Analysis
-
max time kernel
146s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15/05/2024, 15:49
Behavioral task
behavioral1
Sample
d939253a5b46fc7e1b1eb41c8bd30ca0_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d939253a5b46fc7e1b1eb41c8bd30ca0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d939253a5b46fc7e1b1eb41c8bd30ca0_NeikiAnalytics.exe
-
Size
669KB
-
MD5
d939253a5b46fc7e1b1eb41c8bd30ca0
-
SHA1
21ff05a70c4e9c591a7ab3379eea22b2c5a6e97a
-
SHA256
fa34762b06869475c4e8614b6cd24945b318944e7cba833ba2d7b932ab706d5d
-
SHA512
321325b9c17e1f272b89c3643958eb9f757305de424613728f101d0a90170f1f907474aa126579f70ac9164cc51e3062f469b4b458fede67e7f5b2d34037b220
-
SSDEEP
12288:1Oy2qeVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:Qy2VchMpQnqrdX72LbY6x46uR/qYglMi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmppcbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Medgncoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fojlngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhjfhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igmagnkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhonib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocdqjceo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ploknb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biogppeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fooeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgokmgjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elbhjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplicjok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflfac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnkkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efgemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafdkmap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddinf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcbihpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahippdbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohhpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhoipb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Milidebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmagnkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaehljpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnqfcbnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kechmoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehjlaaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kijchhbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgpkonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oekiqccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmpqfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihnomjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbileede.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfoplpla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpmoiof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgcih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhddjfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kechmoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbiaapdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgljmcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbfgppo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnphmkji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhglj32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0006000000022fa8-6.dat family_berbew behavioral2/files/0x000700000002349b-15.dat family_berbew behavioral2/files/0x000700000002349d-23.dat family_berbew behavioral2/files/0x00070000000234a1-33.dat family_berbew behavioral2/files/0x00070000000234a1-39.dat family_berbew behavioral2/files/0x00070000000234a3-45.dat family_berbew behavioral2/files/0x000700000002349f-31.dat family_berbew behavioral2/files/0x00070000000234a5-54.dat family_berbew behavioral2/files/0x00070000000234a7-62.dat family_berbew behavioral2/files/0x00070000000234a9-70.dat family_berbew behavioral2/files/0x0009000000023493-78.dat family_berbew behavioral2/files/0x00070000000234ac-86.dat family_berbew behavioral2/files/0x00070000000234ae-89.dat family_berbew behavioral2/files/0x00070000000234ae-94.dat family_berbew behavioral2/files/0x00070000000234b0-102.dat family_berbew behavioral2/files/0x00070000000234b2-110.dat family_berbew behavioral2/files/0x00070000000234b4-118.dat family_berbew behavioral2/files/0x00070000000234b7-126.dat family_berbew behavioral2/files/0x00070000000234b9-128.dat family_berbew behavioral2/files/0x00070000000234bb-142.dat family_berbew behavioral2/files/0x00070000000234bd-150.dat family_berbew behavioral2/files/0x00070000000234bf-159.dat family_berbew behavioral2/files/0x00070000000234c1-166.dat family_berbew behavioral2/files/0x00070000000234d1-221.dat family_berbew behavioral2/files/0x00070000000234d5-236.dat family_berbew behavioral2/files/0x00070000000234d7-243.dat family_berbew behavioral2/files/0x00070000000234d3-229.dat