Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 14:38
Behavioral task
behavioral1
Sample
612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe
-
Size
199KB
-
MD5
612bd63e17899da6425bce6318c125d0
-
SHA1
c9687069b87b52cdecf93fd54c7a13806843b156
-
SHA256
4cfc1cfc6fd34247604a37a14e2632b1f8ae5af84d026f77031a2455684b1b65
-
SHA512
3232b174aa90faf0c9a675e3137c1de4cd0198f7abebc2657f28cd3c7220847783ba4201fd924aae795afeaa3fdbe79a712f1e6acee2f7676e9c1b5e31ba91e8
-
SSDEEP
6144:k7x5JWXSZSCZj81+jq4peBK034YOmFz1h:qJvZSCG1+jheBbOmFxh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bobcpmfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnjmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpijnqkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banllbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbknaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmjfmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfoiqll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnnjen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cliaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblngpbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mplhql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laefdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heapdjlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhhamgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmemac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfibe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmnoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjddphlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdhkhjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbbdholl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofeilobp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeemej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgqdlnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblckl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkikkeeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kboljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnlpnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anpncp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefbfgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnldp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjolnaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecppkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cefoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcnhmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmijbcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkbchk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klqcioba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhdil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acocaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cecbmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daolnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoaihhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcckif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffimfqgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkbchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbdolh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdgljmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjeoglgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhmnlcj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00090000000233c1-7.dat family_berbew behavioral2/files/0x00070000000233c8-15.dat family_berbew behavioral2/files/0x00070000000233ca-23.dat family_berbew behavioral2/files/0x00070000000233cc-26.dat family_berbew behavioral2/files/0x00070000000233ce-39.dat family_berbew behavioral2/files/0x00070000000233d0-47.dat family_berbew behavioral2/files/0x00070000000233d2-55.dat family_berbew behavioral2/files/0x00070000000233d4-63.dat family_berbew behavioral2/files/0x00070000000233d6-71.dat family_berbew behavioral2/files/0x00070000000233d8-74.dat family_berbew behavioral2/files/0x00070000000233da-87.dat family_berbew behavioral2/files/0x00070000000233dc-96.dat family_berbew behavioral2/files/0x00070000000233de-103.dat family_berbew behavioral2/files/0x00070000000233e0-111.dat family_berbew behavioral2/files/0x00070000000233e2-119.dat family_berbew behavioral2/files/0x00070000000233e4-127.dat family_berbew behavioral2/files/0x00070000000233e5-135.dat family_berbew behavioral2/files/0x00070000000233e7-143.dat family_berbew behavioral2/files/0x00070000000233e9-151.dat family_berbew behavioral2/files/0x00070000000233eb-160.dat family_berbew behavioral2/files/0x00070000000233ed-167.dat family_berbew behavioral2/files/0x00070000000233ef-175.dat family_berbew behavioral2/files/0x00070000000233f1-183.dat family_berbew behavioral2/files/0x00070000000233f3-191.dat family_berbew behavioral2/files/0x00070000000233f5-199.dat