Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
17-05-2024 18:52
Behavioral task
behavioral1
Sample
18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe
-
Size
89KB
-
MD5
18698c676bef4d5d72fbd95aad15b9b0
-
SHA1
c8de2a0b2f943f4e07b4106bfde34e1e01fa3210
-
SHA256
3d41d61d082ff0c8c379626fcb69ae42865cc92499a5836804b1f71690bbec3a
-
SHA512
53a1d73b5dbb94f8532596d11df82d739340e61d9ce5dff56023801fbbc67e2ee4bafa1fc287ad8b0f7030cba1bf478d762f43b0d5cfb72b00a72746d5778fbb
-
SSDEEP
1536:12lUmU7y7FSGqFx3HVmVQn1h8vBAGwqhnEF+RQQKD68a+VMKKTRVGFtUhQfR1WRw:1cN8yBTqFx3HVl1hPGvEF+eQrr4MKy32
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njacpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcioiood.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblpek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qffbbldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbgbgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoaihhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flceckoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjlfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqmjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkidenlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpbmco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbceejpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgfqmfde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhhhcal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dohfbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmgcgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqpgdfnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjejl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgqln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdhdajea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpoefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onhhamgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmcojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgddhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mglack32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilidbbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfknkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkljak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgbfocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qgqeappe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqncedbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqmjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pndohaqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adgbpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcagphom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfifmnij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdehlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagflcje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgjlelk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfbibnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjddphlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacbfdao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dohfbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hopnqdan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcbihpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgqcqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klljnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfqmfde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcagphom.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0007000000023289-6.dat family_berbew behavioral2/files/0x0007000000023432-14.dat family_berbew behavioral2/files/0x0007000000023434-22.dat family_berbew behavioral2/files/0x0007000000023437-30.dat family_berbew behavioral2/files/0x0007000000023439-38.dat family_berbew behavioral2/files/0x000700000002343b-46.dat family_berbew behavioral2/files/0x000700000002343d-54.dat family_berbew behavioral2/files/0x000700000002343f-62.dat family_berbew behavioral2/files/0x0007000000023441-70.dat family_berbew behavioral2/files/0x0007000000023443-78.dat family_berbew behavioral2/files/0x0007000000023445-87.dat family_berbew behavioral2/files/0x0007000000023447-96.dat family_berbew behavioral2/files/0x0007000000023449-104.dat family_berbew behavioral2/files/0x000700000002344b-112.dat family_berbew behavioral2/files/0x000700000002344d-121.dat family_berbew behavioral2/files/0x000700000002344f-130.dat family_berbew behavioral2/files/0x0007000000023451-139.dat family_berbew behavioral2/files/0x0007000000023453-148.dat family_berbew behavioral2/files/0x0007000000023455-157.dat family_berbew behavioral2/files/0x0007000000023457-161.dat family_berbew behavioral2/files/0x0007000000023457-166.dat family_berbew behavioral2/files/0x0007000000023459-175.dat family_berbew behavioral2/files/0x000700000002345b-184.dat family_berbew behavioral2/files/0x000700000002345d-193.dat family_berbew behavioral2/files/0x000700000002345f-202.dat family_berbew