Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11-05-2024 06:13
Behavioral task
behavioral1
Sample
907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe
-
Size
89KB
-
MD5
907b3b677b8bff6d483e2f8b2a6c07c0
-
SHA1
ff891ff22f1b4221c741dc3ce6d5981f0674216c
-
SHA256
bf2d31dd6a306b62ded7aac32a771279c3d211c0caac5a9657bbb9ad5c80211c
-
SHA512
f3c0c75092467968f35dff49b2bef4eeac9ceb3eeaae0a7b106b7971b047d01db44512efa0c73a07ca89fac48d46175fd7f6c4637253ca4df1b4362c4188ec2d
-
SSDEEP
1536:hotb6uZGNwZ261IY1qXLdoTXw5gj/9eXD1u2/1FdRQvED68a+VMKKTRVGFtUhQf1:mp6w04/1INL+TXw5G9C1u2ndev1r4MKr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlglfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmjjoig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmniml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlgfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caageq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeekkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bqkill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jglklggl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pemomqcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lggejg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngomin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpjgaoqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjapcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnicid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impliekg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgipcogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igedlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Laqhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gipdap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpofii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohmhmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Illfdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfklhhcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epikpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkmgblok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Haoimcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igjeanmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcelmhen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjnffjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmdhcddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jocefm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmmfmhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnhpoamf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fplpll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpkibf32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000700000002328e-6.dat family_berbew behavioral2/files/0x0007000000023414-14.dat family_berbew behavioral2/files/0x0007000000023416-22.dat family_berbew behavioral2/files/0x0007000000023418-30.dat family_berbew behavioral2/files/0x000700000002341a-39.dat family_berbew behavioral2/files/0x000700000002341c-46.dat family_berbew behavioral2/files/0x000700000002341e-54.dat family_berbew behavioral2/files/0x0007000000023420-62.dat family_berbew behavioral2/files/0x0007000000023422-70.dat family_berbew behavioral2/files/0x0007000000023424-78.dat family_berbew behavioral2/files/0x0007000000023426-88.dat family_berbew behavioral2/files/0x0007000000023428-96.dat family_berbew behavioral2/files/0x000700000002342a-105.dat family_berbew behavioral2/files/0x000700000002342c-115.dat family_berbew behavioral2/files/0x000700000002342e-123.dat family_berbew behavioral2/files/0x0007000000023430-132.dat family_berbew behavioral2/files/0x0007000000023432-141.dat family_berbew behavioral2/files/0x0007000000023434-150.dat family_berbew behavioral2/files/0x0007000000023436-159.dat family_berbew behavioral2/files/0x0007000000023438-168.dat family_berbew behavioral2/files/0x000700000002343a-171.dat family_berbew behavioral2/files/0x000700000002343a-176.dat family_berbew behavioral2/files/0x0008000000023411-185.dat family_berbew behavioral2/files/0x000700000002343d-193.dat family_berbew behavioral2/files/0x000700000002343f-201.dat family_berbew behavioral2/files/0x0007000000023441-209.dat family_berbew behavioral2/files/0x0007000000023443-217.dat family_berbew behavioral2/files/0x0007000000023445-226.dat family_berbew behavioral2/files/0x0007000000023447-235.dat family_berbew behavioral2/files/0x000800000002344b-244.dat family_berbew behavioral2/files/0x000700000002344c-253.dat family_berbew behavioral2/files/0x000800000002344e-262.dat family_berbew behavioral2/files/0x0004000000022abf-271.dat family_berbew behavioral2/files/0x000700000002345c-310.dat family_berbew behavioral2/files/0x0007000000023484-491.dat family_berbew behavioral2/files/0x00070000000234b7-677.dat