Analysis
-
max time kernel
145s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19/05/2024, 21:49
Behavioral task
behavioral1
Sample
4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe
-
Size
565KB
-
MD5
4310fd316af8ba5aa9e87b00066e4540
-
SHA1
31de91b5570d4eff5d9c33bdabe0db8efe9b36d9
-
SHA256
a68f8f74c267f0c584c967bd1c40a8c09af3b9d128549b89bdb7b9442292f20a
-
SHA512
72f7c7c6373751d3d0c693dacd8eaf2fd9c0fcdae5bd87e8f1866f969c8cabc5d8bf3713405d68faa7d18cfea3c1cd9f0310246d2b60c8270522ea418c027ac8
-
SSDEEP
12288:+feydtuFjAh//+zrWAIAqWim/+zrWAI5KF8OX:+FtuFjAh/mvFimm09OX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckpjfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoiefmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkgeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnmbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmkiclm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paoollik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfealaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojanpej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnebd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgajfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdkhapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhfmdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clchbqoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejgch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcjep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpbon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eggmge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemgplno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggnedlao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhpoamf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfnphn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpglnhad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhafeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcioiood.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eemgplno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpeafcfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbkdkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echknh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmpiiai.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4260-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002328e-6.dat family_berbew behavioral2/memory/1744-8-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233f4-14.dat family_berbew behavioral2/memory/1620-16-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233f7-22.dat family_berbew behavioral2/memory/4856-24-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/2892-31-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233f9-30.dat family_berbew behavioral2/files/0x00070000000233fb-38.dat family_berbew behavioral2/memory/2844-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233fd-46.dat family_berbew behavioral2/memory/4868-48-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000233ff-54.dat family_berbew behavioral2/memory/4804-55-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023401-62.dat family_berbew behavioral2/memory/1200-63-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023403-70.dat family_berbew behavioral2/memory/2604-71-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023405-78.dat family_berbew behavioral2/memory/1520-80-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023407-86.dat family_berbew behavioral2/memory/4028-87-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023409-95.dat family_berbew behavioral2/memory/4792-96-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002340c-102.dat family_berbew behavioral2/memory/3224-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00090000000233f1-111.dat family_berbew behavioral2/memory/4536-112-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002340f-119.dat family_berbew behavioral2/memory/2612-123-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023411-126.dat family_berbew behavioral2/memory/2236-127-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023413-134.dat family_berbew behavioral2/memory/4588-140-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023417-144.dat family_berbew behavioral2/memory/1104-146-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023415-143.dat family_berbew behavioral2/files/0x0007000000023417-151.dat family_berbew behavioral2/memory/3384-152-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023419-158.dat family_berbew behavioral2/memory/5112-160-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341b-166.dat family_berbew behavioral2/memory/228-167-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341d-174.dat family_berbew behavioral2/memory/4644-176-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002341f-182.dat family_berbew behavioral2/memory/3624-184-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023421-190.dat