Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2024, 14:52
Behavioral task: behavioral1
Sample: cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe
Size: 384KB
MD5: cb269c081aa3e9bf65a888cd1c0b08e0
SHA1: b655b66bc9f9756d3b57a7bfab93d910cc6af896
SHA256: 566367eed512d69a2ce196b32252984218d62acc4b80c89a138768487353ca6c
SHA512: 1850bc30123b897ab80d9c76a23fb7d89f3413cb0e821ed167f5bc2c51ef1ff21d2c9b7ef49dae73045f7f8de211e22f4024930e5d35e0a59e16bc46e492d811
SSDEEP: 6144:o9qLlZFR3Rpui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+8mkUr1s:oELlLbpV6yYPI3cpV6yYPZ0PVdvcY9+y
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcodfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfeoijbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacijjgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkogqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbdiknlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flghognq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odljjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhghge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijfkpnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoconenj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79ECA078-17FF-726B-E811-213280E5C831}" Ecanojgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffoejkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfiddm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkdod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgmib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbapom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igjbci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmpgpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Minipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jldkeeig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgaelcgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehdfdek.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihmnldib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiaqnagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoapcood.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbeqaia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqmnpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhnichde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkcjjhgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hepgkohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhnichde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaidf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lamlphoo.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhpdkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jllhpkfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhghge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdnjfojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Philfgdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpdogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnlcdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmdgikhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakdbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohbfeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqbohocd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmpfdhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpqggh32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhjhmhhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flekihpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcodfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eennefib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Philfgdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pomncfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oakjnnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lccdghmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mackfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Namnmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdppaidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfkamk32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000023257-6.dat family_berbew behavioral2/files/0x000700000002325d-14.dat family_berbew behavioral2/files/0x000700000002325f-22.dat family_berbew behavioral2/files/0x0007000000023261-30.dat family_berbew behavioral2/files/0x0007000000023263-38.dat family_berbew behavioral2/files/0x0007000000023265-46.dat family_berbew behavioral2/files/0x0007000000023267-54.dat family_berbew behavioral2/files/0x000700000002326a-62.dat family_berbew behavioral2/files/0x000700000002326b-70.dat family_berbew behavioral2/files/0x000700000002326d-78.dat family_berbew