family_berbew behavioral2/files/0x00070000000234d7-788.dat family_berbew behavioral2/files/0x00070000000234ef-872.dat family_berbew behavioral2/files/0x00070000000234f1-880.dat family_berbew behavioral2/files/0x00070000000234fd-921.dat family_berbew behavioral2/files/0x0007000000023501-935.dat family_berbew behavioral2/files/0x0007000000023507-956.dat family_berbew behavioral2/files/0x000700000002350b-970.dat family_berbew behavioral2/files/0x000700000002350d-978.dat family_berbew behavioral2/files/0x0007000000023511-991.dat family_berbew behavioral2/files/0x0007000000023519-1019.dat family_berbew behavioral2/files/0x0007000000023525-1061.dat family_berbew behavioral2/files/0x000700000002352b-1082.dat family_berbew behavioral2/files/0x0007000000023531-1103.dat family_berbew behavioral2/files/0x0007000000023535-1117.dat family_berbew behavioral2/files/0x000700000002353b-1138.dat family_berbew behavioral2/files/0x0007000000023545-1173.dat family_berbew behavioral2/files/0x000700000002355d-1257.dat family_berbew behavioral2/files/0x0007000000023565-1285.dat family_berbew behavioral2/files/0x0007000000023569-1299.dat family_berbew behavioral2/files/0x0007000000023573-1334.dat family_berbew behavioral2/files/0x000700000002357f-1376.dat family_berbew behavioral2/files/0x0007000000023583-1389.dat family_berbew behavioral2/files/0x0007000000023589-1410.dat family_berbew behavioral2/files/0x0007000000023591-1438.dat family_berbew behavioral2/files/0x000700000002359b-1473.dat family_berbew behavioral2/files/0x000700000002359f-1487.dat family_berbew behavioral2/files/0x00070000000235a7-1515.dat family_berbew behavioral2/files/0x00070000000235b1-1550.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4512 Ghniielm.exe 632 Gohaeo32.exe 4244 Gafmaj32.exe 4296 Ghpendjj.exe 2012 Gkobjpin.exe 4964 Gfdfgiid.exe 2476 Gdgfce32.exe 5032 Gkaopp32.exe 2032 Hakgmjoh.exe 2868 Hheoid32.exe 2408 Hkckeo32.exe 864 Hbmcbime.exe 2272 Hhgloc32.exe 4616 Hkehkocf.exe 3208 Hoadkn32.exe 1252 Hfklhhcl.exe 3864 Hglipp32.exe 700 Hgoeep32.exe 3932 Hbdjchgn.exe 388 Hkmnln32.exe 4996 Ibffhhek.exe 4600 Igcoqocb.exe 4424 Inmgmijo.exe 4088 Ifdonfka.exe 1788 Ifgldfio.exe 3548 Ighhln32.exe 2620 Inbqhhfj.exe 804 Igjeanmj.exe 1044 Ifleoe32.exe 1444 Jodjhkkj.exe 4324 Jeqbpb32.exe 1640 Jgonlm32.exe 1140 Jfpojead.exe 3628 Jiokfpph.exe 1432 Jkmgblok.exe 912 Jeekkafl.exe 5116 Jgdhgmep.exe 3040 Jbileede.exe 4272 Jkaqnk32.exe 3652 Jpmlnjco.exe 1816 Jejefqaf.exe 1412 Jghabl32.exe 4772 Kppici32.exe 376 Kfjapcii.exe 704 Kihnmohm.exe 4808 Klfjijgq.exe 760 Kpbfii32.exe 2172 Knefeffd.exe 2992 Khmknk32.exe 1384 Kbbokdlk.exe 3816 Kimghn32.exe 3668 Kpgodhkd.exe 4664 Kfqgab32.exe 4596 Kechmoil.exe 404 Klmpiiai.exe 1812 Kbghfc32.exe 2948 Kfcdfbqo.exe 828 Lhdqnj32.exe 1272 Lpkiph32.exe 3608 Lbjelc32.exe 3272 Lfealaol.exe 4528 Lidmhmnp.exe 3332 Lhfmdj32.exe 4556 Lpneegel.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lfealaol.exe Lbjelc32.exe File created C:\Windows\SysWOW64\Bnhpfjhc.dll Obcceg32.exe File created C:\Windows\SysWOW64\Bmlilh32.exe Bhamkipi.exe File created C:\Windows\SysWOW64\Cmcolgbj.exe Cjecpkcg.exe File created C:\Windows\SysWOW64\Paedlhhc.dll Meepdp32.exe File opened for modification C:\Windows\SysWOW64\Dnpdegjp.exe Dkahilkl.exe File created C:\Windows\SysWOW64\Gikgni32.dll Bkibgh32.exe File created C:\Windows\SysWOW64\Hgelek32.exe Gpkchqdj.exe File created C:\Windows\SysWOW64\Jdgafjpn.exe Jbiejoaj.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Qhjmdp32.exe File created C:\Windows\SysWOW64\Cpmapodj.exe Boldhf32.exe File created C:\Windows\SysWOW64\Pcepkfld.exe Pkogiikb.exe File created C:\Windows\SysWOW64\Akamff32.exe Alnmjjdb.exe File created C:\Windows\SysWOW64\Nphihiif.dll Oclkgccf.exe File opened for modification C:\Windows\SysWOW64\Khmknk32.exe Knefeffd.exe File created C:\Windows\SysWOW64\Ipncng32.dll Kpgodhkd.exe File opened for modification C:\Windows\SysWOW64\Npedmdab.exe Nbadcpbh.exe File created C:\Windows\SysWOW64\Ddcqedkk.exe Daediilg.exe File opened for modification C:\Windows\SysWOW64\Ghhhcomg.exe Gpaqbbld.exe File created C:\Windows\SysWOW64\Aleckinj.exe Ajggomog.exe File created C:\Windows\SysWOW64\Pbmmao32.dll Gdcliikj.exe File opened for modification C:\Windows\SysWOW64\Malpia32.exe Mnmdme32.exe File opened for modification C:\Windows\SysWOW64\Hakgmjoh.exe Gkaopp32.exe File created C:\Windows\SysWOW64\Qeekll32.dll Ehailbaa.exe File created C:\Windows\SysWOW64\Knhakh32.exe Kkjeomld.exe File created C:\Windows\SysWOW64\Ngbjmd32.dll Pahilmoc.exe File created C:\Windows\SysWOW64\Ongbqjjf.dll Dooaoj32.exe File opened for modification C:\Windows\SysWOW64\Ibhkfm32.exe Ipjoja32.exe File created C:\Windows\SysWOW64\Eeccjdie.dll Klhnfo32.exe File opened for modification