Analysis
-
max time kernel
139s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17/05/2024, 06:32
Behavioral task
behavioral1
Sample
c1d4e833282feb4ec53c54102d14d320_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c1d4e833282feb4ec53c54102d14d320_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c1d4e833282feb4ec53c54102d14d320_NeikiAnalytics.exe
-
Size
109KB
-
MD5
c1d4e833282feb4ec53c54102d14d320
-
SHA1
eac0756e07f89bf7bd8f0567e14c79dd5e3c1238
-
SHA256
292fa961d5e38a2a382ba251f1a6fa441e029a65b0aae7f11c55f0289e5556ff
-
SHA512
79a6a31d1a0fb9c06cefad7409d3cffcd447082fbbb7775515415090c4e015059e31231e9486b9dca5dcf5e098fec587e22bbf359049fc205245b657b83ca505
-
SSDEEP
3072:tzevDH6CevZ4EOssXJ9GLCqwzBu1DjHLMVDqqkSp:VMDH6/Z4E4J9Cwtu1DjrFqh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbabgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgefeajb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmbmibhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lingibiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njqmepik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqfdnhfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmcjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blfdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deoaid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdqjceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckajehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfankifm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agoabn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgehcmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddonekbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jioaqfcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgqcqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lffhfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbmibhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjmnoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abemjmgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehfdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beglgani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbceejpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lingibiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdainc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bchomn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ednaqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnqbanmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oneklm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liddbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chmndlge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfbkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfqlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jplfcpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnhahj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bldgdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iiaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgqeappe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cenahpha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nckndeni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkjng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiefcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpijnqkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefkme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlefklpj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1516-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000022f51-6.dat family_berbew behavioral2/memory/212-7-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233ee-14.dat family_berbew behavioral2/memory/348-16-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233f0-22.dat family_berbew behavioral2/memory/4856-24-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233f2-30.dat family_berbew behavioral2/memory/2456-32-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233f4-38.dat family_berbew behavioral2/memory/2680-44-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233f6-46.dat family_berbew behavioral2/memory/3712-52-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233f8-54.dat family_berbew behavioral2/memory/1812-56-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233fa-62.dat family_berbew behavioral2/memory/928-64-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233fc-70.dat family_berbew behavioral2/memory/2332-72-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233fe-78.dat family_berbew behavioral2/memory/4704-80-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023400-81.dat family_berbew behavioral2/memory/3196-87-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023402-94.dat family_berbew behavioral2/memory/2412-96-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023404-102.dat family_berbew behavioral2/memory/3720-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023406-110.dat family_berbew