Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/05/2024, 16:36
Behavioral task behavioral1: Sample 2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe, Resource win7-20240508-en
Behavioral task behavioral2: Sample 2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe, Resource win10v2004-20240508-en
General
Target: 2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe
Size: 199KB
MD5: 2ec10cc8461a5dc81a09ad0d119113f0
SHA1: 875cc477490b43e00f1bdeb852c06523838f980a
SHA256: 3a55cd4c03cc9f27c1d54592d95d764c6e72db65dc2678527b2d2c932400b43d
SHA512: 54ee9dcab819c0e7a8e6e2779bedd0f8496f43f0bab4b3da3e3a591e2537892e8223b369828680f8f987c0b64eae861453999f5a3f01de307e24a562a09c83a1
SSDEEP: 6144:GWjzV8/hSZSCZj81+jq4peBK034YOmFz1h:Gc+cZSCG1+jheBbOmFxh
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description: Key created
ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (35): Cogmkl32.exe, Fhemmlhc.exe, Gofkje32.exe, Bopgjmhe.exe, Iikhfg32.exe, Jehokgge.exe, Kikame32.exe, Qceiaa32.exe, Afhohlbj.exe, Adapgfqj.exe, Beeflhdh.exe, Fkffog32.exe, Jeklag32.exe, Kefkme32.exe, Dmjocp32.exe, Chjaol32.exe, Lljfpnjg.exe, Bobcpmfc.exe, Dbaemi32.exe, Ifjodl32.exe, Jlednamo.exe, Abbpem32.exe, Ilidbbgl.exe, Dmcibama.exe, Dhbgqohi.exe, Imoneg32.exe, Clpgpp32.exe, Imakkfdg.exe, Jfoiokfb.exe, Ecjhcg32.exe, Mmlpoqpg.exe, Odocigqg.exe, Pflplnlg.exe, Ckedalaj.exe, Ddpeoafg.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (29): Hckjacjg.exe, Lmppcbjd.exe, Abpcon32.exe, Cnicfe32.exe, Ceckcp32.exe, Immapg32.exe, Pcijeb32.exe, Npfkgjdn.exe, Ilidbbgl.exe, Ajkhdp32.exe, Bemlmgnp.exe, Kikame32.exe, Iicbehnq.exe, Kipkhdeq.exe, Nckndeni.exe, Iikhfg32.exe, Nlmllkja.exe, Jifhaenk.exe, Migjoaaf.exe, Nloiakho.exe, Jcefno32.exe, Acqimo32.exe, Dejacond.exe, Fhcpgmjf.exe, Ghopckpi.exe, Kimnbd32.exe, Ipknlb32.exe, Jcllonma.exe, Odmgcgbi.exe
Malware Dropper & Backdoor - Berbew 63 IoCs
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware and cryptominers.
yara_rule: family_berbew (all 63 resources below)
resource:
behavioral2/files/0x000b00000002339a-7.dat, behavioral2/files/0x000700000002341f-15.dat, behavioral2/files/0x0007000000023421-23.dat,
behavioral2/files/0x0007000000023423-32.dat, behavioral2/files/0x0007000000023425-40.dat, behavioral2/files/0x0007000000023427-48.dat,
behavioral2/files/0x0007000000023429-55.dat, behavioral2/files/0x000700000002342b-63.dat, behavioral2/files/0x000700000002342d-71.dat,
behavioral2/files/0x000700000002342f-79.dat, behavioral2/files/0x0007000000023431-87.dat, behavioral2/files/0x0007000000023433-95.dat,
behavioral2/files/0x0007000000023435-103.dat, behavioral2/files/0x0007000000023437-112.dat, behavioral2/files/0x0007000000023439-119.dat,
behavioral2/files/0x000700000002343b-127.dat, behavioral2/files/0x000800000002341c-136.dat, behavioral2/files/0x000700000002343e-144.dat,
behavioral2/files/0x0007000000023440-146.dat, behavioral2/files/0x0007000000023442-159.dat, behavioral2/files/0x0007000000023444-167.dat,
behavioral2/files/0x0007000000023446-175.dat, behavioral2/files/0x0007000000023448-184.dat, behavioral2/files/0x000700000002344c-200.dat,
behavioral2/files/0x000700000002344a-192.dat, behavioral2/files/0x000700000002344e-206.dat, behavioral2/files/0x0007000000023450-214.dat,
behavioral2/files/0x0007000000023452-224.dat, behavioral2/files/0x0007000000023454-231.dat, behavioral2/files/0x0007000000023456-239.dat,
behavioral2/files/0x0007000000023458-247.dat, behavioral2/files/0x000700000002345a-250.dat, behavioral2/files/0x000700000002346a-300.dat,
behavioral2/files/0x00070000000234a6-474.dat, behavioral2/files/0x00070000000234b0-504.dat, behavioral2/files/0x00070000000234b4-516.dat,
behavioral2/files/0x00070000000234d0-605.dat, behavioral2/files/0x00070000000234ff-777.dat, behavioral2/files/0x000700000002353b-983.dat,
behavioral2/files/0x0007000000023541-1003.dat, behavioral2/files/0x0007000000023545-1017.dat, behavioral2/files/0x0007000000023549-1029.dat,
behavioral2/files/0x000700000002354f-1050.dat, behavioral2/files/0x0007000000023553-1064.dat, behavioral2/files/0x0007000000023555-1072.dat,
behavioral2/files/0x0007000000023567-1130.dat, behavioral2/files/0x000700000002356f-1155.dat, behavioral2/files/0x0007000000023573-1169.dat,
behavioral2/files/0x000700000002357d-1201.dat, behavioral2/files/0x0007000000023583-1220.dat, behavioral2/files/0x000700000002358b-1248.dat,
behavioral2/files/0x0007000000023597-1286.dat, behavioral2/files/0x000700000002359d-1305.dat, behavioral2/files/0x00070000000235a1-1319.dat,
behavioral2/files/0x00070000000235a7-1339.dat, behavioral2/files/0x00070000000235af-1365.dat, behavioral2/files/0x00070000000235b3-1378.dat,
behavioral2/files/0x00070000000235bf-1418.dat, behavioral2/files/0x00070000000235cb-1459.dat, behavioral2/files/0x00070000000235dd-1519.dat,
behavioral2/files/0x00070000000235e1-1533.dat, behavioral2/files/0x00070000000235e9-1561.dat, behavioral2/files/0x00070000000235ed-1575.dat
Executes dropped EXE 64 IoCs
pid   Process
2812  Alfkbc32.exe    3596  Abpcon32.exe    4520  Aeopki32.exe    4524  Adapgfqj.exe
5104  Ajkhdp32.exe    2728  Abbpem32.exe    1224  Blmacb32.exe    2640  Beeflhdh.exe
1624  Balfaiil.exe    2176  Bhfonc32.exe    2000  Bopgjmhe.exe    2208  Baocghgi.exe
3932  Bobcpmfc.exe    3960  Bemlmgnp.exe    2876  Bkidenlg.exe    3904  Ceoibflm.exe
568   Chmeobkq.exe    3152  Cogmkl32.exe    2212  Cojjqlpk.exe    4844  Cdfbibnb.exe
4500  Colffknh.exe    4944  Cdiooblp.exe    2980  Clpgpp32.exe    4264  Conclk32.exe
2852  Camphf32.exe    3352  Ckedalaj.exe    3548  Dbllbibl.exe    2100  Daolnf32.exe
1812  Ddpeoafg.exe    3924  Dbaemi32.exe    1528  Dkljak32.exe    4216  Dddojq32.exe
4128  Dahode32.exe    728   Dhbgqohi.exe    2220  Eolpmi32.exe    4424  Edihepnm.exe
2848  Elppfmoo.exe    3284  Ecjhcg32.exe    3128  Ehgqln32.exe    4964  Ekemhj32.exe
3964  Ednaqo32.exe    4908  Ekhjmiad.exe    4388  Eocenh32.exe    1620  Eemnjbaj.exe
2800  Elgfgl32.exe    3192  Eofbch32.exe    1532  Eadopc32.exe    3876  Ehnglm32.exe
3116  Fohoigfh.exe    760   Fafkecel.exe    1384  Fdegandp.exe    5024  Fojlngce.exe
2732  Fcfhof32.exe    4608  Ffddka32.exe    4364  Fhcpgmjf.exe    4400  Fomhdg32.exe
2412  Fakdpb32.exe    1876  Fdialn32.exe    4600  Fhemmlhc.exe    3572  Fooeif32.exe
3320  Fbnafb32.exe    972   Fhgjblfq.exe    4444  Fkffog32.exe    5044  Fcmnpe32.exe
Drops file in System32 directory 64 IoCs
description               ioc (under C:\Windows\SysWOW64\)   Process
opened for modification   Ndcdmikd.exe   Nlmllkja.exe
created                   Lommhphi.dll   Aminee32.exe
opened for modification   Ckedalaj.exe   Camphf32.exe
created                   Dbllbibl.exe   Ckedalaj.exe
created                   Eolpmi32.exe   Dhbgqohi.exe
opened for modification   Ecjhcg32.exe   Elppfmoo.exe
created                   Lpcqcc32.dll   Hcmgfbhd.exe
created                   Pmdkch32.exe   Pfjcgn32.exe
opened for modification   Bhhdil32.exe   Beihma32.exe
opened for modification   Cndikf32.exe   Chjaol32.exe
opened for modification   Cojjqlpk.exe   Cogmkl32.exe
opened for modification   Ddpeoafg.exe   Daolnf32.exe
created                   Linjpeof.dll   Eolpmi32.exe
created                   Memcpg32.dll   Jidklf32.exe
opened for modification   Kmdqgd32.exe   Kemhff32.exe
created                   Hqdeld32.dll   Kimnbd32.exe
opened for modification   Kdgljmcd.exe   Kplpjn32.exe
created                   Iiggphnk.dll   Aeopki32.exe
opened for modification   Ednaqo32.exe   Ekemhj32.exe
opened for modification   Imoneg32.exe   Iicbehnq.exe
opened for modification   Qnhahj32.exe   Pjjhbl32.exe
opened for modification   Fafkecel.exe   Fohoigfh.exe
created                   Icplcpgo.exe   Ilidbbgl.exe
created                   Jfoiokfb.exe   Icplcpgo.exe
created                   Ipnjafgo.dll   Hkdbpe32.exe
created                   Immapg32.exe   Hfcicmqp.exe
created                   Mmlpoqpg.exe   Lphoelqn.exe
created                   Najmlf32.dll   Oponmilc.exe
opened for modification   Bkidenlg.exe   Bemlmgnp.exe
created                   Jfcibe32.dll   Bemlmgnp.exe
created                   Oapgek32.dll   Conclk32.exe
created                   Odmgcgbi.exe   Olfobjbg.exe
created                   Jmknaell.exe   Jedeph32.exe
created                   Ncnaabfm.dll   Jplfcpin.exe
created                   Hledan32.dll   Kemhff32.exe
created                   Kdnidn32.exe   Kpbmco32.exe
created                   Bnecbhin.dll   Lphoelqn.exe
opened for modification   Nnneknob.exe   Ngdmod32.exe
opened for modification   Ofnckp32.exe   Odmgcgbi.exe
created                   Kngpec32.dll   Dddhpjof.exe
opened for modification   Ekemhj32.exe   Ehgqln32.exe
created                   Cnaijinl.dll   Gofkje32.exe
opened for modification   Jlednamo.exe   Jifhaenk.exe
opened for modification   Clpgpp32.exe   Cdiooblp.exe
created                   Ligqhc32.exe   Lmppcbjd.exe
opened for modification   Pmdkch32.exe   Pfjcgn32.exe
created                   Hafgeo32.dll   Gmlhii32.exe
created                   Jcinbcgc.dll   Ifefimom.exe
opened for modification   Eofbch32.exe   Elgfgl32.exe
created                   Fhgjblfq.exe   Fbnafb32.exe
created                   Fkffog32.exe   Fhgjblfq.exe
opened for modification   Hecmijim.exe   Hbeqmoji.exe
opened for modification   Jpnchp32.exe   Jlbgha32.exe
opened for modification   Conclk32.exe   Clpgpp32.exe
opened for modification   Dhbgqohi.exe   Dahode32.exe
created                   Eemnjbaj.exe   Eocenh32.exe
created                   Hmphmhjc.dll   Pjjhbl32.exe
opened for modification   Baicac32.exe   Bnkgeg32.exe
created                   Dmllipeg.exe   Dddhpjof.exe
created                   Imakkfdg.exe   Iejcji32.exe
created                   Maghgl32.dll   Aclpap32.exe
created                   Bkidenlg.exe   Bemlmgnp.exe
created                   Hfggmg32.dll   Bfhhoi32.exe
created                   Hnmacdaj.dll   Ibjjhn32.exe
Program crash 1 IoCs
pid: 7420   Process: WerFault.exe   pid_target: 7324   procid_target: 323
Modifies registry class 64 IoCs
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (22): Bopgjmhe.exe, Daolnf32.exe, Bjfaeh32.exe, Conclk32.exe, Imakkfdg.exe, Jmknaell.exe, Abpcon32.exe, Gkaejf32.exe, Bcjlcn32.exe, Aminee32.exe, Bnkgeg32.exe, Gkhbdg32.exe, 2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe, Jianff32.exe, Fbnafb32.exe, Jimekgff.exe, Lffhfh32.exe, Camphf32.exe, Mpoefk32.exe, Pmoahijl.exe, Jblpek32.exe, Kmdqgd32.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (23): Dobfld32.exe, Dmjocp32.exe, Balfaiil.exe, Ehgqln32.exe, Heapdjlp.exe, Eemnjbaj.exe, Jianff32.exe, Lffhfh32.exe, Qddfkd32.exe, Hcdmga32.exe, Olmeci32.exe, Ecjhcg32.exe, Ibjjhn32.exe, Ifjodl32.exe, Ddakjkqi.exe, Cdabcm32.exe, Beeflhdh.exe, Gcojed32.exe, Hkkhqd32.exe, Ifllil32.exe, Gkaejf32.exe, Onjegled.exe, Hijooifk.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "<DLL path>" (19 rows; each process writes a different DLL name, so only the last writer's DLL is the one the CLSID resolves to)
Process        DLL path
Fkffog32.exe   C:\Windows\SysWow64\Ohjgdmkj.dll
Hodgkc32.exe   C:\Windows\SysWow64\Ghkebndc.dll
Imoneg32.exe   C:\Windows\SysWow64\Bgpmhl32.dll
Jfoiokfb.exe   C:\Windows\SysWow64\Ooajidfn.dll
Jimekgff.exe   C:\Windows\SysWow64\Eifbkgjd.dll
Jfcbjk32.exe   C:\Windows\SysWow64\Mjddiqoc.dll
Bobcpmfc.exe   C:\Windows\SysWow64\Bgempgqo.dll
Kfmepi32.exe   C:\Windows\SysWow64\Fbnkjc32.dll
Jlednamo.exe   C:\Windows\SysWow64\Ihlnnp32.dll
Fhemmlhc.exe   C:\Windows\SysWow64\Mjljbfog.dll
Jlnnmb32.exe   C:\Windows\SysWow64\Kcdgpfak.dll
Kdnidn32.exe   C:\Windows\SysWow64\Aoohalad.dll
Odmgcgbi.exe   C:\Windows\SysWow64\Booogccm.dll
Cnnlaehj.exe   C:\Windows\SysWow64\Kmfjodai.dll
Olmeci32.exe   C:\Windows\SysWow64\Mmcdaagm.dll
Ilidbbgl.exe   C:\Windows\SysWow64\Npibja32.dll
Bcebhoii.exe   C:\Windows\SysWow64\Qopkop32.dll
Ceckcp32.exe   C:\Windows\SysWow64\Ghilmi32.dll
Elppfmoo.exe   C:\Windows\SysWow64\Igoedk32.dll
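The two registry sections above describe one persistence chain: a value under ShellServiceObjectDelayLoad names a CLSID, and that CLSID's InProcServer32 default value names the DLL that Explorer will load in-process. The following is an added example for triaging this on an offline registry export; it is not part of the sandbox report and not code from the Berbew sample. It parses a constructed .reg export (regedit v5 format) whose values mirror what this report shows (the "Web Event Logger" entry, its CLSID, and the Ohjgdmkj.dll path from the Fkffog32.exe row); the native-view "WebCheck" entry is a constructed stand-in for the benign default, not a real export. The random-name regex is a heuristic derived from the 8-character names in this report, not a published rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed .reg export mirroring this report's values (not a real host dump).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="%SystemRoot%\\System32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\Windows\\SysWow64\\Ohjgdmkj.dll"
"ThreadingModel"="Apartment"
'''

# Heuristic taken from the names in this report: capitalised 8-character
# basename, either all letters or six letters followed by "32".
RANDOM_NAME = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.(?:exe|dll)$")

SSODL_SUBKEY = r"microsoft\windows\currentversion\shellserviceobjectdelayload"
HKLM_SW = r"hkey_local_machine\software"
# view name -> (SSODL key, CLSID root), lower-cased to match parse_reg()
VIEWS = {
    "native": (HKLM_SW + "\\" + SSODL_SUBKEY, HKLM_SW + r"\classes\clsid"),
    "WOW6432Node": (HKLM_SW + r"\wow6432node" + "\\" + SSODL_SUBKEY,
                    HKLM_SW + r"\classes\wow6432node\clsid"),
}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path (lower-cased): {value_name: value}}.
    Only string (REG_SZ) values are decoded; "@" is the key's default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # .reg escapes backslashes and quotes inside string values
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


@dataclass
class SsodlEntry:
    view: str
    name: str
    clsid: str
    dll: Optional[str]
    threading_model: Optional[str]
    random_name: bool


def resolve_ssodl(keys: Dict[str, Dict[str, str]]) -> List[SsodlEntry]:
    """Follow SSODL value -> CLSID -> InProcServer32 in both registry views."""
    entries: List[SsodlEntry] = []
    for view, (ssodl_key, clsid_root) in VIEWS.items():
        for name, clsid in keys.get(ssodl_key, {}).items():
            inproc = keys.get(f"{clsid_root}\\{clsid.lower()}\\inprocserver32", {})
            dll = inproc.get("@")
            base = dll.rsplit("\\", 1)[-1] if dll else ""
            entries.append(SsodlEntry(view, name, clsid, dll,
                                      inproc.get("ThreadingModel"),
                                      bool(RANDOM_NAME.match(base))))
    return entries


def report(entries: List[SsodlEntry]) -> List[str]:
    """One line per entry; entries with a missing or random-looking DLL are flagged."""
    lines = []
    for e in entries:
        flag = "SUSPECT" if (e.dll is None or e.random_name) else "ok"
        lines.append(f"[{flag}] {e.view:<11} {e.name!r} -> {e.clsid} -> "
                     f"{e.dll or '<no InProcServer32>'} ({e.threading_model})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(resolve_ssodl(parse_reg(SAMPLE_REG)))))
```

On a live host the same input can be produced with `reg export` of the two ShellServiceObjectDelayLoad keys and the CLSID keys they reference. Two caveats follow from the report's own paths: the sample is 32-bit (arch:x86 tag, SysWOW64 file paths), so its writes to HKLM\Software were redirected into the WOW6432Node view shown here, while the 64-bit explorer.exe on this host reads the native key; whether the entry actually loads at the next logon is therefore something to verify on the target rather than assume. The same WOW64 redirection is why the process tree below shows a command line under C:\Windows\system32 for an image that lives in C:\Windows\SysWOW64.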
Suspicious use of WriteProcessMemory 64 IoCs
pid   Process                                              wrote to memory of (pid)   procid_target
212   2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe  2812                       83
2812  Alfkbc32.exe                                         3596                       84
3596  Abpcon32.exe                                         4520                       85
4520  Aeopki32.exe                                         4524                       86
4524  Adapgfqj.exe                                         5104                       87
5104  Ajkhdp32.exe                                         2728                       88
2728  Abbpem32.exe                                         1224                       89
1224  Blmacb32.exe                                         2640                       91
2640  Beeflhdh.exe                                         1624                       92
1624  Balfaiil.exe                                         2176                       94
2176  Bhfonc32.exe                                         2000                       95
2000  Bopgjmhe.exe                                         2208                       96
2208  Baocghgi.exe                                         3932                       97
3932  Bobcpmfc.exe                                         3960                       98
3960  Bemlmgnp.exe                                         2876                       100
2876  Bkidenlg.exe                                         3904                       101
3904  Ceoibflm.exe                                         568                        102
568   Chmeobkq.exe                                         3152                       103
3152  Cogmkl32.exe                                         2212                       104
2212  Cojjqlpk.exe                                         4844                       105
4844  Cdfbibnb.exe                                         4500                       106
4500  Colffknh.exe                                         4944                       107
(The original table records each parent -> child write three times and is capped at 64 rows, which is why the Colffknh.exe row appears only once. Each dropped executable writes into exactly one child, so the chain is linear.)
Processes
-
Process tree, one entry per process in nesting order: each process is the child of the entry above it, and "depth" is its level in the tree (the sample is depth 1, its child depth 2, and so on). The first line of each entry gives the image that actually executed and, in parentheses, the command line the parent used to start it; the bullets below it are the signature flags the sandbox raised for that process.

Two points to keep in mind when reading the tree. First, every child image lives in C:\Windows\SysWOW64 while the command line that launched it names C:\Windows\system32: the sample and its descendants are 32-bit (the registry writes go under WOW6432Node), so WOW64 file-system redirection maps their System32 references to SysWOW64. A hunt for these files on a 64-bit host must therefore look in SysWOW64, not only in System32. Second, "Suspicious use of WriteProcessMemory" stops after depth 22 and "Executes dropped EXE" stops after depth 65. Both cut-offs coincide with 64-entry caps on the corresponding signature listings (22 writing parents account for the 64 WriteProcessMemory entries above, and depths 2 to 65 are exactly 64 dropped executables), so the absence of those flags further down the tree is a reporting limit, not a change in behaviour.

[depth 1] PID 212  C:\Users\Admin\AppData\Local\Temp\2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[depth 2] PID 2812  C:\Windows\SysWOW64\Alfkbc32.exe  (command line: C:\Windows\system32\Alfkbc32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 3] PID 3596  C:\Windows\SysWOW64\Abpcon32.exe  (command line: C:\Windows\system32\Abpcon32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[depth 4] PID 4520  C:\Windows\SysWOW64\Aeopki32.exe  (command line: C:\Windows\system32\Aeopki32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[depth 5] PID 4524  C:\Windows\SysWOW64\Adapgfqj.exe  (command line: C:\Windows\system32\Adapgfqj.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 6] PID 5104  C:\Windows\SysWOW64\Ajkhdp32.exe  (command line: C:\Windows\system32\Ajkhdp32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 7] PID 2728  C:\Windows\SysWOW64\Abbpem32.exe  (command line: C:\Windows\system32\Abbpem32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 8] PID 1224  C:\Windows\SysWOW64\Blmacb32.exe  (command line: C:\Windows\system32\Blmacb32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 9] PID 2640  C:\Windows\SysWOW64\Beeflhdh.exe  (command line: C:\Windows\system32\Beeflhdh.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[depth 10] PID 1624  C:\Windows\SysWOW64\Balfaiil.exe  (command line: C:\Windows\system32\Balfaiil.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[depth 11] PID 2176  C:\Windows\SysWOW64\Bhfonc32.exe  (command line: C:\Windows\system32\Bhfonc32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 12] PID 2000  C:\Windows\SysWOW64\Bopgjmhe.exe  (command line: C:\Windows\system32\Bopgjmhe.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[depth 13] PID 2208  C:\Windows\SysWOW64\Baocghgi.exe  (command line: C:\Windows\system32\Baocghgi.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 14] PID 3932  C:\Windows\SysWOW64\Bobcpmfc.exe  (command line: C:\Windows\system32\Bobcpmfc.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[depth 15] PID 3960  C:\Windows\SysWOW64\Bemlmgnp.exe  (command line: C:\Windows\system32\Bemlmgnp.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[depth 16] PID 2876  C:\Windows\SysWOW64\Bkidenlg.exe  (command line: C:\Windows\system32\Bkidenlg.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 17] PID 3904  C:\Windows\SysWOW64\Ceoibflm.exe  (command line: C:\Windows\system32\Ceoibflm.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 18] PID 568  C:\Windows\SysWOW64\Chmeobkq.exe  (command line: C:\Windows\system32\Chmeobkq.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 19] PID 3152  C:\Windows\SysWOW64\Cogmkl32.exe  (command line: C:\Windows\system32\Cogmkl32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[depth 20] PID 2212  C:\Windows\SysWOW64\Cojjqlpk.exe  (command line: C:\Windows\system32\Cojjqlpk.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 21] PID 4844  C:\Windows\SysWOW64\Cdfbibnb.exe  (command line: C:\Windows\system32\Cdfbibnb.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 22] PID 4500  C:\Windows\SysWOW64\Colffknh.exe  (command line: C:\Windows\system32\Colffknh.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 23] PID 4944  C:\Windows\SysWOW64\Cdiooblp.exe  (command line: C:\Windows\system32\Cdiooblp.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 24] PID 2980  C:\Windows\SysWOW64\Clpgpp32.exe  (command line: C:\Windows\system32\Clpgpp32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 25] PID 4264  C:\Windows\SysWOW64\Conclk32.exe  (command line: C:\Windows\system32\Conclk32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[depth 26] PID 2852  C:\Windows\SysWOW64\Camphf32.exe  (command line: C:\Windows\system32\Camphf32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[depth 27] PID 3352  C:\Windows\SysWOW64\Ckedalaj.exe  (command line: C:\Windows\system32\Ckedalaj.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 28] PID 3548  C:\Windows\SysWOW64\Dbllbibl.exe  (command line: C:\Windows\system32\Dbllbibl.exe)
  - Executes dropped EXE
[depth 29] PID 2100  C:\Windows\SysWOW64\Daolnf32.exe  (command line: C:\Windows\system32\Daolnf32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[depth 30] PID 1812  C:\Windows\SysWOW64\Ddpeoafg.exe  (command line: C:\Windows\system32\Ddpeoafg.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[depth 31] PID 3924  C:\Windows\SysWOW64\Dbaemi32.exe  (command line: C:\Windows\system32\Dbaemi32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[depth 32] PID 1528  C:\Windows\SysWOW64\Dkljak32.exe  (command line: C:\Windows\system32\Dkljak32.exe)
  - Executes dropped EXE
[depth 33] PID 4216  C:\Windows\SysWOW64\Dddojq32.exe  (command line: C:\Windows\system32\Dddojq32.exe)
  - Executes dropped EXE
[depth 34] PID 4128  C:\Windows\SysWOW64\Dahode32.exe  (command line: C:\Windows\system32\Dahode32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 35] PID 728  C:\Windows\SysWOW64\Dhbgqohi.exe  (command line: C:\Windows\system32\Dhbgqohi.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 36] PID 2220  C:\Windows\SysWOW64\Eolpmi32.exe  (command line: C:\Windows\system32\Eolpmi32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 37] PID 4424  C:\Windows\SysWOW64\Edihepnm.exe  (command line: C:\Windows\system32\Edihepnm.exe)
  - Executes dropped EXE
[depth 38] PID 2848  C:\Windows\SysWOW64\Elppfmoo.exe  (command line: C:\Windows\system32\Elppfmoo.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[depth 39] PID 3284  C:\Windows\SysWOW64\Ecjhcg32.exe  (command line: C:\Windows\system32\Ecjhcg32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
[depth 40] PID 3128  C:\Windows\SysWOW64\Ehgqln32.exe  (command line: C:\Windows\system32\Ehgqln32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[depth 41] PID 4964  C:\Windows\SysWOW64\Ekemhj32.exe  (command line: C:\Windows\system32\Ekemhj32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 42] PID 3964  C:\Windows\SysWOW64\Ednaqo32.exe  (command line: C:\Windows\system32\Ednaqo32.exe)
  - Executes dropped EXE
[depth 43] PID 4908  C:\Windows\SysWOW64\Ekhjmiad.exe  (command line: C:\Windows\system32\Ekhjmiad.exe)
  - Executes dropped EXE
[depth 44] PID 4388  C:\Windows\SysWOW64\Eocenh32.exe  (command line: C:\Windows\system32\Eocenh32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 45] PID 1620  C:\Windows\SysWOW64\Eemnjbaj.exe  (command line: C:\Windows\system32\Eemnjbaj.exe)
  - Executes dropped EXE
  - Modifies registry class
[depth 46] PID 2800  C:\Windows\SysWOW64\Elgfgl32.exe  (command line: C:\Windows\system32\Elgfgl32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 47] PID 3192  C:\Windows\SysWOW64\Eofbch32.exe  (command line: C:\Windows\system32\Eofbch32.exe)
  - Executes dropped EXE
[depth 48] PID 1532  C:\Windows\SysWOW64\Eadopc32.exe  (command line: C:\Windows\system32\Eadopc32.exe)
  - Executes dropped EXE
[depth 49] PID 3876  C:\Windows\SysWOW64\Ehnglm32.exe  (command line: C:\Windows\system32\Ehnglm32.exe)
  - Executes dropped EXE
[depth 50] PID 3116  C:\Windows\SysWOW64\Fohoigfh.exe  (command line: C:\Windows\system32\Fohoigfh.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 51] PID 760  C:\Windows\SysWOW64\Fafkecel.exe  (command line: C:\Windows\system32\Fafkecel.exe)
  - Executes dropped EXE
[depth 52] PID 1384  C:\Windows\SysWOW64\Fdegandp.exe  (command line: C:\Windows\system32\Fdegandp.exe)
  - Executes dropped EXE
[depth 53] PID 5024  C:\Windows\SysWOW64\Fojlngce.exe  (command line: C:\Windows\system32\Fojlngce.exe)
  - Executes dropped EXE
[depth 54] PID 2732  C:\Windows\SysWOW64\Fcfhof32.exe  (command line: C:\Windows\system32\Fcfhof32.exe)
  - Executes dropped EXE
[depth 55] PID 4608  C:\Windows\SysWOW64\Ffddka32.exe  (command line: C:\Windows\system32\Ffddka32.exe)
  - Executes dropped EXE
[depth 56] PID 4364  C:\Windows\SysWOW64\Fhcpgmjf.exe  (command line: C:\Windows\system32\Fhcpgmjf.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[depth 57] PID 4400  C:\Windows\SysWOW64\Fomhdg32.exe  (command line: C:\Windows\system32\Fomhdg32.exe)
  - Executes dropped EXE
[depth 58] PID 2412  C:\Windows\SysWOW64\Fakdpb32.exe  (command line: C:\Windows\system32\Fakdpb32.exe)
  - Executes dropped EXE
[depth 59] PID 1876  C:\Windows\SysWOW64\Fdialn32.exe  (command line: C:\Windows\system32\Fdialn32.exe)
  - Executes dropped EXE
[depth 60] PID 4600  C:\Windows\SysWOW64\Fhemmlhc.exe  (command line: C:\Windows\system32\Fhemmlhc.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
[depth 61] PID 3572  C:\Windows\SysWOW64\Fooeif32.exe  (command line: C:\Windows\system32\Fooeif32.exe)
  - Executes dropped EXE
[depth 62] PID 3320  C:\Windows\SysWOW64\Fbnafb32.exe  (command line: C:\Windows\system32\Fbnafb32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[depth 63] PID 972  C:\Windows\SysWOW64\Fhgjblfq.exe  (command line: C:\Windows\system32\Fhgjblfq.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
[depth 64] PID 4444  C:\Windows\SysWOW64\Fkffog32.exe  (command line: C:\Windows\system32\Fkffog32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
[depth 65] PID 5044  C:\Windows\SysWOW64\Fcmnpe32.exe  (command line: C:\Windows\system32\Fcmnpe32.exe)
  - Executes dropped EXE
[depth 66] PID 2192  C:\Windows\SysWOW64\Fdnjgmle.exe  (command line: C:\Windows\system32\Fdnjgmle.exe)
[depth 67] PID 2548  C:\Windows\SysWOW64\Gkhbdg32.exe  (command line: C:\Windows\system32\Gkhbdg32.exe)
  - Modifies registry class
[depth 68] PID 4940  C:\Windows\SysWOW64\Gcojed32.exe  (command line: C:\Windows\system32\Gcojed32.exe)
  - Modifies registry class
[depth 69] PID 2036  C:\Windows\SysWOW64\Gfngap32.exe  (command line: C:\Windows\system32\Gfngap32.exe)
[depth 70] PID 2652  C:\Windows\SysWOW64\Gkkojgao.exe  (command line: C:\Windows\system32\Gkkojgao.exe)
[depth 71] PID 4980  C:\Windows\SysWOW64\Gofkje32.exe  (command line: C:\Windows\system32\Gofkje32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
[depth 72] PID 1656  C:\Windows\SysWOW64\Gfpcgpae.exe  (command line: C:\Windows\system32\Gfpcgpae.exe)
[depth 73] PID 3100  C:\Windows\SysWOW64\Ghopckpi.exe  (command line: C:\Windows\system32\Ghopckpi.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 74] PID 3984  C:\Windows\SysWOW64\Gcddpdpo.exe  (command line: C:\Windows\system32\Gcddpdpo.exe)
[depth 75] PID 4236  C:\Windows\SysWOW64\Gmlhii32.exe  (command line: C:\Windows\system32\Gmlhii32.exe)
  - Drops file in System32 directory
[depth 76] PID 4828  C:\Windows\SysWOW64\Gfembo32.exe  (command line: C:\Windows\system32\Gfembo32.exe)
[depth 77] PID 1208  C:\Windows\SysWOW64\Gkaejf32.exe  (command line: C:\Windows\system32\Gkaejf32.exe)
  - Modifies registry class
[depth 78] PID 4984  C:\Windows\SysWOW64\Gcimkc32.exe  (command line: C:\Windows\system32\Gcimkc32.exe)
[depth 79] PID 2116  C:\Windows\SysWOW64\Gfgjgo32.exe  (command line: C:\Windows\system32\Gfgjgo32.exe)
[depth 80] PID 3812  C:\Windows\SysWOW64\Hkdbpe32.exe  (command line: C:\Windows\system32\Hkdbpe32.exe)
  - Drops file in System32 directory
[depth 81] PID 4628  C:\Windows\SysWOW64\Hckjacjg.exe  (command line: C:\Windows\system32\Hckjacjg.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 82] PID 4948  C:\Windows\SysWOW64\Hfifmnij.exe  (command line: C:\Windows\system32\Hfifmnij.exe)
[depth 83] PID 3384  C:\Windows\SysWOW64\Hkfoeega.exe  (command line: C:\Windows\system32\Hkfoeega.exe)
[depth 84] PID 1992  C:\Windows\SysWOW64\Hcmgfbhd.exe  (command line: C:\Windows\system32\Hcmgfbhd.exe)
  - Drops file in System32 directory
[depth 85] PID 4772  C:\Windows\SysWOW64\Hijooifk.exe  (command line: C:\Windows\system32\Hijooifk.exe)
  - Modifies registry class
[depth 86] PID 2908  C:\Windows\SysWOW64\Hodgkc32.exe  (command line: C:\Windows\system32\Hodgkc32.exe)
  - Modifies registry class
[depth 87] PID 1596  C:\Windows\SysWOW64\Heapdjlp.exe  (command line: C:\Windows\system32\Heapdjlp.exe)
  - Modifies registry class
[depth 88] PID 4976  C:\Windows\SysWOW64\Hmhhehlb.exe  (command line: C:\Windows\system32\Hmhhehlb.exe)
[depth 89] PID 896  C:\Windows\SysWOW64\Hkkhqd32.exe  (command line: C:\Windows\system32\Hkkhqd32.exe)
  - Modifies registry class
[depth 90] PID 5084  C:\Windows\SysWOW64\Hbeqmoji.exe  (command line: C:\Windows\system32\Hbeqmoji.exe)
  - Drops file in System32 directory
[depth 91] PID 2364  C:\Windows\SysWOW64\Hecmijim.exe  (command line: C:\Windows\system32\Hecmijim.exe)
[depth 92] PID 400  C:\Windows\SysWOW64\Hcdmga32.exe  (command line: C:\Windows\system32\Hcdmga32.exe)
  - Modifies registry class
[depth 93] PID 3468  C:\Windows\SysWOW64\Hfcicmqp.exe  (command line: C:\Windows\system32\Hfcicmqp.exe)
  - Drops file in System32 directory
[depth 94] PID 4876  C:\Windows\SysWOW64\Immapg32.exe  (command line: C:\Windows\system32\Immapg32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 95] PID 4892  C:\Windows\SysWOW64\Ipknlb32.exe  (command line: C:\Windows\system32\Ipknlb32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 96] PID 1204  C:\Windows\SysWOW64\Ibjjhn32.exe  (command line: C:\Windows\system32\Ibjjhn32.exe)
  - Drops file in System32 directory
  - Modifies registry class
[depth 97] PID 2488  C:\Windows\SysWOW64\Ifefimom.exe  (command line: C:\Windows\system32\Ifefimom.exe)
  - Drops file in System32 directory
[depth 98] PID 4356  C:\Windows\SysWOW64\Iicbehnq.exe  (command line: C:\Windows\system32\Iicbehnq.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
[depth 99] PID 3580  C:\Windows\SysWOW64\Imoneg32.exe  (command line: C:\Windows\system32\Imoneg32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[depth 100] PID 828  C:\Windows\SysWOW64\Ipnjab32.exe  (command line: C:\Windows\system32\Ipnjab32.exe)
[depth 101] PID 5168  C:\Windows\SysWOW64\Iblfnn32.exe  (command line: C:\Windows\system32\Iblfnn32.exe)
[depth 102] PID 5212  C:\Windows\SysWOW64\Iejcji32.exe  (command line: C:\Windows\system32\Iejcji32.exe)
  - Drops file in System32 directory
[depth 103] PID 5256  C:\Windows\SysWOW64\Imakkfdg.exe  (command line: C:\Windows\system32\Imakkfdg.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[depth 104] PID 5300  C:\Windows\SysWOW64\Ickchq32.exe  (command line: C:\Windows\system32\Ickchq32.exe)
[depth 105] PID 5344  C:\Windows\SysWOW64\Ifjodl32.exe  (command line: C:\Windows\system32\Ifjodl32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[depth 106] PID 5388  C:\Windows\SysWOW64\Iihkpg32.exe  (command line: C:\Windows\system32\Iihkpg32.exe)
[depth 107] PID 5432  C:\Windows\SysWOW64\Ilghlc32.exe  (command line: C:\Windows\system32\Ilghlc32.exe)
[depth 108] PID 5468  C:\Windows\SysWOW64\Icnpmp32.exe  (command line: C:\Windows\system32\Icnpmp32.exe)
[depth 109] PID 5512  C:\Windows\SysWOW64\Ifllil32.exe  (command line: C:\Windows\system32\Ifllil32.exe)
  - Modifies registry class
[depth 110] PID 5556  C:\Windows\SysWOW64\Iikhfg32.exe  (command line: C:\Windows\system32\Iikhfg32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 111] PID 5600  C:\Windows\SysWOW64\Ilidbbgl.exe  (command line: C:\Windows\system32\Ilidbbgl.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
[depth 112] PID 5648  C:\Windows\SysWOW64\Icplcpgo.exe  (command line: C:\Windows\system32\Icplcpgo.exe)
  - Drops file in System32 directory
[depth 113] PID 5688  C:\Windows\SysWOW64\Jfoiokfb.exe  (command line: C:\Windows\system32\Jfoiokfb.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[depth 114] PID 5732  C:\Windows\SysWOW64\Jimekgff.exe  (command line: C:\Windows\system32\Jimekgff.exe)
  - Modifies registry class
[depth 115] PID 5780  C:\Windows\SysWOW64\Jmhale32.exe  (command line: C:\Windows\system32\Jmhale32.exe)
[depth 116] PID 5824  C:\Windows\SysWOW64\Jpgmha32.exe  (command line: C:\Windows\system32\Jpgmha32.exe)
[depth 117] PID 5868  C:\Windows\SysWOW64\Jbeidl32.exe  (command line: C:\Windows\system32\Jbeidl32.exe)
[depth 118] PID 5912  C:\Windows\SysWOW64\Jedeph32.exe  (command line: C:\Windows\system32\Jedeph32.exe)
  - Drops file in System32 directory
[depth 119] PID 5956  C:\Windows\SysWOW64\Jmknaell.exe  (command line: C:\Windows\system32\Jmknaell.exe)
  - Modifies registry class
[depth 120] PID 6000  C:\Windows\SysWOW64\Jlnnmb32.exe  (command line: C:\Windows\system32\Jlnnmb32.exe)
  - Modifies registry class
[depth 121] PID 6044  C:\Windows\SysWOW64\Jcefno32.exe  (command line: C:\Windows\system32\Jcefno32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
[depth 122] PID 6084  C:\Windows\SysWOW64\Jfcbjk32.exe  (command line: C:\Windows\system32\Jfcbjk32.exe)
  - Modifies registry class
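Both the WriteProcessMemory records and the process tree above are easier to work with once they are parsed rather than read by eye. The script below is an added example written for this page; it is not part of the sandbox's output or of any tooling the sandbox uses. It parses "wrote to memory" records in the format shown in the listing, rebuilds the parent-to-child chain from them (checking that it really is a single linear relay and counting the writes on each edge), and joins the result with a hand-copied excerpt of the process tree to flag, for every process in the chain, whether it ran as a dropped executable, whether it raised the Explorer autorun signature, and whether its recorded command line names System32 while the image actually ran from SysWOW64 (the WOW64 redirection noted above). The embedded record lines and tree tuples are constructed from the first five processes on this page; the tuple layout for the tree is an assumption of this example, not a sandbox export format.

```python
"""Rebuild a sandbox process-injection chain from 'wrote to memory' records and
join it with the process tree.  Added example for this report, not sandbox output."""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's WriteProcessMemory records (first four
# parent/child pairs; each pair is logged three times in the raw listing).
WPM_LOG = """
PID 212 wrote to memory of 2812 212 2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe 83
PID 212 wrote to memory of 2812 212 2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe 83
PID 212 wrote to memory of 2812 212 2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe 83
PID 2812 wrote to memory of 3596 2812 Alfkbc32.exe 84
PID 2812 wrote to memory of 3596 2812 Alfkbc32.exe 84
PID 2812 wrote to memory of 3596 2812 Alfkbc32.exe 84
PID 3596 wrote to memory of 4520 3596 Abpcon32.exe 85
PID 3596 wrote to memory of 4520 3596 Abpcon32.exe 85
PID 3596 wrote to memory of 4520 3596 Abpcon32.exe 85
PID 4520 wrote to memory of 4524 4520 Aeopki32.exe 86
PID 4520 wrote to memory of 4524 4520 Aeopki32.exe 86
PID 4520 wrote to memory of 4524 4520 Aeopki32.exe 86
"""

# Record shape: "PID <parent> wrote to memory of <child> <parent> <parent image> <target id>"
WPM_RE = re.compile(r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
                    r"\d+ (?P<image>\S+) (?P<target_id>\d+)")

# Constructed excerpt of the process tree as (depth, pid, image path, command line,
# signature flags), hand-copied from the first five processes on the page.  The
# tuple layout is this example's own assumption, not a sandbox export format.
PROCESS_TREE = [
    (1, 212, r"C:\Users\Admin\AppData\Local\Temp\2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2ec10cc8461a5dc81a09ad0d119113f0_NeikiAnalytics.exe"',
     ["Modifies registry class", "Suspicious use of WriteProcessMemory"]),
    (2, 2812, r"C:\Windows\SysWOW64\Alfkbc32.exe", r"C:\Windows\system32\Alfkbc32.exe",
     ["Executes dropped EXE", "Suspicious use of WriteProcessMemory"]),
    (3, 3596, r"C:\Windows\SysWOW64\Abpcon32.exe", r"C:\Windows\system32\Abpcon32.exe",
     ["Adds autorun key to be loaded by Explorer.exe on startup", "Executes dropped EXE",
      "Modifies registry class", "Suspicious use of WriteProcessMemory"]),
    (4, 4520, r"C:\Windows\SysWOW64\Aeopki32.exe", r"C:\Windows\system32\Aeopki32.exe",
     ["Executes dropped EXE", "Drops file in System32 directory",
      "Suspicious use of WriteProcessMemory"]),
    (5, 4524, r"C:\Windows\SysWOW64\Adapgfqj.exe", r"C:\Windows\system32\Adapgfqj.exe",
     ["Adds autorun key to be loaded by Explorer.exe on startup", "Executes dropped EXE",
      "Suspicious use of WriteProcessMemory"]),
]

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


def parse_wpm(log):
    """Return ({(parent_pid, child_pid): write_count}, {parent_pid: parent image})."""
    edges, images = Counter(), {}
    for line in log.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:  # anything that is not a WriteProcessMemory record is ignored
            parent, child = int(m["parent"]), int(m["child"])
            edges[(parent, child)] += 1
            images[parent] = m["image"]
    return edges, images


def injection_chain(edges):
    """Order parent->child edges into one linear chain starting at the pid that is
    never written into.  A fan-out (one parent, several children) raises, because
    that is a different pattern from the relay this sample shows."""
    children, all_children = defaultdict(list), set()
    for parent, child in edges:
        children[parent].append(child)
        all_children.add(child)
    roots = [p for p in children if p not in all_children]
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, found {roots}")
    chain = [roots[0]]
    while children.get(chain[-1]):
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"pid {chain[-1]} wrote into several children: {kids}")
        chain.append(kids[0])
    return chain


def wow64_redirected(image_path, cmdline):
    """True when the command line names System32 but the image ran from SysWOW64,
    i.e. a 32-bit parent hit WOW64 file-system redirection."""
    return (cmdline.strip('"').lower().startswith(SYSTEM32)
            and image_path.lower().startswith(SYSWOW64))


def report(log, tree):
    """One dict per process in chain order with the flags an analyst wants to see."""
    edges, _ = parse_wpm(log)
    chain = injection_chain(edges)
    by_pid = {pid: (depth, path, cmd, sigs) for depth, pid, path, cmd, sigs in tree}
    rows = []
    for i, pid in enumerate(chain):
        depth, path, cmd, sigs = by_pid[pid]
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        rows.append({
            "pid": pid, "depth": depth, "image": path.rsplit("\\", 1)[-1],
            "dropped": "Executes dropped EXE" in sigs,
            "persists": any(s.startswith("Adds autorun key") for s in sigs),
            "wow64_redirect": wow64_redirected(path, cmd),
            "writes_to_child": edges[(pid, nxt)] if nxt else 0,
        })
    return rows


if __name__ == "__main__":
    for row in report(WPM_LOG, PROCESS_TREE):
        print(row)
```

Run as-is it prints one row per process in the excerpt; pointed at a full export of the report's records it produces the same table for the whole tree. The chain builder deliberately refuses a fan-out: on this sample every parent writes into exactly one child, so a parent with several children would mean the record set was mixed with another run or the sample behaved differently, and either deserves a look before the rest of the table is trusted.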