Analysis
-
max time kernel
146s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 13:31
Behavioral task
behavioral1
Sample
56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe
-
Size
669KB
-
MD5
ce5aa4e2369141189fec36c3f7a819e0
-
SHA1
1e1717a2b6bf9c776abbf560ccf0f928c4fca988
-
SHA256
56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512
-
SHA512
475c29c4bdc434db48f6e3f746b6624b94d52973df296e7b9083db865983da9859eab3842e2eac702920cc08f2650af5f6c736823a9d8701eb72088eae9cb643
-
SSDEEP
12288:neO0rceVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:b03chMpQnqrdX72LbY6x46uR/qYglMi
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnonkq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfchlbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfekbdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcapicdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnabm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipihpkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iomoenej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacngdgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefjii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jldbpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpmomo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpdgqmnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbdbqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adfnofpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igfclkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kidben32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkceokii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhnikc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddligq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbhboolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cglbhhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iijfhbhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljdkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcecjmkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlpfhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqdpgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolabf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnmopk32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00090000000235f6-6.dat family_berbew behavioral2/files/0x00070000000235fe-14.dat family_berbew behavioral2/files/0x0007000000023600-22.dat family_berbew behavioral2/files/0x0007000000023602-30.dat family_berbew behavioral2/files/0x0007000000023604-38.dat family_berbew behavioral2/files/0x0007000000023606-46.dat family_berbew behavioral2/files/0x0007000000023608-54.dat family_berbew behavioral2/files/0x000700000002360a-63.dat family_berbew behavioral2/files/0x000700000002360c-70.dat family_berbew behavioral2/files/0x000700000002360e-78.dat family_berbew behavioral2/files/0x0007000000023610-87.dat family_berbew behavioral2/files/0x0007000000023612-94.dat family_berbew behavioral2/files/0x000700000002363a-237.dat family_berbew behavioral2/files/0x0007000000023638-230.dat family_berbew behavioral2/files/0x0007000000023636-223.dat family_berbew behavioral2/files/0x0007000000023634-216.dat family_berbew behavioral2/files/0x0007000000023632-209.dat family_berbew behavioral2/files/0x0007000000023630-202.dat family_berbew behavioral2/files/0x000700000002362e-195.dat family_berbew behavioral2/files/0x000700000002362c-188.dat family_berbew behavioral2/files/0x000700000002362a-181.dat family_berbew behavioral2/files/0x0007000000023628-174.dat family_berbew behavioral2/files/0x0007000000023626-167.dat family_berbew behavioral2/files/0x0007000000023624-160.dat family_berbew behavioral2/files/0x0007000000023622-153.dat family_berbew behavioral2/files/0x0007000000023620-146.dat family_berbew behavioral2/files/0x000700000002361e-139.dat family_berbew behavioral2/files/0x000700000002361c-132.dat family_berbew behavioral2/files/0x000700000002361a-125.dat family_berbew behavioral2/files/0x0007000000023618-118.dat family_berbew behavioral2/files/0x0007000000023616-111.dat family_berbew behavioral2/files/0x0007000000023614-103.dat family_berbew behavioral2/files/0x00070000000236c1-653.dat family_berbew behavioral2/files/0x00070000000236cb-682.dat family_berbew behavioral2/files/0x00070000000236d7-719.dat family_berbew behavioral2/files/0x00070000000236de-743.dat family_berbew behavioral2/files/0x00070000000236ee-791.dat family_berbew behavioral2/files/0x000700000002370e-887.dat family_berbew behavioral2/files/0x000700000002371f-935.dat family_berbew behavioral2/files/0x000700000002372d-984.dat family_berbew