behavioral2/memory/4552-112-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023408-118.dat family_berbew behavioral2/memory/3216-119-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002340a-121.dat family_berbew behavioral2/memory/4512-127-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002340c-134.dat family_berbew behavioral2/memory/4420-136-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002340e-142.dat family_berbew behavioral2/memory/2592-144-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/1948-152-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023410-151.dat family_berbew behavioral2/files/0x0007000000023412-158.dat family_berbew behavioral2/memory/1000-160-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023414-166.dat family_berbew behavioral2/memory/4920-167-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023416-174.dat family_berbew behavioral2/memory/4048-175-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00080000000233ea-182.dat family_berbew behavioral2/memory/3304-184-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023419-190.dat family_berbew behavioral2/memory/3576-192-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341b-198.dat family_berbew behavioral2/memory/3544-199-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341d-206.dat family_berbew behavioral2/memory/1252-207-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341f-214.dat family_berbew behavioral2/memory/3120-216-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023421-222.dat family_berbew behavioral2/memory/4252-224-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023424-230.dat family_berbew behavioral2/memory/1552-232-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023426-239.dat family_berbew behavioral2/memory/4044-240-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/4656-247-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023428-248.dat family_berbew behavioral2/files/0x000700000002342a-254.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 212 Ahmlgd32.exe 348 Abbpem32.exe 4856 Aealah32.exe 2456 Alkdnboj.exe 2680 Abemjmgg.exe 3712 Becifhfj.exe 1812 Blmacb32.exe 928 Bnlnon32.exe 2332 Beeflhdh.exe 4704 Blpnib32.exe 3196 Bbifelba.exe 2412 Bdkcmdhp.exe 3720 Bhfonc32.exe 4552 Bopgjmhe.exe 3216 Bejogg32.exe 4512 Bldgdago.exe 4420 Baaplhef.exe 2592 Bdolhc32.exe 1948 Blfdia32.exe 1000 Cbqlfkmi.exe 4920 Cdainc32.exe 4048 Cklaknjd.exe 3304 Cddecc32.exe 3576 Clkndpag.exe 3544 Cbefaj32.exe 1252 Cdfbibnb.exe 3120 Ckpjfm32.exe 4252 Cajcbgml.exe 1552 Cdiooblp.exe 4044 Conclk32.exe 4656 Camphf32.exe 4348 Dbllbibl.exe 408 Dekhneap.exe 628 Dhidjpqc.exe 3928 Dldpkoil.exe 1244 Docmgjhp.exe 3940 Daaicfgd.exe 4052 Dhkapp32.exe 1008 Dkjmlk32.exe 4616 Dbaemi32.exe 4972 Deoaid32.exe 3500 Dlijfneg.exe 4568 Dkljak32.exe 2788 Dafbne32.exe 4848 Dddojq32.exe 4104 Dkoggkjo.exe 1600 Dojcgi32.exe 2088 Dedkdcie.exe 4480 Dlncan32.exe 1360 Ekacmjgl.exe 4680 Eaklidoi.exe 4836 Edihepnm.exe 3568 Elppfmoo.exe 3592 Eoolbinc.exe 4116 Edkdkplj.exe 1580 Ehgqln32.exe 1932 Eoaihhlp.exe 972 Ecmeig32.exe 3512 Ednaqo32.exe 3552 Eleiam32.exe 1284 Ecoangbg.exe 2444 Edpnfo32.exe 112 Ekjfcipa.exe 1148 Ecandfpd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdolhc32.exe Baaplhef.exe File created C:\Windows\SysWOW64\Kbhoqj32.exe Kpjcdn32.exe File opened for modification C:\Windows\SysWOW64\Lebkhc32.exe Lbdolh32.exe File opened for modification C:\Windows\SysWOW64\Qnhahj32.exe Pfaigm32.exe File created C:\Windows\SysWOW64\Qeobam32.dll Qgcbgo32.exe File created C:\Windows\SysWOW64\Ghaliknf.exe Gcddpdpo.exe File created C:\Windows\SysWOW64\Gcfqfc32.exe Gkoiefmj.exe File created C:\Windows\SysWOW64\Hafgeo32.dll Gcfqfc32.exe File created C:\Windows\SysWOW64\Dndgjk32.dll Iikhfg32.exe File opened for modification C:\Windows\SysWOW64\Qddfkd32.exe Qqijje32.exe File opened for modification C:\Windows\SysWOW64\Bffkij32.exe Bchomn32.exe File created C:\Windows\SysWOW64\Clkooklb.dll Gdqgmmjb.exe File created C:\Windows\SysWOW64\Jpnchp32.exe Jmpgldhg.exe File opened for modification C:\Windows\SysWOW64\Melnob32.exe Mcmabg32.exe File created C:\Windows\SysWOW64\Paihpaak.dll Fkalchij.exe File opened for modification C:\Windows\SysWOW64\Glhonj32.exe Gdqgmmjb.exe File opened for modification C:\Windows\SysWOW64\Klgqcqkl.exe Kiidgeki.exe File created C:\Windows\SysWOW64\Lgmngglp.exe Lbabgh32.exe File created C:\Windows\SysWOW64\Ihidnp32.dll Dkifae32.exe File created C:\Windows\SysWOW64\Ienanm32.dll Cbqlfkmi.exe File created C:\Windows\SysWOW64\Fqplhmkl.dll Jbhfjljd.exe File created C:\Windows\SysWOW64\Ebdijfii.dll Beglgani.exe File created C:\Windows\SysWOW64\Ceqnmpfo.