Analysis
max time kernel: 139s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-05-2024 18:23
Behavioral task behavioral1
Sample: 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe
Size: 1.2MB
MD5: 3824a1dfae19f072d2f1afe014bd6cf0
SHA1: a286b1753a480274e3d3701e96fb023528315f00
SHA256: c96be5b9b71c1d1ae6b11e043ab1f1faa62369cd968c92ef4031284a770c0be2
SHA512: c4a002e134deeb83a5ad5085ff20a54ee98ac76e1470c39dece52652d272c802039960f5ff3703b1a3950a54c2de2ae6041cfa429f476d9ae7914d2f53b53f79
SSDEEP: 12288:Q7lztzhEv7Fv4pnsKvNA+XTvZHWuEo3oW2to:QRBzhEFgpsKv2EvZHp3oW2to
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkhkblii.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paqebike.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbkaiddd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dejamdca.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Codhgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omjnhiiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgbccm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ceihffad.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnajjfjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlckik32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcmgphma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dapkho32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlfeeelm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mchpibng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppeikjle.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dqomdppm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlnnfghd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkgeipah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alqjiohm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fneoma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmpido32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkopgn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oaomij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdglfqjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oemofpel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Maefnk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efhcld32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pakleh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdipce32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inmggo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eainnn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dogfkpih.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfnkeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aopmpq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjjcof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bncllqhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbeeco32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjcllilo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mknjgajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljaooodf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emenhcdf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgnffp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aploae32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emihbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agqekeeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpldpddh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gijmlh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpomme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Behiec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocgbej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcgdcome.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmiffhkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aomipkic.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnfnfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cidgdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bodano32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogljcokf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eejjdb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihbdja32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbhplnca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekeacmel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmodfqhf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdiobd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddbfkh32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0008000000023272-6.dat | family_berbew