family_berbew behavioral2/files/0x00070000000234cf-215.dat family_berbew behavioral2/files/0x00070000000234cd-208.dat family_berbew behavioral2/files/0x00070000000234cb-201.dat family_berbew behavioral2/files/0x00070000000234c9-194.dat family_berbew behavioral2/files/0x00070000000234c7-187.dat family_berbew behavioral2/files/0x00070000000234c5-180.dat family_berbew behavioral2/files/0x00070000000234c3-173.dat family_berbew behavioral2/files/0x0007000000023573-718.dat family_berbew behavioral2/files/0x000700000002358b-791.dat family_berbew behavioral2/files/0x000700000002358f-803.dat family_berbew behavioral2/files/0x00070000000235c7-971.dat family_berbew behavioral2/files/0x00070000000235cf-995.dat family_berbew behavioral2/files/0x00070000000235fb-1145.dat family_berbew behavioral2/files/0x000700000002361e-1256.dat family_berbew behavioral2/files/0x0007000000023622-1271.dat family_berbew behavioral2/files/0x0007000000023626-1285.dat family_berbew behavioral2/files/0x0007000000023629-1298.dat family_berbew behavioral2/files/0x0007000000023635-1341.dat family_berbew behavioral2/files/0x000700000002363a-1360.dat family_berbew behavioral2/files/0x0007000000023642-1385.dat family_berbew behavioral2/files/0x0007000000023646-1397.dat family_berbew behavioral2/files/0x0007000000023648-1404.dat family_berbew behavioral2/files/0x000700000002364e-1422.dat family_berbew behavioral2/files/0x0007000000023651-1435.dat family_berbew behavioral2/files/0x0007000000023655-1448.dat family_berbew behavioral2/files/0x0007000000023663-1493.dat family_berbew behavioral2/files/0x0007000000023669-1513.dat family_berbew behavioral2/files/0x0007000000023683-1591.dat family_berbew behavioral2/files/0x000700000002368f-1632.dat family_berbew behavioral2/files/0x0007000000023699-1664.dat family_berbew behavioral2/files/0x00070000000236a8-1711.dat family_berbew behavioral2/files/0x00070000000236b4-1753.dat family_berbew behavioral2/files/0x00070000000236b8-1768.dat family_berbew behavioral2/files/0x00070000000236c9-1837.dat family_berbew behavioral2/files/0x00070000000236cb-1846.dat family_berbew behavioral2/files/0x00070000000236cf-1861.dat family_berbew behavioral2/files/0x00070000000236d1-1870.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2972 Bjghpn32.exe 2652 Baaplhef.exe 4816 Bdolhc32.exe 4552 Cojjqlpk.exe 4216 Cahfmgoo.exe 3416 Cdfbibnb.exe 4116 Cdkldb32.exe 2268 Clbceo32.exe 2376 Daaicfgd.exe 636 Dlijfneg.exe 2984 Dhpjkojk.exe 1760 Ddgkpp32.exe 5100 Ecjhcg32.exe 2988 Ehgqln32.exe 2644 Ednaqo32.exe 4676 Ekjfcipa.exe 2288 Eadopc32.exe 1160 Ehnglm32.exe 4948 Fhqcam32.exe 3836 Fojlngce.exe 1372 Faihkbci.exe 2896 Fkalchij.exe 4792 Fchddejl.exe 2124 Ffgqqaip.exe 940 Fdialn32.exe 4492 Flqimk32.exe 688 Fooeif32.exe 2668 Fckajehi.exe 2772 Ffimfqgm.exe 3144 Fhgjblfq.exe 4888 Fkffog32.exe 4512 Foabofnn.exe 4652 Fbpnkama.exe 3168 Fdnjgmle.exe 5072 Fhjfhl32.exe 4292 Gkhbdg32.exe 472 Gcojed32.exe 1584 Gbbkaako.exe 2976 Gdqgmmjb.exe 408 Ghlcnk32.exe 3468 Gkkojgao.exe 752 Gcagkdba.exe 900 Gbdgfa32.exe 4016 Gdcdbl32.exe 1392 Ghopckpi.exe 3064 Gkmlofol.exe 1032 Gohhpe32.exe 3644 Gbgdlq32.exe 4488 Gdeqhl32.exe 2004 Gmlhii32.exe 3412 Gokdeeec.exe 2732 Gbiaapdf.exe 4800 Gdhmnlcj.exe 3172 Gmoeoidl.exe 2336 Gkaejf32.exe 1972 Gcimkc32.exe 4364 Gfgjgo32.exe 3608 Gdjjckag.exe 3988 Hmabdibj.exe 4232 Hopnqdan.exe 2152 Hbnjmp32.exe 5064 Helfik32.exe 2012 Hmcojh32.exe 1896 Hkfoeega.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hakgmjoh.exe Goljqnpd.exe File created C:\Windows\SysWOW64\Hdpiid32.exe Hbbmmi32.exe File opened for modification C:\Windows\SysWOW64\Afelhf32.exe Qlmgopjq.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Igpdfb32.exe File created C:\Windows\SysWOW64\Jioaqfcc.exe Jedeph32.exe File opened for modification C:\Windows\SysWOW64\Bgpgng32.exe Bqfoamfj.exe File created C:\Windows\SysWOW64\Jpmgll32.dll Igchfiof.exe File created C:\Windows\SysWOW64\Jipegn32.dll Eblimcdf.exe File opened for modification C:\Windows\SysWOW64\Dddllkbf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nbadcpbh.exe Nlglfe32.exe File created C:\Windows\SysWOW64\Pjkakfla.dll Process not Found File created C:\Windows\SysWOW64\Lgmngglp.exe Lpcfkm32.exe File created C:\Windows\SysWOW64\Ahchda32.exe Afelhf32.exe File created C:\Windows\SysWOW64\Hcmbee32.exe Hmpjmn32.exe File opened for modification C:\Windows\SysWOW64\Hfhgkmpj.exe Hoaojp32.exe File created C:\Windows\SysWOW64\Abbkcpma.exe Aleckinj.exe File created C:\Windows\SysWOW64\Klqcmdnk.dll Hffken32.exe File created C:\Windows\SysWOW64\Bhqndghj.dll Process not Found File created C:\Windows\SysWOW64\Hjjdjk32.dll Bmpcfdmg.