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Blpnib32.exe Beeflhdh.exe File opened for modification C:\Windows\SysWOW64\Blfdia32.exe Bdolhc32.exe File opened for modification C:\Windows\SysWOW64\Ednaqo32.exe Ecmeig32.exe File created C:\Windows\SysWOW64\Ejckel32.dll Jioaqfcc.exe File created C:\Windows\SysWOW64\Bjokdipf.exe Bganhm32.exe File created C:\Windows\SysWOW64\Djgjlelk.exe Dhhnpjmh.exe File opened for modification C:\Windows\SysWOW64\Bnlnon32.exe Blmacb32.exe File created C:\Windows\SysWOW64\Bncfnnbj.dll Ifjodl32.exe File opened for modification C:\Windows\SysWOW64\Jbeidl32.exe Jimekgff.exe File opened for modification C:\Windows\SysWOW64\Lphoelqn.exe Lllcen32.exe File opened for modification C:\Windows\SysWOW64\Bfkedibe.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Dammlf32.dll Hmfkoh32.exe File created C:\Windows\SysWOW64\Pdmpje32.exe Pmfhig32.exe File created C:\Windows\SysWOW64\Dmjapi32.dll Bffkij32.exe File opened for modification C:\Windows\SysWOW64\Bapiabak.exe Bnbmefbg.exe File created C:\Windows\SysWOW64\Bganhm32.exe Bcebhoii.exe File opened for modification C:\Windows\SysWOW64\Daekdooc.exe Dogogcpo.exe File opened for modification C:\Windows\SysWOW64\Abemjmgg.exe Alkdnboj.exe File opened for modification C:\Windows\SysWOW64\Eaklidoi.exe Ekacmjgl.exe File created C:\Windows\SysWOW64\Llgjjnlj.exe Liimncmf.exe File created C:\Windows\SysWOW64\Ladjgikj.dll Ofnckp32.exe File opened for modification C:\Windows\SysWOW64\Acjclpcf.exe Aqkgpedc.exe File opened for modification C:\Windows\SysWOW64\Afoeiklb.exe Acqimo32.exe File opened for modification C:\Windows\SysWOW64\Fcfhof32.exe Fkopnh32.exe File created C:\Windows\SysWOW64\Lllcen32.exe Lingibiq.exe File opened for modification C:\Windows\SysWOW64\Mchhggno.exe Mpjlklok.exe File created C:\Windows\SysWOW64\Nilcjp32.exe Ngmgne32.exe File created C:\Windows\SysWOW64\Iqjikg32.dll Bclhhnca.exe File opened for modification C:\Windows\SysWOW64\Dhidjpqc.exe Dekhneap.exe File created C:\Windows\SysWOW64\Cmiflbel.exe Chmndlge.exe File created C:\Windows\SysWOW64\Pdfjifjo.exe Pqknig32.exe File created C:\Windows\SysWOW64\Oomibind.dll Pdkcde32.exe File opened for modification C:\Windows\SysWOW64\Baaplhef.exe Bldgdago.exe File created C:\Windows\SysWOW64\Djhgpa32.dll Ecmeig32.exe File opened for modification C:\Windows\SysWOW64\Hcbpab32.exe Hkkhqd32.exe File opened for modification C:\Windows\SysWOW64\Icnpmp32.exe Imdgqfbd.exe File created C:\Windows\SysWOW64\Nmpmkplp.dll Jpijnqkp.exe File opened for modification C:\Windows\SysWOW64\Ngbpidjh.exe Ndcdmikd.exe File created C:\Windows\SysWOW64\Qciaajej.dll Qdbiedpa.exe File created C:\Windows\SysWOW64\Kboeke32.dll Acjclpcf.exe File created C:\Windows\SysWOW64\Phiifkjp.dll Bmkjkd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10100 9764 WerFault.exe 469 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlbqboa.dll" Hihbijhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocgmpccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjgop32.dll" Eleiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmhhehlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcllonma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llcpoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlefklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dojcgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" Dmefhako.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaddm32.dll" Cajcbgml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoolbinc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll" Jefbfgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lboeaifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npcoakfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjddphlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libddmim.dll" Blpnib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmbha32.dll" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npmagine.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajfhnjhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqppkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dekhneap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjeoglgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alkdnboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bldgdago.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jioaqfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll" Lllcen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmnldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beglgani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cddecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibjjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll" Kefkme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijnlbk32.dll" Cbefaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll" Ligqhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dafbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klqcioba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Banllbdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aealah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baaplhef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkjmlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hihbijhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll" Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll" Lgmngglp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lebkhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll" Nphhmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhfonc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ildkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll" Mcmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll" Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afoeiklb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkjmlk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1516 