behavioral2/files/0x0007000000023461-210.dat family_berbew behavioral2/files/0x000800000002342f-219.dat family_berbew behavioral2/files/0x0007000000023464-228.dat family_berbew behavioral2/files/0x000d000000023388-236.dat family_berbew behavioral2/files/0x000800000002339a-245.dat family_berbew behavioral2/files/0x0007000000023467-253.dat family_berbew behavioral2/files/0x0007000000023469-257.dat family_berbew behavioral2/files/0x000700000002346b-270.dat family_berbew behavioral2/files/0x0007000000023470-288.dat family_berbew behavioral2/files/0x0007000000023474-302.dat family_berbew behavioral2/files/0x0007000000023488-369.dat family_berbew behavioral2/files/0x000700000002348e-389.dat family_berbew behavioral2/files/0x00070000000234af-508.dat family_berbew behavioral2/files/0x00070000000234bc-557.dat family_berbew behavioral2/files/0x00070000000234c0-570.dat family_berbew behavioral2/files/0x00070000000234c4-583.dat family_berbew behavioral2/files/0x00070000000234c8-598.dat family_berbew behavioral2/files/0x00070000000234da-659.dat family_berbew behavioral2/files/0x0007000000023500-783.dat family_berbew behavioral2/files/0x000700000002350b-815.dat family_berbew behavioral2/files/0x000700000002351b-870.dat family_berbew behavioral2/files/0x000700000002351f-884.dat family_berbew behavioral2/files/0x0007000000023523-898.dat family_berbew behavioral2/files/0x000700000002352a-919.dat family_berbew behavioral2/files/0x000700000002352e-933.dat family_berbew behavioral2/files/0x0007000000023538-961.dat family_berbew behavioral2/files/0x0007000000023546-1010.dat family_berbew behavioral2/files/0x000700000002354c-1031.dat family_berbew behavioral2/files/0x0007000000023556-1066.dat family_berbew behavioral2/files/0x0007000000023576-1175.dat family_berbew behavioral2/files/0x0007000000023584-1222.dat family_berbew behavioral2/files/0x000700000002358c-1250.dat family_berbew behavioral2/files/0x0007000000023592-1270.dat family_berbew behavioral2/files/0x0007000000023598-1291.dat family_berbew behavioral2/files/0x000700000002359e-1312.dat family_berbew behavioral2/files/0x00070000000235b3-1382.dat family_berbew behavioral2/files/0x0008000000023395-1557.dat family_berbew behavioral2/files/0x000800000002339d-1569.dat family_berbew behavioral2/files/0x0007000000023623-1820.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1672 Mpmokb32.exe 1336 Mkbchk32.exe 4292 Mjeddggd.exe 3492 Mpolqa32.exe 876 Mcnhmm32.exe 2976 Mkepnjng.exe 1480 Mncmjfmk.exe 1864 Mdmegp32.exe 1680 Mglack32.exe 4116 Mjjmog32.exe 4916 Mdpalp32.exe 2836 Njljefql.exe 1576 Nacbfdao.exe 4612 Ndbnboqb.exe 2956 Ngpjnkpf.exe 3328 Njogjfoj.exe 4196 Nddkgonp.exe 4512 Ngcgcjnc.exe 2392 Njacpf32.exe 3548 Ndghmo32.exe 3248 Nkqpjidj.exe 2276 Nnolfdcn.exe 4548 Ndidbn32.exe 2984 Nggqoj32.exe 4980 Nnaikd32.exe 2892 Nqpego32.exe 3124 Okeieh32.exe 1660 Oboaabga.exe 696 Odnnnnfe.exe 2492 Ogljjiei.exe 2588 Onfbfc32.exe 436 Oqdoboli.exe 4296 Okjbpglo.exe 540 Ojmcld32.exe 4016 Oqgkhnjf.exe 5060 Ogaceh32.exe 4288 Obfhba32.exe 1848 Odednmpm.exe 2632 Ogcpjhoq.exe 1764 Ojalgcnd.exe 1504 Obidhaog.exe 3832 Pcjapi32.exe 2020 Pkaiqf32.exe 2092 Pnpemb32.exe 2564 Pqnaim32.exe 1540 Pkceffcd.exe 1932 Pnbbbabh.exe 2980 Pqpnombl.exe 484 Pcojkhap.exe 4304 Pkfblfab.exe 4452 Pndohaqe.exe 3252 Pabkdmpi.exe 2432 Pcagphom.exe 3588 Pnfkma32.exe 3020 Peqcjkfp.exe 3692 Pkjlge32.exe 936 Pbddcoei.exe 5104 Qecppkdm.exe 1256 Qgallfcq.exe 3460 Qkmhlekj.exe 4848 Qnkdhpjn.exe 3300 Qajadlja.exe 3620 Qeemej32.exe 4664 Qgciaf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pnbbbabh.exe Pkceffcd.exe File created C:\Windows\SysWOW64\Cefoce32.exe Cbgbgj32.exe File created C:\Windows\SysWOW64\Ifndpaoq.dll Nnlhfn32.exe File created C:\Windows\SysWOW64\Qnhahj32.exe Qnhahj32.exe File created C:\Windows\SysWOW64\Lcoppd32.dll Onfbfc32.exe File created C:\Windows\SysWOW64\Gbbkaako.exe Gododflk.exe File created C:\Windows\SysWOW64\Jjhijoaa.dll Likjcbkc.exe File opened for modification C:\Windows\SysWOW64\Qqijje32.exe Qmmnjfnl.exe File created C:\Windows\SysWOW64\Ejdofn32.dll Conclk32.exe File created C:\Windows\SysWOW64\Ncianepl.exe Ndfqbhia.exe File opened for modification C:\Windows\SysWOW64\Ocdqjceo.exe Odapnf32.exe File created C:\Windows\SysWOW64\Ndqgbjkm.dll Jfhlejnh.exe File opened for modification C:\Windows\SysWOW64\Nqpego32.exe Nnaikd32.exe File opened for modification C:\Windows\SysWOW64\Jcioiood.exe Jlbgha32.exe File created C:\Windows\SysWOW64\Panfqmhb.dll Pfhfan32.exe File opened for modification C:\Windows\SysWOW64\Pnakhkol.exe Pjeoglgc.exe File created C:\Windows\SysWOW64\Qecppkdm.exe Pbddcoei.exe File opened for modification C:\Windows\SysWOW64\Lljfpnjg.exe Lmgfda32.exe File created C:\Windows\SysWOW64\Pfolbmje.exe Pgllfp32.exe File opened for modification C:\Windows\SysWOW64\Pkjlge32.exe Peqcjkfp.exe File created C:\Windows\SysWOW64\Ikkokgea.dll Lllcen32.exe File opened for modification C:\Windows\SysWOW64\Miifeq32.exe Mgkjhe32.exe File created