     Bdipfi32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Afnmbcbg.dll"     Hndoifdp.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Ildhhm32.dll"     Bdkhjgeh.exe
  Key created      INPROC                                                       Jmnqje32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Lcophb32.dll"     Chohqebq.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Mdhnnl32.exe
  Key created      INPROC                                                       Nhbciaki.exe
  Key created      INPROC                                                       Ghaeoe32.exe
  Key created      INPROC                                                       Oolbcaij.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Llkido32.dll"     Nlgfqldf.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Ooicid32.exe
  Key created      INPROC                                                       Fobkfqpo.exe
  Key created      INPROC                                                       Jnbifl32.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Kkfjpemb.exe
  Key created      INPROC                                                       Japciodd.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Hgmgcagc.dll"     Olopjddf.exe
  Key created      INPROC                                                       Kpeonkig.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Cepkfbia.dll"     Jeofnpke.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Jeecim32.dll"     Gbjojh32.exe
  Key created      INPROC                                                       Hhfmbq32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Bdggbp32.dll"     Iplnpq32.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Jipcbidn.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Fqheei32.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Process not Found
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Gqfpainh.dll"     Paqdgcfl.exe
  Key created      INPROC                                                       Ahbekjcf.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Ldknflmi.dll"     Pdecoa32.exe
  Key created      INPROC                                                       Mkggnp32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Hbobnp32.dll"     Cfjihdcc.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Oidqcdjh.dll"     Kegebn32.exe
  Key created      INPROC                                                       Bgddam32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Cgkqcb32.dll"     Boobki32.exe
  Key created      INPROC                                                       Cpgieb32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"     Clojhf32.exe
  Set value (str)  INPROC\(default) = "C:\\Windows\\SysWow64\\Ambcgi32.dll"     Nfbjhf32.exe
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Pfgcff32.exe
  Key created      INPROC                                                       Process not Found
  Set value (str)  INPROC\ThreadingModel = "Apartment"                          Mlelda32.exe
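The two registry signatures above ("Adds autorun key" and "Modifies registry class") only make sense together: the SSODL value names a CLSID, and the CLSID's InProcServer32 default value names the DLL that Explorer ends up loading. The script below is an added example for this report, not sandbox output and not Berbew's own code; it parses IoC lines in the sandbox's flattened "<description> <path>[ = "<data>"] <process>" form and joins the two halves so the DLLs behind the persistence entry can be read off directly. The input lines are a constructed subset of the entries shown in the two sections; the parser handles the general form, not only these lines.

```python
"""Resolve the SSODL persistence chain from Triage-style registry IoC lines.

Added example for this report (not sandbox output and not Berbew's own code).
The sample lines are constructed from a subset of the entries in the
"Adds autorun key" and "Modifies registry class" sections.
"""
import re
from collections import defaultdict

# Constructed input: one IoC per line, in the report's flattened
# "<description> <registry path>[ = "<data>"] <process>" form.
SAMPLE_LINES = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfmahkhh.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelkeeah.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgbeiiqe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpfl32.dll" Oehicoom.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbkgig32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omgfdhbq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbibolf.dll" Mgegfk32.exe
'''

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32$')
SSODL_SUFFIX = '\\shellserviceobjectdelayload'


def parse_registry_iocs(text):
    """Turn report lines into dicts with keys op, key, name, data, proc.
    For 'Set value' rows the last path component is the value name; an
    empty name (path ending in a backslash) is the key's default value."""
    records = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            key, _, name = m.group('path').rpartition('\\')
            # The sandbox doubles backslashes inside quoted data; undo that.
            data = m.group('data').replace('\\\\', '\\')
            records.append({'op': 'set', 'key': key, 'name': name,
                            'data': data, 'proc': m.group('proc')})
            continue
        m = KEY_RE.match(line)
        if m:
            records.append({'op': 'create', 'key': m.group('path'),
                            'name': None, 'data': None, 'proc': m.group('proc')})
    return records


def resolve_ssodl_persistence(records):
    """Link each SSODL value to the InProcServer32 DLLs registered for its CLSID.
    Returns one finding per (value name, CLSID) pair, with sorted lists."""
    servers = defaultdict(set)    # CLSID -> DLL paths written as the InProcServer32 default
    threading = defaultdict(set)  # CLSID -> ThreadingModel values seen
    for r in records:
        m = INPROC_RE.search(r['key'])
        if not m or r['op'] != 'set':
            continue
        clsid = m.group('clsid').upper()
        if r['name'] == '':
            servers[clsid].add(r['data'])
        elif r['name'].lower() == 'threadingmodel':
            threading[clsid].add(r['data'])
    findings = {}
    for r in records:
        if r['op'] != 'set' or not r['key'].lower().endswith(SSODL_SUFFIX):
            continue
        clsid = r['data'].upper()
        f = findings.setdefault((r['name'], clsid), {
            'value_name': r['name'], 'clsid': clsid,
            'wow64_view': '\\wow6432node\\' in r['key'].lower(),
            'writers': set(), 'dlls': set(), 'threading_model': set()})
        f['writers'].add(r['proc'])
        f['dlls'] |= servers.get(clsid, set())
        f['threading_model'] |= threading.get(clsid, set())
    return [dict(f, writers=sorted(f['writers']), dlls=sorted(f['dlls']),
                 threading_model=sorted(f['threading_model']))
            for f in findings.values()]


if __name__ == '__main__':
    for f in resolve_ssodl_persistence(parse_registry_iocs(SAMPLE_LINES)):
        print(f"SSODL value {f['value_name']!r} -> {f['clsid']} "
              f"(Wow6432Node view: {f['wow64_view']})")
        for dll in f['dlls']:
            print('   InProcServer32 ->', dll)
        print('   written by:', ', '.join(f['writers']))
```

The `wow64_view` flag is the caveat from the signature section made explicit: a finding whose SSODL key sits under Wow6432Node was written by a 32-bit process through registry redirection, and which Explorer reads it is a property of the host, so the flag is reported rather than used to discount the finding.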
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1556 wrote to memory of 2152 | 1556 | 54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe | 28
PID 1556 wrote to memory of 2152 | 1556 | 54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe | 28
PID 1556 wrote to memory of 2152 | 1556 | 54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe | 28
PID 1556 wrote to memory of 2152 | 1556 | 54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe | 28
PID 2152 wrote to memory of 2888 | 2152 | Jjbbpmgo.exe | 29
PID 2152 wrote to memory of 2888 | 2152 | Jjbbpmgo.exe | 29
PID 2152 wrote to memory of 2888 | 2152 | Jjbbpmgo.exe | 29
PID 2152 wrote to memory of 2888 | 2152 | Jjbbpmgo.exe | 29
PID 2888 wrote to memory of 2924 | 2888 | Kghpoa32.exe | 30
PID 2888 wrote to memory of 2924 | 2888 | Kghpoa32.exe | 30
PID 2888 wrote to memory of 2924 | 2888 | Kghpoa32.exe | 30
PID 2888 wrote to memory of 2924 | 2888 | Kghpoa32.exe | 30
PID 2924 wrote to memory of 2852 | 2924 | Koddccaa.exe | 31
PID 2924 wrote to memory of 2852 | 2924 | Koddccaa.exe | 31
PID 2924 wrote to memory of 2852 | 2924 | Koddccaa.exe | 31
PID 2924 wrote to memory of 2852 | 2924 | Koddccaa.exe | 31
PID 2852 wrote to memory of 2588 | 2852 | Kcamjb32.exe | 32
PID 2852 wrote to memory of 2588 | 2852 | Kcamjb32.exe | 32
PID 2852 wrote to memory of 2588 | 2852 | Kcamjb32.exe | 32
PID 2852 wrote to memory of 2588 | 2852 | Kcamjb32.exe | 32
PID 2588 wrote to memory of 2620 | 2588 | Kbgjkn32.exe | 33
PID 2588 wrote to memory of 2620 | 2588 | Kbgjkn32.exe | 33
PID 2588 wrote to memory of 2620 | 2588 | Kbgjkn32.exe | 33
PID 2588 wrote to memory of 2620 | 2588 | Kbgjkn32.exe | 33
PID 2620 wrote to memory of 2520 | 2620 | Kokjdb32.exe | 34
PID 2620 wrote to memory of 2520 | 2620 | Kokjdb32.exe | 34
PID 2620 wrote to memory of 2520 | 2620 | Kokjdb32.exe | 34
PID 2620 wrote to memory of 2520 | 2620 | Kokjdb32.exe | 34
PID 2520 wrote to memory of 940 | 2520 | Lbnpkmfg.exe | 35
PID 2520 wrote to memory of 940 | 2520 | Lbnpkmfg.exe | 35
PID 2520 wrote to memory of 940 | 2520 | Lbnpkmfg.exe | 35
PID 2520 wrote to memory of 940 | 2520 | Lbnpkmfg.exe | 35
PID 940 wrote to memory of 2856 | 940 | Lgmeid32.exe | 36
PID 940 wrote to memory of 2856 | 940 | Lgmeid32.exe | 36
PID 940 wrote to memory of 2856 | 940 | Lgmeid32.exe | 36
PID 940 wrote to memory of 2856 | 940 | Lgmeid32.exe | 36
PID 2856 wrote to memory of 1884 | 2856 | Liqoflfh.exe | 37
PID 2856 wrote to memory of 1884 | 2856 | Liqoflfh.exe | 37
PID 2856 wrote to memory of 1884 | 2856 | Liqoflfh.exe | 37
PID 2856 wrote to memory of 1884 | 2856 | Liqoflfh.exe | 37
PID 1884 wrote to memory of 1892 | 1884 | Mjpkqonj.exe | 38
PID 1884 wrote to memory of 1892 | 1884 | Mjpkqonj.exe | 38
PID 1884 wrote to memory of 1892 | 1884 | Mjpkqonj.exe | 38
PID 1884 wrote to memory of 1892 | 1884 | Mjpkqonj.exe | 38
PID 1892 wrote to memory of 1732 | 1892 | Mpopnejo.exe | 39
PID 1892 wrote to memory of 1732 | 1892 | Mpopnejo.exe | 39
PID 1892 wrote to memory of 1732 | 1892 | Mpopnejo.exe | 39
PID 1892 wrote to memory of 1732 | 1892 | Mpopnejo.exe | 39
PID 1732 wrote to memory of 1728 | 1732 | Mgjebg32.exe | 40
PID 1732 wrote to memory of 1728 | 1732 | Mgjebg32.exe | 40
PID 1732 wrote to memory of 1728 | 1732 | Mgjebg32.exe | 40
PID 1732 wrote to memory of 1728 | 1732 | Mgjebg32.exe | 40
PID 1728 wrote to memory of 660 | 1728 | Mbpipp32.exe | 41
PID 1728 wrote to memory of 660 | 1728 | Mbpipp32.exe | 41
PID 1728 wrote to memory of 660 | 1728 | Mbpipp32.exe | 41
PID 1728 wrote to memory of 660 | 1728 | Mbpipp32.exe | 41
PID 660 wrote to memory of 592 | 660 | Mngjeamd.exe | 42
PID 660 wrote to memory of 592 | 660 | Mngjeamd.exe | 42
PID 660 wrote to memory of 592 | 660 | Mngjeamd.exe | 42
PID 660 wrote to memory of 592 | 660 | Mngjeamd.exe | 42
PID 592 wrote to memory of 2560 | 592 | Nmnclmoj.exe | 43
PID 592 wrote to memory of 2560 | 592 | Nmnclmoj.exe | 43
PID 592 wrote to memory of 2560 | 592 | Nmnclmoj.exe | 43
PID 592 wrote to memory of 2560 | 592 | Nmnclmoj.exe | 43
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\54e46aa4641bba35c5869882fcf46cf408b709c74c63911352a2c501337b0784_NeikiAnalytics.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556
depth 2: C:\Windows\SysWOW64\Jjbbpmgo.exe (command line: C:\Windows\system32\Jjbbpmgo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152
depth 3: C:\Windows\SysWOW64\Kghpoa32.exe (command line: C:\Windows\system32\Kghpoa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888
depth 4: C:\Windows\SysWOW64\Koddccaa.exe (command line: C:\Windows\system32\Koddccaa.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
depth 5: C:\Windows\SysWOW64\Kcamjb32.exe (command line: C:\Windows\system32\Kcamjb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852
depth 6: C:\Windows\SysWOW64\Kbgjkn32.exe (command line: C:\Windows\system32\Kbgjkn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588
depth 7: C:\Windows\SysWOW64\Kokjdb32.exe (command line: C:\Windows\system32\Kokjdb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620
depth 8: C:\Windows\SysWOW64\Lbnpkmfg.exe (command line: C:\Windows\system32\Lbnpkmfg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2520
depth 9: C:\Windows\SysWOW64\Lgmeid32.exe (command line: C:\Windows\system32\Lgmeid32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940
depth 10: C:\Windows\SysWOW64\Liqoflfh.exe (command line: C:\Windows\system32\Liqoflfh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
depth 11: C:\Windows\SysWOW64\Mjpkqonj.exe (command line: C:\Windows\system32\Mjpkqonj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884
depth 12: C:\Windows\SysWOW64\Mpopnejo.exe (command line: C:\Windows\system32\Mpopnejo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892
depth 13: C:\Windows\SysWOW64\Mgjebg32.exe (command line: C:\Windows\system32\Mgjebg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
depth 14: C:\Windows\SysWOW64\Mbpipp32.exe (command line: C:\Windows\system32\Mbpipp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
depth 15: C:\Windows\SysWOW64\Mngjeamd.exe (command line: C:\Windows\system32\Mngjeamd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660
depth 16: C:\Windows\SysWOW64\Nmnclmoj.exe (command line: C:\Windows\system32\Nmnclmoj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592
depth 17: C:\Windows\SysWOW64\Nfidjbdg.exe (command line: C:\Windows\system32\Nfidjbdg.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2560
depth 18: C:\Windows\SysWOW64\Nlhjhi32.exe (command line: C:\Windows\system32\Nlhjhi32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2944
depth 19: C:\Windows\SysWOW64\Noffdd32.exe (command line: C:\Windows\system32\Noffdd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:320
depth 20: C:\Windows\SysWOW64\Ooicid32.exe (command line: C:\Windows\system32\Ooicid32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1596
depth 21: C:\Windows\SysWOW64\Ookpodkj.exe (command line: C:\Windows\system32\Ookpodkj.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1028
depth 22: C:\Windows\SysWOW64\Oeehln32.exe (command line: C:\Windows\system32\Oeehln32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:956
depth 23: C:\Windows\SysWOW64\Ohcdhi32.exe (command line: C:\Windows\system32\Ohcdhi32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1756
depth 24: C:\Windows\SysWOW64\Oehdan32.exe (command line: C:\Windows\system32\Oehdan32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:880
depth 25: C:\Windows\SysWOW64\Oopijc32.exe (command line: C:\Windows\system32\Oopijc32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1840
depth 26: C:\Windows\SysWOW64\Ogknoe32.exe (command line: C:\Windows\system32\Ogknoe32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2992
depth 27: C:\Windows\SysWOW64\Pdonhj32.exe (command line: C:\Windows\system32\Pdonhj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1712
depth 28: C:\Windows\SysWOW64\Pdakniag.exe (command line: C:\Windows\system32\Pdakniag.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2068
depth 29: C:\Windows\SysWOW64\Pincfpoo.exe (command line: C:\Windows\system32\Pincfpoo.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2272
depth 30: C:\Windows\SysWOW64\Phcpgm32.exe (command line: C:\Windows\system32\Phcpgm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2204
depth 31: C:\Windows\SysWOW64\Pciddedl.exe (command line: C:\Windows\system32\Pciddedl.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2912
depth 32: C:\Windows\SysWOW64\Pkdihhag.exe (command line: C:\Windows\system32\Pkdihhag.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1560
depth 33: C:\Windows\SysWOW64\Pejmfqan.exe (command line: C:\Windows\system32\Pejmfqan.exe)
- Executes dropped EXE
PID:2580
depth 34: C:\Windows\SysWOW64\Qobbofgn.exe (command line: C:\Windows\system32\Qobbofgn.exe)
- Executes dropped EXE
PID:2712
depth 35: C:\Windows\SysWOW64\Qhjfgl32.exe (command line: C:\Windows\system32\Qhjfgl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296
depth 36: C:\Windows\SysWOW64\Qackpado.exe (command line: C:\Windows\system32\Qackpado.exe)
- Executes dropped EXE
PID:2400
depth 37: C:\Windows\SysWOW64\Aqhhanig.exe (command line: C:\Windows\system32\Aqhhanig.exe)
- Executes dropped EXE
PID:2840
depth 38: C:\Windows\SysWOW64\Acfdnihk.exe (command line: C:\Windows\system32\Acfdnihk.exe)
- Executes dropped EXE
PID:1512
depth 39: C:\Windows\SysWOW64\Amohfo32.exe (command line: C:\Windows\system32\Amohfo32.exe)
- Executes dropped EXE
PID:2496
depth 40: C:\Windows\SysWOW64\Anneqafn.exe (command line: C:\Windows\system32\Anneqafn.exe)
- Executes dropped EXE
PID:1812
depth 41: C:\Windows\SysWOW64\Ackmih32.exe (command line: C:\Windows\system32\Ackmih32.exe)
- Executes dropped EXE
PID:932
depth 42: C:\Windows\SysWOW64\Abpjjeim.exe (command line: C:\Windows\system32\Abpjjeim.exe)
- Executes dropped EXE
PID:1332
depth 43: C:\Windows\SysWOW64\Bkpeci32.exe (command line: C:\Windows\system32\Bkpeci32.exe)
- Executes dropped EXE
PID:2148
depth 44: C:\Windows\SysWOW64\Bkbaii32.exe (command line: C:\Windows\system32\Bkbaii32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2092
depth 45: C:\Windows\SysWOW64\Bcmfmlen.exe (command line: C:\Windows\system32\Bcmfmlen.exe)
- Executes dropped EXE
PID:2692
depth 46: C:\Windows\SysWOW64\Bflbigdb.exe (command line: C:\Windows\system32\Bflbigdb.exe)
- Executes dropped EXE
PID:2756
depth 47: C:\Windows\SysWOW64\Cpdgbm32.exe (command line: C:\Windows\system32\Cpdgbm32.exe)
- Executes dropped EXE
PID:240
depth 48: C:\Windows\SysWOW64\Cillkbac.exe (command line: C:\Windows\system32\Cillkbac.exe)
- Executes dropped EXE
PID:1056
depth 49: C:\Windows\SysWOW64\Cjlheehe.exe (command line: C:\Windows\system32\Cjlheehe.exe)
- Executes dropped EXE
PID:1748
depth 50: C:\Windows\SysWOW64\Ccdmnj32.exe (command line: C:\Windows\system32\Ccdmnj32.exe)
- Executes dropped EXE
PID:696
depth 51: C:\Windows\SysWOW64\Clpabm32.exe (command line: C:\Windows\system32\Clpabm32.exe)
- Executes dropped EXE
PID:2172
depth 52: C:\Windows\SysWOW64\Cbiiog32.exe (command line: C:\Windows\system32\Cbiiog32.exe)
- Executes dropped EXE
PID:2684
depth 53: C:\Windows\SysWOW64\Cicalakk.exe (command line: C:\Windows\system32\Cicalakk.exe)
- Executes dropped EXE
- Modifies registry class
PID:2976
depth 54: C:\Windows\SysWOW64\Cpmjhk32.exe (command line: C:\Windows\system32\Cpmjhk32.exe)
- Executes dropped EXE
PID:1612
depth 55: C:\Windows\SysWOW64\Dhiomn32.exe (command line: C:\Windows\system32\Dhiomn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632
depth 56: C:\Windows\SysWOW64\Daacecfc.exe (command line: C:\Windows\system32\Daacecfc.exe)
- Executes dropped EXE
PID:2936
depth 57: C:\Windows\SysWOW64\Dkigoimd.exe (command line: C:\Windows\system32\Dkigoimd.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1800
depth 58: C:\Windows\SysWOW64\Dhmhhmlm.exe (command line: C:\Windows\system32\Dhmhhmlm.exe)
- Executes dropped EXE
PID:2636
depth 59: C:\Windows\SysWOW64\Dogpdg32.exe (command line: C:\Windows\system32\Dogpdg32.exe)
- Executes dropped EXE
PID:2772
depth 60: C:\Windows\SysWOW64\Dafmqb32.exe (command line: C:\Windows\system32\Dafmqb32.exe)
- Executes dropped EXE
PID:2844
depth 61: C:\Windows\SysWOW64\Dgbeiiqe.exe (command line: C:\Windows\system32\Dgbeiiqe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1696
depth 62: C:\Windows\SysWOW64\Dknajh32.exe (command line: C:\Windows\system32\Dknajh32.exe)
- Executes dropped EXE
PID:2624
depth 63: C:\Windows\SysWOW64\Dpkibo32.exe (command line: C:\Windows\system32\Dpkibo32.exe)
- Executes dropped EXE
PID:2524
depth 64: C:\Windows\SysWOW64\Dgeaoinb.exe (command line: C:\Windows\system32\Dgeaoinb.exe)
- Executes dropped EXE
PID:2348
depth 65: C:\Windows\SysWOW64\Dmojkc32.exe (command line: C:\Windows\system32\Dmojkc32.exe)
- Executes dropped EXE
PID:476
depth 66: C:\Windows\SysWOW64\Edibhmml.exe (command line: C:\Windows\system32\Edibhmml.exe)
PID:2724
depth 67: C:\Windows\SysWOW64\Eldglp32.exe (command line: C:\Windows\system32\Eldglp32.exe)
PID:1760
depth 68: C:\Windows\SysWOW64\Eelkeeah.exe (command line: C:\Windows\system32\Eelkeeah.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216
depth 69: C:\Windows\SysWOW64\Elfcbo32.exe (command line: C:\Windows\system32\Elfcbo32.exe)
PID:112
depth 70: C:\Windows\SysWOW64\Eacljf32.exe (command line: C:\Windows\system32\Eacljf32.exe)
PID:2132
depth 71: C:\Windows\SysWOW64\Eijdkcgn.exe (command line: C:\Windows\system32\Eijdkcgn.exe)
PID:1872
depth 72: C:\Windows\SysWOW64\Eaeipfei.exe (command line: C:\Windows\system32\Eaeipfei.exe)
PID:860
depth 73: C:\Windows\SysWOW64\Ehpalp32.exe (command line: C:\Windows\system32\Ehpalp32.exe)
PID:2200
depth 74: C:\Windows\SysWOW64\Eoiiijcc.exe (command line: C:\Windows\system32\Eoiiijcc.exe)
PID:2240
depth 75: C:\Windows\SysWOW64\Edfbaabj.exe (command line: C:\Windows\system32\Edfbaabj.exe)
PID:2656
depth 76: C:\Windows\SysWOW64\Folfoj32.exe (command line: C:\Windows\system32\Folfoj32.exe)
PID:2988
depth 77: C:\Windows\SysWOW64\Fpmbfbgo.exe (command line: C:\Windows\system32\Fpmbfbgo.exe)
PID:2384
depth 78: C:\Windows\SysWOW64\Fkbgckgd.exe (command line: C:\Windows\system32\Fkbgckgd.exe)
PID:2640
depth 79: C:\Windows\SysWOW64\Fdkklp32.exe (command line: C:\Windows\system32\Fdkklp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336
depth 80: C:\Windows\SysWOW64\Fkecij32.exe (command line: C:\Windows\system32\Fkecij32.exe)
- Drops file in System32 directory
PID:2324
depth 81: C:\Windows\SysWOW64\Flfpabkp.exe (command line: C:\Windows\system32\Flfpabkp.exe)
PID:1664
depth 82: C:\Windows\SysWOW64\Fcphnm32.exe (command line: C:\Windows\system32\Fcphnm32.exe)
PID:2280
depth 83: C:\Windows\SysWOW64\Fjjpjgjj.exe (command line: C:\Windows\system32\Fjjpjgjj.exe)
PID:2668
depth 84: C:\Windows\SysWOW64\Flhmfbim.exe (command line: C:\Windows\system32\Flhmfbim.exe)
- Drops file in System32 directory
PID:1764
depth 85: C:\Windows\SysWOW64\Fgnadkic.exe (command line: C:\Windows\system32\Fgnadkic.exe)
PID:2140
depth 86: C:\Windows\SysWOW64\Gbhbdi32.exe (command line: C:\Windows\system32\Gbhbdi32.exe)
PID:632
depth 87: C:\Windows\SysWOW64\Ghajacmo.exe (command line: C:\Windows\system32\Ghajacmo.exe)
PID:1160
depth 88: C:\Windows\SysWOW64\Gbjojh32.exe (command line: C:\Windows\system32\Gbjojh32.exe)
- Modifies registry class
PID:1780
depth 89: C:\Windows\SysWOW64\Gmpcgace.exe (command line: C:\Windows\system32\Gmpcgace.exe)
- Modifies registry class
PID:2892
depth 90: C:\Windows\SysWOW64\Gblkoham.exe (command line: C:\Windows\system32\Gblkoham.exe)
PID:2672
depth 91: C:\Windows\SysWOW64\Ggicgopd.exe (command line: C:\Windows\system32\Ggicgopd.exe)
PID:2076
depth 92: C:\Windows\SysWOW64\Gncldi32.exe (command line: C:\Windows\system32\Gncldi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908
depth 93: C:\Windows\SysWOW64\Ggkqmoma.exe (command line: C:\Windows\system32\Ggkqmoma.exe)
PID:1508
depth 94: C:\Windows\SysWOW64\Gbadjg32.exe (command line: C:\Windows\system32\Gbadjg32.exe)
PID:2916
depth 95: C:\Windows\SysWOW64\Hnheohcl.exe (command line: C:\Windows\system32\Hnheohcl.exe)
PID:2504
depth 96: C:\Windows\SysWOW64\Hebnlb32.exe (command line: C:\Windows\system32\Hebnlb32.exe)
PID:2816
depth 97: C:\Windows\SysWOW64\Hjofdi32.exe (command line: C:\Windows\system32\Hjofdi32.exe)
PID:3048
depth 98: C:\Windows\SysWOW64\Hcgjmo32.exe (command line: C:\Windows\system32\Hcgjmo32.exe)
PID:1708
depth 99: C:\Windows\SysWOW64\Hidcef32.exe (command line: C:\Windows\system32\Hidcef32.exe)
PID:1740
depth 100: C:\Windows\SysWOW64\Hcigco32.exe (command line: C:\Windows\system32\Hcigco32.exe)
PID:2948
depth 101: C:\Windows\SysWOW64\Hjcppidk.exe (command line: C:\Windows\system32\Hjcppidk.exe)
PID:2700
depth 102: C:\Windows\SysWOW64\Hcldhnkk.exe (command line: C:\Windows\system32\Hcldhnkk.exe)
PID:1860
depth 103: C:\Windows\SysWOW64\Hemqpf32.exe (command line: C:\Windows\system32\Hemqpf32.exe)
PID:2536
depth 104: C:\Windows\SysWOW64\Hmdhad32.exe (command line: C:\Windows\system32\Hmdhad32.exe)
PID:996
depth 105: C:\Windows\SysWOW64\Ieomef32.exe (command line: C:\Windows\system32\Ieomef32.exe)
PID:872
depth 106: C:\Windows\SysWOW64\Inhanl32.exe (command line: C:\Windows\system32\Inhanl32.exe)
PID:1588
depth 107: C:\Windows\SysWOW64\Ieajkfmd.exe (command line: C:\Windows\system32\Ieajkfmd.exe)
PID:2836
depth 108: C:\Windows\SysWOW64\Illbhp32.exe (command line: C:\Windows\system32\Illbhp32.exe)
PID:2600
depth 109: C:\Windows\SysWOW64\Iedfqeka.exe (command line: C:\Windows\system32\Iedfqeka.exe)
PID:1956
depth 110: C:\Windows\SysWOW64\Ijqoilii.exe (command line: C:\Windows\system32\Ijqoilii.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456
depth 111: C:\Windows\SysWOW64\Idicbbpi.exe (command line: C:\Windows\system32\Idicbbpi.exe)
PID:2264
depth 112: C:\Windows\SysWOW64\Ifgpnmom.exe (command line: C:\Windows\system32\Ifgpnmom.exe)
PID:2312
depth 113: C:\Windows\SysWOW64\Ifjlcmmj.exe (command line: C:\Windows\system32\Ifjlcmmj.exe)
- Modifies registry class
PID:768
depth 114: C:\Windows\SysWOW64\Jaoqqflp.exe (command line: C:\Windows\system32\Jaoqqflp.exe)
PID:1876
depth 115: C:\Windows\SysWOW64\Jfliim32.exe (command line: C:\Windows\system32\Jfliim32.exe)
PID:528
depth 116: C:\Windows\SysWOW64\Jpdnbbah.exe (command line: C:\Windows\system32\Jpdnbbah.exe)
PID:2864
depth 117: C:\Windows\SysWOW64\Jfofol32.exe (command line: C:\Windows\system32\Jfofol32.exe)
PID:2268
depth 118: C:\Windows\SysWOW64\Jimbkh32.exe (command line: C:\Windows\system32\Jimbkh32.exe)
PID:2160
depth 119: C:\Windows\SysWOW64\Jojkco32.exe (command line: C:\Windows\system32\Jojkco32.exe)
PID:2952
depth 120: C:\Windows\SysWOW64\Jioopgef.exe (command line: C:\Windows\system32\Jioopgef.exe)
PID:3036
depth 121: C:\Windows\SysWOW64\Jefpeh32.exe (command line: C:\Windows\system32\Jefpeh32.exe)
PID:2540
depth 122: C:\Windows\SysWOW64\Jondnnbk.exe (command line: C:\Windows\system32\Jondnnbk.exe)
PID:2428