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Process not Found File created C:\Windows\SysWOW64\Ooajidfn.dll Jeaikh32.exe File opened for modification C:\Windows\SysWOW64\Mgaokl32.exe Maggnali.exe File created C:\Windows\SysWOW64\Dokgdkeh.exe Chqogq32.exe File created C:\Windows\SysWOW64\Ehnglm32.exe Eadopc32.exe File opened for modification C:\Windows\SysWOW64\Bajqda32.exe Process not Found File created C:\Windows\SysWOW64\Jnpnbg32.dll Cgndoeag.exe File opened for modification C:\Windows\SysWOW64\Opqofe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Adikdfna.exe Aolblopj.exe File created C:\Windows\SysWOW64\Eleqaiga.dll Process not Found File created C:\Windows\SysWOW64\Jqdoem32.exe Jkhgmf32.exe File opened for modification C:\Windows\SysWOW64\Jkaicd32.exe Jgenbfoa.exe File created C:\Windows\SysWOW64\Faikapbo.dll Akcjkfij.exe File opened for modification C:\Windows\SysWOW64\Cihclh32.exe Bbnkonbd.exe File created C:\Windows\SysWOW64\Ocdglf32.dll Ndflak32.exe File created C:\Windows\SysWOW64\Gdqfah32.dll Cdfbibnb.exe File created C:\Windows\SysWOW64\Kngcje32.exe Klifnj32.exe File created C:\Windows\SysWOW64\Ojaelm32.exe Ogbipa32.exe File opened for modification C:\Windows\SysWOW64\Imiehfao.exe Ifomll32.exe File opened for modification C:\Windows\SysWOW64\Lpbopfag.exe Lemkcnaa.exe File created C:\Windows\SysWOW64\Kgipcogp.exe Knalji32.exe File created C:\Windows\SysWOW64\Bmijpchc.dll Process not Found File created C:\Windows\SysWOW64\Bjmnoi32.exe Aminee32.exe File opened for modification C:\Windows\SysWOW64\Bppfmigl.exe Bgeaifia.exe File opened for modification C:\Windows\SysWOW64\Mfqlfb32.exe Process not Found File created C:\Windows\SysWOW64\Ojenek32.dll Process not Found File created C:\Windows\SysWOW64\Bogkmgba.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cdkldb32.exe Cdfbibnb.exe File created C:\Windows\SysWOW64\Qqffjo32.exe Qhonib32.exe File created C:\Windows\SysWOW64\Lbgalmej.exe Kjpijpdg.exe File created C:\Windows\SysWOW64\Klplbbaq.dll Oelolmnd.exe File created C:\Windows\SysWOW64\Bhnikc32.exe Badanigc.exe File opened for modification C:\Windows\SysWOW64\Jfgdkd32.exe Jpmlnjco.exe File created C:\Windows\SysWOW64\Dmjhenbq.dll Kechmoil.exe File created C:\Windows\SysWOW64\Blciboie.dll Pldcjeia.exe File opened for modification C:\Windows\SysWOW64\Pfiddm32.exe Process not Found File created C:\Windows\SysWOW64\Knghil32.dll Emnbdioi.exe File created C:\Windows\SysWOW64\Fbajbi32.exe Fpbmfn32.exe File created C:\Windows\SysWOW64\Ngqagcag.exe Process not Found File created C:\Windows\SysWOW64\Hccdbf32.dll Process not Found File created C:\Windows\SysWOW64\Pffgom32.exe Process not Found File created C:\Windows\SysWOW64\Ildkgc32.exe Iifokh32.exe File created C:\Windows\SysWOW64\Kpjcdn32.exe Kmkfhc32.exe File created C:\Windows\SysWOW64\Bdffhl32.dll Cflkpblf.exe File created C:\Windows\SysWOW64\Kglmio32.exe Kdmqmc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11516 11472 Process not Found 1306 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdahg32.dll" Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll" Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmipen.dll" Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfggeba.dll" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll" Hmjdjgjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll" Pqbdjfln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipejo32.dll" Cabomkll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jglklggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabjq32.dll" Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aggegh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcpel32.dll" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpqodfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll" Glkmmefl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fajnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiebmc32.dll" Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhobd32.dll" Albpkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlpkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehgqln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnofdl32.dll" Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Njpdnedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgekdpbp.dll" Oondnini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" Gokdeeec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll" Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjehmfch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmbmibhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll" Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" Onhhamgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iickkbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bohibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpiljh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhicpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkhjph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fealin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kndojobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghka32.dll" Flngfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Badanigc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhkccfn.dll" Jpmlnjco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epjajeqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalebkhm.dll" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npedmdab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndfqbhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpplna32.dll" Bjfjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imkbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3948 