behavioral2/files/0x000700000002326f-86.dat family_berbew behavioral2/files/0x0007000000023271-89.dat family_berbew behavioral2/files/0x0007000000023273-102.dat family_berbew behavioral2/files/0x0007000000023275-110.dat family_berbew behavioral2/files/0x0007000000023277-118.dat family_berbew behavioral2/files/0x0007000000023279-126.dat family_berbew behavioral2/files/0x000700000002327b-134.dat family_berbew behavioral2/files/0x000700000002327d-137.dat family_berbew behavioral2/files/0x000700000002327f-150.dat family_berbew behavioral2/files/0x0007000000023281-158.dat family_berbew behavioral2/files/0x0007000000023284-166.dat family_berbew behavioral2/files/0x0007000000023286-174.dat family_berbew behavioral2/files/0x0007000000023288-182.dat family_berbew behavioral2/files/0x000700000002328a-190.dat family_berbew behavioral2/files/0x000700000002328c-197.dat family_berbew behavioral2/files/0x000700000002328e-206.dat family_berbew behavioral2/files/0x0007000000023290-215.dat family_berbew behavioral2/files/0x0007000000023292-222.dat family_berbew behavioral2/files/0x0007000000023294-230.dat family_berbew behavioral2/files/0x0007000000023296-238.dat family_berbew behavioral2/files/0x0007000000023298-246.dat family_berbew behavioral2/files/0x000700000002329a-254.dat family_berbew behavioral2/files/0x00070000000232a0-269.dat family_berbew behavioral2/files/0x00070000000232a5-287.dat 
family_berbew behavioral2/files/0x00070000000232b1-323.dat family_berbew behavioral2/files/0x00070000000232b5-335.dat family_berbew behavioral2/files/0x00070000000232bf-365.dat family_berbew behavioral2/files/0x00070000000232cd-407.dat family_berbew behavioral2/files/0x00070000000232d5-431.dat family_berbew behavioral2/files/0x00070000000232e1-467.dat family_berbew behavioral2/files/0x00070000000232e5-479.dat family_berbew behavioral2/files/0x0007000000023302-567.dat family_berbew behavioral2/files/0x0007000000023306-581.dat family_berbew behavioral2/files/0x000700000002330c-602.dat family_berbew behavioral2/files/0x000700000002330e-610.dat family_berbew behavioral2/files/0x000700000002331b-651.dat family_berbew behavioral2/files/0x0007000000023321-672.dat family_berbew behavioral2/files/0x000700000002332f-720.dat family_berbew behavioral2/files/0x0007000000023333-733.dat family_berbew behavioral2/files/0x000700000002333d-768.dat family_berbew behavioral2/files/0x0007000000023341-782.dat family_berbew behavioral2/files/0x0007000000023347-803.dat family_berbew behavioral2/files/0x000700000002334b-817.dat family_berbew behavioral2/files/0x0007000000023370-934.dat family_berbew behavioral2/files/0x0007000000023374-948.dat family_berbew behavioral2/files/0x000700000002337a-969.dat family_berbew behavioral2/files/0x0007000000023384-1004.dat family_berbew behavioral2/files/0x0007000000023396-1067.dat family_berbew behavioral2/files/0x000700000002339e-1095.dat family_berbew behavioral2/files/0x00070000000233ab-1128.dat family_berbew behavioral2/files/0x00070000000233b9-1170.dat family_berbew behavioral2/files/0x00070000000233c3-1205.dat family_berbew behavioral2/files/0x00070000000233cd-1240.dat family_berbew behavioral2/files/0x00070000000233d1-1255.dat family_berbew -
Executes dropped EXE 64 IoCs
pid   Process
1700  Ebgpad32.exe
3912  Flfkkhid.exe
3264  Fngcmcfe.exe
3996  Flmqlg32.exe
4744  Gehbjm32.exe
1852  Gncchb32.exe
4932  Geohklaa.exe
4992  Glkmmefl.exe
1100  Hefnkkkj.exe
4048  Hpqldc32.exe
4100  Ibaeen32.exe
4524  Iebngial.exe
876   Ipjoja32.exe
2888  Igfclkdj.exe
1648  Jcmdaljn.exe
4756  Jenmcggo.exe
732   Jpenfp32.exe
3628  Jokkgl32.exe
2108  Kpjgaoqm.exe
5004  Knqepc32.exe
4856  Kgkfnh32.exe
4884  Kfpcoefj.exe
4592  Loighj32.exe
2844  Llodgnja.exe
3288  Mogcihaj.exe
1068  Mqkiok32.exe
4340  Nmbjcljl.exe
2004  Nmdgikhi.exe
2644  Njjdho32.exe
5016  Nfcabp32.exe
3856  Opnbae32.exe
2208  Ofkgcobj.exe
1944  Ojhpimhp.exe
1984  Pjkmomfn.exe
1964  Pfandnla.exe
4052  Pmnbfhal.exe
436   Pffgom32.exe
4568  Pfiddm32.exe
4112  Qacameaj.exe
1836  Aaenbd32.exe
2292  Aknbkjfh.exe
2432  Apjkcadp.exe
4516  Akpoaj32.exe
2820  Aaldccip.exe
4252  Amcehdod.exe
1996  Bpdnjple.exe
2836  Bpfkpp32.exe
2524  Bphgeo32.exe
1516  Bgelgi32.exe
5036  Cdimqm32.exe
2184  Cponen32.exe
1088  Chiblk32.exe
1636  Caageq32.exe
644   Ckjknfnh.exe
1188  Chnlgjlb.exe
2256  Dpiplm32.exe
1372  Dkndie32.exe
3636  Dolmodpi.exe
2304  Dnajppda.exe
4604  Dhgonidg.exe
456   Dhikci32.exe
1868  Eklajcmc.exe
1416  Eojiqb32.exe
2128  Egened32.exe