C:\Windows\SysWOW64\Kpbfii32.exe Klfjijgq.exe File created C:\Windows\SysWOW64\Piomhofd.dll Injcmc32.exe File created C:\Windows\SysWOW64\Lebcnn32.dll Oaqbkn32.exe File created C:\Windows\SysWOW64\Bebjdgmj.exe Bnkbcj32.exe File created C:\Windows\SysWOW64\Heeeiopa.dll Chlflabp.exe File opened for modification C:\Windows\SysWOW64\Eifaim32.exe Efgemb32.exe File created C:\Windows\SysWOW64\Glkmmefl.exe Geaepk32.exe File created C:\Windows\SysWOW64\Pqlhmf32.dll Hoclopne.exe File created C:\Windows\SysWOW64\Kihnmohm.exe Kfjapcii.exe File opened for modification C:\Windows\SysWOW64\Biadeoce.exe Bcelmhen.exe File created C:\Windows\SysWOW64\Dpabql32.dll Hjchaf32.exe File opened for modification C:\Windows\SysWOW64\Ibmeoq32.exe Iggaah32.exe File created C:\Windows\SysWOW64\Kgjgne32.exe Kelkaj32.exe File created C:\Windows\SysWOW64\Abbkcpma.exe Aodogdmn.exe File created C:\Windows\SysWOW64\Iggjga32.exe Icknfcol.exe File opened for modification C:\Windows\SysWOW64\Jjoiil32.exe Jgpmmp32.exe File created C:\Windows\SysWOW64\Mnhkbfme.exe Mkjnfkma.exe File created C:\Windows\SysWOW64\Jbnffffp.dll Odoogi32.exe File created C:\Windows\SysWOW64\Haoimcgg.exe Hjhalefe.exe File created C:\Windows\SysWOW64\Mhielqhi.dll Jnpfop32.exe File created C:\Windows\SysWOW64\Fdepgkgj.exe Fpjcgm32.exe File opened for modification C:\Windows\SysWOW64\Hmechmip.exe Hkfglb32.exe File created C:\Windows\SysWOW64\Ifaciolc.dll Efpomccg.exe File created C:\Windows\SysWOW64\Jbhfhgch.dll Kfnfjehl.exe File created C:\Windows\SysWOW64\Mqdcnl32.exe Mjjkaabc.exe File opened for modification C:\Windows\SysWOW64\Pmblagmf.exe Pjdpelnc.exe File created C:\Windows\SysWOW64\Pipeabep.dll Caageq32.exe File created C:\Windows\SysWOW64\Fdffbake.exe Fagjfflb.exe File opened for modification C:\Windows\SysWOW64\Kjpijpdg.exe Kinmcg32.exe File created C:\Windows\SysWOW64\Abponp32.exe Aoabad32.exe File created C:\Windows\SysWOW64\Dfefkkqp.exe Ccgjopal.exe File created C:\Windows\SysWOW64\Dbdplc32.dll Ljaoeini.exe File created C:\Windows\SysWOW64\Jgbchj32.exe Jphkkpbp.exe File created C:\Windows\SysWOW64\Bgemej32.dll Ncqlkemc.exe File opened for modification C:\Windows\SysWOW64\Kjhcjq32.exe Kgjgne32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17380 17300 WerFault.exe 1067 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbeojmh.dll" Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jiokfpph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papdfone.dll" Mhilfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elnoopdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akqfkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnchkf32.dll" Iahlcaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoell32.dll" Glipgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aokkahlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epmmqheb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Biogppeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oekiqccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnidloo.dll" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnkfijp.dll" 907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmniml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdckomdh.dll" Mfhfhong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmoekkn.dll" Cadlbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Leenhhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhmqdemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnecgoki.dll" Kniieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojmmbg.dll" Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfcklij.dll" Clchbqoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjbcplpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojhpimhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paiogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghlhg32.dll" Igjeanmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jiokfpph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkohe32.dll" Mglfplgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll" Ppgegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbqklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqkill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodneg32.dll" Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nihipdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qofcff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnefj32.dll" Mehjol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ealkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gologg32.dll" Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mokmdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkibgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpqodfij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpkchqdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oocmii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll" Nfcabp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2288 