wrote to memory of 2972 3948 d939253a5b46fc7e1b1eb41c8bd30ca0_NeikiAnalytics.exe 84 PID 3948 wrote to memory of 2972 3948 d939253a5b46fc7e1b1eb41c8bd30ca0_NeikiAnalytics.exe 84 PID 3948 wrote to memory of 2972 3948 d939253a5b46fc7e1b1eb41c8bd30ca0_NeikiAnalytics.exe 84 PID 2972 wrote to memory of 2652 2972 Bjghpn32.exe 85 PID 2972 wrote to memory of 2652 2972 Bjghpn32.exe 85 PID 2972 wrote to memory of 2652 2972 Bjghpn32.exe 85 PID 2652 wrote to memory of 4816 2652 Baaplhef.exe 86 PID 2652 wrote to memory of 4816 2652 Baaplhef.exe 86 PID 2652 wrote to memory of 4816 2652 Baaplhef.exe 86 PID 4816 wrote to memory of 4552 4816 Bdolhc32.exe 87 PID 4816 wrote to memory of 4552 4816 Bdolhc32.exe 87 PID 4816 wrote to memory of 4552 4816 Bdolhc32.exe 87 PID 4552 wrote to memory of 4216 4552 Cojjqlpk.exe 88 PID 4552 wrote to memory of 4216 4552 Cojjqlpk.exe 88 PID 4552 wrote to memory of 4216 4552 Cojjqlpk.exe 88 PID 4216 wrote to memory of 3416 4216 Cahfmgoo.exe 89 PID 4216 wrote to memory of 3416 4216 Cahfmgoo.exe 89 PID 4216 wrote to memory of 3416 4216 Cahfmgoo.exe 89 PID 3416 wrote to memory of 4116 3416 Cdfbibnb.exe 90 PID 3416 wrote to memory of 4116 3416 Cdfbibnb.exe 90 PID 3416 wrote to memory of 4116 3416 Cdfbibnb.exe 90 PID 4116 wrote to memory of 2268 4116 Cdkldb32.exe 91 PID 4116 wrote to memory of 2268 4116 Cdkldb32.exe 91 PID 4116 wrote to memory of 2268 4116 Cdkldb32.exe 91 PID 2268 wrote to memory of 2376 2268 Clbceo32.exe 92 PID 2268 wrote to memory of 2376 2268 Clbceo32.exe 92 PID 2268 wrote to memory of 2376 2268 Clbceo32.exe 92 PID 2376 wrote to memory of 636 2376 Daaicfgd.exe 93 PID 2376 wrote to memory of 636 2376 Daaicfgd.exe 93 PID 2376 wrote to memory of 636 2376 Daaicfgd.exe 93 PID 636 wrote to memory of 2984 636 Dlijfneg.exe 94 PID 636 wrote to memory of 2984 636 Dlijfneg.exe 94 PID 636 wrote to memory of 2984 636 Dlijfneg.exe 94 PID 2984 wrote to memory of 1760 2984 Dhpjkojk.exe 95 PID 2984 wrote to memory of 1760 2984 Dhpjkojk.exe 95 PID 2984 wrote to memory of 1760 2984 Dhpjkojk.exe 95 PID 1760 wrote to memory of 5100 1760 Ddgkpp32.exe 96 PID 1760 wrote to memory of 5100 1760 Ddgkpp32.exe 96 PID 1760 wrote to memory of 5100 1760 Ddgkpp32.exe 96 PID 5100 wrote to memory of 2988 5100 Ecjhcg32.exe 98 PID 5100 wrote to memory of 2988 5100 Ecjhcg32.exe 98 PID 5100 wrote to memory of 2988 5100 Ecjhcg32.exe 98 PID 2988 wrote to memory of 2644 2988 Ehgqln32.exe 99 PID 2988 wrote to memory of 2644 2988 Ehgqln32.exe 99 PID 2988 wrote to memory of 2644 2988 Ehgqln32.exe 99 PID 2644 wrote to memory of 4676 2644 Ednaqo32.exe 100 PID 2644 wrote to memory of 4676 2644 Ednaqo32.exe 100 PID 2644 wrote to memory of 4676 2644 Ednaqo32.exe 100 PID 4676 wrote to memory of 2288 4676 Ekjfcipa.exe 102 PID 4676 wrote to memory of 2288 4676 Ekjfcipa.exe 102 PID 4676 wrote to memory of 2288 4676 Ekjfcipa.exe 102 PID 2288 wrote to memory of 1160 2288 Eadopc32.exe 103 PID 2288 wrote to memory of 1160 2288 Eadopc32.exe 103 PID 2288 wrote to memory of 1160 2288 Eadopc32.exe 103 PID 1160 wrote to memory of 4948 1160 Ehnglm32.exe 104 PID 1160 wrote to memory of 4948 1160 Ehnglm32.exe 104 PID 1160 wrote to memory of 4948 1160 Ehnglm32.exe 104 PID 4948 wrote to memory of 3836 4948 Fhqcam32.exe 105 PID 4948 wrote to memory of 3836 4948 Fhqcam32.exe 105 PID 4948 wrote to memory of 3836 4948 Fhqcam32.exe 105 PID 3836 wrote to memory of 1372 3836 Fojlngce.exe 106 PID 3836 wrote to memory of 1372 3836 Fojlngce.exe 106 PID 3836 wrote to memory of 1372 3836 Fojlngce.exe 106 PID 1372 wrote to memory of 2896 1372 Faihkbci.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\d939253a5b46fc7e1b1eb41c8bd30ca0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d939253a5b46fc7e1b1eb41c8bd30ca0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe23⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe24⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe25⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe26⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe27⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe29⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe30⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe31⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe32⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe33⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe34⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe35⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe37⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe38⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe39⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe40⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe41⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe42⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe43⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe44⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe45⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe46⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe47⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe49⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe50⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe51⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3412 -