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ofdqcc32.exe Ookhfigk.exe File created C:\Windows\SysWOW64\Gjebiq32.exe Gqmnpk32.exe File opened for modification C:\Windows\SysWOW64\Lebijnak.exe Lpepbgbd.exe File created C:\Windows\SysWOW64\Mfenglqf.exe Mjnnbk32.exe File created C:\Windows\SysWOW64\Flfbcndo.exe Flcfnn32.exe File created C:\Windows\SysWOW64\Cgaqphgl.exe Cqghcn32.exe File created C:\Windows\SysWOW64\Qcncodki.exe Qbngeadf.exe File created C:\Windows\SysWOW64\Obncao32.dll Jglaepim.exe File created C:\Windows\SysWOW64\Mmmiiidk.dll Lhogamih.exe File created C:\Windows\SysWOW64\Hpkknmgd.exe Hbgkei32.exe File created C:\Windows\SysWOW64\Pakfglam.dll Ieeimlep.exe File opened for modification C:\Windows\SysWOW64\Hmbkfjko.exe Hcifmdeo.exe File created C:\Windows\SysWOW64\Llcdeegk.dll Malefbkc.exe File created C:\Windows\SysWOW64\Eoconenj.exe Ehifak32.exe File created C:\Windows\SysWOW64\Qacameaj.exe Pfiddm32.exe File created C:\Windows\SysWOW64\Hpigao32.dll Hfamia32.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Pfandnla.exe File opened for modification C:\Windows\SysWOW64\Ggoiap32.exe Fhnichde.exe File opened for modification C:\Windows\SysWOW64\Gbiockdj.exe Fajbjh32.exe File created C:\Windows\SysWOW64\Jpnakk32.exe Ilphdlqh.exe File created C:\Windows\SysWOW64\Djojepof.dll Fgiaemic.exe File created C:\Windows\SysWOW64\Kqgbobll.dll Nkgoke32.exe File created C:\Windows\SysWOW64\Chimmp32.dll Jmffnq32.exe File opened for modification C:\Windows\SysWOW64\Cgaqphgl.exe Cqghcn32.exe File opened for modification C:\Windows\SysWOW64\Jenmcggo.exe Jcmdaljn.exe File opened for modification C:\Windows\SysWOW64\Ckjknfnh.exe Caageq32.exe File opened for modification C:\Windows\SysWOW64\Enhifi32.exe Eaaiahei.exe File opened for modification C:\Windows\SysWOW64\Hcipcnac.exe Hfeoijbi.exe File created C:\Windows\SysWOW64\Bhamin32.dll Lccdghmc.exe File opened for modification C:\Windows\SysWOW64\Addhbo32.exe Anjpeelk.exe File created 
C:\Windows\SysWOW64\Iocbnhog.dll Mogcihaj.exe File opened for modification C:\Windows\SysWOW64\Oahnhncc.exe Oafacn32.exe File created C:\Windows\SysWOW64\Ignnjk32.exe Ihmnldib.exe File created C:\Windows\SysWOW64\Nmdgikhi.exe Nmbjcljl.exe File opened for modification C:\Windows\SysWOW64\Ecgodpgb.exe Ejojljqa.exe File created C:\Windows\SysWOW64\Jeolckne.exe Jnedgq32.exe File opened for modification C:\Windows\SysWOW64\Lddble32.exe Lacijjgi.exe File created C:\Windows\SysWOW64\Lhogamih.exe Ljkghi32.exe File opened for modification C:\Windows\SysWOW64\Oeopnmoa.exe Noehac32.exe File opened for modification C:\Windows\SysWOW64\Ohkijc32.exe Nmedmj32.exe File created C:\Windows\SysWOW64\Dccjlblm.dll Agcdnjcl.exe File created C:\Windows\SysWOW64\Bkcjjhgp.exe Bhennm32.exe File created C:\Windows\SysWOW64\Fallih32.dll Hbgkei32.exe File created C:\Windows\SysWOW64\Gilkbqmk.dll Fpfholhc.exe File created C:\Windows\SysWOW64\Bldcodde.dll Eipilmgh.exe File opened for modification C:\Windows\SysWOW64\Nqaiecjd.exe Noblkqca.exe File created C:\Windows\SysWOW64\Mjaofnii.dll Binhnomg.exe File created C:\Windows\SysWOW64\Ppcjmk32.dll Adnilfnl.exe File created C:\Windows\SysWOW64\Dgihop32.exe Dggkipii.exe File opened for modification C:\Windows\SysWOW64\Pmnbfhal.exe Pfandnla.exe File created C:\Windows\SysWOW64\Coffgmig.dll Gihpkd32.exe File created C:\Windows\SysWOW64\Ojhiogdd.exe Oihmedma.exe File created C:\Windows\SysWOW64\Faoqjagk.dll Nkpbpp32.exe File created C:\Windows\SysWOW64\Gaobmboi.dll Omlkmign.exe File opened for modification C:\Windows\SysWOW64\Abemep32.exe Aimhmkgn.exe File created C:\Windows\SysWOW64\Klgnnd32.dll Bgkaip32.exe File opened for modification C:\Windows\SysWOW64\Flghognq.exe Fcodfa32.exe File created C:\Windows\SysWOW64\Kolfbd32.dll Bgelgi32.exe File opened for modification C:\Windows\SysWOW64\Nimmifgo.exe Nqaiecjd.exe File created C:\Windows\SysWOW64\Pgihanii.exe Oiehhjjp.exe File opened for modification C:\Windows\SysWOW64\Fkcpql32.exe Edihdb32.exe File 
opened for modification C:\Windows\SysWOW64\Oacmchcl.exe Ohkijc32.exe File created C:\Windows\SysWOW64\Qnamofdf.exe Qggebl32.exe File opened for modification C:\Windows\SysWOW64\Adkelplc.exe Qnamofdf.exe -
Program crash 1 IoCs
pid    pid_target  Process       procid_target
10896  10808       WerFault.exe  634
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghfphob.dll" Igfclkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkjegb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkcpql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hepgkohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpcjnil.dll" Ofgmib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnknim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afpbkicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kimgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnjicfj.dll" Anjpeelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll" Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpjjm32.dll" 