behavioral2/files/0x000700000002372f-992.dat family_berbew behavioral2/files/0x0007000000023739-1022.dat family_berbew behavioral2/files/0x000700000002374d-1085.dat family_berbew behavioral2/files/0x0007000000023754-1107.dat family_berbew behavioral2/files/0x0008000000023756-1120.dat family_berbew behavioral2/files/0x0007000000023767-1164.dat family_berbew behavioral2/files/0x0007000000023771-1198.dat family_berbew behavioral2/files/0x0007000000023779-1223.dat family_berbew behavioral2/files/0x000700000002377f-1244.dat family_berbew behavioral2/files/0x000700000002378d-1291.dat family_berbew behavioral2/files/0x0007000000023799-1329.dat family_berbew behavioral2/files/0x00070000000237a4-1362.dat family_berbew behavioral2/files/0x00070000000237ac-1388.dat family_berbew behavioral2/files/0x00070000000237b2-1407.dat family_berbew behavioral2/files/0x00070000000237b8-1428.dat family_berbew behavioral2/files/0x00070000000237c7-1524.dat family_berbew behavioral2/files/0x00070000000237d7-1575.dat family_berbew behavioral2/files/0x00070000000237e0-1600.dat family_berbew behavioral2/files/0x00070000000237e6-1621.dat family_berbew behavioral2/files/0x00070000000237f7-1668.dat family_berbew behavioral2/files/0x00070000000237fc-1681.dat family_berbew behavioral2/files/0x0007000000023804-1701.dat family_berbew behavioral2/files/0x0007000000023808-1715.dat family_berbew behavioral2/files/0x0007000000023819-1786.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4672 Kkgiimng.exe 3800 Kmieae32.exe 2828 Kdbjhbbd.exe 640 Lqikmc32.exe 832 Lknojl32.exe 4900 Lkalplel.exe 3948 Lqndhcdc.exe 3040 Lmdemd32.exe 1652 Lcnmin32.exe 3336 Lndagg32.exe 4200 Lqbncb32.exe 4832 Lenicahg.exe 2316 Mkhapk32.exe 1512 Mnfnlf32.exe 1548 Madjhb32.exe 2400 Mccfdmmo.exe 2188 Mgobel32.exe 2788 Mnhkbfme.exe 376 Mmkkmc32.exe 1216 Mebcop32.exe 2276 Mcecjmkl.exe 1532 Mkmkkjko.exe 3660 Mjokgg32.exe 2936 Mnkggfkb.exe 872 Maiccajf.exe 1580 Meepdp32.exe 4684 Mchppmij.exe 1628 Mkohaj32.exe 5116 Mjahlgpf.exe 3112 Mmpdhboj.exe 3668 Megljppl.exe 212 Mcjmel32.exe 3880 Mkadfj32.exe 2932 Mnpabe32.exe 3212 Manmoq32.exe 3864 Nclikl32.exe 4680 Nlcalieg.exe 4664 Nnbnhedj.exe 3884 Napjdpcn.exe 776 Nelfeo32.exe 2856 Ngjbaj32.exe 4388 Njinmf32.exe 1852 Nndjndbh.exe 1360 Nabfjpak.exe 3276 Ncabfkqo.exe 4856 Nlhkgi32.exe 1424 Njkkbehl.exe 4280 Nmigoagp.exe 1828 Neqopnhb.exe 3172 Nhokljge.exe 3760 Nlkgmh32.exe 1244 Nnicid32.exe 1284 Nagpeo32.exe 4212 Neclenfo.exe 4728 Nhahaiec.exe 4648 Njpdnedf.exe 2696 Nnkpnclp.exe 4884 Najmjokc.exe 4432 Oeehkn32.exe 2160 Ohcegi32.exe 1392 Oloahhki.exe 1220 Onnmdcjm.exe 5032 Ohhnbhok.exe 5148 Ojgjndno.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pnplfj32.exe Ppolhcnm.exe File opened for modification C:\Windows\SysWOW64\Qemhbj32.exe Qmepam32.exe File created C:\Windows\SysWOW64\Fedbbjgh.dll Mnhkbfme.exe File created C:\Windows\SysWOW64\Dkceokii.exe Dfglfdkb.exe File opened for modification C:\Windows\SysWOW64\Hajkqfoe.exe Hhaggp32.exe File created C:\Windows\SysWOW64\Mqdcnl32.exe Mnegbp32.exe File created C:\Windows\SysWOW64\Cnffoibg.dll Ocohmc32.exe File opened for modification C:\Windows\SysWOW64\Pidlqb32.exe Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Bhnikc32.exe Bepmoh32.exe File created C:\Windows\SysWOW64\Igajal32.exe Ibfnqmpf.exe File created C:\Windows\SysWOW64\Cdecba32.dll Dfglfdkb.exe File created C:\Windows\SysWOW64\Jebfng32.exe Jcdjbk32.exe File opened for modification C:\Windows\SysWOW64\Hhfpbpdo.exe Hbihjifh.exe File created C:\Windows\SysWOW64\Ehcplf32.dll Dkahilkl.exe File opened for modification C:\Windows\SysWOW64\Dkceokii.exe Dfglfdkb.exe File created C:\Windows\SysWOW64\Pccopc32.dll Hemdlj32.exe File opened for modification C:\Windows\SysWOW64\Kckqbj32.exe Kpmdfonj.exe File created C:\Windows\SysWOW64\Ilibdmgp.exe Iijfhbhl.exe File created C:\Windows\SysWOW64\Nlkfjqib.dll Nnicid32.exe File opened for modification C:\Windows\SysWOW64\Ebifmm32.exe Eojiqb32.exe File created C:\Windows\SysWOW64\Dgjoif32.exe Damfao32.exe File created C:\Windows\SysWOW64\Fkofga32.