behavioral2/files/0x0008000000023277-14.dat | family_berbew
behavioral2/files/0x000800000002327a-17.dat | family_berbew
behavioral2/files/0x000700000002327c-30.dat | family_berbew
behavioral2/files/0x000700000002327e-38.dat | family_berbew
behavioral2/files/0x0007000000023280-42.dat | family_berbew
behavioral2/files/0x0007000000023282-56.dat | family_berbew
behavioral2/files/0x0007000000023285-63.dat | family_berbew
behavioral2/files/0x0007000000023287-71.dat | family_berbew
behavioral2/files/0x0007000000023289-79.dat | family_berbew
behavioral2/files/0x000700000002328b-87.dat | family_berbew
behavioral2/files/0x000700000002328d-96.dat | family_berbew
behavioral2/files/0x000700000002328f-105.dat | family_berbew
behavioral2/files/0x0007000000023291-114.dat | family_berbew
behavioral2/files/0x0007000000023293-123.dat | family_berbew
behavioral2/files/0x0007000000023296-132.dat | family_berbew
behavioral2/files/0x0007000000023298-141.dat | family_berbew
behavioral2/files/0x000700000002329a-150.dat | family_berbew
behavioral2/files/0x000700000002329c-159.dat | family_berbew
behavioral2/files/0x000700000002329e-168.dat | family_berbew
behavioral2/files/0x00070000000232a0-172.dat | family_berbew
behavioral2/files/0x00070000000232a2-182.dat | family_berbew
behavioral2/files/0x00070000000232a4-195.dat | family_berbew
behavioral2/files/0x00070000000232a6-204.dat | family_berbew
behavioral2/files/0x00070000000232a8-214.dat | family_berbew
behavioral2/files/0x00070000000232aa-223.dat | family_berbew
behavioral2/files/0x00070000000232ac-231.dat | family_berbew
behavioral2/files/0x00070000000232ae-240.dat | family_berbew
behavioral2/files/0x00070000000232b1-249.dat | family_berbew
behavioral2/files/0x00070000000232b4-258.dat | family_berbew
behavioral2/files/0x00070000000232b6-267.dat | family_berbew
behavioral2/files/0x00070000000232b9-276.dat | family_berbew
behavioral2/files/0x00080000000232c0-300.dat | family_berbew
behavioral2/files/0x00070000000232c4-308.dat | family_berbew
behavioral2/files/0x00070000000232d5-363.dat | family_berbew
behavioral2/files/0x00070000000232e4-384.dat | family_berbew
behavioral2/files/0x000700000001e2e1-398.dat | family_berbew
behavioral2/files/0x00070000000232e9-419.dat | family_berbew
behavioral2/files/0x00070000000232f6-460.dat | family_berbew
behavioral2/files/0x0008000000023302-502.dat | family_berbew
behavioral2/files/0x0007000000023304-510.dat | family_berbew
behavioral2/files/0x000400000001e3eb-523.dat | family_berbew
behavioral2/files/0x000700000002330c-537.dat | family_berbew
behavioral2/files/0x000700000002331c-592.dat | family_berbew
behavioral2/files/0x000700000002333b-697.dat | family_berbew
behavioral2/files/0x000700000002333f-711.dat | family_berbew
behavioral2/files/0x0007000000023345-732.dat | family_berbew
behavioral2/files/0x0007000000023349-745.dat | family_berbew
behavioral2/files/0x000700000002335b-808.dat | family_berbew
behavioral2/files/0x0007000000023363-836.dat | family_berbew
behavioral2/files/0x0007000000023368-850.dat | family_berbew
behavioral2/files/0x000700000002336c-864.dat | family_berbew
behavioral2/files/0x000700000002337a-913.dat | family_berbew
behavioral2/files/0x000700000002337e-927.dat | family_berbew
behavioral2/files/0x0007000000023384-948.dat | family_berbew
behavioral2/files/0x000700000002338a-969.dat | family_berbew
behavioral2/files/0x0007000000023399-1018.dat | family_berbew
behavioral2/files/0x00070000000233ad-1081.dat | family_berbew
behavioral2/files/0x00070000000233bb-1130.dat | family_berbew
behavioral2/files/0x00070000000233bf-1144.dat | family_berbew
behavioral2/files/0x00070000000233d9-1235.dat | family_berbew
behavioral2/files/0x00070000000233df-1256.dat | family_berbew
behavioral2/files/0x000b000000023015-1277.dat | family_berbew
behavioral2/files/0x00070000000233ef-1305.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
640 | Cidgdg32.exe
4172 | Dmkcpdao.exe
4004 | Dghadidj.exe
2104 | Elhfbp32.exe
216 | Ephlnn32.exe
2020 | Fneoma32.exe
3792 | Gfemmb32.exe
4912 | Igjlibib.exe
3904 | Inhmqlmj.exe
1480 | Kallod32.exe
1376 | Ljijci32.exe
644 | Mhhjhlqm.exe
812 | Moglpedd.exe
4620 | Ndkjik32.exe
2636 | Pgllad32.exe
4776 | Pgoigcip.exe
368 | Qdllffpo.exe
4788 | Afboah32.exe
3620 | Bfieagka.exe
4528 | Ciogobcm.exe
2856 | Cfedmfqd.exe
4252 | Dpglmjoj.exe
456 | Eifffoob.exe
5036 | Ebagdddp.exe
1404 | Efopjbjg.exe
2224 | Ehbihj32.exe
3912 | Fgmllpng.exe
3136 | Gomkkagl.exe
3972 | Icklhnop.exe
4768 | Iiokacgp.exe
3324 | Jqklnp32.exe