Dbjade32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckajh32.dll" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Caageq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmnnimak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgide32.dll" Bcbeqaia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfmgqph.dll" Bcpika32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Khakqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmmaj32.dll" Geohklaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll" Edihdb32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpfholhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll" Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gipbck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfpkbfdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gqmnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jicdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdmikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enhifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifenan32.dll" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ookhfigk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nandhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhgmcp32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcekfnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flekihpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfjakgpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckoifgmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofdqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgkaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll" Mbdiknlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifleji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll" Pjoppf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgomaf32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdjblf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdenofm.dll" Ndpjnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Keekjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll" Klmnkdal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eaaiahei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dicbfhni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oiagde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfcqod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbcimhh.dll" Fpnkdfko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcgekjgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icembg32.dll" Eaaiahei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmpohpi.dll" Dblnid32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicimc32.dll" Mklpof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpmeimpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qhbhapha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qbngeadf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4752 wrote to memory of 1700 4752 cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe 90
PID 4752 wrote to memory of 1700 4752 cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe 90
PID 4752 wrote to memory of 1700 4752 cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe 90
PID 1700 wrote to memory of 3912 1700 Ebgpad32.exe 91
PID 1700 wrote to memory of 3912 1700 Ebgpad32.exe 91
PID 1700 wrote to memory of 3912 1700 Ebgpad32.exe 91
PID 3912 wrote to memory of 3264 3912 Flfkkhid.exe 92
PID 3912 wrote to memory of 3264 3912 Flfkkhid.exe 92
PID 3912 wrote to memory of 3264 3912 Flfkkhid.exe 92
PID 3264 wrote to memory of 3996 3264 Fngcmcfe.exe 93
PID 3264 wrote to memory of 3996 3264 Fngcmcfe.exe 93
PID 3264 wrote to memory of 3996 3264 Fngcmcfe.exe 93
PID 3996 wrote to memory of 4744 3996 Flmqlg32.exe 94
PID 3996 wrote to memory of 4744 3996 Flmqlg32.exe 94
PID 3996 wrote to memory of 4744 3996 Flmqlg32.exe 94
PID 4744 wrote to memory of 1852 4744 Gehbjm32.exe 95
PID 4744 wrote to memory of 1852 4744 Gehbjm32.exe 95
PID 4744 wrote to memory of 1852 4744 Gehbjm32.exe 95
PID 1852 wrote to memory of 4932 1852 Gncchb32.exe 96
PID 1852 wrote to memory of 4932 1852 Gncchb32.exe 96
PID 1852 wrote to memory of 4932 1852 Gncchb32.exe 96
PID 4932 wrote to memory of 4992 4932 Geohklaa.exe 97
PID 4932 wrote to memory of 4992 4932 Geohklaa.exe 97
PID 4932 wrote to memory of 4992 4932 Geohklaa.exe 97
PID 4992 wrote to memory of 1100 4992 Glkmmefl.exe 98
PID 4992 wrote to memory of 1100 4992 Glkmmefl.exe 98
PID 4992 wrote to memory of 1100 4992 Glkmmefl.exe 98
PID 1100 wrote to memory of 4048 1100 Hefnkkkj.exe 99
PID 1100 wrote to memory of 4048 1100 Hefnkkkj.exe 99