family_berbew behavioral2/files/0x00070000000233f7-207.dat family_berbew behavioral2/files/0x00070000000233f9-215.dat family_berbew behavioral2/files/0x00070000000233fb-223.dat family_berbew behavioral2/files/0x00070000000233fd-231.dat family_berbew behavioral2/files/0x00070000000233ff-239.dat family_berbew behavioral2/files/0x0007000000023401-247.dat family_berbew behavioral2/files/0x0007000000023403-255.dat family_berbew behavioral2/files/0x000700000002340d-282.dat family_berbew behavioral2/files/0x0007000000023411-294.dat family_berbew behavioral2/files/0x0007000000023419-318.dat family_berbew behavioral2/files/0x0007000000023421-342.dat family_berbew behavioral2/files/0x0007000000023435-402.dat family_berbew behavioral2/files/0x0007000000023439-414.dat family_berbew behavioral2/files/0x0007000000023443-444.dat family_berbew behavioral2/files/0x0007000000023449-462.dat family_berbew behavioral2/files/0x000700000002344f-480.dat family_berbew behavioral2/files/0x000700000002345b-516.dat family_berbew behavioral2/files/0x000700000002346d-575.dat family_berbew behavioral2/files/0x000700000002347d-631.dat family_berbew behavioral2/files/0x0007000000023481-645.dat family_berbew behavioral2/files/0x0007000000023499-729.dat family_berbew behavioral2/files/0x000700000002349d-743.dat family_berbew behavioral2/files/0x00070000000234a1-756.dat family_berbew behavioral2/files/0x00070000000234ab-791.dat family_berbew behavioral2/files/0x00070000000234c1-867.dat family_berbew behavioral2/files/0x00070000000234c5-881.dat family_berbew behavioral2/files/0x00070000000234cb-901.dat family_berbew behavioral2/files/0x00070000000234d7-941.dat family_berbew behavioral2/files/0x00070000000234dd-962.dat family_berbew behavioral2/files/0x00070000000234e3-983.dat family_berbew behavioral2/files/0x00070000000234ef-1024.dat family_berbew behavioral2/files/0x00070000000234fd-1072.dat family_berbew behavioral2/files/0x0007000000023515-1153.dat family_berbew behavioral2/files/0x0007000000023519-1167.dat family_berbew behavioral2/files/0x000700000002351f-1188.dat family_berbew behavioral2/files/0x000700000002352b-1230.dat family_berbew behavioral2/files/0x0007000000023531-1251.dat family_berbew behavioral2/files/0x0007000000023537-1270.dat family_berbew behavioral2/files/0x0007000000023547-1326.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1164 Laefdf32.exe 4820 Lgbnmm32.exe 1368 Mnlfigcc.exe 4600 Mgekbljc.exe 4448 Mpmokb32.exe 1692 Mkbchk32.exe 320 Mcnhmm32.exe 2932 Mncmjfmk.exe 2308 Mcpebmkb.exe 448 Mjjmog32.exe 4228 Mdpalp32.exe 1092 Njljefql.exe 1208 Nacbfdao.exe 4028 Nqfbaq32.exe 1564 Nafokcol.exe 4352 Njacpf32.exe 4680 Njcpee32.exe 5012 Njfmke32.exe 3420 Okeieh32.exe 2284 Ogljjiei.exe 1832 Oqdoboli.exe 3520 Ojmcld32.exe 1248 Ocegdjij.exe 2160 Obfhba32.exe 432 Ogcpjhoq.exe 4904 Odgqdlnj.exe 1508 Pkaiqf32.exe 4584 Pbkamqmd.exe 5100 Pnbbbabh.exe 4248 Pcojkhap.exe 540 Pabkdmpi.exe 4256 Pjkombfj.exe 2516 Pcccfh32.exe 4012 Pkjlge32.exe 2664 Qecppkdm.exe 2228 Qgallfcq.exe 4444 Qbgqio32.exe 2832 Qeemej32.exe 4948 Qjbena32.exe 1984 Aegikj32.exe 1252 Alabgd32.exe 4316 Anpncp32.exe 4296 Acmflf32.exe 4452 Ajfoiqll.exe 4632 Aaqgek32.exe 1472 Acocaf32.exe 3344 Andgoobc.exe 4936 Aeopki32.exe 1724 Ajkhdp32.exe 3512 Aaepqjpd.exe 4988 Adcmmeog.exe 3708 Aniajnnn.exe 4788 Bahmfj32.exe 3304 Bdfibe32.exe 3972 Bnlnon32.exe 3168 Bdhfhe32.exe 2064 Bnnjen32.exe 1708 Balfaiil.exe 2660 Blbknaib.exe 3044 Bblckl32.exe 1380 Bdmpcdfm.exe 3484 Bobcpmfc.exe 408 Bbnpqk32.exe 876 Bhkhibmc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Conclk32.exe Clpgpp32.exe File created C:\Windows\SysWOW64\Helfik32.exe Hbnjmp32.exe File created C:\Windows\SysWOW64\Ncnkogdb.dll Bnnjen32.exe File created C:\Windows\SysWOW64\Mkijij32.dll Cndikf32.exe File created C:\Windows\SysWOW64\Bidjkmlh.dll Lgbnmm32.exe File created C:\Windows\SysWOW64\Blbknaib.exe Balfaiil.exe File opened for modification C:\Windows\SysWOW64\Jioaqfcc.exe Jbeidl32.exe File created C:\Windows\SysWOW64\Jilkmnni.dll Ojoign32.exe File opened for modification C:\Windows\SysWOW64\Okeieh32.exe Njfmke32.exe File created C:\Windows\SysWOW64\Cleqadmh.dll Andgoobc.exe File created C:\Windows\SysWOW64\Ingbah32.dll Lebkhc32.exe File created C:\Windows\SysWOW64\Mplhql32.exe Mmnldp32.exe File opened for modification C:\Windows\SysWOW64\Njnpppkn.exe Ngpccdlj.exe File opened for modification C:\Windows\SysWOW64\Ncianepl.exe Nnlhfn32.exe File created C:\Windows\SysWOW64\Dchfiejc.dll Cdhhdlid.exe File created C:\Windows\SysWOW64\Nafokcol.exe Nqfbaq32.exe File created C:\Windows\SysWOW64\Fdmlkkap.dll Pkjlge32.exe File created C:\Windows\SysWOW64\Pjkolmml.dll Fakdpb32.exe File opened for modification C:\Windows\SysWOW64\Imdgqfbd.exe Ifjodl32.exe File created C:\Windows\SysWOW64\Qmkadgpo.exe Pjmehkqk.exe File opened for modification C:\Windows\SysWOW64\Bhhdil32.exe Banllbdn.exe