4700 | Kmpido32.exe
764 | Lpghfi32.exe
1132 | Mpqklh32.exe
2316 | Nfdfoala.exe
3848 | Nalgbi32.exe
1496 | Omjnhiiq.exe
4484 | Odfcjc32.exe
4312 | Oalpigkb.exe
1960 | Paaidf32.exe
432 | Pnhjig32.exe
1508 | Phpklp32.exe
832 | Qajlje32.exe
3968 | Qnamofdf.exe
2964 | Ajaqjfbp.exe
4780 | Bqnemp32.exe
4900 | Cinpdl32.exe
3592 | Cnmebblf.exe
1972 | Canocm32.exe
2556 | Dnghhqdk.exe
556 | Eblgon32.exe
3048 | Eeailhme.exe
1048 | Flmonbbp.exe
1124 | Fkbkoo32.exe
2688 | Fkgejncb.exe
4612 | Femigg32.exe
3504 | Gbecljnl.exe
1696 | Glngep32.exe
3992 | Gkcdfl32.exe
4012 | Gclimi32.exe
4856 | Hcabhido.exe
4324 | Hakidd32.exe
2192 | Mpkkgbmi.exe
3676 | Mpnglbkf.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Bplammmf.exe | Bimoecio.exe
File created | C:\Windows\SysWOW64\Gggnif32.dll | Hkkhjj32.exe
File opened for modification | C:\Windows\SysWOW64\Beeokgei.exe | Bjokno32.exe
File created | C:\Windows\SysWOW64\Adocpjbi.dll | Gkjhif32.exe
File created | C:\Windows\SysWOW64\Hgfaij32.exe | Hmnmqdee.exe
File opened for modification | C:\Windows\SysWOW64\Akqfef32.exe | Aojepe32.exe
File created | C:\Windows\SysWOW64\Gknohl32.dll | Ciogobcm.exe
File opened for modification | C:\Windows\SysWOW64\Ndkjik32.exe | Moglpedd.exe
File opened for modification | C:\Windows\SysWOW64\Bfchcijo.exe | Bjlgnh32.exe
File opened for modification | C:\Windows\SysWOW64\Cooolhin.exe | Bmofkm32.exe
File created | C:\Windows\SysWOW64\Mabnlh32.exe | Lqndahiq.exe
File opened for modification | C:\Windows\SysWOW64\Oceepj32.exe | Ofaeffpa.exe
File created | C:\Windows\SysWOW64\Ddmlgm32.dll | Ajaqjfbp.exe
File opened for modification | C:\Windows\SysWOW64\Jaekkfcm.exe | Jgpfmncg.exe
File created | C:\Windows\SysWOW64\Dcopke32.exe | Dlckik32.exe
File created | C:\Windows\SysWOW64\Oidlhbem.dll | Agpoqoaf.exe
File opened for modification | C:\Windows\SysWOW64\Nlfeeelm.exe | Njghkb32.exe
File created | C:\Windows\SysWOW64\Beglqgcf.exe | Beeokgei.exe
File created | C:\Windows\SysWOW64\Falmabki.exe | Fhchhm32.exe
File created | C:\Windows\SysWOW64\Llgcin32.exe | Lhijcohe.exe
File opened for modification | C:\Windows\SysWOW64\Jngbcj32.exe | Jlgeig32.exe
File opened for modification | C:\Windows\SysWOW64\Blflmj32.exe | Bqokhi32.exe
File created | C:\Windows\SysWOW64\Eceoanpo.exe | Dogfkpih.exe
File created | C:\Windows\SysWOW64\Qkpdbm32.dll | Eceoanpo.exe
File created | C:\Windows\SysWOW64\Mehpnbkg.dll | Mcfkkmeo.exe
File created | C:\Windows\SysWOW64\Fbcblo32.dll | Pnifoaba.exe
File created | C:\Windows\SysWOW64\Pmfhbm32.exe | Pqpgnl32.exe
File created | C:\Windows\SysWOW64\Pobmogkn.dll | Hnmnpano.exe
File created | C:\Windows\SysWOW64\Ppiomkim.dll | Hglaookl.exe
File created | C:\Windows\SysWOW64\Alnakngf.dll | Nejkfj32.exe
File opened for modification | C:\Windows\SysWOW64\Eainnn32.exe | Efamkepl.exe
File created | C:\Windows\SysWOW64\Gqcahm32.dll | Joahjcgb.exe
File opened for modification | C:\Windows\SysWOW64\Bjlgnh32.exe | Bjjjhifm.exe
File created | C:\Windows\SysWOW64\Nalgbi32.exe | Nfdfoala.exe
File created | C:\Windows\SysWOW64\Mbamcm32.exe | Mppdbb32.exe
File created | C:\Windows\SysWOW64\Ofgogm32.dll | Hlipfh32.exe
File created | C:\Windows\SysWOW64\Nkijbooo.exe | Nneiikqe.exe
File created | C:\Windows\SysWOW64\Kfoapo32.exe | Kdnincal.exe
File created | C:\Windows\SysWOW64\Jaadfkaa.dll | Moglkikl.exe
File created | C:\Windows\SysWOW64\Jkdcffci.exe | Jnqbmadp.exe
File created | C:\Windows\SysWOW64\Nojfamdo.dll | Dobffj32.exe
File opened for modification | C:\Windows\SysWOW64\Emniheha.exe | Eknpfj32.exe
File created | C:\Windows\SysWOW64\Pmiidnko.exe | Ppeikjle.exe
File opened for modification | C:\Windows\SysWOW64\Plgpjhnf.exe | Pfhklabb.exe
File created | C:\Windows\SysWOW64\Ifjfhh32.exe | Iidiidgj.exe
File created | C:\Windows\SysWOW64\Pcojdnfm.exe | Peimcaae.exe
File created | C:\Windows\SysWOW64\Acjjpllp.exe | Ajbegg32.exe
File created | C:\Windows\SysWOW64\Jmhihbcg.dll | Fffqjfom.exe
File opened for modification | C:\Windows\SysWOW64\Iioicn32.exe | Hkkhjj32.exe
File created | C:\Windows\SysWOW64\Lnldeg32.exe | Lqhdlc32.exe
File created | C:\Windows\SysWOW64\Ghanoeel.exe | Gnfmapqo.exe
File created | C:\Windows\SysWOW64\Dmppgb32.dll | Ajbegg32.exe
File created | C:\Windows\SysWOW64\Lekbmmcq.dll | Dibmfb32.exe
File opened for modification | C:\Windows\SysWOW64\Emenhcdf.exe | Deliaf32.exe
File created | C:\Windows\SysWOW64\Pjofcb32.exe | Pnifoaba.exe
File created | C:\Windows\SysWOW64\Npkmcj32.exe | Nnlqig32.exe
File created | C:\Windows\SysWOW64\Gfghkgkc.dll | Jahgpf32.exe