PID 1100 wrote to memory of 4048 1100 Hefnkkkj.exe 99
PID 4048 wrote to memory of 4100 4048 Hpqldc32.exe 100
PID 4048 wrote to memory of 4100 4048 Hpqldc32.exe 100
PID 4048 wrote to memory of 4100 4048 Hpqldc32.exe 100
PID 4100 wrote to memory of 4524 4100 Ibaeen32.exe 101
PID 4100 wrote to memory of 4524 4100 Ibaeen32.exe 101
PID 4100 wrote to memory of 4524 4100 Ibaeen32.exe 101
PID 4524 wrote to memory of 876 4524 Iebngial.exe 102
PID 4524 wrote to memory of 876 4524 Iebngial.exe 102
PID 4524 wrote to memory of 876 4524 Iebngial.exe 102
PID 876 wrote to memory of 2888 876 Ipjoja32.exe 103
PID 876 wrote to memory of 2888 876 Ipjoja32.exe 103
PID 876 wrote to memory of 2888 876 Ipjoja32.exe 103
PID 2888 wrote to memory of 1648 2888 Igfclkdj.exe 104
PID 2888 wrote to memory of 1648 2888 Igfclkdj.exe 104
PID 2888 wrote to memory of 1648 2888 Igfclkdj.exe 104
PID 1648 wrote to memory of 4756 1648 Jcmdaljn.exe 105
PID 1648 wrote to memory of 4756 1648 Jcmdaljn.exe 105
PID 1648 wrote to memory of 4756 1648 Jcmdaljn.exe 105
PID 4756 wrote to memory of 732 4756 Jenmcggo.exe 106
PID 4756 wrote to memory of 732 4756 Jenmcggo.exe 106
PID 4756 wrote to memory of 732 4756 Jenmcggo.exe 106
PID 732 wrote to memory of 3628 732 Jpenfp32.exe 107
PID 732 wrote to memory of 3628 732 Jpenfp32.exe 107
PID 732 wrote to memory of 3628 732 Jpenfp32.exe 107
PID 3628 wrote to memory of 2108 3628 Jokkgl32.exe 108
PID 3628 wrote to memory of 2108 3628 Jokkgl32.exe 108
PID 3628 wrote to memory of 2108 3628 Jokkgl32.exe 108
PID 2108 wrote to memory of 5004 2108 Kpjgaoqm.exe 109
PID 2108 wrote to memory of 5004 2108 Kpjgaoqm.exe 109
PID 2108 wrote to memory of 5004 2108 Kpjgaoqm.exe 109
PID 5004 wrote to memory of 4856 5004 Knqepc32.exe 110
PID 5004 wrote to memory of 4856 5004 Knqepc32.exe 110
PID 5004 wrote to memory of 4856 5004 Knqepc32.exe 110
PID 4856 wrote to memory of 4884 4856 Kgkfnh32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\cb269c081aa3e9bf65a888cd1c0b08e0_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Ipjoja32.exeC:\Windows\system32\Ipjoja32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Jenmcggo.exeC:\Windows\system32\Jenmcggo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Kfpcoefj.exeC:\Windows\system32\Kfpcoefj.exe23⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe24⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3288 -
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe27⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Nmbjcljl.exeC:\Windows\system32\Nmbjcljl.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4340 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe30⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Nfcabp32.exeC:\Windows\system32\Nfcabp32.exe31⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe32⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Ofkgcobj.exeC:\Windows\system32\Ofkgcobj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Ojhpimhp.exeC:\Windows\system32\Ojhpimhp.exe34⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe35⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe37⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe38⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4568 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe40⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe41⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe42⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe43⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Akpoaj32.exeC:\Windows\system32\Akpoaj32.exe44⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe45⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe46⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Bpdnjple.exeC:\Windows\system32\Bpdnjple.exe47⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Bpfkpp32.exeC:\Windows\system32\Bpfkpp32.exe48⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe49⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Bgelgi32.exeC:\Windows\system32\Bgelgi32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe51⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe52⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Chiblk32.exeC:\Windows\system32\Chiblk32.exe53⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Caageq32.exeC:\Windows\system32\Caageq32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Ckjknfnh.exeC:\Windows\system32\Ckjknfnh.exe55⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe56⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe57⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe58⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Dolmodpi.exeC:\Windows\system32\Dolmodpi.exe59⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe60⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe61⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Dhikci32.exeC:\Windows\system32\Dhikci32.exe62⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe63⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe64⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe65⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe66⤵