wrote to memory of 212 1516 c1d4e833282feb4ec53c54102d14d320_NeikiAnalytics.exe 82 PID 1516 wrote to memory of 212 1516 c1d4e833282feb4ec53c54102d14d320_NeikiAnalytics.exe 82 PID 1516 wrote to memory of 212 1516 c1d4e833282feb4ec53c54102d14d320_NeikiAnalytics.exe 82 PID 212 wrote to memory of 348 212 Ahmlgd32.exe 83 PID 212 wrote to memory of 348 212 Ahmlgd32.exe 83 PID 212 wrote to memory of 348 212 Ahmlgd32.exe 83 PID 348 wrote to memory of 4856 348 Abbpem32.exe 84 PID 348 wrote to memory of 4856 348 Abbpem32.exe 84 PID 348 wrote to memory of 4856 348 Abbpem32.exe 84 PID 4856 wrote to memory of 2456 4856 Aealah32.exe 85 PID 4856 wrote to memory of 2456 4856 Aealah32.exe 85 PID 4856 wrote to memory of 2456 4856 Aealah32.exe 85 PID 2456 wrote to memory of 2680 2456 Alkdnboj.exe 86 PID 2456 wrote to memory of 2680 2456 Alkdnboj.exe 86 PID 2456 wrote to memory of 2680 2456 Alkdnboj.exe 86 PID 2680 wrote to memory of 3712 2680 Abemjmgg.exe 87 PID 2680 wrote to memory of 3712 2680 Abemjmgg.exe 87 PID 2680 wrote to memory of 3712 2680 Abemjmgg.exe 87 PID 3712 wrote to memory of 1812 3712 Becifhfj.exe 88 PID 3712 wrote to memory of 1812 3712 Becifhfj.exe 88 PID 3712 wrote to memory of 1812 3712 Becifhfj.exe 88 PID 1812 wrote to memory of 928 1812 Blmacb32.exe 89 PID 1812 wrote to memory of 928 1812 Blmacb32.exe 89 PID 1812 wrote to memory of 928 1812 Blmacb32.exe 89 PID 928 wrote to memory of 2332 928 Bnlnon32.exe 90 PID 928 wrote to memory of 2332 928 Bnlnon32.exe 90 PID 928 wrote to memory of 2332 928 Bnlnon32.exe 90 PID 2332 wrote to memory of 4704 2332 Beeflhdh.exe 91 PID 2332 wrote to memory of 4704 2332 Beeflhdh.exe 91 PID 2332 wrote to memory of 4704 2332 Beeflhdh.exe 91 PID 4704 wrote to memory of 3196 4704 Blpnib32.exe 92 PID 4704 wrote to memory of 3196 4704 Blpnib32.exe 92 PID 4704 wrote to memory of 3196 4704 Blpnib32.exe 92 PID 3196 wrote to memory of 2412 3196 Bbifelba.exe 93 PID 3196 wrote to memory of 2412 3196 Bbifelba.exe 93 PID 3196 wrote to memory of 2412 3196 Bbifelba.exe 93 PID 2412 wrote to memory of 3720 2412 Bdkcmdhp.exe 94 PID 2412 wrote to memory of 3720 2412 Bdkcmdhp.exe 94 PID 2412 wrote to memory of 3720 2412 Bdkcmdhp.exe 94 PID 3720 wrote to memory of 4552 3720 Bhfonc32.exe 95 PID 3720 wrote to memory of 4552 3720 Bhfonc32.exe 95 PID 3720 wrote to memory of 4552 3720 Bhfonc32.exe 95 PID 4552 wrote to memory of 3216 4552 Bopgjmhe.exe 96 PID 4552 wrote to memory of 3216 4552 Bopgjmhe.exe 96 PID 4552 wrote to memory of 3216 4552 Bopgjmhe.exe 96 PID 3216 wrote to memory of 4512 3216 Bejogg32.exe 98 PID 3216 wrote to memory of 4512 3216 Bejogg32.exe 98 PID 3216 wrote to memory of 4512 3216 Bejogg32.exe 98 PID 4512 wrote to memory of 4420 4512 Bldgdago.exe 99 PID 4512 wrote to memory of 4420 4512 Bldgdago.exe 99 PID 4512 wrote to memory of 4420 4512 Bldgdago.exe 99 PID 4420 wrote to memory of 2592 4420 Baaplhef.exe 100 PID 4420 wrote to memory of 2592 4420 Baaplhef.exe 100 PID 4420 wrote to memory of 2592 4420 Baaplhef.exe 100 PID 2592 wrote to memory of 1948 2592 Bdolhc32.exe 101 PID 2592 wrote to memory of 1948 2592 Bdolhc32.exe 101 PID 2592 wrote to memory of 1948 2592 Bdolhc32.exe 101 PID 1948 wrote to memory of 1000 1948 Blfdia32.exe 103 PID 1948 wrote to memory of 1000 1948 Blfdia32.exe 103 PID 1948 wrote to memory of 1000 1948 Blfdia32.exe 103 PID 1000 wrote to memory of 4920 1000 Cbqlfkmi.exe 104 PID 1000 wrote to memory of 4920 1000 Cbqlfkmi.exe 104 PID 1000 wrote to memory of 4920 1000 Cbqlfkmi.exe 104 PID 4920 wrote to memory of 4048 4920 Cdainc32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1d4e833282feb4ec53c54102d14d320_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c1d4e833282feb4ec53c54102d14d320_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe23⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe25⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3544 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe27⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe28⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4252 