File created | C:\Windows\SysWOW64\Dfgidngk.dll | Jcplle32.exe
File created | C:\Windows\SysWOW64\Peoqoo32.dll | Beeokgei.exe
File opened for modification | C:\Windows\SysWOW64\Ckkilhjm.exe | Codhgg32.exe
File created | C:\Windows\SysWOW64\Jdibgo32.dll | Hfgjad32.exe
File opened for modification | C:\Windows\SysWOW64\Hcpcehko.exe | Hcmgphma.exe
File created | C:\Windows\SysWOW64\Imakdl32.exe | Iicboncn.exe
File created | C:\Windows\SysWOW64\Bjokno32.exe | Bccfleqi.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3292 | 3724 | WerFault.exe | 791
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Olnmdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjlij32.dll" | Phnoac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Plgpjhnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndnocba.dll" | Ffeaichg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ogmidbal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnheh32.dll" | Dqomdppm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakfgdq.dll" | Codhgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gclimi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lqndahiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hifcqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Peaokh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ecpmod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdglfqjd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bddjijia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gfemmb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnhgidka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajbegg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jdqcglqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfloio32.dll" | Odfcjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hakidd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkplilgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennaaohb.dll" | Iaokdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mingbhon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmclgghc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pojccmii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamgp32.dll" | Hgfaij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmapbofn.dll" | Ifglmlol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjffngap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfjhpi32.dll" | Gdglfqjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dnondf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhehkamb.dll" | Aploae32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkhokkel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceckleii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aljmal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffeaichg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iloimopp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lanpml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbeoe32.dll" | Jcbibeki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcmil32.dll" | Cggnhlml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnklcn32.dll" | Jkggfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajfhepb.dll" | Ljaooodf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qnamofdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Paqebike.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dlckik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkffm32.dll" | Jdhpba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oceepj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Elhfbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbeeco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnondf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjqgggni.dll" | Djgbmffn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogljcokf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkihgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ipmbcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpjgjefj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnmaeif.dll" | Afboah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ioclnblj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnfkbla.dll" | Aebjokda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqkagjo.dll" | Njmopj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmajl32.dll" | Blkdgheg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oapljmgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmglog32.dll" | Bbgiibja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jigdoglm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odjeepna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifjfhh32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4740 wrote to memory of 640 | 4740 | 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe | 91
