Analysis
max time kernel: 143s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 00:33
Behavioral task behavioral1
Sample: 4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe
Size: 229KB
MD5: 4f6b39fb8a105d95f0383563658010b0
SHA1: 89f88d6664ae1e0f8decd6ff3315314cba876b77
SHA256: c722b967cc7da1662ebe03d173b50a9dd6516565d93a4580d3906d1616386cb6
SHA512: c975d6cc4bd5179aa2436302859d6dce9d77f9679cb2c721c40189f7c1cef067f0d3776b295866bdddec8d9ccd3ac25f4476f6ead181603d569da0fb7565110c
SSDEEP: 6144:3zP0iaV+bhxV271+HZ/pvkym/89bYEwPhCKvav:3zpbE7AIfFfvav
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gafmaj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppjgoaoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aobilkcl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgmgqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjlmclqa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glhonj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmoeoidl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jodjhkkj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igqkqiai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llhikacp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flkdfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnpppgdj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnjafap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emoinpcd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekiohclf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmhigf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phaahggp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qdbiedpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gnhdkl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqfngd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpkibf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bejogg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jmhale32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffaong32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Plpjoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dheibpje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ahhblemi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jimekgff.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bffkij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmipblaq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnlkedai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gohhpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnhjohkb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gadqlkep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbpajgmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbngllob.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpgnjo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffkjlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghopckpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gfgjgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gaogak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkobjpin.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkckeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hfnphn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opdghh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdpmbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnfihkqm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
yara_rule: family_berbew matched on every one of the following dropped resources
behavioral2/files/0x000900000002297e-6.dat
behavioral2/files/0x0007000000023494-15.dat
behavioral2/files/0x0007000000023496-22.dat
behavioral2/files/0x0007000000023498-31.dat
behavioral2/files/0x000700000002349a-38.dat
behavioral2/files/0x000700000002349c-47.dat
behavioral2/files/0x000700000002349e-55.dat
behavioral2/files/0x00070000000234a0-61.dat
behavioral2/files/0x00070000000234a2-71.dat
behavioral2/files/0x00070000000234a6-87.dat
behavioral2/files/0x00070000000234aa-97.dat
behavioral2/files/0x00070000000234a8-95.dat
behavioral2/files/0x00070000000234ac-111.dat
behavioral2/files/0x00070000000234b0-121.dat
behavioral2/files/0x00070000000234b2-135.dat
behavioral2/files/0x00070000000234b4-143.dat
behavioral2/files/0x00070000000234b6-151.dat
behavioral2/files/0x00070000000234bf-189.dat
behavioral2/files/0x00070000000234c5-215.dat
behavioral2/files/0x00070000000234ec-349.dat
behavioral2/files/0x00070000000234f2-366.dat
behavioral2/files/0x00070000000234f6-378.dat
behavioral2/files/0x0007000000023509-438.dat
behavioral2/files/0x000700000002350e-456.dat
behavioral2/files/0x0007000000023517-485.dat
behavioral2/files/0x000700000002351d-504.dat
behavioral2/files/0x0007000000023533-575.dat
behavioral2/files/0x000700000002353b-602.dat
behavioral2/files/0x000700000002356d-766.dat
behavioral2/files/0x000700000002357d-820.dat
behavioral2/files/0x00070000000235ad-983.dat
behavioral2/files/0x00070000000235c7-1061.dat
behavioral2/files/0x00070000000235f0-1192.dat
behavioral2/files/0x0007000000023608-1274.dat
behavioral2/files/0x000700000002362c-1396.dat
behavioral2/files/0x0007000000023632-1416.dat
behavioral2/files/0x0007000000023636-1429.dat
behavioral2/files/0x0007000000023628-1382.dat
behavioral2/files/0x0007000000023616-1321.dat
behavioral2/files/0x0007000000023614-1315.dat
behavioral2/files/0x00070000000235fc-1233.dat
behavioral2/files/0x00070000000235d9-1121.dat
behavioral2/files/0x00070000000235cb-1075.dat
behavioral2/files/0x0007000000023648-1486.dat
behavioral2/files/0x00070000000235bb-1028.dat
behavioral2/files/0x00070000000235b7-1014.dat
behavioral2/files/0x00070000000235a3-948.dat
behavioral2/files/0x000700000002359f-936.dat
behavioral2/files/0x0007000000023599-915.dat
behavioral2/files/0x0007000000023595-901.dat
behavioral2/files/0x0007000000023591-887.dat
behavioral2/files/0x0007000000023585-847.dat
behavioral2/files/0x0007000000023579-806.dat
behavioral2/files/0x0007000000023571-780.dat
behavioral2/files/0x0007000000023567-747.dat
behavioral2/files/0x0007000000023563-734.dat
behavioral2/files/0x0007000000023555-689.dat
behavioral2/files/0x000700000002354f-669.dat
behavioral2/files/0x0007000000023545-636.dat
behavioral2/files/0x000700000002352f-560.dat
behavioral2/files/0x000700000002352b-547.dat
behavioral2/files/0x0007000000023523-522.dat
behavioral2/files/0x0007000000023519-493.dat
behavioral2/files/0x0007000000023501-414.dat
Executes dropped EXE (64 IoCs)
pid | Process
1560 | Ahhblemi.exe
1748 | Aelcfilb.exe
2516 | Ahkobekf.exe
368 | Ahmlgd32.exe
1228 | Ajkhdp32.exe
4428 | Aealah32.exe
4020 | Ajneip32.exe
3516 | Abemjmgg.exe
2316 | Bdfibe32.exe
3164 | Bnlnon32.exe
4988 | Bdhfhe32.exe
5040 | Blpnib32.exe
3440 | Bnnjen32.exe
3036 | Bdkcmdhp.exe
620 | Blbknaib.exe
224 | Bejogg32.exe
3116 | Bldgdago.exe
1836 | Bbnpqk32.exe
8 | Bdolhc32.exe
3448 | Blfdia32.exe
4672 | Boepel32.exe
2036 | Cacmah32.exe
2600 | Cdainc32.exe
396 | Cbcilkjg.exe
3796 | Cknnpm32.exe
3744 | Cbefaj32.exe
1476 | Cdfbibnb.exe
1048 | Chbnia32.exe
4100 | Ckpjfm32.exe
4464 | Cajcbgml.exe
4840 | Cdiooblp.exe
2132 | Clpgpp32.exe
3740 | Cehkhecb.exe
3672 | Clbceo32.exe
4668 | Ckedalaj.exe
4504 | Dbllbibl.exe
3992 | Ddmhja32.exe
2208 | Dldpkoil.exe
3236 | Docmgjhp.exe
2000 | Daaicfgd.exe
1436 | Dhkapp32.exe
3340 | Dkjmlk32.exe
2592 | Dadeieea.exe
3652 | Deoaid32.exe
1348 | Dkljak32.exe
1652 | Dohfbj32.exe
2364 | Dafbne32.exe
1020 | Dddojq32.exe
1804 | Dojcgi32.exe
4036 | Dedkdcie.exe
4628 | Eolpmi32.exe
4696 | Eefhjc32.exe
2184 | Ehedfo32.exe
3172 | Eoolbinc.exe
2852 | Eamhodmf.exe
740 | Edkdkplj.exe
1092 | Ehgqln32.exe
2488 | Ekemhj32.exe
2380 | Eoaihhlp.exe
2136 | Eapedd32.exe
4012 | Ehimanbq.exe
4364 | Ecoangbg.exe
4648 | Eemnjbaj.exe
4680 | Ehljfnpn.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Epmmqheb.exe | Ekaapi32.exe
File created | C:\Windows\SysWOW64\Kpmdfonj.exe | Kpjgaoqm.exe
File created | C:\Windows\SysWOW64\Npiiffqe.exe | Njmqnobn.exe
File opened for modification | C:\Windows\SysWOW64\Ekpmbddq.exe | Edfdej32.exe
File created | C:\Windows\SysWOW64\Looknpmn.dll | Bpnihiio.exe
File created | C:\Windows\SysWOW64\Akcjcnpe.dll | Process not Found
File created | C:\Windows\SysWOW64\Hfnphn32.exe | Hbbdholl.exe
File created | C:\Windows\SysWOW64\Ahioknai.dll | Ndaggimg.exe
File created | C:\Windows\SysWOW64\Qoifflkg.exe | Qhonib32.exe
File created | C:\Windows\SysWOW64\Dndfnlpc.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ajaelc32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ekqckmfb.exe | Process not Found
File created | C:\Windows\SysWOW64\Gfdfgiid.exe | Gahjgj32.exe
File opened for modification | C:\Windows\SysWOW64\Fpbflg32.exe | Fmcjpl32.exe
File created | C:\Windows\SysWOW64\Fpejkd32.dll | Gihgfk32.exe
File created | C:\Windows\SysWOW64\Eddnic32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ilabfj32.dll | Blfdia32.exe
File created | C:\Windows\SysWOW64\Aaccdk32.dll | Joiccj32.exe
File opened for modification | C:\Windows\SysWOW64\Dheibpje.exe | Dkahilkl.exe
File created | C:\Windows\SysWOW64\Eifaim32.exe | Efgemb32.exe
File created | C:\Windows\SysWOW64\Cehkhecb.exe | Conclk32.exe
File created | C:\Windows\SysWOW64\Iifokh32.exe | Iejcji32.exe
File opened for modification | C:\Windows\SysWOW64\Lfhdlh32.exe | Ldjhpl32.exe
File created | C:\Windows\SysWOW64\Coohhlpe.exe | Bakgoh32.exe
File created | C:\Windows\SysWOW64\Caecnh32.dll | Process not Found
File created | C:\Windows\SysWOW64\Jclnjo32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Bjokdipf.exe | Bganhm32.exe
File opened for modification | C:\Windows\SysWOW64\Ncofplba.exe | Nmenca32.exe
File opened for modification | C:\Windows\SysWOW64\Fncibg32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Phincl32.exe | Pamiaboj.exe
File opened for modification | C:\Windows\SysWOW64\Bafndi32.exe | Bnkbcj32.exe
File created | C:\Windows\SysWOW64\Ekaapi32.exe | Ebimgcfi.exe
File opened for modification | C:\Windows\SysWOW64\Ohlqcagj.exe | Opeiadfg.exe
File opened for modification | C:\Windows\SysWOW64\Gigheh32.exe | Fmqgpgoc.exe
File opened for modification | C:\Windows\SysWOW64\Iepaaico.exe | Hemdlj32.exe
File created | C:\Windows\SysWOW64\Dbkqqe32.dll | Process not Found
File created | C:\Windows\SysWOW64\Padnaq32.exe | Process not Found
File created | C:\Windows\SysWOW64\Abemjmgg.exe | Ajneip32.exe
File opened for modification | C:\Windows\SysWOW64\Kjmfjj32.exe | Kgninn32.exe
File created | C:\Windows\SysWOW64\Ceacpg32.dll | Ipknlb32.exe
File created | C:\Windows\SysWOW64\Kaafjamj.dll | Feocelll.exe
File opened for modification | C:\Windows\SysWOW64\Padnaq32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Enigke32.exe | Dbbffdlq.exe
File created | C:\Windows\SysWOW64\Kbpkkeen.dll | Process not Found
File created | C:\Windows\SysWOW64\Khokadah.dll | Process not Found
File created | C:\Windows\SysWOW64\Qjoankoi.exe | Qdbiedpa.exe
File created | C:\Windows\SysWOW64\Igcoqocb.exe | Ifbbig32.exe
File opened for modification | C:\Windows\SysWOW64\Bgnkhg32.exe | Bcbohigp.exe
File created | C:\Windows\SysWOW64\Mobnnd32.dll | Lmmolepp.exe
File created | C:\Windows\SysWOW64\Aagkhd32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ipimhnjc.dll | Process not Found
File created | C:\Windows\SysWOW64\Ifcmmg32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Edfknb32.exe | Process not Found
File created | C:\Windows\SysWOW64\Fohoigfh.exe | Fljcmlfd.exe
File created | C:\Windows\SysWOW64\Codqon32.dll | Nilcjp32.exe
File created | C:\Windows\SysWOW64\Adopjh32.dll | Iemppiab.exe
File opened for modification | C:\Windows\SysWOW64\Adndoe32.exe | Aoalgn32.exe
File opened for modification | C:\Windows\SysWOW64\Jhifomdj.exe | Process not Found
File created | C:\Windows\SysWOW64\Bnnjen32.exe | Blpnib32.exe
File created | C:\Windows\SysWOW64\Kenggi32.exe | Kqpoakco.exe
File created | C:\Windows\SysWOW64\Kbbhqn32.exe | Kenggi32.exe
File created | C:\Windows\SysWOW64\Fbiipkjk.dll | Maggnali.exe
File created | C:\Windows\SysWOW64\Opqofe32.exe | Onocomdo.exe
File created | C:\Windows\SysWOW64\Hjqaij32.dll | Dddojq32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
15148 | 15116 | Process not Found | 1409
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fdijbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaccdk32.dll" | Joiccj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnljan.dll" | Bqmeal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gppcmeem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Clpgpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjegoo32.dll" | Hflcbngh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bffkij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ikaggmii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Onocomdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Klngdpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Llgjjnlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddanicf.dll" | Gkobjpin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Holfoqcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll" | Ndaggimg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnicah32.dll" | Npedmdab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gpelhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll" | Lmbmibhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioenpjfm.dll" | Bblnindg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fihnomjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpimfpo.dll" | Ggcfja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnndm32.dll" | Hkckeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bifmqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmoin32.dll" | Hpmpnp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Flkdfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkafocc.dll" | Ilmmni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmfklog.dll" | Ahpmjejp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbfpack.dll" | Jkhgmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Blfdia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Foabofnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifdonfka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Llhikacp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgihfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmgagf.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll" | Ipknlb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fefjfked.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gfmojenc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famcfn32.dll" | Ljaoeini.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fiaael32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoaad32.dll" | Nhpiafnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmdgelp.dll" | Dmfeidbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fpkibf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eolpmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pgihfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haplhc32.dll" | Kenggi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cbefaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll" | Fhqcam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kngcje32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gldglf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eemnjbaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiocibf.dll" | Lqkgbcff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll" | Nfcabp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ldanqkki.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mlbbkfoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Embkoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kjmfjj32.exe
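The "Adds autorun key" and "Modifies registry class" tables describe one persistence mechanism. explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts; the sample adds a value named "Web Event Logger" holding CLSID {79FAA099-1BAE-816E-D711-115290CEE717} and, in the Classes hive, points that CLSID's InProcServer32 default value at whichever DLL the current generation dropped into SysWOW64, with ThreadingModel set to Apartment. Every generation rewrites the path, which is why one CLSID ends up bound to dozens of different DLL names. Note that all of these writes land in the WOW6432Node (32-bit) registry view, which the 64-bit explorer.exe on this x64 image does not consult, so the entry is a high-confidence indicator here but would only be loaded on 32-bit Windows. The Python below is an added example, not part of the sandbox report: it parses rows copied from both tables, joins the SSODL value to the InProcServer32 registrations of its CLSID, and triages the result. BASELINE_CLSIDS (only the WebCheck CLSID) is an assumed stock baseline and must be verified against a clean reference image.

```python
"""Tie the report's ShellServiceObjectDelayLoad (SSODL) rows to the CLSID
registration that makes them load, then triage the result.

Example code added for this report, not part of the sandbox output.  The
sample rows are copied from the 'Adds autorun key' and 'Modifies registry
class' tables; BASELINE_CLSIDS is an assumption to be checked against a
clean reference image.
"""
import re
from collections import defaultdict

# Constructed sample: IoC rows copied verbatim from the report.
SAMPLE_IOCS = r'''
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gafmaj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahhblemi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gppcmeem.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdijbg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaccdk32.dll" Joiccj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnljan.dll" Bqmeal32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" Process not Found
'''

# The process column is either a single token or the literal "Process not Found".
PROC = r'(?P<proc>Process not Found|\S+)'
KEY_RE = re.compile(r'^Key created (?P<key>\S+) ' + PROC + r'$')
# name is whatever follows the last backslash before ' = "'; empty means the default value.
SET_RE = re.compile(r'^Set value \(str\) (?P<key>.+?)\\(?P<name>[^\\]*) = "(?P<value>.*)" ' + PROC + r'$')
CLSID_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32$', re.IGNORECASE)
SSODL_SUFFIX = "\\SHELLSERVICEOBJECTDELAYLOAD"


def parse_ioc(line):
    """Return (action, key, name, value, process), or None for a row in another shape."""
    m = KEY_RE.match(line)
    if m:
        return ("Key created", m["key"], None, None, m["proc"])
    m = SET_RE.match(line)
    if m:
        # The report renders path values with doubled backslashes; collapse them.
        return ("Set value", m["key"], m["name"], m["value"].replace("\\\\", "\\"), m["proc"])
    return None


def correlate(text):
    """Map each CLSID written under SSODL to the processes that wrote it and to
    every DLL its InProcServer32 default value was pointed at."""
    entries = {}                 # clsid -> {"ssodl_name", "set_by", "dlls"}
    inproc = defaultdict(list)   # upper-cased clsid -> [(dll path, process)]
    for line in text.strip().splitlines():
        rec = parse_ioc(line.strip())
        if rec is None:
            continue
        action, key, name, value, proc = rec
        if action == "Set value" and key.upper().endswith(SSODL_SUFFIX):
            e = entries.setdefault(value, {"ssodl_name": name, "set_by": [], "dlls": []})
            e["set_by"].append(proc)
        m = CLSID_RE.search(key)
        if m and action == "Set value" and name == "":
            inproc[m["clsid"].upper()].append((value, proc))
    for clsid, e in entries.items():
        e["dlls"] = inproc.get(clsid.upper(), [])
    return entries


# Assumed baseline: the SSODL CLSID an unmodified Windows 10 image carries
# (WebCheck).  Verify against a clean reference host before relying on it.
BASELINE_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}


def triage(entries, baseline=BASELINE_CLSIDS):
    """Return {clsid: [reasons]} for SSODL entries that deserve a closer look."""
    known = {b.upper() for b in baseline}
    findings = {}
    for clsid, e in entries.items():
        reasons = []
        if clsid.upper() not in known:
            reasons.append("CLSID not in SSODL baseline")
        distinct = {dll.lower() for dll, _ in e["dlls"]}
        if len(distinct) > 1:
            reasons.append(f"InProcServer32 re-pointed at {len(distinct)} different DLLs")
        if reasons:
            findings[clsid] = reasons
    return findings


if __name__ == "__main__":
    entries = correlate(SAMPLE_IOCS)
    for clsid, e in entries.items():
        print(f'SSODL "{e["ssodl_name"]}" -> {clsid} (written by {", ".join(e["set_by"])})')
        for dll, proc in e["dlls"]:
            print(f"    InProcServer32 = {dll}  (set by {proc})")
    for clsid, reasons in triage(entries).items():
        print(clsid, "->", "; ".join(reasons))
```

On a live host the same join applies to the native and WOW6432Node copies of HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and to HKCR\CLSID\<id>\InProcServer32; any CLSID outside the baseline, or whose server DLL is unsigned or sits outside the Windows directories, is worth pulling for analysis.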
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                              procid_target
PID 1936 wrote to memory of 1560   1936  4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe  82
PID 1936 wrote to memory of 1560   1936  4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe  82
PID 1936 wrote to memory of 1560   1936  4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe  82
PID 1560 wrote to memory of 1748   1560  Ahhblemi.exe                                         83
PID 1560 wrote to memory of 1748   1560  Ahhblemi.exe                                         83
PID 1560 wrote to memory of 1748   1560  Ahhblemi.exe                                         83
PID 1748 wrote to memory of 2516   1748  Aelcfilb.exe                                         84
PID 1748 wrote to memory of 2516   1748  Aelcfilb.exe                                         84
PID 1748 wrote to memory of 2516   1748  Aelcfilb.exe                                         84
PID 2516 wrote to memory of 368    2516  Ahkobekf.exe                                         85
PID 2516 wrote to memory of 368    2516  Ahkobekf.exe                                         85
PID 2516 wrote to memory of 368    2516  Ahkobekf.exe                                         85
PID 368 wrote to memory of 1228    368   Ahmlgd32.exe                                         86
PID 368 wrote to memory of 1228    368   Ahmlgd32.exe                                         86
PID 368 wrote to memory of 1228    368   Ahmlgd32.exe                                         86
PID 1228 wrote to memory of 4428   1228  Ajkhdp32.exe                                         87
PID 1228 wrote to memory of 4428   1228  Ajkhdp32.exe                                         87
PID 1228 wrote to memory of 4428   1228  Ajkhdp32.exe                                         87
PID 4428 wrote to memory of 4020   4428  Aealah32.exe                                         88
PID 4428 wrote to memory of 4020   4428  Aealah32.exe                                         88
PID 4428 wrote to memory of 4020   4428  Aealah32.exe                                         88
PID 4020 wrote to memory of 3516   4020  Ajneip32.exe                                         90
PID 4020 wrote to memory of 3516   4020  Ajneip32.exe                                         90
PID 4020 wrote to memory of 3516   4020  Ajneip32.exe                                         90
PID 3516 wrote to memory of 2316   3516  Abemjmgg.exe                                         91
PID 3516 wrote to memory of 2316   3516  Abemjmgg.exe                                         91
PID 3516 wrote to memory of 2316   3516  Abemjmgg.exe                                         91
PID 2316 wrote to memory of 3164   2316  Bdfibe32.exe                                         92
PID 2316 wrote to memory of 3164   2316  Bdfibe32.exe                                         92
PID 2316 wrote to memory of 3164   2316  Bdfibe32.exe                                         92
PID 3164 wrote to memory of 4988   3164  Bnlnon32.exe                                         94
PID 3164 wrote to memory of 4988   3164  Bnlnon32.exe                                         94
PID 3164 wrote to memory of 4988   3164  Bnlnon32.exe                                         94
PID 4988 wrote to memory of 5040   4988  Bdhfhe32.exe                                         95
PID 4988 wrote to memory of 5040   4988  Bdhfhe32.exe                                         95
PID 4988 wrote to memory of 5040   4988  Bdhfhe32.exe                                         95
PID 5040 wrote to memory of 3440   5040  Blpnib32.exe                                         96
PID 5040 wrote to memory of 3440   5040  Blpnib32.exe                                         96
PID 5040 wrote to memory of 3440   5040  Blpnib32.exe                                         96
PID 3440 wrote to memory of 3036   3440  Bnnjen32.exe                                         98
PID 3440 wrote to memory of 3036   3440  Bnnjen32.exe                                         98
PID 3440 wrote to memory of 3036   3440  Bnnjen32.exe                                         98
PID 3036 wrote to memory of 620    3036  Bdkcmdhp.exe                                         99
PID 3036 wrote to memory of 620    3036  Bdkcmdhp.exe                                         99
PID 3036 wrote to memory of 620    3036  Bdkcmdhp.exe                                         99
PID 620 wrote to memory of 224     620   Blbknaib.exe                                         100
PID 620 wrote to memory of 224     620   Blbknaib.exe                                         100
PID 620 wrote to memory of 224     620   Blbknaib.exe                                         100
PID 224 wrote to memory of 3116    224   Bejogg32.exe                                         101
PID 224 wrote to memory of 3116    224   Bejogg32.exe                                         101
PID 224 wrote to memory of 3116    224   Bejogg32.exe                                         101
PID 3116 wrote to memory of 1836   3116  Bldgdago.exe                                         102
PID 3116 wrote to memory of 1836   3116  Bldgdago.exe                                         102
PID 3116 wrote to memory of 1836   3116  Bldgdago.exe                                         102
PID 1836 wrote to memory of 8      1836  Bbnpqk32.exe                                         103
PID 1836 wrote to memory of 8      1836  Bbnpqk32.exe                                         103
PID 1836 wrote to memory of 8      1836  Bbnpqk32.exe                                         103
PID 8 wrote to memory of 3448      8     Bdolhc32.exe                                         104
PID 8 wrote to memory of 3448      8     Bdolhc32.exe                                         104
PID 8 wrote to memory of 3448      8     Bdolhc32.exe                                         104
PID 3448 wrote to memory of 4672   3448  Blfdia32.exe                                         105
PID 3448 wrote to memory of 4672   3448  Blfdia32.exe                                         105
PID 3448 wrote to memory of 4672   3448  Blfdia32.exe                                         105
PID 4672 wrote to memory of 2036   4672  Boepel32.exe                                         106
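The rows above describe one linear hand-off: every process writes into exactly one child, which is the next dropped binary, and the sandbox records each write up to three times. The following Python is an added example, not part of the sandbox report or of any tool it mentions. It parses rows in exactly the shape of the table, collapses the repeated entries, rebuilds the chain from the submitted sample's PID, and flags the chain when it relays through at least five dropped look-alike binaries. The embedded rows are copied from the table above; the five-hop threshold and the filename pattern (one capital letter plus seven lower-case letters or digits) are assumptions drawn from the names seen in this report, not a rule the report states.

```python
import re
from collections import OrderedDict

# Rows in the shape of the "wrote to memory" table (copied from this report).
# The sandbox emits each write up to three times per child; parse_rows collapses them.
REPORT_ROWS = """
PID 1936 wrote to memory of 1560 1936 4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe 82
PID 1936 wrote to memory of 1560 1936 4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe 82
PID 1936 wrote to memory of 1560 1936 4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe 82
PID 1560 wrote to memory of 1748 1560 Ahhblemi.exe 83
PID 1560 wrote to memory of 1748 1560 Ahhblemi.exe 83
PID 1748 wrote to memory of 2516 1748 Aelcfilb.exe 84
PID 2516 wrote to memory of 368 2516 Ahkobekf.exe 85
PID 368 wrote to memory of 1228 368 Ahmlgd32.exe 86
PID 1228 wrote to memory of 4428 1228 Ajkhdp32.exe 87
""".strip().splitlines()

# "PID <src> wrote to memory of <dst> <src> <Process> <procid_target>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target>\d+)$"
)

# Assumed naming pattern for the dropped binaries in this report
# (e.g. Ahhblemi.exe, Ahmlgd32.exe): one capital, then seven lower-case letters or digits.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z0-9]{7}\.exe$")


def parse_rows(rows):
    """Return unique (src_pid, dst_pid, src_image_name) edges in first-seen order."""
    edges = OrderedDict()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges.setdefault((int(m["src"]), int(m["dst"]), m["name"]), None)
    return list(edges)


def build_chain(edges, root_pid):
    """Follow src -> dst edges from root_pid.

    Returns [(pid, image_name), ...]. The table names only the writer, so the
    final process (which writes into nobody) is reported with name None.
    A linear chain is assumed: if a PID wrote into several children, only the
    last edge seen for it is followed.
    """
    by_src = {src: (dst, name) for src, dst, name in edges}
    chain, pid, visited = [], root_pid, set()
    while pid in by_src and pid not in visited:
        visited.add(pid)            # guard against cyclic or malformed input
        dst, name = by_src[pid]
        chain.append((pid, name))
        pid = dst
    chain.append((pid, None))
    return chain


def is_relay_chain(chain, min_hops=5):
    """True when the root hands off through >= min_hops dropped look-alike binaries.

    min_hops is an assumed threshold, not something the report defines.
    """
    hops = [name for _, name in chain[1:] if name is not None]
    return len(hops) >= min_hops and all(DROPPED_NAME_RE.match(n) for n in hops)


if __name__ == "__main__":
    chain = build_chain(parse_rows(REPORT_ROWS), 1936)
    for pid, name in chain:
        print(f"{pid:>5}  {name or '(no outgoing write recorded)'}")
    print("relay chain:", is_relay_chain(chain))
```

Run against a full report, the chain reconstructed here should match the nesting depths in the Processes section: the process that wrote into PID 1560 is the sample itself, the one that wrote into 1748 is Ahhblemi.exe, and so on down the tree.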
Processes
-
Each entry gives the nesting depth (1 = the submitted sample; each process starts the one below it), the PID, the image path, the command line as recorded, and the signatures that process triggered. The command lines name C:\Windows\system32, but the sample is 32-bit running on x64, so WoW64 file-system redirection resolves them to C:\Windows\SysWOW64, which is where the images actually load from.

  1  PID 1936  C:\Users\Admin\AppData\Local\Temp\4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\4f6b39fb8a105d95f0383563658010b0_NeikiAnalytics.exe"
              - Suspicious use of WriteProcessMemory
  2  PID 1560  C:\Windows\SysWOW64\Ahhblemi.exe  cmd: C:\Windows\system32\Ahhblemi.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
  3  PID 1748  C:\Windows\SysWOW64\Aelcfilb.exe  cmd: C:\Windows\system32\Aelcfilb.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
  4  PID 2516  C:\Windows\SysWOW64\Ahkobekf.exe  cmd: C:\Windows\system32\Ahkobekf.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
  5  PID 368   C:\Windows\SysWOW64\Ahmlgd32.exe  cmd: C:\Windows\system32\Ahmlgd32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
  6  PID 1228  C:\Windows\SysWOW64\Ajkhdp32.exe  cmd: C:\Windows\system32\Ajkhdp32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
  7  PID 4428  C:\Windows\SysWOW64\Aealah32.exe  cmd: C:\Windows\system32\Aealah32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
  8  PID 4020  C:\Windows\SysWOW64\Ajneip32.exe  cmd: C:\Windows\system32\Ajneip32.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
  9  PID 3516  C:\Windows\SysWOW64\Abemjmgg.exe  cmd: C:\Windows\system32\Abemjmgg.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 10  PID 2316  C:\Windows\SysWOW64\Bdfibe32.exe  cmd: C:\Windows\system32\Bdfibe32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 11  PID 3164  C:\Windows\SysWOW64\Bnlnon32.exe  cmd: C:\Windows\system32\Bnlnon32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 12  PID 4988  C:\Windows\SysWOW64\Bdhfhe32.exe  cmd: C:\Windows\system32\Bdhfhe32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 13  PID 5040  C:\Windows\SysWOW64\Blpnib32.exe  cmd: C:\Windows\system32\Blpnib32.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
 14  PID 3440  C:\Windows\SysWOW64\Bnnjen32.exe  cmd: C:\Windows\system32\Bnnjen32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 15  PID 3036  C:\Windows\SysWOW64\Bdkcmdhp.exe  cmd: C:\Windows\system32\Bdkcmdhp.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 16  PID 620   C:\Windows\SysWOW64\Blbknaib.exe  cmd: C:\Windows\system32\Blbknaib.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 17  PID 224   C:\Windows\SysWOW64\Bejogg32.exe  cmd: C:\Windows\system32\Bejogg32.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 18  PID 3116  C:\Windows\SysWOW64\Bldgdago.exe  cmd: C:\Windows\system32\Bldgdago.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 19  PID 1836  C:\Windows\SysWOW64\Bbnpqk32.exe  cmd: C:\Windows\system32\Bbnpqk32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 20  PID 8     C:\Windows\SysWOW64\Bdolhc32.exe  cmd: C:\Windows\system32\Bdolhc32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 21  PID 3448  C:\Windows\SysWOW64\Blfdia32.exe  cmd: C:\Windows\system32\Blfdia32.exe
              - Executes dropped EXE
              - Drops file in System32 directory
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
 22  PID 4672  C:\Windows\SysWOW64\Boepel32.exe  cmd: C:\Windows\system32\Boepel32.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
 23  PID 2036  C:\Windows\SysWOW64\Cacmah32.exe  cmd: C:\Windows\system32\Cacmah32.exe
              - Executes dropped EXE
 24  PID 2600  C:\Windows\SysWOW64\Cdainc32.exe  cmd: C:\Windows\system32\Cdainc32.exe
              - Executes dropped EXE
 25  PID 396   C:\Windows\SysWOW64\Cbcilkjg.exe  cmd: C:\Windows\system32\Cbcilkjg.exe
              - Executes dropped EXE
 26  PID 3796  C:\Windows\SysWOW64\Cknnpm32.exe  cmd: C:\Windows\system32\Cknnpm32.exe
              - Executes dropped EXE
 27  PID 3744  C:\Windows\SysWOW64\Cbefaj32.exe  cmd: C:\Windows\system32\Cbefaj32.exe
              - Executes dropped EXE
              - Modifies registry class
 28  PID 1476  C:\Windows\SysWOW64\Cdfbibnb.exe  cmd: C:\Windows\system32\Cdfbibnb.exe
              - Executes dropped EXE
 29  PID 1048  C:\Windows\SysWOW64\Chbnia32.exe  cmd: C:\Windows\system32\Chbnia32.exe
              - Executes dropped EXE
 30  PID 4100  C:\Windows\SysWOW64\Ckpjfm32.exe  cmd: C:\Windows\system32\Ckpjfm32.exe
              - Executes dropped EXE
 31  PID 4464  C:\Windows\SysWOW64\Cajcbgml.exe  cmd: C:\Windows\system32\Cajcbgml.exe
              - Executes dropped EXE
 32  PID 4840  C:\Windows\SysWOW64\Cdiooblp.exe  cmd: C:\Windows\system32\Cdiooblp.exe
              - Executes dropped EXE
 33  PID 2132  C:\Windows\SysWOW64\Clpgpp32.exe  cmd: C:\Windows\system32\Clpgpp32.exe
              - Executes dropped EXE
              - Modifies registry class
 34  PID 4352  C:\Windows\SysWOW64\Conclk32.exe  cmd: C:\Windows\system32\Conclk32.exe
              - Drops file in System32 directory
 35  PID 3740  C:\Windows\SysWOW64\Cehkhecb.exe  cmd: C:\Windows\system32\Cehkhecb.exe
              - Executes dropped EXE
 36  PID 3672  C:\Windows\SysWOW64\Clbceo32.exe  cmd: C:\Windows\system32\Clbceo32.exe
              - Executes dropped EXE
 37  PID 4668  C:\Windows\SysWOW64\Ckedalaj.exe  cmd: C:\Windows\system32\Ckedalaj.exe
              - Executes dropped EXE
 38  PID 4504  C:\Windows\SysWOW64\Dbllbibl.exe  cmd: C:\Windows\system32\Dbllbibl.exe
              - Executes dropped EXE
 39  PID 3992  C:\Windows\SysWOW64\Ddmhja32.exe  cmd: C:\Windows\system32\Ddmhja32.exe
              - Executes dropped EXE
 40  PID 2208  C:\Windows\SysWOW64\Dldpkoil.exe  cmd: C:\Windows\system32\Dldpkoil.exe
              - Executes dropped EXE
 41  PID 3236  C:\Windows\SysWOW64\Docmgjhp.exe  cmd: C:\Windows\system32\Docmgjhp.exe
              - Executes dropped EXE
 42  PID 2000  C:\Windows\SysWOW64\Daaicfgd.exe  cmd: C:\Windows\system32\Daaicfgd.exe
              - Executes dropped EXE
 43  PID 1436  C:\Windows\SysWOW64\Dhkapp32.exe  cmd: C:\Windows\system32\Dhkapp32.exe
              - Executes dropped EXE
 44  PID 3340  C:\Windows\SysWOW64\Dkjmlk32.exe  cmd: C:\Windows\system32\Dkjmlk32.exe
              - Executes dropped EXE
 45  PID 2592  C:\Windows\SysWOW64\Dadeieea.exe  cmd: C:\Windows\system32\Dadeieea.exe
              - Executes dropped EXE
 46  PID 3652  C:\Windows\SysWOW64\Deoaid32.exe  cmd: C:\Windows\system32\Deoaid32.exe
              - Executes dropped EXE
 47  PID 1348  C:\Windows\SysWOW64\Dkljak32.exe  cmd: C:\Windows\system32\Dkljak32.exe
              - Executes dropped EXE
 48  PID 1652  C:\Windows\SysWOW64\Dohfbj32.exe  cmd: C:\Windows\system32\Dohfbj32.exe
              - Executes dropped EXE
 49  PID 2364  C:\Windows\SysWOW64\Dafbne32.exe  cmd: C:\Windows\system32\Dafbne32.exe
              - Executes dropped EXE
 50  PID 1020  C:\Windows\SysWOW64\Dddojq32.exe  cmd: C:\Windows\system32\Dddojq32.exe
              - Executes dropped EXE
              - Drops file in System32 directory
 51  PID 1804  C:\Windows\SysWOW64\Dojcgi32.exe  cmd: C:\Windows\system32\Dojcgi32.exe
              - Executes dropped EXE
 52  PID 4036  C:\Windows\SysWOW64\Dedkdcie.exe  cmd: C:\Windows\system32\Dedkdcie.exe
              - Executes dropped EXE
 53  PID 4628  C:\Windows\SysWOW64\Eolpmi32.exe  cmd: C:\Windows\system32\Eolpmi32.exe
              - Executes dropped EXE
              - Modifies registry class
 54  PID 4696  C:\Windows\SysWOW64\Eefhjc32.exe  cmd: C:\Windows\system32\Eefhjc32.exe
              - Executes dropped EXE
 55  PID 2184  C:\Windows\SysWOW64\Ehedfo32.exe  cmd: C:\Windows\system32\Ehedfo32.exe
              - Executes dropped EXE
 56  PID 3172  C:\Windows\SysWOW64\Eoolbinc.exe  cmd: C:\Windows\system32\Eoolbinc.exe
              - Executes dropped EXE
 57  PID 2852  C:\Windows\SysWOW64\Eamhodmf.exe  cmd: C:\Windows\system32\Eamhodmf.exe
              - Executes dropped EXE
 58  PID 740   C:\Windows\SysWOW64\Edkdkplj.exe  cmd: C:\Windows\system32\Edkdkplj.exe
              - Executes dropped EXE
 59  PID 1092  C:\Windows\SysWOW64\Ehgqln32.exe  cmd: C:\Windows\system32\Ehgqln32.exe
              - Executes dropped EXE
 60  PID 2488  C:\Windows\SysWOW64\Ekemhj32.exe  cmd: C:\Windows\system32\Ekemhj32.exe
              - Executes dropped EXE
 61  PID 2380  C:\Windows\SysWOW64\Eoaihhlp.exe  cmd: C:\Windows\system32\Eoaihhlp.exe
              - Executes dropped EXE
 62  PID 2136  C:\Windows\SysWOW64\Eapedd32.exe  cmd: C:\Windows\system32\Eapedd32.exe
              - Executes dropped EXE
 63  PID 4012  C:\Windows\SysWOW64\Ehimanbq.exe  cmd: C:\Windows\system32\Ehimanbq.exe
              - Executes dropped EXE
 64  PID 4364  C:\Windows\SysWOW64\Ecoangbg.exe  cmd: C:\Windows\system32\Ecoangbg.exe
              - Executes dropped EXE
 65  PID 4648  C:\Windows\SysWOW64\Eemnjbaj.exe  cmd: C:\Windows\system32\Eemnjbaj.exe
              - Executes dropped EXE
              - Modifies registry class
 66  PID 4680  C:\Windows\SysWOW64\Ehljfnpn.exe  cmd: C:\Windows\system32\Ehljfnpn.exe
              - Executes dropped EXE
 67  PID 5028  C:\Windows\SysWOW64\Elgfgl32.exe  cmd: C:\Windows\system32\Elgfgl32.exe
 68  PID 2716  C:\Windows\SysWOW64\Eofbch32.exe  cmd: C:\Windows\system32\Eofbch32.exe
 69  PID 4572  C:\Windows\SysWOW64\Eadopc32.exe  cmd: C:\Windows\system32\Eadopc32.exe
 70  PID 1464  C:\Windows\SysWOW64\Edbklofb.exe  cmd: C:\Windows\system32\Edbklofb.exe
 71  PID 2780  C:\Windows\SysWOW64\Fljcmlfd.exe  cmd: C:\Windows\system32\Fljcmlfd.exe
              - Drops file in System32 directory
 72  PID 4416  C:\Windows\SysWOW64\Fohoigfh.exe  cmd: C:\Windows\system32\Fohoigfh.exe
 73  PID 1828  C:\Windows\SysWOW64\Fcckif32.exe  cmd: C:\Windows\system32\Fcckif32.exe
 74  PID 2004  C:\Windows\SysWOW64\Febgea32.exe  cmd: C:\Windows\system32\Febgea32.exe
 75  PID 1624  C:\Windows\SysWOW64\Fhqcam32.exe  cmd: C:\Windows\system32\Fhqcam32.exe
              - Modifies registry class
 76  PID 1556  C:\Windows\SysWOW64\Fllpbldb.exe  cmd: C:\Windows\system32\Fllpbldb.exe
 77  PID 3776  C:\Windows\SysWOW64\Fcfhof32.exe  cmd: C:\Windows\system32\Fcfhof32.exe
 78  PID 2552  C:\Windows\SysWOW64\Ffddka32.exe  cmd: C:\Windows\system32\Ffddka32.exe
 79  PID 4692  C:\Windows\SysWOW64\Fdgdgnbm.exe  cmd: C:\Windows\system32\Fdgdgnbm.exe
 80  PID 4996  C:\Windows\SysWOW64\Flnlhk32.exe  cmd: C:\Windows\system32\Flnlhk32.exe
 81  PID 4616  C:\Windows\SysWOW64\Fomhdg32.exe  cmd: C:\Windows\system32\Fomhdg32.exe
 82  PID 3184  C:\Windows\SysWOW64\Fakdpb32.exe  cmd: C:\Windows\system32\Fakdpb32.exe
 83  PID 1456  C:\Windows\SysWOW64\Fdialn32.exe  cmd: C:\Windows\system32\Fdialn32.exe
 84  PID 384   C:\Windows\SysWOW64\Flqimk32.exe  cmd: C:\Windows\system32\Flqimk32.exe
 85  PID 4700  C:\Windows\SysWOW64\Fkciihgg.exe  cmd: C:\Windows\system32\Fkciihgg.exe
 86  PID 4828  C:\Windows\SysWOW64\Fooeif32.exe  cmd: C:\Windows\system32\Fooeif32.exe
 87  PID 4172  C:\Windows\SysWOW64\Ffimfqgm.exe  cmd: C:\Windows\system32\Ffimfqgm.exe
 88  PID 3040  C:\Windows\SysWOW64\Fdlnbm32.exe  cmd: C:\Windows\system32\Fdlnbm32.exe
 89  PID 3408  C:\Windows\SysWOW64\Flceckoj.exe  cmd: C:\Windows\system32\Flceckoj.exe
 90  PID 5136  C:\Windows\SysWOW64\Foabofnn.exe  cmd: C:\Windows\system32\Foabofnn.exe
              - Modifies registry class
 91  PID 5184  C:\Windows\SysWOW64\Fcmnpe32.exe  cmd: C:\Windows\system32\Fcmnpe32.exe
 92  PID 5224  C:\Windows\SysWOW64\Ffkjlp32.exe  cmd: C:\Windows\system32\Ffkjlp32.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
 93  PID 5268  C:\Windows\SysWOW64\Glebhjlg.exe  cmd: C:\Windows\system32\Glebhjlg.exe
 94  PID 5312  C:\Windows\SysWOW64\Gbbkaako.exe  cmd: C:\Windows\system32\Gbbkaako.exe
 95  PID 5356  C:\Windows\SysWOW64\Gdqgmmjb.exe  cmd: C:\Windows\system32\Gdqgmmjb.exe
 96  PID 5400  C:\Windows\SysWOW64\Glhonj32.exe  cmd: C:\Windows\system32\Glhonj32.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
 97  PID 5440  C:\Windows\SysWOW64\Gkkojgao.exe  cmd: C:\Windows\system32\Gkkojgao.exe
 98  PID 5484  C:\Windows\SysWOW64\Gcagkdba.exe  cmd: C:\Windows\system32\Gcagkdba.exe
 99  PID 5528  C:\Windows\SysWOW64\Gbdgfa32.exe  cmd: C:\Windows\system32\Gbdgfa32.exe
100  PID 5572  C:\Windows\SysWOW64\Gfpcgpae.exe  cmd: C:\Windows\system32\Gfpcgpae.exe
101  PID 5612  C:\Windows\SysWOW64\Gdcdbl32.exe  cmd: C:\Windows\system32\Gdcdbl32.exe
102  PID 5648  C:\Windows\SysWOW64\Ghopckpi.exe  cmd: C:\Windows\system32\Ghopckpi.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
103  PID 5700  C:\Windows\SysWOW64\Gmjlcj32.exe  cmd: C:\Windows\system32\Gmjlcj32.exe
104  PID 5740  C:\Windows\SysWOW64\Gohhpe32.exe  cmd: C:\Windows\system32\Gohhpe32.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
105  PID 5776  C:\Windows\SysWOW64\Gcddpdpo.exe  cmd: C:\Windows\system32\Gcddpdpo.exe
106  PID 5828  C:\Windows\SysWOW64\Gfbploob.exe  cmd: C:\Windows\system32\Gfbploob.exe
107  PID 5868  C:\Windows\SysWOW64\Gdeqhl32.exe  cmd: C:\Windows\system32\Gdeqhl32.exe
108  PID 5916  C:\Windows\SysWOW64\Ghaliknf.exe  cmd: C:\Windows\system32\Ghaliknf.exe
109  PID 5952  C:\Windows\SysWOW64\Gmlhii32.exe  cmd: C:\Windows\system32\Gmlhii32.exe
110  PID 6000  C:\Windows\SysWOW64\Gokdeeec.exe  cmd: C:\Windows\system32\Gokdeeec.exe
111  PID 6036  C:\Windows\SysWOW64\Gcfqfc32.exe  cmd: C:\Windows\system32\Gcfqfc32.exe
112  PID 6088  C:\Windows\SysWOW64\Gbiaapdf.exe  cmd: C:\Windows\system32\Gbiaapdf.exe
113  PID 6124  C:\Windows\SysWOW64\Gdhmnlcj.exe  cmd: C:\Windows\system32\Gdhmnlcj.exe
114  PID 5144  C:\Windows\SysWOW64\Gicinj32.exe  cmd: C:\Windows\system32\Gicinj32.exe
115  PID 5220  C:\Windows\SysWOW64\Gmoeoidl.exe  cmd: C:\Windows\system32\Gmoeoidl.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
116  PID 5276  C:\Windows\SysWOW64\Gomakdcp.exe  cmd: C:\Windows\system32\Gomakdcp.exe
117  PID 5332  C:\Windows\SysWOW64\Gblngpbd.exe  cmd: C:\Windows\system32\Gblngpbd.exe
118  PID 5392  C:\Windows\SysWOW64\Gfgjgo32.exe  cmd: C:\Windows\system32\Gfgjgo32.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
119  PID 5476  C:\Windows\SysWOW64\Hiefcj32.exe  cmd: C:\Windows\system32\Hiefcj32.exe
120  PID 5516  C:\Windows\SysWOW64\Hkdbpe32.exe  cmd: C:\Windows\system32\Hkdbpe32.exe
121  PID 5552  C:\Windows\SysWOW64\Hopnqdan.exe  cmd: C:\Windows\system32\Hopnqdan.exe
122  PID 5636  C:\Windows\SysWOW64\Hbnjmp32.exe  cmd: C:\Windows\system32\Hbnjmp32.exe