C:\Windows\SysWOW64\Gbmgladp.dll Njnpppkn.exe File created C:\Windows\SysWOW64\Lipdae32.dll Pdpmpdbd.exe File opened for modification C:\Windows\SysWOW64\Qbimoo32.exe Qjbena32.exe File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe Anogiicl.exe File created C:\Windows\SysWOW64\Hopnqdan.exe Hmabdibj.exe File created C:\Windows\SysWOW64\Jcinbcgc.dll Ibjjhn32.exe File created C:\Windows\SysWOW64\Glccbn32.dll Iicbehnq.exe File created C:\Windows\SysWOW64\Ijnlbk32.dll Cahfmgoo.exe File created C:\Windows\SysWOW64\Aolmfp32.dll Pkceffcd.exe File created C:\Windows\SysWOW64\Dcjfkm32.dll Eocenh32.exe File created C:\Windows\SysWOW64\Idodkeom.dll Npcoakfp.exe File created C:\Windows\SysWOW64\Jnmkhg32.dll Ojalgcnd.exe File created C:\Windows\SysWOW64\Manffk32.dll Clpgpp32.exe File created C:\Windows\SysWOW64\Eadopc32.exe Ecandfpd.exe File created C:\Windows\SysWOW64\Nekfmb32.dll Heocnk32.exe File created C:\Windows\SysWOW64\Ipdejo32.dll Ikbnacmd.exe File created C:\Windows\SysWOW64\Bemlmgnp.exe Baaplhef.exe File created C:\Windows\SysWOW64\Chncif32.dll Ehljfnpn.exe File created C:\Windows\SysWOW64\Jbeidl32.exe Jcbihpel.exe File created C:\Windows\SysWOW64\Ndkqipob.dll Cmgjgcgo.exe File created C:\Windows\SysWOW64\Addjcmqn.dll Ndidbn32.exe File created C:\Windows\SysWOW64\Jgefkimp.dll Mlefklpj.exe File opened for modification C:\Windows\SysWOW64\Balfaiil.exe Bnnjen32.exe File opened for modification C:\Windows\SysWOW64\Kedoge32.exe Kfankifm.exe File opened for modification C:\Windows\SysWOW64\Oponmilc.exe Nnqbanmo.exe File created C:\Windows\SysWOW64\Cegdnopg.exe Cmqmma32.exe File created C:\Windows\SysWOW64\Jidklf32.exe Jehokgge.exe File created C:\Windows\SysWOW64\Lfkgaokd.dll Fhqcam32.exe File created C:\Windows\SysWOW64\Canidb32.dll Kedoge32.exe File created C:\Windows\SysWOW64\Mmcdaagm.dll Ogbipa32.exe File opened for modification C:\Windows\SysWOW64\Bmngqdpj.exe Bnkgeg32.exe File opened for modification C:\Windows\SysWOW64\Cojjqlpk.exe Cknnpm32.exe File opened for modification C:\Windows\SysWOW64\Olmeci32.exe Onjegled.exe File opened for modification C:\Windows\SysWOW64\Njljefql.exe Mdpalp32.exe File created C:\Windows\SysWOW64\Knkkfojb.dll Ndokbi32.exe File created C:\Windows\SysWOW64\Ajanck32.exe Qffbbldm.exe File created C:\Windows\SysWOW64\Aeklkchg.exe Aqppkd32.exe File created C:\Windows\SysWOW64\Cjinkg32.exe Cfmajipb.exe File created C:\Windows\SysWOW64\Dhmgki32.exe Ddakjkqi.exe File created C:\Windows\SysWOW64\Nggqoj32.exe Ndidbn32.exe File created C:\Windows\SysWOW64\Ogfilp32.dll Cfmajipb.exe File opened for modification C:\Windows\SysWOW64\Iejcji32.exe Iblfnn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11412 12404 WerFault.exe 663 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmjdjgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lljfpnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncfdie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjoheljj.dll" Pcagphom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmbcpkhj.dll" Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fljcmlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbjcolha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjddphlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjmgfgdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcddpdpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpebpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll" Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogkcpbam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkdpj32.dll" Gcddpdpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pqpnombl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clpgpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ickchq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Behbag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcmnpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgmngglp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojaelm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Klqcioba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aqppkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bganhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikbnacmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echmafdm.dll" Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bemlmgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqaij32.dll" Dllfkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbeqmoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmijbcpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njnpppkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higbhjml.dll" Qajadlja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eolpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Acqimo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjpckf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcjapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgempgqo.dll" Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll" Qqfmde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qnkdhpjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fljcmlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhjfhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgkjhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll" Qnhahj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojalgcnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Deagdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqfok32.dll" Ieolehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll" Klgqcqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgmngglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll" Lljfpnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll" Ngcgcjnc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3200 wrote to memory of 1672 3200 18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe 82 PID 3200 wrote to memory of 1672 3200 18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe 82 PID 3200 wrote to memory of 1672 3200 18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe 82 PID 1672 wrote to memory of 1336 1672 Mpmokb32.exe 83 PID 1672 wrote to memory of 1336 1672 Mpmokb32.exe 83 PID 1672 wrote to memory of 1336 1672 Mpmokb32.exe 83 PID 1336 wrote to memory of 4292 1336 Mkbchk32.exe 84 PID 1336 wrote to memory of 4292 1336 Mkbchk32.exe 84 PID 1336 wrote to memory of 4292 1336 Mkbchk32.exe 84 PID 4292 wrote to memory of 3492 4292 Mjeddggd.exe 85 PID 4292 wrote to memory of 3492 4292 Mjeddggd.exe 85 PID 4292 wrote to memory of 3492 4292 Mjeddggd.exe 85 PID 3492 wrote to memory of 876 3492 Mpolqa32.exe 86 PID 3492 wrote to memory of 876 3492 Mpolqa32.exe 86 PID 3492 wrote to memory of 876 3492 Mpolqa32.exe 86 PID 876 wrote to memory of 2976 876 Mcnhmm32.exe 87 PID 876 wrote to memory of 2976 876 Mcnhmm32.exe 87 PID 876 wrote to memory of 2976 876 Mcnhmm32.exe 87 PID 2976 wrote to memory of 1480 2976 Mkepnjng.exe 89 PID 2976 wrote to memory of 1480 2976 Mkepnjng.exe 89 PID 2976 wrote to memory of 1480 2976 Mkepnjng.exe 89 PID 1480 wrote to memory of 1864 1480 Mncmjfmk.exe 90 PID 1480 wrote to memory of 1864 1480 Mncmjfmk.exe 90 PID 1480 wrote to memory of 1864 1480 Mncmjfmk.exe 90 PID 1864 wrote to memory of 1680 1864 Mdmegp32.exe 91 PID 1864 wrote to memory of 1680 1864 Mdmegp32.exe 91 PID 1864 wrote to memory of 1680 1864 Mdmegp32.exe 91 PID 1680 wrote to memory of 4116 1680 Mglack32.exe 92 PID 1680 wrote to memory of 4116 1680 Mglack32.exe 92 PID 1680 wrote to memory of 4116 1680 Mglack32.exe 92 PID 4116 wrote to memory of 4916 4116 Mjjmog32.exe 93 PID 4116 wrote to memory of 4916 4116 Mjjmog32.exe 93 PID 4116 wrote to memory of 4916 4116 Mjjmog32.exe 93 PID 4916 wrote to memory of 2836 4916 Mdpalp32.exe 94 PID 4916 wrote to memory of 2836 4916 Mdpalp32.exe 94 PID 4916 wrote to memory of 2836 4916 Mdpalp32.exe 94 PID 2836 wrote to memory of 1576 2836 Njljefql.exe 95 PID 2836 wrote to memory of 1576 2836 Njljefql.exe 95 PID 2836 wrote to memory of 1576 2836 Njljefql.exe 95 PID 1576 wrote to memory of 4612 1576 Nacbfdao.exe 97 PID 1576 wrote to memory of 4612 1576 Nacbfdao.exe 97 PID 1576 wrote to memory of 4612 1576 Nacbfdao.exe 97 PID 4612 wrote to memory of 2956 4612 Ndbnboqb.exe 98 PID 4612 wrote to memory of 2956 4612 Ndbnboqb.exe 98 PID 4612 wrote to memory of 2956 4612 Ndbnboqb.exe 98 PID 2956 wrote to memory of 3328 2956 Ngpjnkpf.exe 99 PID 2956 wrote to memory of 3328 2956 Ngpjnkpf.exe 99 PID 2956 wrote to memory of 3328 2956 Ngpjnkpf.exe 99 PID 3328 wrote to memory of 4196 3328 Njogjfoj.exe 100 PID 3328 wrote to memory of 4196 3328 Njogjfoj.exe 100 PID 3328 wrote to memory of 4196 3328 Njogjfoj.exe 100 PID 4196 wrote to memory of 4512 4196 Nddkgonp.exe 101 PID 4196 wrote to memory of 4512 4196 Nddkgonp.exe 101 PID 4196 wrote to memory of 4512 4196 Nddkgonp.exe 101 PID 4512 wrote to memory of 2392 4512 Ngcgcjnc.exe 102 PID 4512 wrote to memory of 2392 4512 Ngcgcjnc.exe 102 PID 4512 wrote to memory of 2392 4512 Ngcgcjnc.exe 102 PID 2392 wrote to memory of 3548 2392 Njacpf32.exe 103 PID 2392 wrote to memory of 3548 2392 Njacpf32.exe 103 PID 2392 wrote to memory of 3548 2392 Njacpf32.exe 103 PID 3548 wrote to memory of 3248 3548 Ndghmo32.exe 104 PID 3548 wrote to memory of 3248 3548 Ndghmo32.exe 104 PID 3548 wrote to memory of 3248 3548 Ndghmo32.exe 104 PID 3248 wrote to memory of 2276 3248 Nkqpjidj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\18698c676bef4d5d72fbd95aad15b9b0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe23⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4548 