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Ohcegi32.exe Oeehkn32.exe File opened for modification C:\Windows\SysWOW64\Nlhkgi32.exe Ncabfkqo.exe File opened for modification C:\Windows\SysWOW64\Najmjokc.exe Nnkpnclp.exe File created C:\Windows\SysWOW64\Glllagck.dll Lakfeodm.exe File created C:\Windows\SysWOW64\Klhhpb32.dll Omalpc32.exe File opened for modification C:\Windows\SysWOW64\Opqofe32.exe Ofhknodl.exe File created C:\Windows\SysWOW64\Cpfoag32.dll Cnfkdb32.exe File created C:\Windows\SysWOW64\Cndepccb.dll Pmaffnce.exe File created C:\Windows\SysWOW64\Ghbjikdh.dll Omegjomb.exe File opened for modification C:\Windows\SysWOW64\Pnmopk32.exe Pplobcpp.exe File opened for modification C:\Windows\SysWOW64\Amnlme32.exe Agdcpkll.exe File opened for modification C:\Windows\SysWOW64\Iefphb32.exe Ipihpkkd.exe File created C:\Windows\SysWOW64\Dfookdli.dll Nagpeo32.exe File created C:\Windows\SysWOW64\Lomqcjie.exe Llodgnja.exe File created C:\Windows\SysWOW64\Pmhkafda.dll Imiehfao.exe File created C:\Windows\SysWOW64\Onkidm32.exe Nfcabp32.exe File opened for modification C:\Windows\SysWOW64\Gpaihooo.exe Gihpkd32.exe File opened for modification C:\Windows\SysWOW64\Cbbnpg32.exe Cocacl32.exe File created C:\Windows\SysWOW64\Domdocba.dll Bddcenpi.exe File opened for modification C:\Windows\SysWOW64\Enkmfolf.exe Ehndnh32.exe File opened for modification C:\Windows\SysWOW64\Okkdic32.exe Ohmhmh32.exe File created C:\Windows\SysWOW64\Baannc32.exe Bhhiemoj.exe File created C:\Windows\SysWOW64\Jabphdjm.dll Dhbebj32.exe File created C:\Windows\SysWOW64\Jbecoe32.dll Qoelkp32.exe File created C:\Windows\SysWOW64\Bnkbcj32.exe Bklfgo32.exe File created C:\Windows\SysWOW64\Anfmbd32.dll Ddifgk32.exe File opened for modification C:\Windows\SysWOW64\Plpjoe32.exe Pdfehh32.exe File created C:\Windows\SysWOW64\Dmokdgeg.dll Loighj32.exe File opened for modification C:\Windows\SysWOW64\Omnjojpo.exe Onkidm32.exe File created C:\Windows\SysWOW64\Bgeemcfc.dll Napjdpcn.exe File created C:\Windows\SysWOW64\Omnjojpo.exe Onkidm32.exe File opened for modification C:\Windows\SysWOW64\Hnbeeiji.exe Hifmmb32.exe File created C:\Windows\SysWOW64\Joqafgni.exe Jhgiim32.exe File created C:\Windows\SysWOW64\Alelqb32.exe Adndoe32.exe File created C:\Windows\SysWOW64\Accimdgp.dll Jiglnf32.exe File opened for modification C:\Windows\SysWOW64\Odoogi32.exe Oelolmnd.exe File opened for modification C:\Windows\SysWOW64\Pjmjdm32.exe Phonha32.exe File created C:\Windows\SysWOW64\Ejphhm32.dll Aknbkjfh.exe File created C:\Windows\SysWOW64\Abjfai32.dll Adndoe32.exe File created C:\Windows\SysWOW64\Khfclo32.dll Chnbbqpn.exe File created C:\Windows\SysWOW64\Jiglnf32.exe Jghpbk32.exe File created C:\Windows\SysWOW64\Mcpcdg32.exe Mqafhl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12692 12460 WerFault.exe 638 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhkgplb.dll" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpopokm.dll" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll" Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll" Ljdkll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojigdcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giljfddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiqkhgo.dll" Iiopca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maiccajf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnbakghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll" Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" Ohhnbhok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pccahbmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hifmmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlkdj32.dll" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll" Nijqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll" Baannc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iiopca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jleijb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jebfng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkobmnka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoeieolb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npefkf32.dll" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enhpao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbiec32.dll" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaciolc.dll" Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll" Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegcnaoo.dll" Eqiibjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoeieolb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldgkp32.dll" Khlklj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imnocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaghgm32.dll" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coadnlnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2312 wrote to memory of 4672 2312 56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe 90 PID 2312 wrote to memory of 4672 2312 56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe 90 PID 2312 wrote to memory of 4672 2312 56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe 90 PID 4672 wrote to memory of 3800 4672 Kkgiimng.exe 91 PID 4672 wrote to memory of 3800 4672 