File created C:\Windows\SysWOW64\Ngpccdlj.exe Ndaggimg.exe File created C:\Windows\SysWOW64\Hfligghk.dll Njciko32.exe File created C:\Windows\SysWOW64\Geegicjl.dll Mcpebmkb.exe File created C:\Windows\SysWOW64\Nmogab32.dll Demecd32.exe File opened for modification C:\Windows\SysWOW64\Dedkdcie.exe Dceohhja.exe File created C:\Windows\SysWOW64\Dlncan32.exe Dedkdcie.exe File created C:\Windows\SysWOW64\Fllifblf.dll Jbeidl32.exe File opened for modification C:\Windows\SysWOW64\Lpnlpnih.exe Leihbeib.exe File created C:\Windows\SysWOW64\Amddjegd.exe Afjlnk32.exe File opened for modification C:\Windows\SysWOW64\Acocaf32.exe Aaqgek32.exe File created C:\Windows\SysWOW64\Ghkmacoj.dll Jehokgge.exe File created C:\Windows\SysWOW64\Bnecbhin.dll Mgagbf32.exe File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe Dhocqigp.exe File created C:\Windows\SysWOW64\Mgekbljc.exe Mnlfigcc.exe File opened for modification C:\Windows\SysWOW64\Opakbi32.exe Oflgep32.exe File opened for modification C:\Windows\SysWOW64\Jmpgldhg.exe Jehokgge.exe File created C:\Windows\SysWOW64\Kmkfhc32.exe Kedoge32.exe File opened for modification C:\Windows\SysWOW64\Qmkadgpo.exe Pjmehkqk.exe File opened for modification C:\Windows\SysWOW64\Bhkhibmc.exe Bbnpqk32.exe File created C:\Windows\SysWOW64\Dhpjkojk.exe Dohfbj32.exe File opened for modification C:\Windows\SysWOW64\Nnqbanmo.exe Nfjjppmm.exe File created C:\Windows\SysWOW64\Cnffqf32.exe Cfpnph32.exe File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe Daqbip32.exe File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe Daconoae.exe File created C:\Windows\SysWOW64\Flqimk32.exe Fdialn32.exe File created C:\Windows\SysWOW64\Hmjfkopm.dll Ffimfqgm.exe File created C:\Windows\SysWOW64\Ncmlocln.dll Kdgljmcd.exe File created C:\Windows\SysWOW64\Lemphdgj.dll Menjdbgj.exe File created C:\Windows\SysWOW64\Ceqnmpfo.exe Cnffqf32.exe File created C:\Windows\SysWOW64\Ipdejo32.dll Imoneg32.exe File created C:\Windows\SysWOW64\Gqffpbnb.dll Ojmcld32.exe File created C:\Windows\SysWOW64\Bkjhib32.dll Aaqgek32.exe File created C:\Windows\SysWOW64\Cecenn32.dll Doeiljfn.exe File created C:\Windows\SysWOW64\Bffkij32.exe Bchomn32.exe File opened for modification C:\Windows\SysWOW64\Laefdf32.exe 612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Ilidbbgl.exe Ifllil32.exe File created C:\Windows\SysWOW64\Mmcdaagm.dll Ocgmpccl.exe File created C:\Windows\SysWOW64\Lpggmhkg.dll Cajlhqjp.exe File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Bblckl32.exe Blbknaib.exe File created C:\Windows\SysWOW64\Fkgoikdb.dll Imdgqfbd.exe File created C:\Windows\SysWOW64\Ndokbi32.exe Mnebeogl.exe File created C:\Windows\SysWOW64\Pclgkb32.exe Pqmjog32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8568 8476 WerFault.exe 398 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfgefhai.dll" Helfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmlpoqpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adgbpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpmokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll" Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll" Lpnlpnih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikhen32.dll" Gdqgmmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iehfdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnlpnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll" Mgfqmfde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkdbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll" Mplhql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll" Mjjmog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpnkama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll" Imdgqfbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Menjdbgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll" Hckjacjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpqiemge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll" Melnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Helfik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bahmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epogol32.dll" Pcccfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkojgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll" Jpijnqkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajfoiqll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dceohhja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll" Lepncd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjddphlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenahpha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkdbpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoiafcic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeanii32.dll" Jmhale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll" Ajanck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oflgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffpbnb.dll" Ojmcld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlmllkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbgqio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdencjac.dll" Bobcpmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlcifmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" Nlmllkja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnlnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkgldj32.dll" Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmbha32.dll" Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll" Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" Ofeilobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdialn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjegoo32.dll" Hbpgbo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1328 wrote to memory of 1164 1328 612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe 81 PID 1328 wrote to memory of 1164 1328 612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe 81 PID 1328 wrote to memory of 1164 1328 612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe 81 PID 1164 wrote to memory of 4820 1164 Laefdf32.exe 82 PID 1164 wrote to memory of 4820 1164 Laefdf32.exe 82 PID 1164 wrote to memory of 4820 1164 Laefdf32.exe 82 PID 4820 wrote to memory of 1368 4820 Lgbnmm32.exe 83 PID 4820 wrote to memory of 1368 4820 Lgbnmm32.exe 83 PID 4820 wrote to memory of 1368 4820 Lgbnmm32.exe 83 PID 1368 wrote to memory of 4600 1368 Mnlfigcc.exe 84 PID 1368 wrote to memory of 4600 1368 Mnlfigcc.exe 84 PID 1368 wrote to memory of 4600 1368 Mnlfigcc.exe 84 PID 4600 wrote to memory of 4448 4600 Mgekbljc.exe 85 PID 4600 wrote to memory of 4448 4600 Mgekbljc.exe 85 PID 4600 wrote to memory of 4448 4600 Mgekbljc.exe 85 PID 4448 wrote to memory of 1692 4448 Mpmokb32.exe 86 PID 4448 wrote to memory of 1692 4448 Mpmokb32.exe 86 PID 4448 wrote to memory of 1692 4448 Mpmokb32.exe 86 PID 1692 wrote to memory of 320 1692 Mkbchk32.exe 87 PID 1692 wrote to memory of 320 1692 Mkbchk32.exe 87 PID 1692 wrote to memory of 320 1692 Mkbchk32.exe 87 PID 320 wrote to memory of 2932 320 Mcnhmm32.exe 88 PID 320 wrote to memory of 2932 320 Mcnhmm32.exe 88 PID 320 wrote to memory of 2932 320 Mcnhmm32.exe 88 PID 2932 wrote to memory of 2308 2932 Mncmjfmk.exe 89 PID 2932 wrote to memory of 2308 2932 Mncmjfmk.exe 89 PID 2932 wrote to memory of 2308 2932 Mncmjfmk.exe 89 PID 2308 wrote to memory of 448 2308 Mcpebmkb.exe 90 PID 2308 wrote to memory of 448 2308 Mcpebmkb.exe 90 PID 2308 wrote to memory of 448 2308 Mcpebmkb.exe 90 PID 448 wrote to memory of 4228 448 Mjjmog32.exe 91 PID 448 wrote to memory of 4228 448 Mjjmog32.exe 91 PID 448 wrote to memory of 4228 448 Mjjmog32.exe 91 PID 4228 wrote to memory of 1092 4228 Mdpalp32.exe 92 PID 4228 wrote to memory of 1092 4228 Mdpalp32.exe 92 PID 4228 wrote to memory of 1092 4228 Mdpalp32.exe 92 PID 1092 wrote to memory of 1208 1092 Njljefql.exe 93 PID 1092 wrote to memory of 1208 1092 Njljefql.exe 93 PID 1092 wrote to memory of 1208 1092 Njljefql.exe 93 PID 1208 wrote to memory of 4028 1208 Nacbfdao.exe 94 PID 1208 wrote to memory of 4028 1208 Nacbfdao.exe 94 PID 1208 wrote to memory of 4028 1208 Nacbfdao.exe 94 PID 4028 wrote to memory of 1564 4028 Nqfbaq32.exe 95 PID 4028 wrote to memory of 1564 4028 Nqfbaq32.exe 95 PID 4028 wrote to memory of 1564 4028 Nqfbaq32.exe 95 PID 1564 wrote to memory of 4352 1564 Nafokcol.exe 96 PID 1564 wrote to memory of 4352 1564 Nafokcol.exe 96 PID 1564 wrote to memory of 4352 1564 Nafokcol.exe 96 PID 4352 wrote to memory of 4680 4352 Njacpf32.exe 97 PID 4352 wrote to memory of 4680 4352 Njacpf32.exe 97 PID 4352 wrote to memory of 4680 4352 Njacpf32.exe 97 PID 4680 wrote to memory of 5012 4680 Njcpee32.exe 98 PID 4680 wrote to memory of 5012 4680 Njcpee32.exe 98 PID 4680 wrote to memory of 5012 4680 Njcpee32.exe 98 PID 5012 wrote to memory of 3420 5012 Njfmke32.exe 99 PID 5012 wrote to memory of 3420 5012 Njfmke32.exe 99 PID 5012 wrote to memory of 3420 5012 Njfmke32.exe 99 PID 3420 wrote to memory of 2284 3420 Okeieh32.exe 100 PID 3420 wrote to memory of 2284 3420 Okeieh32.exe 100 PID 3420 wrote to memory of 2284 3420 Okeieh32.exe 100 PID 2284 wrote to memory of 1832 2284 Ogljjiei.exe 101 PID 2284 wrote to memory of 1832 2284 Ogljjiei.exe 101 PID 2284 wrote to memory of 1832 2284 Ogljjiei.exe 101 PID 1832 wrote to memory of 3520 1832 Oqdoboli.