PID 4740 wrote to memory of 640 | 4740 | 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe | 91
PID 4740 wrote to memory of 640 | 4740 | 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe | 91
PID 640 wrote to memory of 4172 | 640 | Cidgdg32.exe | 92
PID 640 wrote to memory of 4172 | 640 | Cidgdg32.exe | 92
PID 640 wrote to memory of 4172 | 640 | Cidgdg32.exe | 92
PID 4172 wrote to memory of 4004 | 4172 | Dmkcpdao.exe | 93
PID 4172 wrote to memory of 4004 | 4172 | Dmkcpdao.exe | 93
PID 4172 wrote to memory of 4004 | 4172 | Dmkcpdao.exe | 93
PID 4004 wrote to memory of 2104 | 4004 | Dghadidj.exe | 94
PID 4004 wrote to memory of 2104 | 4004 | Dghadidj.exe | 94
PID 4004 wrote to memory of 2104 | 4004 | Dghadidj.exe | 94
PID 2104 wrote to memory of 216 | 2104 | Elhfbp32.exe | 95
PID 2104 wrote to memory of 216 | 2104 | Elhfbp32.exe | 95
PID 2104 wrote to memory of 216 | 2104 | Elhfbp32.exe | 95
PID 216 wrote to memory of 2020 | 216 | Ephlnn32.exe | 96
PID 216 wrote to memory of 2020 | 216 | Ephlnn32.exe | 96
PID 216 wrote to memory of 2020 | 216 | Ephlnn32.exe | 96
PID 2020 wrote to memory of 3792 | 2020 | Fneoma32.exe | 97
PID 2020 wrote to memory of 3792 | 2020 | Fneoma32.exe | 97
PID 2020 wrote to memory of 3792 | 2020 | Fneoma32.exe | 97
PID 3792 wrote to memory of 4912 | 3792 | Gfemmb32.exe | 98
PID 3792 wrote to memory of 4912 | 3792 | Gfemmb32.exe | 98
PID 3792 wrote to memory of 4912 | 3792 | Gfemmb32.exe | 98
PID 4912 wrote to memory of 3904 | 4912 | Igjlibib.exe | 99
PID 4912 wrote to memory of 3904 | 4912 | Igjlibib.exe | 99
PID 4912 wrote to memory of 3904 | 4912 | Igjlibib.exe | 99
PID 3904 wrote to memory of 1480 | 3904 | Inhmqlmj.exe | 100
PID 3904 wrote to memory of 1480 | 3904 | Inhmqlmj.exe | 100
PID 3904 wrote to memory of 1480 | 3904 | Inhmqlmj.exe | 100
PID 1480 wrote to memory of 1376 | 1480 | Kallod32.exe | 101
PID 1480 wrote to memory of 1376 | 1480 | Kallod32.exe | 101
PID 1480 wrote to memory of 1376 | 1480 | Kallod32.exe | 101
PID 1376 wrote to memory of 644 | 1376 | Ljijci32.exe | 102
PID 1376 wrote to memory of 644 | 1376 | Ljijci32.exe | 102
PID 1376 wrote to memory of 644 | 1376 | Ljijci32.exe | 102
PID 644 wrote to memory of 812 | 644 | Mhhjhlqm.exe | 103
PID 644 wrote to memory of 812 | 644 | Mhhjhlqm.exe | 103
PID 644 wrote to memory of 812 | 644 | Mhhjhlqm.exe | 103
PID 812 wrote to memory of 4620 | 812 | Moglpedd.exe | 104
PID 812 wrote to memory of 4620 | 812 | Moglpedd.exe | 104
PID 812 wrote to memory of 4620 | 812 | Moglpedd.exe | 104
PID 4620 wrote to memory of 2636 | 4620 | Ndkjik32.exe | 105
PID 4620 wrote to memory of 2636 | 4620 | Ndkjik32.exe | 105
PID 4620 wrote to memory of 2636 | 4620 | Ndkjik32.exe | 105
PID 2636 wrote to memory of 4776 | 2636 | Pgllad32.exe | 106
PID 2636 wrote to memory of 4776 | 2636 | Pgllad32.exe | 106
PID 2636 wrote to memory of 4776 | 2636 | Pgllad32.exe | 106
PID 4776 wrote to memory of 368 | 4776 | Pgoigcip.exe | 107
PID 4776 wrote to memory of 368 | 4776 | Pgoigcip.exe | 107
PID 4776 wrote to memory of 368 | 4776 | Pgoigcip.exe | 107
PID 368 wrote to memory of 4788 | 368 | Qdllffpo.exe | 108
PID 368 wrote to memory of 4788 | 368 | Qdllffpo.exe | 108
PID 368 wrote to memory of 4788 | 368 | Qdllffpo.exe | 108
PID 4788 wrote to memory of 3620 | 4788 | Afboah32.exe | 109
PID 4788 wrote to memory of 3620 | 4788 | Afboah32.exe | 109
PID 4788 wrote to memory of 3620 | 4788 | Afboah32.exe | 109
PID 3620 wrote to memory of 4528 | 3620 | Bfieagka.exe | 110
PID 3620 wrote to memory of 4528 | 3620 | Bfieagka.exe | 110
PID 3620 wrote to memory of 4528 | 3620 | Bfieagka.exe | 110
PID 4528 wrote to memory of 2856 | 4528 | Ciogobcm.exe | 111
PID 4528 wrote to memory of 2856 | 4528 | Ciogobcm.exe | 111
PID 4528 wrote to memory of 2856 | 4528 | Ciogobcm.exe | 111
PID 2856 wrote to memory of 4252 | 2856 | Cfedmfqd.exe | 112
Processes
Each entry is numbered by its depth in the process tree: the sample is the root, and every process below it is the child of the entry listed immediately before it. Each entry gives the image path, the command line as recorded by the sandbox, the matched signatures, and the PID.