wrote to memory of 4512 2288 907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe 82 PID 2288 wrote to memory of 4512 2288 907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe 82 PID 2288 wrote to memory of 4512 2288 907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe 82 PID 4512 wrote to memory of 632 4512 Ghniielm.exe 83 PID 4512 wrote to memory of 632 4512 Ghniielm.exe 83 PID 4512 wrote to memory of 632 4512 Ghniielm.exe 83 PID 632 wrote to memory of 4244 632 Gohaeo32.exe 84 PID 632 wrote to memory of 4244 632 Gohaeo32.exe 84 PID 632 wrote to memory of 4244 632 Gohaeo32.exe 84 PID 4244 wrote to memory of 4296 4244 Gafmaj32.exe 85 PID 4244 wrote to memory of 4296 4244 Gafmaj32.exe 85 PID 4244 wrote to memory of 4296 4244 Gafmaj32.exe 85 PID 4296 wrote to memory of 2012 4296 Ghpendjj.exe 86 PID 4296 wrote to memory of 2012 4296 Ghpendjj.exe 86 PID 4296 wrote to memory of 2012 4296 Ghpendjj.exe 86 PID 2012 wrote to memory of 4964 2012 Gkobjpin.exe 88 PID 2012 wrote to memory of 4964 2012 Gkobjpin.exe 88 PID 2012 wrote to memory of 4964 2012 Gkobjpin.exe 88 PID 4964 wrote to memory of 2476 4964 Gfdfgiid.exe 89 PID 4964 wrote to memory of 2476 4964 Gfdfgiid.exe 89 PID 4964 wrote to memory of 2476 4964 Gfdfgiid.exe 89 PID 2476 wrote to memory of 5032 2476 Gdgfce32.exe 91 PID 2476 wrote to memory of 5032 2476 Gdgfce32.exe 91 PID 2476 wrote to memory of 5032 2476 Gdgfce32.exe 91 PID 5032 wrote to memory of 2032 5032 Gkaopp32.exe 92 PID 5032 wrote to memory of 2032 5032 Gkaopp32.exe 92 PID 5032 wrote to memory of 2032 5032 Gkaopp32.exe 92 PID 2032 wrote to memory of 2868 2032 Hakgmjoh.exe 93 PID 2032 wrote to memory of 2868 2032 Hakgmjoh.exe 93 PID 2032 wrote to memory of 2868 2032 Hakgmjoh.exe 93 PID 2868 wrote to memory of 2408 2868 Hheoid32.exe 94 PID 2868 wrote to memory of 2408 2868 Hheoid32.exe 94 PID 2868 wrote to memory of 2408 2868 Hheoid32.exe 94 PID 2408 wrote to memory of 864 2408 Hkckeo32.exe 96 PID 2408 wrote to memory of 864 2408 Hkckeo32.exe 96 PID 2408 wrote to memory of 864 2408 Hkckeo32.exe 96 PID 864 wrote to memory of 2272 864 Hbmcbime.exe 97 PID 864 wrote to memory of 2272 864 Hbmcbime.exe 97 PID 864 wrote to memory of 2272 864 Hbmcbime.exe 97 PID 2272 wrote to memory of 4616 2272 Hhgloc32.exe 98 PID 2272 wrote to memory of 4616 2272 Hhgloc32.exe 98 PID 2272 wrote to memory of 4616 2272 Hhgloc32.exe 98 PID 4616 wrote to memory of 3208 4616 Hkehkocf.exe 99 PID 4616 wrote to memory of 3208 4616 Hkehkocf.exe 99 PID 4616 wrote to memory of 3208 4616 Hkehkocf.exe 99 PID 3208 wrote to memory of 1252 3208 Hoadkn32.exe 100 PID 3208 wrote to memory of 1252 3208 Hoadkn32.exe 100 PID 3208 wrote to memory of 1252 3208 Hoadkn32.exe 100 PID 1252 wrote to memory of 3864 1252 Hfklhhcl.exe 101 PID 1252 wrote to memory of 3864 1252 Hfklhhcl.exe 101 PID 1252 wrote to memory of 3864 1252 Hfklhhcl.exe 101 PID 3864 wrote to memory of 700 3864 Hglipp32.exe 102 PID 3864 wrote to memory of 700 3864 Hglipp32.exe 102 PID 3864 wrote to memory of 700 3864 Hglipp32.exe 102 PID 700 wrote to memory of 3932 700 Hgoeep32.exe 103 PID 700 wrote to memory of 3932 700 Hgoeep32.exe 103 PID 700 wrote to memory of 3932 700 Hgoeep32.exe 103 PID 3932 wrote to memory of 388 3932 Hbdjchgn.exe 104 PID 3932 wrote to memory of 388 3932 Hbdjchgn.exe 104 PID 3932 wrote to memory of 388 3932 Hbdjchgn.exe 104 PID 388 wrote to memory of 4996 388 Hkmnln32.exe 105 PID 388 wrote to memory of 4996 388 Hkmnln32.exe 105 PID 388 wrote to memory of 4996 388 Hkmnln32.exe 105 PID 4996 wrote to memory of 4600 4996 Ibffhhek.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\907b3b677b8bff6d483e2f8b2a6c07c0_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe23⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe24⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe25⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe26⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe27⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe28⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe30⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe31⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe32⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe33⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe34⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3628 