PID:2608 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe67⤵
PID:3360 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe68⤵
PID:4396 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe69⤵
PID:2212 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe70⤵
PID:2788 -
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe71⤵
PID:1192 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe72⤵
- Drops file in System32 directory
PID:3712 -
C:\Windows\SysWOW64\Gbiockdj.exeC:\Windows\system32\Gbiockdj.exe73⤵
PID:3752 -
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe74⤵
PID:3564 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe75⤵
PID:1444 -
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:3084 -
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe77⤵
PID:5180 -
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe78⤵
PID:5228 -
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe79⤵
PID:5268 -
C:\Windows\SysWOW64\Hbgkei32.exeC:\Windows\system32\Hbgkei32.exe80⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe81⤵
PID:5356 -
C:\Windows\SysWOW64\Hehdfdek.exeC:\Windows\system32\Hehdfdek.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5400 -
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe83⤵
PID:5440 -
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe84⤵
PID:5504 -
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe85⤵
PID:5548 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe86⤵
- Drops file in System32 directory
PID:5592 -
C:\Windows\SysWOW64\Jpnakk32.exeC:\Windows\system32\Jpnakk32.exe87⤵
PID:5644 -
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe88⤵
PID:5688 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe90⤵
PID:5776 -
C:\Windows\SysWOW64\Kheekkjl.exeC:\Windows\system32\Kheekkjl.exe91⤵
PID:5820 -
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5872 -
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe93⤵
- Drops file in System32 directory
PID:5916 -
C:\Windows\SysWOW64\Lebijnak.exeC:\Windows\system32\Lebijnak.exe94⤵
PID:5964 -
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6020 -
C:\Windows\SysWOW64\Mablfnne.exeC:\Windows\system32\Mablfnne.exe96⤵
PID:6080 -
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe98⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5260 -
C:\Windows\SysWOW64\Nciopppp.exeC:\Windows\system32\Nciopppp.exe100⤵
PID:5348 -
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe101⤵
PID:5424 -
C:\Windows\SysWOW64\Noblkqca.exeC:\Windows\system32\Noblkqca.exe102⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Nqaiecjd.exeC:\Windows\system32\Nqaiecjd.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe104⤵
PID:5624 -
C:\Windows\SysWOW64\Ncbafoge.exeC:\Windows\system32\Ncbafoge.exe105⤵
PID:5708 -
C:\Windows\SysWOW64\Njljch32.exeC:\Windows\system32\Njljch32.exe106⤵
PID:5784 -
C:\Windows\SysWOW64\Ooibkpmi.exeC:\Windows\system32\Ooibkpmi.exe107⤵
PID:5844 -
C:\Windows\SysWOW64\Oiagde32.exeC:\Windows\system32\Oiagde32.exe108⤵
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Ojqcnhkl.exeC:\Windows\system32\Ojqcnhkl.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5952 -
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe110⤵
PID:6060 -
C:\Windows\SysWOW64\Oihmedma.exeC:\Windows\system32\Oihmedma.exe111⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Ojhiogdd.exeC:\Windows\system32\Ojhiogdd.exe112⤵
PID:5276 -
C:\Windows\SysWOW64\Ppdbgncl.exeC:\Windows\system32\Ppdbgncl.exe113⤵
PID:5336 -
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe114⤵
PID:5488 -
C:\Windows\SysWOW64\Pafkgphl.exeC:\Windows\system32\Pafkgphl.exe115⤵
- Modifies registry class
PID:5604 -
C:\Windows\SysWOW64\Pjoppf32.exeC:\Windows\system32\Pjoppf32.exe116⤵
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Pfepdg32.exeC:\Windows\system32\Pfepdg32.exe117⤵
PID:5828 -
C:\Windows\SysWOW64\Pakdbp32.exeC:\Windows\system32\Pakdbp32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe119⤵
PID:6036 -
C:\Windows\SysWOW64\Qapnmopa.exeC:\Windows\system32\Qapnmopa.exe120⤵
PID:5216 -
C:\Windows\SysWOW64\Amfobp32.exeC:\Windows\system32\Amfobp32.exe121⤵
PID:5408 -
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe122⤵
PID:5588 -