1. C:\Users\Admin\AppData\Local\Temp\3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe"), PID 4740
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cidgdg32.exe (command line: C:\Windows\system32\Cidgdg32.exe), PID 640
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Dmkcpdao.exe (command line: C:\Windows\system32\Dmkcpdao.exe), PID 4172
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Dghadidj.exe (command line: C:\Windows\system32\Dghadidj.exe), PID 4004
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Elhfbp32.exe (command line: C:\Windows\system32\Elhfbp32.exe), PID 2104
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ephlnn32.exe (command line: C:\Windows\system32\Ephlnn32.exe), PID 216
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fneoma32.exe (command line: C:\Windows\system32\Fneoma32.exe), PID 2020
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gfemmb32.exe (command line: C:\Windows\system32\Gfemmb32.exe), PID 3792
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Igjlibib.exe (command line: C:\Windows\system32\Igjlibib.exe), PID 4912
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Inhmqlmj.exe (command line: C:\Windows\system32\Inhmqlmj.exe), PID 3904
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kallod32.exe (command line: C:\Windows\system32\Kallod32.exe), PID 1480
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ljijci32.exe (command line: C:\Windows\system32\Ljijci32.exe), PID 1376
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mhhjhlqm.exe (command line: C:\Windows\system32\Mhhjhlqm.exe), PID 644
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Moglpedd.exe (command line: C:\Windows\system32\Moglpedd.exe), PID 812
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ndkjik32.exe (command line: C:\Windows\system32\Ndkjik32.exe), PID 4620
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pgllad32.exe (command line: C:\Windows\system32\Pgllad32.exe), PID 2636
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Pgoigcip.exe (command line: C:\Windows\system32\Pgoigcip.exe), PID 4776
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Qdllffpo.exe (command line: C:\Windows\system32\Qdllffpo.exe), PID 368
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Afboah32.exe (command line: C:\Windows\system32\Afboah32.exe), PID 4788
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Bfieagka.exe (command line: C:\Windows\system32\Bfieagka.exe), PID 3620
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ciogobcm.exe (command line: C:\Windows\system32\Ciogobcm.exe), PID 4528
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Cfedmfqd.exe (command line: C:\Windows\system32\Cfedmfqd.exe), PID 2856
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Dpglmjoj.exe (command line: C:\Windows\system32\Dpglmjoj.exe), PID 4252
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Eifffoob.exe (command line: C:\Windows\system32\Eifffoob.exe), PID 456
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Ebagdddp.exe (command line: C:\Windows\system32\Ebagdddp.exe), PID 5036
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Efopjbjg.exe (command line: C:\Windows\system32\Efopjbjg.exe), PID 1404
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Ehbihj32.exe (command line: C:\Windows\system32\Ehbihj32.exe), PID 2224
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Fgmllpng.exe (command line: C:\Windows\system32\Fgmllpng.exe), PID 3912
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Gomkkagl.exe (command line: C:\Windows\system32\Gomkkagl.exe), PID 3136
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Icklhnop.exe (command line: C:\Windows\system32\Icklhnop.exe), PID 3972
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Iiokacgp.exe (command line: C:\Windows\system32\Iiokacgp.exe), PID 4768
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Jqklnp32.exe (command line: C:\Windows\system32\Jqklnp32.exe), PID 3324
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Kmpido32.exe (command line: C:\Windows\system32\Kmpido32.exe), PID 4700
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Lpghfi32.exe (command line: C:\Windows\system32\Lpghfi32.exe), PID 764
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Mpqklh32.exe (command line: C:\Windows\system32\Mpqklh32.exe), PID 1132
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Nfdfoala.exe (command line: C:\Windows\system32\Nfdfoala.exe), PID 2316
   - Executes dropped EXE
   - Drops file in System32 directory
37. C:\Windows\SysWOW64\Nalgbi32.exe (command line: C:\Windows\system32\Nalgbi32.exe), PID 3848
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Omjnhiiq.exe (command line: C:\Windows\system32\Omjnhiiq.exe), PID 1496