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe38⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe39⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe40⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe41⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe42⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe43⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe44⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe46⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4808 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe48⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe50⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe51⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe52⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3668 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe54⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe55⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe56⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe57⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe58⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe59⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe60⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe62⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe63⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe64⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe65⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe66⤵PID:4660
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe67⤵PID:3220
-
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe68⤵PID:3972
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe69⤵PID:2912
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe70⤵PID:1404
-
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe71⤵PID:1264
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe72⤵PID:1724
-
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe73⤵PID:4976
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe75⤵
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe76⤵PID:5088
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe77⤵PID:1604
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe78⤵PID:2044
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe79⤵PID:3536
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe80⤵PID:3800
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe81⤵PID:5036
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe82⤵PID:2504
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe83⤵PID:1948
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe84⤵PID:4524
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe85⤵PID:2760
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe86⤵PID:3416
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe87⤵PID:3924
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe88⤵PID:1084
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe89⤵PID:808
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe90⤵PID:512
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe91⤵PID:3452
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe92⤵PID:1572
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe93⤵PID:1932
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe94⤵
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe95⤵PID:1792
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe96⤵PID:1220
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe97⤵
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe98⤵PID:1608
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe99⤵PID:2372
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe100⤵PID:3656
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe101⤵PID:5108
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe102⤵PID:5136
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe104⤵PID:5232
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe105⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe106⤵PID:5316
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe108⤵PID:5404
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe109⤵PID:5448
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe110⤵PID:5492
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe111⤵PID:5536
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe112⤵PID:5580
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe113⤵PID:5624
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe114⤵PID:5668
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe115⤵PID:5712
-
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe116⤵PID:5756
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe117⤵PID:5800
-
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe118⤵PID:5844
-
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe119⤵PID:5888
-
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe120⤵PID:5932
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe121⤵PID:5976
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-