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe54⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe55⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe56⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe57⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe58⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe59⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe60⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe61⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe62⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe63⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe64⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe65⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe66⤵PID:1848
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe67⤵PID:3268
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe68⤵PID:3052
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe69⤵PID:4832
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe70⤵PID:5116
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe71⤵PID:220
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe72⤵PID:3688
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe73⤵PID:4840
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe74⤵PID:3848
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe75⤵PID:3732
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe76⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe77⤵PID:3420
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe78⤵PID:3792
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe79⤵PID:352
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe80⤵PID:5032
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe81⤵PID:1932
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe82⤵
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe83⤵PID:5168
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe84⤵
- Drops file in System32 directory
PID:5204 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe85⤵PID:5244
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe86⤵PID:5280
-
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe87⤵PID:5320
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe88⤵PID:5368
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe89⤵PID:5412
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe90⤵PID:5448
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe91⤵PID:5488
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe92⤵PID:5524
-
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe93⤵PID:5560
-
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe94⤵PID:5592
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe95⤵PID:5628
-
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe96⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe97⤵PID:5700
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe98⤵PID:5736
-
C:\Windows\SysWOW64\Jpgmha32.exeC:\Windows\system32\Jpgmha32.exe99⤵PID:5772
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808 -
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe101⤵PID:5844
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe102⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe103⤵PID:5916
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe104⤵PID:5952
-
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe105⤵PID:5988
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe106⤵PID:6024
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe108⤵PID:6096
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe109⤵
- Modifies registry class
PID:5140 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe110⤵PID:516
-
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe111⤵PID:5428
-
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe112⤵PID:5476
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe113⤵
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe114⤵PID:5588
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe115⤵PID:5660
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe116⤵PID:2744
-
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe117⤵PID:5732
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe118⤵PID:5900
-
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe120⤵PID:5756
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-