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe30⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe31⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe32⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe33⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe35⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe36⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe37⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe38⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe39⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe41⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe43⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe44⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe46⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe47⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe49⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe50⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe52⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe53⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe54⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe56⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe57⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe58⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3552 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe62⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe63⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe64⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe65⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe66⤵PID:3880
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe67⤵PID:2740
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe68⤵PID:2556
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe69⤵PID:1612
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe70⤵PID:3376
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe71⤵PID:2888
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe72⤵
- Drops file in System32 directory
PID:4584 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe73⤵PID:3456
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe74⤵PID:324
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe75⤵
- Drops file in System32 directory
PID:4272 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe76⤵PID:416
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3392 -
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe78⤵PID:4284
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe79⤵PID:5012
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe80⤵PID:1524
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe81⤵PID:4496
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe82⤵PID:4444
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe83⤵
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe84⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe85⤵PID:3608
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe86⤵PID:4960
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe87⤵PID:4356
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe88⤵
- Drops file in System32 directory
PID:4132 -
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4536 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe90⤵
- Drops file in System32 directory
PID:64 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe91⤵
- Drops file in System32 directory
PID:224 -
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe92⤵PID:1292
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe93⤵PID:5140
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe94⤵PID:5192
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe95⤵PID:5236
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe97⤵PID:5324
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe98⤵PID:5368
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe99⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe100⤵PID:5456
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe101⤵PID:5500
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe102⤵PID:5544
-
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe103⤵PID:5588
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe104⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe105⤵PID:5676
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe106⤵PID:5732
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe107⤵PID:5776
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe108⤵
- Modifies registry class
PID:5820 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe109⤵
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe110⤵PID:5916
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe112⤵PID:6008
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe113⤵PID:6064
-
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe114⤵PID:6132
-
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe115⤵PID:5176
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe117⤵PID:5348
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe118⤵PID:5396
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe119⤵
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5624 -
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe121⤵PID:5716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-