Kkgiimng.exe 91 PID 4672 wrote to memory of 3800 4672 Kkgiimng.exe 91 PID 3800 wrote to memory of 2828 3800 Kmieae32.exe 92 PID 3800 wrote to memory of 2828 3800 Kmieae32.exe 92 PID 3800 wrote to memory of 2828 3800 Kmieae32.exe 92 PID 2828 wrote to memory of 640 2828 Kdbjhbbd.exe 93 PID 2828 wrote to memory of 640 2828 Kdbjhbbd.exe 93 PID 2828 wrote to memory of 640 2828 Kdbjhbbd.exe 93 PID 640 wrote to memory of 832 640 Lqikmc32.exe 94 PID 640 wrote to memory of 832 640 Lqikmc32.exe 94 PID 640 wrote to memory of 832 640 Lqikmc32.exe 94 PID 832 wrote to memory of 4900 832 Lknojl32.exe 97 PID 832 wrote to memory of 4900 832 Lknojl32.exe 97 PID 832 wrote to memory of 4900 832 Lknojl32.exe 97 PID 4900 wrote to memory of 3948 4900 Lkalplel.exe 98 PID 4900 wrote to memory of 3948 4900 Lkalplel.exe 98 PID 4900 wrote to memory of 3948 4900 Lkalplel.exe 98 PID 3948 wrote to memory of 3040 3948 Lqndhcdc.exe 100 PID 3948 wrote to memory of 3040 3948 Lqndhcdc.exe 100 PID 3948 wrote to memory of 3040 3948 Lqndhcdc.exe 100 PID 3040 wrote to memory of 1652 3040 Lmdemd32.exe 101 PID 3040 wrote to memory of 1652 3040 Lmdemd32.exe 101 PID 3040 wrote to memory of 1652 3040 Lmdemd32.exe 101 PID 1652 wrote to memory of 3336 1652 Lcnmin32.exe 102 PID 1652 wrote to memory of 3336 1652 Lcnmin32.exe 102 PID 1652 wrote to memory of 3336 1652 Lcnmin32.exe 102 PID 3336 wrote to memory of 4200 3336 Lndagg32.exe 103 PID 3336 wrote to memory of 4200 3336 Lndagg32.exe 103 PID 3336 wrote to memory of 4200 3336 Lndagg32.exe 103 PID 4200 wrote to memory of 4832 4200 Lqbncb32.exe 104 PID 4200 wrote to memory of 4832 4200 Lqbncb32.exe 104 PID 4200 wrote to memory of 4832 4200 Lqbncb32.exe 104 PID 4832 wrote to memory of 2316 4832 Lenicahg.exe 105 PID 4832 wrote to memory of 2316 4832 Lenicahg.exe 105 PID 4832 wrote to memory of 2316 4832 Lenicahg.exe 105 PID 2316 wrote to memory of 1512 2316 Mkhapk32.exe 106 PID 2316 wrote to memory of 1512 2316 Mkhapk32.exe 106 PID 2316 wrote to memory of 1512 2316 Mkhapk32.exe 106 PID 1512 wrote to memory of 1548 1512 Mnfnlf32.exe 107 PID 1512 wrote to memory of 1548 1512 Mnfnlf32.exe 107 PID 1512 wrote to memory of 1548 1512 Mnfnlf32.exe 107 PID 1548 wrote to memory of 2400 1548 Madjhb32.exe 108 PID 1548 wrote to memory of 2400 1548 Madjhb32.exe 108 PID 1548 wrote to memory of 2400 1548 Madjhb32.exe 108 PID 2400 wrote to memory of 2188 2400 Mccfdmmo.exe 109 PID 2400 wrote to memory of 2188 2400 Mccfdmmo.exe 109 PID 2400 wrote to memory of 2188 2400 Mccfdmmo.exe 109 PID 2188 wrote to memory of 2788 2188 Mgobel32.exe 110 PID 2188 wrote to memory of 2788 2188 Mgobel32.exe 110 PID 2188 wrote to memory of 2788 2188 Mgobel32.exe 110 PID 2788 wrote to memory of 376 2788 Mnhkbfme.exe 111 PID 2788 wrote to memory of 376 2788 Mnhkbfme.exe 111 PID 2788 wrote to memory of 376 2788 Mnhkbfme.exe 111 PID 376 wrote to memory of 1216 376 Mmkkmc32.exe 112 PID 376 wrote to memory of 1216 376 Mmkkmc32.exe 112 PID 376 wrote to memory of 1216 376 Mmkkmc32.exe 112 PID 1216 wrote to memory of 2276 1216 Mebcop32.exe 113 PID 1216 wrote to memory of 2276 1216 Mebcop32.exe 113 PID 1216 wrote to memory of 2276 1216 Mebcop32.exe 113 PID 2276 wrote to memory of 1532 2276 Mcecjmkl.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe23⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe24⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe25⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe27⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe28⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe29⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe30⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe31⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe32⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe33⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe34⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe35⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe36⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe37⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe38⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe39⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3884 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe41⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe43⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe44⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe45⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3276 -