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\612bd63e17899da6425bce6318c125d0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe24⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe25⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe26⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe28⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe29⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe30⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe31⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe32⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe33⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4012 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe37⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4444 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe40⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe41⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe42⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe44⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4452 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4632 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3344 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe49⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe50⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe51⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe52⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe53⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4788 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe57⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe62⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3484 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe65⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe66⤵PID:3744
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe67⤵PID:5088
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1852 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe69⤵PID:1080
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe70⤵PID:2684
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe71⤵PID:1524
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe73⤵PID:3992
-
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3260 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe76⤵PID:3508
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4952 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe78⤵PID:4036
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4048 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe80⤵PID:2152
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe81⤵PID:3080
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe82⤵
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe83⤵
- Drops file in System32 directory
PID:4024 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe84⤵PID:3332
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe85⤵
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe86⤵PID:1928
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:4520 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe88⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe89⤵PID:2196
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe90⤵PID:1760
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe91⤵PID:3904
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe92⤵PID:2936
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe93⤵PID:1060
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe94⤵PID:1408
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe95⤵PID:5040
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4488 -
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe97⤵PID:696
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe98⤵PID:4992
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe99⤵PID:3772
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe100⤵PID:4476
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe102⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe103⤵PID:2876
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe104⤵PID:5092
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe105⤵PID:1312
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3660 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3648 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe108⤵PID:4880
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe109⤵PID:3928
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe110⤵PID:1624
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe111⤵PID:3124
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe112⤵PID:2848
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe113⤵
- Drops file in System32 directory
PID:4920 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:5064 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe115⤵PID:2008
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe116⤵PID:624
-
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe118⤵PID:972
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe119⤵
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe120⤵PID:3464
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe121⤵PID:2040
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe122⤵PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-