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Odfcjc32.exe (command line: C:\Windows\system32\Odfcjc32.exe), PID 4484
   - Executes dropped EXE
   - Modifies registry class
40. C:\Windows\SysWOW64\Oalpigkb.exe (command line: C:\Windows\system32\Oalpigkb.exe), PID 4312
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Paaidf32.exe (command line: C:\Windows\system32\Paaidf32.exe), PID 1960
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Pnhjig32.exe (command line: C:\Windows\system32\Pnhjig32.exe), PID 432
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Phpklp32.exe (command line: C:\Windows\system32\Phpklp32.exe), PID 1508
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Qajlje32.exe (command line: C:\Windows\system32\Qajlje32.exe), PID 832
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Qnamofdf.exe (command line: C:\Windows\system32\Qnamofdf.exe), PID 3968
   - Executes dropped EXE
   - Modifies registry class
46. C:\Windows\SysWOW64\Ajaqjfbp.exe (command line: C:\Windows\system32\Ajaqjfbp.exe), PID 2964
   - Executes dropped EXE
   - Drops file in System32 directory
47. C:\Windows\SysWOW64\Bqnemp32.exe (command line: C:\Windows\system32\Bqnemp32.exe), PID 4780
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Cinpdl32.exe (command line: C:\Windows\system32\Cinpdl32.exe), PID 4900
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Cnmebblf.exe (command line: C:\Windows\system32\Cnmebblf.exe), PID 3592
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Canocm32.exe (command line: C:\Windows\system32\Canocm32.exe), PID 1972
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Dnghhqdk.exe (command line: C:\Windows\system32\Dnghhqdk.exe), PID 2556
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Eblgon32.exe (command line: C:\Windows\system32\Eblgon32.exe), PID 556
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Eeailhme.exe (command line: C:\Windows\system32\Eeailhme.exe), PID 3048
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Flmonbbp.exe (command line: C:\Windows\system32\Flmonbbp.exe), PID 1048
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Fkbkoo32.exe (command line: C:\Windows\system32\Fkbkoo32.exe), PID 1124
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Fkgejncb.exe (command line: C:\Windows\system32\Fkgejncb.exe), PID 2688
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Femigg32.exe (command line: C:\Windows\system32\Femigg32.exe), PID 4612
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Gbecljnl.exe (command line: C:\Windows\system32\Gbecljnl.exe), PID 3504
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Glngep32.exe (command line: C:\Windows\system32\Glngep32.exe), PID 1696
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Gkcdfl32.exe (command line: C:\Windows\system32\Gkcdfl32.exe), PID 3992
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Gclimi32.exe (command line: C:\Windows\system32\Gclimi32.exe), PID 4012
   - Executes dropped EXE
   - Modifies registry class
62. C:\Windows\SysWOW64\Hcabhido.exe (command line: C:\Windows\system32\Hcabhido.exe), PID 4856
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Hakidd32.exe (command line: C:\Windows\system32\Hakidd32.exe), PID 4324
   - Executes dropped EXE
   - Modifies registry class
64. C:\Windows\SysWOW64\Mpkkgbmi.exe (command line: C:\Windows\system32\Mpkkgbmi.exe), PID 2192
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Mpnglbkf.exe (command line: C:\Windows\system32\Mpnglbkf.exe), PID 3676
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Mppdbb32.exe (command line: C:\Windows\system32\Mppdbb32.exe), PID 1136
   - Drops file in System32 directory
67. C:\Windows\SysWOW64\Mbamcm32.exe (command line: C:\Windows\system32\Mbamcm32.exe), PID 3976
68. C:\Windows\SysWOW64\Njmopj32.exe (command line: C:\Windows\system32\Njmopj32.exe), PID 2596
   - Modifies registry class
69. C:\Windows\SysWOW64\Niblafgi.exe (command line: C:\Windows\system32\Niblafgi.exe), PID 1328
70. C:\Windows\SysWOW64\Nfhipj32.exe (command line: C:\Windows\system32\Nfhipj32.exe), PID 736
71. C:\Windows\SysWOW64\Njfafhjf.exe (command line: C:\Windows\system32\Njfafhjf.exe), PID 32
72. C:\Windows\SysWOW64\Obccpj32.exe (command line: C:\Windows\system32\Obccpj32.exe), PID 3384
73. C:\Windows\SysWOW64\Obfpejcl.exe (command line: C:\Windows\system32\Obfpejcl.exe), PID 4560
74. C:\Windows\SysWOW64\Ofdhlh32.exe (command line: C:\Windows\system32\Ofdhlh32.exe), PID 960
75. C:\Windows\SysWOW64\Okaabg32.exe (command line: C:\Windows\system32\Okaabg32.exe), PID 5172
76. C:\Windows\SysWOW64\Pmbjcb32.exe (command line: C:\Windows\system32\Pmbjcb32.exe), PID 5216