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe47⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe48⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe49⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe50⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe51⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe52⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe55⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe57⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe59⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe61⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe62⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe63⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe65⤵
- Executes dropped EXE
PID:5148 -
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe66⤵PID:5184
-
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe67⤵
- Drops file in System32 directory
PID:5220 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe68⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe69⤵PID:5292
-
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe70⤵PID:5328
-
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe71⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Omgcpokp.exeC:\Windows\system32\Omgcpokp.exe72⤵PID:5400
-
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe73⤵PID:5440
-
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe75⤵
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe76⤵PID:5548
-
C:\Windows\SysWOW64\Oogpjbbb.exeC:\Windows\system32\Oogpjbbb.exe77⤵PID:5584
-
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe78⤵PID:5620
-
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe79⤵PID:5652
-
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe80⤵PID:5692
-
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe81⤵PID:5748
-
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe82⤵PID:5836
-
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5872 -
C:\Windows\SysWOW64\Plpjoe32.exeC:\Windows\system32\Plpjoe32.exe84⤵PID:5920
-
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe85⤵
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Pehngkcg.exeC:\Windows\system32\Pehngkcg.exe86⤵PID:6008
-
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe87⤵PID:6056
-
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe88⤵
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe89⤵
- Modifies registry class
PID:4740 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe90⤵PID:5144
-
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe91⤵
- Drops file in System32 directory
PID:5204 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe92⤵PID:5252
-
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe93⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe94⤵PID:1332
-
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe95⤵PID:5460
-
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe96⤵PID:5500
-
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe97⤵PID:2244
-
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe98⤵PID:5592
-
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe99⤵PID:4464
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe100⤵PID:5680
-
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5780 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe102⤵PID:5844
-
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe103⤵PID:5760
-
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe104⤵PID:5796
-
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5908 -
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe106⤵PID:5988
-
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe107⤵
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe108⤵PID:3956
-
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe109⤵PID:5156
-
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe110⤵PID:5336
-
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe111⤵PID:5424
-
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe112⤵PID:2744
-
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe113⤵
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe114⤵PID:5636
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe115⤵PID:5728
-
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe116⤵PID:5804
-
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe117⤵PID:5948
-
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe118⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe119⤵PID:6124
-
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe120⤵
- Drops file in System32 directory
PID:5464 -
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5556 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe122⤵
- Drops file in System32 directory
PID:3296
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-