Analysis
max time kernel: 156s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 16/05/2024, 16:26
Behavioral task: behavioral1
Sample: e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe
Size: 368KB
MD5: e517aa79eec7ba3386add8775ec069b0
SHA1: 8122455ed2abbf4d84653f280bd44a7b140b5bd5
SHA256: 388d50abe44e90db3cc5e5f2b6d3d79776ec74d4fa7024390f1f0c70f427894f
SHA512: af7c03d7e3bff25b289588df7331a4266daa18d5a7b9aca20f78aa19729ccc57dc9fa89a7060dccf95e5efde50b5c4f07369416d2a4cf6b7c6fc4d8b055c2d5a
SSDEEP: 6144:6LjGtaZSD0nQKGWrlTjZXvEQo9dfJBEdKFckUQ/4TIHD4xutM3VOEIuV5t6R+0IY:VaZSD0uaT9XvEhdfJkKSkU3kHyuaRB54
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cmpcdfll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pjpokm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qofjjb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlldaape.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlcjaq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flfjdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Plapdb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkhpmigp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Linmlm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nklbfaae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pomgcc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnjkbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ncpelbap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ankdbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Diafkl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahofidlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hpiemj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cdiohhbm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lldfcn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmgecn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkqepi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhaeli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pnjeqbkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pggbdgmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jehcfj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gemkobia.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebnocpfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kjeiij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mlhidg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhdbdgjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fbomfokl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dfcqjg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jchaoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olfolp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alimnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ilpaei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Megdmhbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bebbeh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgkeep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gdleap32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehkcgkdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jfpocjfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kelaef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nglhei32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgkfqgce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bhaeli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kppphe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaonccme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kpjgjefj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aedfdjdl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdpgen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hdmecdlh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pmgcidqm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aclpkffa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cobciblp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dejamdca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ibkpmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dhnlapbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhnkppbf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bibpkiie.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oooodcci.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqgmgq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndbefkjk.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x000800000002326c-6.dat | family_berbew
behavioral2/files/0x0008000000023274-14.dat | family_berbew
behavioral2/files/0x0007000000023276-22.dat | family_berbew
behavioral2/files/0x0007000000023278-30.dat | family_berbew
behavioral2/files/0x000700000002327a-38.dat | family_berbew
behavioral2/files/0x000700000002327c-47.dat | family_berbew
behavioral2/files/0x000700000002327e-54.dat | family_berbew
behavioral2/files/0x0007000000023282-62.dat | family_berbew
behavioral2/files/0x0007000000023285-70.dat | family_berbew
behavioral2/files/0x0007000000023287-78.dat | family_berbew
behavioral2/files/0x000800000002328a-81.dat | family_berbew
behavioral2/files/0x000800000002328a-86.dat | family_berbew
behavioral2/files/0x000700000002328c-94.dat | family_berbew
behavioral2/files/0x000700000002328e-97.dat | family_berbew
behavioral2/files/0x0007000000023291-110.dat | family_berbew
behavioral2/files/0x0007000000023299-117.dat | family_berbew
behavioral2/files/0x000700000002329e-121.dat | family_berbew
behavioral2/files/0x000700000002329e-126.dat | family_berbew
behavioral2/files/0x00070000000232a0-133.dat | family_berbew
behavioral2/files/0x0008000000023295-142.dat | family_berbew
behavioral2/files/0x0008000000023297-145.dat | family_berbew
behavioral2/files/0x000800000002329a-154.dat | family_berbew
behavioral2/files/0x00070000000232a3-166.dat | family_berbew
behavioral2/files/0x00070000000232a5-174.dat | family_berbew
behavioral2/files/0x00070000000232a7-182.dat | family_berbew
behavioral2/files/0x00070000000232a9-190.dat | family_berbew
behavioral2/files/0x00070000000232ab-197.dat | family_berbew
behavioral2/files/0x00070000000232ad-206.dat | family_berbew
behavioral2/files/0x00070000000232af-214.dat | family_berbew
behavioral2/files/0x00070000000232b1-222.dat | family_berbew
behavioral2/files/0x00070000000232b3-230.dat | family_berbew
behavioral2/files/0x00070000000232b5-238.dat | family_berbew
behavioral2/files/0x00070000000232b7-246.dat | family_berbew
behavioral2/files/0x00070000000232b9-254.dat | family_berbew
behavioral2/files/0x00070000000232bf-269.dat | family_berbew
behavioral2/files/0x00070000000232cd-311.dat | family_berbew
behavioral2/files/0x00070000000232d1-323.dat | family_berbew
behavioral2/files/0x00070000000232d5-335.dat | family_berbew
behavioral2/files/0x00070000000232dd-359.dat | family_berbew
behavioral2/files/0x000200000001e32b-377.dat | family_berbew
behavioral2/files/0x00070000000232f4-425.dat | family_berbew
behavioral2/files/0x00070000000232fa-443.dat | family_berbew
behavioral2/files/0x00070000000232fe-455.dat | family_berbew
behavioral2/files/0x0007000000023308-486.dat | family_berbew
behavioral2/files/0x0007000000023310-510.dat | family_berbew
behavioral2/files/0x0007000000023318-534.dat | family_berbew
behavioral2/files/0x0007000000023322-569.dat | family_berbew
behavioral2/files/0x0007000000023330-615.dat | family_berbew
behavioral2/files/0x000700000002333f-664.dat | family_berbew
behavioral2/files/0x0007000000023357-748.dat | family_berbew
behavioral2/files/0x000700000002335b-762.dat | family_berbew
behavioral2/files/0x0007000000023378-852.dat | family_berbew
behavioral2/files/0x000700000002337c-866.dat | family_berbew
behavioral2/files/0x0007000000023392-943.dat | family_berbew
behavioral2/files/0x0007000000023394-951.dat | family_berbew
behavioral2/files/0x00070000000233b3-1039.dat | family_berbew
behavioral2/files/0x00080000000233ba-1060.dat | family_berbew
behavioral2/files/0x00070000000233c6-1102.dat | family_berbew
behavioral2/files/0x00070000000233ce-1129.dat | family_berbew
behavioral2/files/0x00070000000233d6-1157.dat | family_berbew
behavioral2/files/0x00070000000233e8-1226.dat | family_berbew
behavioral2/files/0x00070000000233f4-1267.dat | family_berbew
behavioral2/files/0x00070000000233fb-1295.dat | family_berbew
behavioral2/files/0x0007000000023401-1316.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
3164 | Mllccpfj.exe
3704 | Nkjckkcg.exe
1608 | Ochamg32.exe
1460 | Pilpfm32.exe
1128 | Pkoemhao.exe
4676 | Qihoak32.exe
3756 | Abpcja32.exe
408 | Bcicjbal.exe
1104 | Cmpcdfll.exe
4084 | Cpcila32.exe
4016 | Dlqpaafg.exe
2656 | Eljchpnl.exe
2212 | Eibmlc32.exe
3128 | Fgkfqgce.exe
4428 | Gnckooob.exe
4508 | Icnphd32.exe
2028 | Ifaepolg.exe
60 | Jfkhfmdm.exe
1880 | Kceoppmo.exe
2820 | Ljijci32.exe
4500 | Lmjcdd32.exe
4156 | Mehafq32.exe
4204 | Mhhjhlqm.exe
228 | Meadlo32.exe
3596 | Necqbo32.exe
2000 | Nehjmnei.exe
1960 | Nkjlqd32.exe
1768 | Ogjpld32.exe
2440 | Qnpgdmjd.exe
3424 | Qhghge32.exe
1808 | Anfmeldl.exe
380 | Bbniai32.exe
640 | Blkgen32.exe
3276 | Clmckmcq.exe
3976 | Cpklql32.exe
2104 | Cicqja32.exe
180 | Cblebgfh.exe
3484 | Chinkndp.exe
2076 | Dbckcf32.exe
1148 | Diopep32.exe
1832 | Diamko32.exe
736 | Ebokodfc.exe
4232 | Ehkcgkdj.exe
212 | Ebcdjc32.exe
4420 | Ebeapc32.exe
688 | Fempbm32.exe
4800 | Ggoiap32.exe
3852 | Glqkefff.exe
1924 | Gjdknjep.exe
4716 | Geklckkd.exe
2672 | Hjieii32.exe
3880 | Hgbonm32.exe
4424 | Iobmmoed.exe
2828 | Ifqoehhl.exe
1644 | Igpkok32.exe
5044 | Jcgldl32.exe
2972 | Jgedjjki.exe
2088 | Kfaglf32.exe
2260 | Decmjjie.exe
4632 | Fhflhcfa.exe
624 | Facjlhil.exe
2340 | Gehice32.exe
2716 | Hiinoc32.exe
4068 | Hhnkppbf.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Jfeoip32.exe | Jianpl32.exe
File created | C:\Windows\SysWOW64\Fhpmql32.exe | Fgppgi32.exe
File created | C:\Windows\SysWOW64\Jpdhan32.dll | Jjlmmbfo.exe
File opened for modification | C:\Windows\SysWOW64\Fppjpmim.exe | Fnpmej32.exe
File created | C:\Windows\SysWOW64\Ilepmjdo.exe | Hblkddmn.exe
File opened for modification | C:\Windows\SysWOW64\Obanqgkl.exe | Okgfdm32.exe
File opened for modification | C:\Windows\SysWOW64\Joahop32.exe | Jehcfj32.exe
File opened for modification | C:\Windows\SysWOW64\Mhenpk32.exe | Mgebfhcl.exe
File opened for modification | C:\Windows\SysWOW64\Mgdklb32.exe | Mnlfclip.exe
File opened for modification | C:\Windows\SysWOW64\Cbcieqpd.exe | Cdaigi32.exe
File created | C:\Windows\SysWOW64\Eilgkh32.dll | Lbabpn32.exe
File opened for modification | C:\Windows\SysWOW64\Emniheha.exe | Ehappnjj.exe
File opened for modification | C:\Windows\SysWOW64\Nlnbqjjq.exe | Nedjdp32.exe
File opened for modification | C:\Windows\SysWOW64\Pilpfm32.exe | Ochamg32.exe
File opened for modification | C:\Windows\SysWOW64\Lldfcn32.exe | Lejngd32.exe
File opened for modification | C:\Windows\SysWOW64\Hgieipmo.exe | Hjedpkne.exe
File created | C:\Windows\SysWOW64\Kcdakd32.exe | Kmjinjnj.exe
File created | C:\Windows\SysWOW64\Pbhndb32.dll | Dhndil32.exe
File created | C:\Windows\SysWOW64\Ejgdim32.exe | Eqopqh32.exe
File created | C:\Windows\SysWOW64\Bfenncdp.exe | Bmliem32.exe
File created | C:\Windows\SysWOW64\Lnmkpm32.exe | Lqikfi32.exe
File opened for modification | C:\Windows\SysWOW64\Qhghge32.exe | Qnpgdmjd.exe
File opened for modification | C:\Windows\SysWOW64\Kelaef32.exe | Kieaqe32.exe
File opened for modification | C:\Windows\SysWOW64\Dbgnobpg.exe | Doiabgqc.exe
File opened for modification | C:\Windows\SysWOW64\Kjjinp32.exe | Kdmqfi32.exe
File opened for modification | C:\Windows\SysWOW64\Lcjchd32.exe | Lnmkpm32.exe
File created | C:\Windows\SysWOW64\Foikga32.dll | Ojajbdde.exe
File created | C:\Windows\SysWOW64\Kppphe32.exe | Kfhkop32.exe
File created | C:\Windows\SysWOW64\Ankdbf32.exe | Qaegcb32.exe
File created | C:\Windows\SysWOW64\Lpbkgeig.dll | Mbgjlq32.exe
File created | C:\Windows\SysWOW64\Mcfpni32.dll | Mnhkklbb.exe
File created | C:\Windows\SysWOW64\Clldhljp.exe | Ceppfbef.exe
File opened for modification | C:\Windows\SysWOW64\Hdokok32.exe | Hkggfe32.exe
File opened for modification | C:\Windows\SysWOW64\Jgpmffeh.exe | Jjlmmbfo.exe
File opened for modification | C:\Windows\SysWOW64\Hpiemj32.exe | Hbeece32.exe
File created | C:\Windows\SysWOW64\Cnbcoe32.dll | Jngbcj32.exe
File opened for modification | C:\Windows\SysWOW64\Jfkhfmdm.exe | Ifaepolg.exe
File opened for modification | C:\Windows\SysWOW64\Abjdbj32.exe | Paennh32.exe
File opened for modification | C:\Windows\SysWOW64\Cdaigi32.exe | Clfdcgkj.exe
File created | C:\Windows\SysWOW64\Abijfchj.dll | Nlglpkpi.exe
File created | C:\Windows\SysWOW64\Aggean32.exe | Amaqde32.exe
File created | C:\Windows\SysWOW64\Eoccii32.exe | Ebocpd32.exe
File opened for modification | C:\Windows\SysWOW64\Ggoiap32.exe | Fempbm32.exe
File created | C:\Windows\SysWOW64\Ncgkma32.exe | Nbfoeiei.exe
File opened for modification | C:\Windows\SysWOW64\Babmjj32.exe | Afmhma32.exe
File opened for modification | C:\Windows\SysWOW64\Amaqde32.exe | Ajqgbjoh.exe
File opened for modification | C:\Windows\SysWOW64\Bnjkbi32.exe | Bgpceogl.exe
File created | C:\Windows\SysWOW64\Hpibnjck.dll | Dnajjfjo.exe
File created | C:\Windows\SysWOW64\Dcmjpl32.exe | Dnqaheai.exe
File created | C:\Windows\SysWOW64\Fdpgen32.exe | Fkgbli32.exe
File created | C:\Windows\SysWOW64\Pbfkdhnj.dll | Calmcg32.exe
File created | C:\Windows\SysWOW64\Iamlhdea.dll | Kfaglf32.exe
File opened for modification | C:\Windows\SysWOW64\Faeihogj.exe | Fijdcljo.exe
File created | C:\Windows\SysWOW64\Gkcekn32.dll | Njokei32.exe
File created | C:\Windows\SysWOW64\Joahop32.exe | Jehcfj32.exe
File created | C:\Windows\SysWOW64\Hmeqhlfm.dll | Kmbkfp32.exe
File created | C:\Windows\SysWOW64\Iopghggd.dll | Mbjnlfnn.exe
File opened for modification | C:\Windows\SysWOW64\Lgnihd32.exe | Kjjinp32.exe
File created | C:\Windows\SysWOW64\Jlijdbin.dll | Njekfenc.exe
File opened for modification | C:\Windows\SysWOW64\Dkndbkop.exe | Dafpjf32.exe
File created | C:\Windows\SysWOW64\Kblkap32.exe | Kokbpe32.exe
File created | C:\Windows\SysWOW64\Kgnfpi32.dll | Clldhljp.exe
File created | C:\Windows\SysWOW64\Kelaef32.exe | Kieaqe32.exe
File created | C:\Windows\SysWOW64\Lafmjb32.dll | Nlihek32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
9204 | 3080 | WerFault.exe | 934
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqqchjad.dll" | Gmfpeoga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jmccnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ibjqlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbpqnpmi.dll" | Kkhpmigp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Onicbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mpmodg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ncbaabom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nimioo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fmgecn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ilhcmpeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbcjk32.dll" | Cdhmjc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qpibke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ladpcb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lldfcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohgjgid.dll" | Pefhfgoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Obanqgkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fkopgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Babmjj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Injcginc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cjbhbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kabpan32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lgffci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Njekfenc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pjhpccnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cpjdiadb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mhbmin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ikcmklih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fajogllp.dll" | Lqndahiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbdcofa.dll" | Jbccbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ehbgjenf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lgnihd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Naecieef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bkgleegf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pnfiia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Eibmlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbcildbi.dll" | Ncgkma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ilpaei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Acnefoac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcekn32.dll" | Njokei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffqgddjj.dll" | Kmegkp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hkaedk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lojjdcbk.dll" | Cfakon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lofklp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mjjkkghp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnhcfa32.dll" | Mqhmbqlh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmdl32.dll" | Ahofidlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkjpklj.dll" | Llpofd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Eqopqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkolggfe.dll" | Lpbojlfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgejeooc.dll" | Bcddlhgo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pjofcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Chkokq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilqfjc32.dll" | Gjmmfq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cpbgnlfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lnadkmhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ogndki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Haefqjeo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kgiibnib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qihoak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgmhaapa.dll" | Eibmlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mfofjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekpnp32.dll" | Eeimqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Meadlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qciebg32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process                                               procid_target  rows
PID 1596 wrote to memory of 3164    1596  e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe   89             3
PID 3164 wrote to memory of 3704    3164  Mllccpfj.exe                                          90             3
PID 3704 wrote to memory of 1608    3704  Nkjckkcg.exe                                          91             3
PID 1608 wrote to memory of 1460    1608  Ochamg32.exe                                          92             3
PID 1460 wrote to memory of 1128    1460  Pilpfm32.exe                                          93             3
PID 1128 wrote to memory of 4676    1128  Pkoemhao.exe                                          94             3
PID 4676 wrote to memory of 3756    4676  Qihoak32.exe                                          96             3
PID 3756 wrote to memory of 408     3756  Abpcja32.exe                                          98             3
PID 408 wrote to memory of 1104     408   Bcicjbal.exe                                          99             3
PID 1104 wrote to memory of 4084    1104  Cmpcdfll.exe                                          100            3
PID 4084 wrote to memory of 4016    4084  Cpcila32.exe                                          101            3
PID 4016 wrote to memory of 2656    4016  Dlqpaafg.exe                                          102            3
PID 2656 wrote to memory of 2212    2656  Eljchpnl.exe                                          103            3
PID 2212 wrote to memory of 3128    2212  Eibmlc32.exe                                          104            3
PID 3128 wrote to memory of 4428    3128  Fgkfqgce.exe                                          105            3
PID 4428 wrote to memory of 4508    4428  Gnckooob.exe                                          106            3
PID 4508 wrote to memory of 2028    4508  Icnphd32.exe                                          107            3
PID 2028 wrote to memory of 60      2028  Ifaepolg.exe                                          108            3
PID 60 wrote to memory of 1880      60    Jfkhfmdm.exe                                          109            3
PID 1880 wrote to memory of 2820    1880  Kceoppmo.exe                                          110            3
PID 2820 wrote to memory of 4500    2820  Ljijci32.exe                                          111            3
PID 4500 wrote to memory of 4156    4500  Lmjcdd32.exe                                          112            1

The raw export repeats a row once per write; the "rows" column gives that count (21 x 3 + 1 = 64). The table is capped at 64 entries, so the last edge (4500 -> 4156) is cut off after a single row and parents further down the chain (PID 4156 onwards) do not appear here at all. Every write goes from a parent into the child it has just spawned (compare the process tree below); the report records no target addresses or sizes, so this table by itself does not distinguish code injection from the writes a parent performs while setting up a new child process.
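The flattened export above is awkward to read once it runs to 64 rows, so the following script rebuilds the writer -> target chain from it. This is an added example, not part of the report or of the sandbox's own tooling; the RAW_EXCERPT string is a constructed copy of the first four hops in the report's own row format (including a row torn across a line break, as extraction does), the 64-row cap is taken from the "64 IoCs" heading, and the "three writes per child" check simply compares every edge against the count observed for the other parents in this report.

```python
"""Rebuild the writer -> target chain from the flattened WriteProcessMemory table of a
sandbox report. Added example: not part of the report or of the sandbox's tooling."""
import re
from collections import OrderedDict

EXPORT_CAP = 64  # the report shows at most 64 rows per signature ("64 IoCs")

# Constructed excerpt in the report's own flattened format: the first four hops of the
# chain above (the real export runs on to PID 4156). Extraction breaks rows at arbitrary
# points, so the parser keys on the row grammar rather than on line breaks.
RAW_EXCERPT = """
PID 1596 wrote to memory of 3164 1596 e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe 89
PID 1596 wrote to memory of 3164 1596 e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe 89
PID 1596 wrote to memory of 3164 1596 e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe 89
PID 3164 wrote to memory of 3704 3164 Mllccpfj.exe 90 PID 3164 wrote to memory of 3704 3164 Mllccpfj.exe 90 PID 3164
wrote to memory of 3704 3164 Mllccpfj.exe 90 PID 3704 wrote to memory of 1608 3704 Nkjckkcg.exe 91
PID 3704 wrote to memory of 1608 3704 Nkjckkcg.exe 91 PID 3704 wrote to memory of 1608 3704 Nkjckkcg.exe 91
PID 1608 wrote to memory of 1460 1608 Ochamg32.exe 92 PID 1608 wrote to memory of 1460 1608 Ochamg32.exe 92
PID 1608 wrote to memory of 1460 1608 Ochamg32.exe 92
"""

# One row: "PID <writer> wrote to memory of <target> <writer again> <image> <procid_target>"
ROW = re.compile(r"PID\s+(\d+)\s+wrote\s+to\s+memory\s+of\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)")


def parse_rows(text):
    """Return a list of (writer_pid, target_pid, image, procid_target) tuples."""
    rows = []
    for m in ROW.finditer(text):
        writer, target, pid, image, procid_target = m.groups()
        if writer != pid:  # the export repeats the writer PID; a mismatch means a torn row
            raise ValueError("torn row near: %s" % m.group(0))
        rows.append((int(writer), int(target), image, int(procid_target)))
    return rows


def collapse_edges(rows):
    """Unique (writer, target, image) edges with their event counts, in first-seen order."""
    edges = OrderedDict()
    for writer, target, image, _procid in rows:
        key = (writer, target, image)
        edges[key] = edges.get(key, 0) + 1
    return edges


def reconstruct_chain(edges, root_pid):
    """Follow writer -> target edges from root_pid.

    Returns (chain_of_pids, linear). linear is False if any writer has more than one
    distinct target (a fan-out, unlike the single file of parent -> child writes here).
    """
    targets = {}
    for writer, target, _image in edges:
        targets.setdefault(writer, set()).add(target)
    chain, pid, linear = [root_pid], root_pid, True
    while pid in targets:
        nxt = targets[pid]
        linear = linear and len(nxt) == 1
        pid = min(nxt)  # deterministic pick when a writer fans out
        if pid in chain:  # cycle guard: PIDs get reused in a long run
            break
        chain.append(pid)
    return chain, linear


def summarize(text, root_pid):
    """Everything an analyst wants from the table in one dict."""
    rows = parse_rows(text)
    edges = collapse_edges(rows)
    chain, linear = reconstruct_chain(edges, root_pid)
    return {
        "events": len(rows),
        "unique_edges": len(edges),
        "chain": chain,
        "linear": linear,
        # a full 64-row export means the table was cut off and the last count is incomplete
        "possibly_truncated": len(rows) >= EXPORT_CAP,
        # edges whose count differs from the 3 writes seen for every other parent here
        "odd_counts": [(w, t, n) for (w, t, _i), n in edges.items() if n != 3],
    }


if __name__ == "__main__":
    s = summarize(RAW_EXCERPT, root_pid=1596)
    print("events:", s["events"], "unique edges:", s["unique_edges"])
    print("chain:", " -> ".join(str(p) for p in s["chain"]),
          "(linear)" if s["linear"] else "(fan-out)")
    if s["possibly_truncated"]:
        print("table hit the 64-row cap; the last edge count is incomplete")
    for w, t, n in s["odd_counts"]:
        print("edge %d -> %d seen %d time(s), not 3" % (w, t, n))
```

Run against the full 64-row table, `possibly_truncated` comes back true and `odd_counts` contains only the 4500 -> 4156 edge, which is the cut-off artefact described above rather than a differently behaving process.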
Processes
Each entry: depth  PID  image path  |  command line, followed by the signatures the sandbox attached to that process. The tree is a single chain 122 processes deep: every process spawns exactly one child. Signature annotations are capped at 64 entries each (the "64 IoCs" count on the WriteProcessMemory table): "Executes dropped EXE" is shown on exactly the first 64 children (depth 2 to 65) and "Suspicious use of WriteProcessMemory" on the 22 parents whose writes fill that table, so a missing flag on a deeper entry reflects the cap and should not be read as evidence that the behaviour stopped.

1    PID 1596   C:\Users\Admin\AppData\Local\Temp\e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe  |  "C:\Users\Admin\AppData\Local\Temp\e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe"
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Suspicious use of WriteProcessMemory
2    PID 3164   C:\Windows\SysWOW64\Mllccpfj.exe  |  C:\Windows\system32\Mllccpfj.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
3    PID 3704   C:\Windows\SysWOW64\Nkjckkcg.exe  |  C:\Windows\system32\Nkjckkcg.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
4    PID 1608   C:\Windows\SysWOW64\Ochamg32.exe  |  C:\Windows\system32\Ochamg32.exe
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
5    PID 1460   C:\Windows\SysWOW64\Pilpfm32.exe  |  C:\Windows\system32\Pilpfm32.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
6    PID 1128   C:\Windows\SysWOW64\Pkoemhao.exe  |  C:\Windows\system32\Pkoemhao.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
7    PID 4676   C:\Windows\SysWOW64\Qihoak32.exe  |  C:\Windows\system32\Qihoak32.exe
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
8    PID 3756   C:\Windows\SysWOW64\Abpcja32.exe  |  C:\Windows\system32\Abpcja32.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
9    PID 408    C:\Windows\SysWOW64\Bcicjbal.exe  |  C:\Windows\system32\Bcicjbal.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
10   PID 1104   C:\Windows\SysWOW64\Cmpcdfll.exe  |  C:\Windows\system32\Cmpcdfll.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
11   PID 4084   C:\Windows\SysWOW64\Cpcila32.exe  |  C:\Windows\system32\Cpcila32.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
12   PID 4016   C:\Windows\SysWOW64\Dlqpaafg.exe  |  C:\Windows\system32\Dlqpaafg.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
13   PID 2656   C:\Windows\SysWOW64\Eljchpnl.exe  |  C:\Windows\system32\Eljchpnl.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
14   PID 2212   C:\Windows\SysWOW64\Eibmlc32.exe  |  C:\Windows\system32\Eibmlc32.exe
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
15   PID 3128   C:\Windows\SysWOW64\Fgkfqgce.exe  |  C:\Windows\system32\Fgkfqgce.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
16   PID 4428   C:\Windows\SysWOW64\Gnckooob.exe  |  C:\Windows\system32\Gnckooob.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
17   PID 4508   C:\Windows\SysWOW64\Icnphd32.exe  |  C:\Windows\system32\Icnphd32.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
18   PID 2028   C:\Windows\SysWOW64\Ifaepolg.exe  |  C:\Windows\system32\Ifaepolg.exe
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
19   PID 60     C:\Windows\SysWOW64\Jfkhfmdm.exe  |  C:\Windows\system32\Jfkhfmdm.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
20   PID 1880   C:\Windows\SysWOW64\Kceoppmo.exe  |  C:\Windows\system32\Kceoppmo.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
21   PID 2820   C:\Windows\SysWOW64\Ljijci32.exe  |  C:\Windows\system32\Ljijci32.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
22   PID 4500   C:\Windows\SysWOW64\Lmjcdd32.exe  |  C:\Windows\system32\Lmjcdd32.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
23   PID 4156   C:\Windows\SysWOW64\Mehafq32.exe  |  C:\Windows\system32\Mehafq32.exe
     - Executes dropped EXE
24   PID 4204   C:\Windows\SysWOW64\Mhhjhlqm.exe  |  C:\Windows\system32\Mhhjhlqm.exe
     - Executes dropped EXE
25   PID 228    C:\Windows\SysWOW64\Meadlo32.exe  |  C:\Windows\system32\Meadlo32.exe
     - Executes dropped EXE
     - Modifies registry class
26   PID 3596   C:\Windows\SysWOW64\Necqbo32.exe  |  C:\Windows\system32\Necqbo32.exe
     - Executes dropped EXE
27   PID 2000   C:\Windows\SysWOW64\Nehjmnei.exe  |  C:\Windows\system32\Nehjmnei.exe
     - Executes dropped EXE
28   PID 1960   C:\Windows\SysWOW64\Nkjlqd32.exe  |  C:\Windows\system32\Nkjlqd32.exe
     - Executes dropped EXE
29   PID 1768   C:\Windows\SysWOW64\Ogjpld32.exe  |  C:\Windows\system32\Ogjpld32.exe
     - Executes dropped EXE
30   PID 2440   C:\Windows\SysWOW64\Qnpgdmjd.exe  |  C:\Windows\system32\Qnpgdmjd.exe
     - Executes dropped EXE
     - Drops file in System32 directory
31   PID 3424   C:\Windows\SysWOW64\Qhghge32.exe  |  C:\Windows\system32\Qhghge32.exe
     - Executes dropped EXE
32   PID 1808   C:\Windows\SysWOW64\Anfmeldl.exe  |  C:\Windows\system32\Anfmeldl.exe
     - Executes dropped EXE
33   PID 380    C:\Windows\SysWOW64\Bbniai32.exe  |  C:\Windows\system32\Bbniai32.exe
     - Executes dropped EXE
34   PID 640    C:\Windows\SysWOW64\Blkgen32.exe  |  C:\Windows\system32\Blkgen32.exe
     - Executes dropped EXE
35   PID 3276   C:\Windows\SysWOW64\Clmckmcq.exe  |  C:\Windows\system32\Clmckmcq.exe
     - Executes dropped EXE
36   PID 3976   C:\Windows\SysWOW64\Cpklql32.exe  |  C:\Windows\system32\Cpklql32.exe
     - Executes dropped EXE
37   PID 2104   C:\Windows\SysWOW64\Cicqja32.exe  |  C:\Windows\system32\Cicqja32.exe
     - Executes dropped EXE
38   PID 180    C:\Windows\SysWOW64\Cblebgfh.exe  |  C:\Windows\system32\Cblebgfh.exe
     - Executes dropped EXE
39   PID 3484   C:\Windows\SysWOW64\Chinkndp.exe  |  C:\Windows\system32\Chinkndp.exe
     - Executes dropped EXE
40   PID 2076   C:\Windows\SysWOW64\Dbckcf32.exe  |  C:\Windows\system32\Dbckcf32.exe
     - Executes dropped EXE
41   PID 1148   C:\Windows\SysWOW64\Diopep32.exe  |  C:\Windows\system32\Diopep32.exe
     - Executes dropped EXE
42   PID 1832   C:\Windows\SysWOW64\Diamko32.exe  |  C:\Windows\system32\Diamko32.exe
     - Executes dropped EXE
43   PID 736    C:\Windows\SysWOW64\Ebokodfc.exe  |  C:\Windows\system32\Ebokodfc.exe
     - Executes dropped EXE
44   PID 4232   C:\Windows\SysWOW64\Ehkcgkdj.exe  |  C:\Windows\system32\Ehkcgkdj.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
45   PID 212    C:\Windows\SysWOW64\Ebcdjc32.exe  |  C:\Windows\system32\Ebcdjc32.exe
     - Executes dropped EXE
46   PID 4420   C:\Windows\SysWOW64\Ebeapc32.exe  |  C:\Windows\system32\Ebeapc32.exe
     - Executes dropped EXE
47   PID 688    C:\Windows\SysWOW64\Fempbm32.exe  |  C:\Windows\system32\Fempbm32.exe
     - Executes dropped EXE
     - Drops file in System32 directory
48   PID 4800   C:\Windows\SysWOW64\Ggoiap32.exe  |  C:\Windows\system32\Ggoiap32.exe
     - Executes dropped EXE
49   PID 3852   C:\Windows\SysWOW64\Glqkefff.exe  |  C:\Windows\system32\Glqkefff.exe
     - Executes dropped EXE
50   PID 1924   C:\Windows\SysWOW64\Gjdknjep.exe  |  C:\Windows\system32\Gjdknjep.exe
     - Executes dropped EXE
51   PID 4716   C:\Windows\SysWOW64\Geklckkd.exe  |  C:\Windows\system32\Geklckkd.exe
     - Executes dropped EXE
52   PID 2672   C:\Windows\SysWOW64\Hjieii32.exe  |  C:\Windows\system32\Hjieii32.exe
     - Executes dropped EXE
53   PID 3880   C:\Windows\SysWOW64\Hgbonm32.exe  |  C:\Windows\system32\Hgbonm32.exe
     - Executes dropped EXE
54   PID 4424   C:\Windows\SysWOW64\Iobmmoed.exe  |  C:\Windows\system32\Iobmmoed.exe
     - Executes dropped EXE
55   PID 2828   C:\Windows\SysWOW64\Ifqoehhl.exe  |  C:\Windows\system32\Ifqoehhl.exe
     - Executes dropped EXE
56   PID 1644   C:\Windows\SysWOW64\Igpkok32.exe  |  C:\Windows\system32\Igpkok32.exe
     - Executes dropped EXE
57   PID 5044   C:\Windows\SysWOW64\Jcgldl32.exe  |  C:\Windows\system32\Jcgldl32.exe
     - Executes dropped EXE
58   PID 2972   C:\Windows\SysWOW64\Jgedjjki.exe  |  C:\Windows\system32\Jgedjjki.exe
     - Executes dropped EXE
59   PID 2088   C:\Windows\SysWOW64\Kfaglf32.exe  |  C:\Windows\system32\Kfaglf32.exe
     - Executes dropped EXE
     - Drops file in System32 directory
60   PID 2260   C:\Windows\SysWOW64\Decmjjie.exe  |  C:\Windows\system32\Decmjjie.exe
     - Executes dropped EXE
61   PID 4632   C:\Windows\SysWOW64\Fhflhcfa.exe  |  C:\Windows\system32\Fhflhcfa.exe
     - Executes dropped EXE
62   PID 624    C:\Windows\SysWOW64\Facjlhil.exe  |  C:\Windows\system32\Facjlhil.exe
     - Executes dropped EXE
63   PID 2340   C:\Windows\SysWOW64\Gehice32.exe  |  C:\Windows\system32\Gehice32.exe
     - Executes dropped EXE
64   PID 2716   C:\Windows\SysWOW64\Hiinoc32.exe  |  C:\Windows\system32\Hiinoc32.exe
     - Executes dropped EXE
65   PID 4068   C:\Windows\SysWOW64\Hhnkppbf.exe  |  C:\Windows\system32\Hhnkppbf.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
66   PID 700    C:\Windows\SysWOW64\Hafpiehg.exe  |  C:\Windows\system32\Hafpiehg.exe
67   PID 3404   C:\Windows\SysWOW64\Hojpbigq.exe  |  C:\Windows\system32\Hojpbigq.exe
68   PID 2124   C:\Windows\SysWOW64\Hipdpbgf.exe  |  C:\Windows\system32\Hipdpbgf.exe
69   PID 2756   C:\Windows\SysWOW64\Ilcjgm32.exe  |  C:\Windows\system32\Ilcjgm32.exe
70   PID 3528   C:\Windows\SysWOW64\Jllmml32.exe  |  C:\Windows\system32\Jllmml32.exe
71   PID 3856   C:\Windows\SysWOW64\Jfdafa32.exe  |  C:\Windows\system32\Jfdafa32.exe
72   PID 1472   C:\Windows\SysWOW64\Jchaoe32.exe  |  C:\Windows\system32\Jchaoe32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
73   PID 3808   C:\Windows\SysWOW64\Jlafhkfe.exe  |  C:\Windows\system32\Jlafhkfe.exe
74   PID 4988   C:\Windows\SysWOW64\Jcknee32.exe  |  C:\Windows\system32\Jcknee32.exe
75   PID 4880   C:\Windows\SysWOW64\Jmccnk32.exe  |  C:\Windows\system32\Jmccnk32.exe
     - Modifies registry class
76   PID 3656   C:\Windows\SysWOW64\Jmepcj32.exe  |  C:\Windows\system32\Jmepcj32.exe
77   PID 3580   C:\Windows\SysWOW64\Kmhlijpm.exe  |  C:\Windows\system32\Kmhlijpm.exe
78   PID 2548   C:\Windows\SysWOW64\Kmjinjnj.exe  |  C:\Windows\system32\Kmjinjnj.exe
     - Drops file in System32 directory
79   PID 2920   C:\Windows\SysWOW64\Kcdakd32.exe  |  C:\Windows\system32\Kcdakd32.exe
80   PID 4608   C:\Windows\SysWOW64\Kokbpe32.exe  |  C:\Windows\system32\Kokbpe32.exe
     - Drops file in System32 directory
81   PID 3432   C:\Windows\SysWOW64\Kblkap32.exe  |  C:\Windows\system32\Kblkap32.exe
82   PID 5144   C:\Windows\SysWOW64\Lmfhjhdm.exe  |  C:\Windows\system32\Lmfhjhdm.exe
83   PID 5200   C:\Windows\SysWOW64\Lpgalc32.exe  |  C:\Windows\system32\Lpgalc32.exe
84   PID 5244   C:\Windows\SysWOW64\Llmbqdfb.exe  |  C:\Windows\system32\Llmbqdfb.exe
85   PID 5288   C:\Windows\SysWOW64\Llpofd32.exe  |  C:\Windows\system32\Llpofd32.exe
     - Modifies registry class
86   PID 5332   C:\Windows\SysWOW64\Mfjlolpp.exe  |  C:\Windows\system32\Mfjlolpp.exe
87   PID 5372   C:\Windows\SysWOW64\Mlialb32.exe  |  C:\Windows\system32\Mlialb32.exe
88   PID 5420   C:\Windows\SysWOW64\Mfofjk32.exe  |  C:\Windows\system32\Mfofjk32.exe
     - Modifies registry class
89   PID 5520   C:\Windows\SysWOW64\Njokei32.exe  |  C:\Windows\system32\Njokei32.exe
     - Drops file in System32 directory
     - Modifies registry class
90   PID 5564   C:\Windows\SysWOW64\Niiaae32.exe  |  C:\Windows\system32\Niiaae32.exe
91   PID 5608   C:\Windows\SysWOW64\Odnfonag.exe  |  C:\Windows\system32\Odnfonag.exe
92   PID 5688   C:\Windows\SysWOW64\Qciebg32.exe  |  C:\Windows\system32\Qciebg32.exe
     - Modifies registry class
93   PID 5744   C:\Windows\SysWOW64\Bdhkchlg.exe  |  C:\Windows\system32\Bdhkchlg.exe
94   PID 5784   C:\Windows\SysWOW64\Bqahmhpi.exe  |  C:\Windows\system32\Bqahmhpi.exe
95   PID 5868   C:\Windows\SysWOW64\Ccbaoc32.exe  |  C:\Windows\system32\Ccbaoc32.exe
96   PID 5912   C:\Windows\SysWOW64\Ddnmeejo.exe  |  C:\Windows\system32\Ddnmeejo.exe
97   PID 5956   C:\Windows\SysWOW64\Dnfanjqp.exe  |  C:\Windows\system32\Dnfanjqp.exe
98   PID 6000   C:\Windows\SysWOW64\Eeimqc32.exe  |  C:\Windows\system32\Eeimqc32.exe
     - Modifies registry class
99   PID 6048   C:\Windows\SysWOW64\Eapmedef.exe  |  C:\Windows\system32\Eapmedef.exe
100  PID 6092   C:\Windows\SysWOW64\Fhalcm32.exe  |  C:\Windows\system32\Fhalcm32.exe
101  PID 5128   C:\Windows\SysWOW64\Fmndkd32.exe  |  C:\Windows\system32\Fmndkd32.exe
102  PID 5192   C:\Windows\SysWOW64\Fnmqegle.exe  |  C:\Windows\system32\Fnmqegle.exe
103  PID 5272   C:\Windows\SysWOW64\Fegiba32.exe  |  C:\Windows\system32\Fegiba32.exe
104  PID 5352   C:\Windows\SysWOW64\Fjdajhbi.exe  |  C:\Windows\system32\Fjdajhbi.exe
105  PID 5156   C:\Windows\SysWOW64\Fejegaao.exe  |  C:\Windows\system32\Fejegaao.exe
106  PID 5572   C:\Windows\SysWOW64\Ghmkol32.exe  |  C:\Windows\system32\Ghmkol32.exe
107  PID 5676   C:\Windows\SysWOW64\Gokmfe32.exe  |  C:\Windows\system32\Gokmfe32.exe
108  PID 5752   C:\Windows\SysWOW64\Hkggfe32.exe  |  C:\Windows\system32\Hkggfe32.exe
     - Drops file in System32 directory
109  PID 1116   C:\Windows\SysWOW64\Hdokok32.exe  |  C:\Windows\system32\Hdokok32.exe
110  PID 5768   C:\Windows\SysWOW64\Ikpjmd32.exe  |  C:\Windows\system32\Ikpjmd32.exe
111  PID 2288   C:\Windows\SysWOW64\Ihdjfhhc.exe  |  C:\Windows\system32\Ihdjfhhc.exe
112  PID 5904   C:\Windows\SysWOW64\Jahnkl32.exe  |  C:\Windows\system32\Jahnkl32.exe
113  PID 5952   C:\Windows\SysWOW64\Jakkplbc.exe  |  C:\Windows\system32\Jakkplbc.exe
114  PID 5992   C:\Windows\SysWOW64\Jehcfj32.exe  |  C:\Windows\system32\Jehcfj32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
115  PID 3480   C:\Windows\SysWOW64\Joahop32.exe  |  C:\Windows\system32\Joahop32.exe
116  PID 6136   C:\Windows\SysWOW64\Kkhidaeo.exe  |  C:\Windows\system32\Kkhidaeo.exe
117  PID 2268   C:\Windows\SysWOW64\Lbpmbipk.exe  |  C:\Windows\system32\Lbpmbipk.exe
118  PID 5464   C:\Windows\SysWOW64\Nmhglopl.exe  |  C:\Windows\system32\Nmhglopl.exe
119  PID 5668   C:\Windows\SysWOW64\Nbepdfnc.exe  |  C:\Windows\system32\Nbepdfnc.exe
120  PID 5764   C:\Windows\SysWOW64\Nmjdaoni.exe  |  C:\Windows\system32\Nmjdaoni.exe
121  PID 5812   C:\Windows\SysWOW64\Nnlqig32.exe  |  C:\Windows\system32\Nnlqig32.exe
122  PID 4428   C:\Windows\SysWOW64\Nfchjddj.exe  |  C:\Windows\system32\Nfchjddj.exe

Note that PID 4428 appears twice (depth 16, Gnckooob.exe, and depth 122, Nfchjddj.exe): the earlier process had exited and its PID was reused, so anything keyed on PID alone will conflate the two.
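Two things in the tree above trip up a first reading: the image path says SysWOW64 while the command line says system32, and every entry is one level deeper than the last. The script below works through both. It is an added example, not part of the report or of the sandbox's tooling; TREE_EXCERPT is a constructed transcription of the root and its first four descendants, and the path classification encodes the general fact that a 32-bit process on 64-bit Windows has C:\Windows\system32 redirected to C:\Windows\SysWOW64 by the file system, so that pairing is redirection, not masquerading. It also emits the list of dropped binaries as a hunting list, which generalizes beyond the five entries embedded here.

```python
"""Work through a sandbox process tree: recover parent links from the depth column,
classify image-path / command-line pairs, and list the dropped binaries to hunt for.
Added example: not part of the report or of the sandbox's tooling."""
import ntpath  # Windows path semantics regardless of the host OS

# Constructed excerpt transcribed from the tree above as (depth, image_path, command_line, pid).
# Only the root and its first four descendants are included; the real chain is 122 deep.
TREE_EXCERPT = [
    (1, r"C:\Users\Admin\AppData\Local\Temp\e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\e517aa79eec7ba3386add8775ec069b0_NeikiAnalytics.exe"', 1596),
    (2, r"C:\Windows\SysWOW64\Mllccpfj.exe", r"C:\Windows\system32\Mllccpfj.exe", 3164),
    (3, r"C:\Windows\SysWOW64\Nkjckkcg.exe", r"C:\Windows\system32\Nkjckkcg.exe", 3704),
    (4, r"C:\Windows\SysWOW64\Ochamg32.exe", r"C:\Windows\system32\Ochamg32.exe", 1608),
    (5, r"C:\Windows\SysWOW64\Pilpfm32.exe", r"C:\Windows\system32\Pilpfm32.exe", 1460),
]

# Lower-cased path fragments; ntpath.normcase() lower-cases and normalises separators.
SYSTEM32 = "\\windows\\system32\\"
SYSWOW64 = "\\windows\\syswow64\\"


def parent_links(tree):
    """Return [(pid, parent_pid), ...] in tree order; the root gets parent None.

    The parent of an entry is the nearest preceding entry one level shallower. The
    result is positional rather than keyed by PID because PIDs are reused over a long
    run (4428 appears twice in the full tree above).
    """
    links, last_at_depth = [], {}
    for depth, _image, _cmdline, pid in tree:
        links.append((pid, last_at_depth.get(depth - 1)))
        last_at_depth[depth] = pid
    return links


def classify_paths(image_path, command_line):
    """'same' when the command line names the image path; 'wow64-redirect' when the two
    differ only by system32 vs SysWOW64 (file-system redirection of a 32-bit process, not
    masquerading); 'mismatch' for anything else, which is worth a closer look."""
    img = ntpath.normcase(image_path)
    cmd = ntpath.normcase(command_line.strip().strip('"'))
    if img == cmd:
        return "same"
    if cmd.replace(SYSTEM32, SYSWOW64) == img:
        return "wow64-redirect"
    return "mismatch"


def dropped_binaries(tree):
    """Sorted image paths of every non-root process living under the Windows directory:
    the files the chain dropped into System32 (SysWOW64 for a 32-bit sample) and ran."""
    root_depth = min(depth for depth, *_rest in tree)
    paths = {image for depth, image, _cmdline, _pid in tree
             if depth > root_depth and ntpath.normcase(image).startswith("c:\\windows\\")}
    return sorted(paths)


def chain_length(tree):
    """Generations from the shallowest to the deepest entry (5 for the excerpt, 122 for the full tree)."""
    depths = [depth for depth, *_rest in tree]
    return max(depths) - min(depths) + 1


if __name__ == "__main__":
    for (pid, parent), (_d, image, cmdline, _p) in zip(parent_links(TREE_EXCERPT), TREE_EXCERPT):
        print("%5d <- %-5s %-16s %s" % (pid, parent, classify_paths(image, cmdline), image))
    print("chain length:", chain_length(TREE_EXCERPT))
    print("hunt for:")
    for path in dropped_binaries(TREE_EXCERPT):
        print("  ", path)
```

Fed the full 122-entry tree, `classify_paths` returns "same" only for the root and "wow64-redirect" for every dropped binary, so the path pairs carry no additional signal here; the hunting list and the chain length are what an analyst takes away.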