77. C:\Windows\SysWOW64\Piikhc32.exe (command line: C:\Windows\system32\Piikhc32.exe), PID 5260
78. C:\Windows\SysWOW64\Pkigbfja.exe (command line: C:\Windows\system32\Pkigbfja.exe), PID 5304
79. C:\Windows\SysWOW64\Pllppnnm.exe (command line: C:\Windows\system32\Pllppnnm.exe), PID 5348
80. C:\Windows\SysWOW64\Qlajkm32.exe (command line: C:\Windows\system32\Qlajkm32.exe), PID 5412
81. C:\Windows\SysWOW64\Anqfepaj.exe (command line: C:\Windows\system32\Anqfepaj.exe), PID 5456
82. C:\Windows\SysWOW64\Akdfndpd.exe (command line: C:\Windows\system32\Akdfndpd.exe), PID 5516
83. C:\Windows\SysWOW64\Aneppo32.exe (command line: C:\Windows\system32\Aneppo32.exe), PID 5560
84. C:\Windows\SysWOW64\Aljmal32.exe (command line: C:\Windows\system32\Aljmal32.exe), PID 5604
   - Modifies registry class
85. C:\Windows\SysWOW64\Acgacegg.exe (command line: C:\Windows\system32\Acgacegg.exe), PID 5656
86. C:\Windows\SysWOW64\Bloflk32.exe (command line: C:\Windows\system32\Bloflk32.exe), PID 5724
87. C:\Windows\SysWOW64\Bjcfeola.exe (command line: C:\Windows\system32\Bjcfeola.exe), PID 5776
88. C:\Windows\SysWOW64\Bqokhi32.exe (command line: C:\Windows\system32\Bqokhi32.exe), PID 5824
   - Drops file in System32 directory
89. C:\Windows\SysWOW64\Blflmj32.exe (command line: C:\Windows\system32\Blflmj32.exe), PID 5876
90. C:\Windows\SysWOW64\Bjjmfn32.exe (command line: C:\Windows\system32\Bjjmfn32.exe), PID 5932
91. C:\Windows\SysWOW64\Ccbaoc32.exe (command line: C:\Windows\system32\Ccbaoc32.exe), PID 5980
92. C:\Windows\SysWOW64\Cnhell32.exe (command line: C:\Windows\system32\Cnhell32.exe), PID 6024
93. C:\Windows\SysWOW64\Ccendc32.exe (command line: C:\Windows\system32\Ccendc32.exe), PID 6072
94. C:\Windows\SysWOW64\Cmmbmiag.exe (command line: C:\Windows\system32\Cmmbmiag.exe), PID 6120
95. C:\Windows\SysWOW64\Cnmoglij.exe (command line: C:\Windows\system32\Cnmoglij.exe), PID 5168
96. C:\Windows\SysWOW64\Cmblhh32.exe (command line: C:\Windows\system32\Cmblhh32.exe), PID 5244
97. C:\Windows\SysWOW64\Dkehlo32.exe (command line: C:\Windows\system32\Dkehlo32.exe), PID 4556
98. C:\Windows\SysWOW64\Dgliapic.exe (command line: C:\Windows\system32\Dgliapic.exe), PID 5408
99. C:\Windows\SysWOW64\Dgnffp32.exe (command line: C:\Windows\system32\Dgnffp32.exe), PID 5464
   - Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Dqigee32.exe (command line: C:\Windows\system32\Dqigee32.exe), PID 5556
101. C:\Windows\SysWOW64\Ecjpfp32.exe (command line: C:\Windows\system32\Ecjpfp32.exe), PID 5620
102. C:\Windows\SysWOW64\Enaaiifb.exe (command line: C:\Windows\system32\Enaaiifb.exe), PID 5720
103. C:\Windows\SysWOW64\Ekeacmel.exe (command line: C:\Windows\system32\Ekeacmel.exe), PID 5792
   - Adds autorun key to be loaded by Explorer.exe on startup
104. C:\Windows\SysWOW64\Eglbhnkp.exe (command line: C:\Windows\system32\Eglbhnkp.exe), PID 5864
105. C:\Windows\SysWOW64\Eljknl32.exe (command line: C:\Windows\system32\Eljknl32.exe), PID 5960
106. C:\Windows\SysWOW64\Fagcfc32.exe (command line: C:\Windows\system32\Fagcfc32.exe), PID 6032
107. C:\Windows\SysWOW64\Fhchhm32.exe (command line: C:\Windows\system32\Fhchhm32.exe), PID 6112
   - Drops file in System32 directory
108. C:\Windows\SysWOW64\Falmabki.exe (command line: C:\Windows\system32\Falmabki.exe), PID 5188
109. C:\Windows\SysWOW64\Fejegaao.exe (command line: C:\Windows\system32\Fejegaao.exe), PID 5300
110. C:\Windows\SysWOW64\Fnbjpf32.exe (command line: C:\Windows\system32\Fnbjpf32.exe), PID 5440
111. C:\Windows\SysWOW64\Genobp32.exe (command line: C:\Windows\system32\Genobp32.exe), PID 5568
112. C:\Windows\SysWOW64\Gaepgacn.exe (command line: C:\Windows\system32\Gaepgacn.exe), PID 5644
113. C:\Windows\SysWOW64\Goipae32.exe (command line: C:\Windows\system32\Goipae32.exe), PID 5760
114. C:\Windows\SysWOW64\Gokmfe32.exe (command line: C:\Windows\system32\Gokmfe32.exe), PID 5832
115. C:\Windows\SysWOW64\Glajeiml.exe (command line: C:\Windows\system32\Glajeiml.exe), PID 5976
116. C:\Windows\SysWOW64\Hmecba32.exe (command line: C:\Windows\system32\Hmecba32.exe), PID 6108
117. C:\Windows\SysWOW64\Hlipfh32.exe (command line: C:\Windows\system32\Hlipfh32.exe), PID 5140
   - Drops file in System32 directory
118. C:\Windows\SysWOW64\Hhpaki32.exe (command line: C:\Windows\system32\Hhpaki32.exe), PID 5328
119. C:\Windows\SysWOW64\Iefnjm32.exe (command line: C:\Windows\system32\Iefnjm32.exe), PID 5508
120. C:\Windows\SysWOW64\Iaokdn32.exe (command line: C:\Windows\system32\Iaokdn32.exe), PID 2248
   - Modifies registry class
121. C:\Windows\SysWOW64\Ioclnblj.exe (command line: C:\Windows\system32\Ioclnblj.exe), PID 640
   - Modifies registry class
122. C:\Windows\SysWOW64\Iacepmik.exe (command line: C:\Windows\system32\Iacepmik.exe), PID 6004