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe25⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe27⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe28⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe29⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe30⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe31⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe34⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe35⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe36⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe37⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe38⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe39⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe40⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe42⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe44⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe45⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe46⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe48⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe50⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe51⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe53⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe55⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe57⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe59⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe60⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe61⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3300 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe64⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe65⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe66⤵
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe67⤵PID:1636
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe68⤵PID:1920
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe69⤵PID:4408
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe70⤵PID:976
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe71⤵PID:3980
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe72⤵PID:4952
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe73⤵PID:4660
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe74⤵PID:5056
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe75⤵PID:1176
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe76⤵PID:4724
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe77⤵PID:1644
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe78⤵PID:1376
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe79⤵PID:3244
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe80⤵PID:1100
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3560 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe82⤵PID:4596
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe83⤵PID:4188
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe84⤵PID:3052
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe85⤵PID:4576
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe86⤵PID:5128
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe87⤵PID:5172
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe88⤵PID:5224
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe89⤵PID:5268
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe90⤵PID:5312
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe91⤵PID:5352
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe92⤵
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe93⤵
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe94⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe95⤵PID:5532
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe96⤵PID:5576
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe97⤵PID:5620
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe98⤵PID:5664
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe99⤵PID:5708
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe100⤵PID:5752
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe101⤵PID:5796
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe103⤵
- Modifies registry class
PID:5876 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe104⤵PID:5924
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5964 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe106⤵PID:5996
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe107⤵PID:6052
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe108⤵PID:6096
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe109⤵PID:2424
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe110⤵PID:5200
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe111⤵PID:5288
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe112⤵
- Drops file in System32 directory
PID:5348 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe113⤵PID:5420
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe114⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe116⤵PID:5612
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe117⤵PID:5696
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5760 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe119⤵PID:5840
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe120⤵PID:5908
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:5980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-