family_berbew behavioral2/memory/4084-192-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023423-198.dat family_berbew behavioral2/memory/1528-200-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023425-201.dat family_berbew behavioral2/memory/552-212-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023427-214.dat family_berbew behavioral2/memory/2312-216-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0008000000023429-222.dat family_berbew behavioral2/memory/2024-223-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002342c-230.dat family_berbew behavioral2/memory/2060-232-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000700000002342e-238.dat family_berbew behavioral2/memory/2280-244-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0007000000023430-247.dat family_berbew behavioral2/memory/1696-248-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1744 Jidbflcj.exe 1620 Jpojcf32.exe 4856 Jdmcidam.exe 2892 Kpccnefa.exe 2844 Kkihknfg.exe 4868 Kpepcedo.exe 4804 Kkkdan32.exe 1200 Kdcijcke.exe 2604 Kgdbkohf.exe 1520 Kpmfddnf.exe 4028 Kgfoan32.exe 4792 Lcmofolg.exe 3224 Lkdggmlj.exe 4536 Lpappc32.exe 2612 Lcpllo32.exe 2236 Laalifad.exe 4588 Lklnhlfb.exe 1104 Laefdf32.exe 3384 Lddbqa32.exe 5112 Mgekbljc.exe 228 Mdiklqhm.exe 4644 Mdkhapfj.exe 3624 Mpaifalo.exe 4084 Maaepd32.exe 1528 Nkjjij32.exe 552 Nqfbaq32.exe 2312 Njogjfoj.exe 2024 Nbhkac32.exe 2060 Njcpee32.exe 2280 Nggqoj32.exe 1696 Njfmke32.exe 2000 Ndkahnhh.exe 4132 Ojhiqefo.exe 1972 Ocqnij32.exe 3240 Onfbfc32.exe 3288 Odpjcm32.exe 3724 Okjbpglo.exe 2344 Obdkma32.exe 1076 Odbgim32.exe 3872 Ojopad32.exe 3472 Obfhba32.exe 4652 Ogcpjhoq.exe 1980 Oqkdcn32.exe 2272 Odgqdlnj.exe 900 Pkaiqf32.exe 4636 Pbkamqmd.exe 4072 Pclneicb.exe 4820 Pkceffcd.exe 860 Pbmncp32.exe 4712 Pgjfkg32.exe 2388 Pjhbgb32.exe 3016 Pcagphom.exe 408 Pkhoae32.exe 4340 Pbbgnpgl.exe 3148 Pgopffec.exe 1404 Pagdol32.exe 1444 Qkmhlekj.exe 3484 Qbgqio32.exe 3152 Qchmagie.exe 4704 Qloebdig.exe 4596 Aegikj32.exe 3012 Alabgd32.exe 1496 Aejfpjne.exe 2220 Ahhblemi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Olgncmim.exe Oemefcap.exe File opened for modification C:\Windows\SysWOW64\Kpdboimg.exe Kijjbofj.exe File created C:\Windows\SysWOW64\Ngqpijkf.dll Cimmggfl.exe File created C:\Windows\SysWOW64\Cmmbbejp.exe Cjnffjkl.exe File opened for modification C:\Windows\SysWOW64\Lnmkfh32.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Npdopj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hejqldci.exe Process not Found File created C:\Windows\SysWOW64\Honcnp32.dll 4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Djqblj32.exe Dbjkkl32.exe File created C:\Windows\SysWOW64\Foolmeif.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oiknlagg.exe Ooejohhq.exe File created C:\Windows\SysWOW64\Bbekbm32.dll Lgcjdd32.exe File created C:\Windows\SysWOW64\Iemlnm32.dll Gbfldf32.exe File created C:\Windows\SysWOW64\Eiekog32.exe Process not Found File created C:\Windows\SysWOW64\Ejgcaq32.dll Agbkmijg.exe File created C:\Windows\SysWOW64\Doeiljfn.exe Demecd32.exe File created C:\Windows\SysWOW64\Ndokbi32.exe Mnebeogl.exe File created C:\Windows\SysWOW64\Ibcaknbi.exe Process not Found File created C:\Windows\SysWOW64\Kncaec32.exe Process not Found File created C:\Windows\SysWOW64\Jfqqddpi.dll Process not Found File created C:\Windows\SysWOW64\Alabgd32.exe Aegikj32.exe File created C:\Windows\SysWOW64\Iahgad32.exe Process not Found File created C:\Windows\SysWOW64\Dhbbhk32.dll Kpeiioac.exe File created C:\Windows\SysWOW64\Ogfilp32.dll Chjaol32.exe File opened for modification C:\Windows\SysWOW64\Elnoopdj.exe Efafgifc.exe File created C:\Windows\SysWOW64\Ieagmcmq.exe Process not Found File created C:\Windows\SysWOW64\Jnmljl32.dll Ahmlgd32.exe File opened for modification C:\Windows\SysWOW64\Oakbehfe.exe Process not Found File created C:\Windows\SysWOW64\Lqppgj32.dll Process not Found File created C:\Windows\SysWOW64\Faagecfk.dll Process not Found File created C:\Windows\SysWOW64\Kjqkei32.dll Ipnjab32.exe File opened for modification C:\Windows\SysWOW64\Lhdqnj32.exe Kbghfc32.exe File created C:\Windows\SysWOW64\Lblaabdp.exe Lpneegel.exe File created C:\Windows\SysWOW64\Flinkojm.exe Fikbocki.exe File created C:\Windows\SysWOW64\Klhhpnaf.dll Gdlfhj32.exe File created C:\Windows\SysWOW64\Konidd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aokkahlo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iicbehnq.exe Ifefimom.exe File created C:\Windows\SysWOW64\Hpaoan32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dgpeha32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pfjcgn32.exe Pclgkb32.exe File created C:\Windows\SysWOW64\Knegmo32.dll Ohlimd32.exe File created C:\Windows\SysWOW64\Knknhqjn.dll Dlieda32.exe File created C:\Windows\SysWOW64\Oogpjbbb.exe Olicnfco.exe File opened for modification C:\Windows\SysWOW64\Lmdina32.exe Lboeaifi.exe File created C:\Windows\SysWOW64\Gknkpjfb.exe Gphgbafl.exe File opened for modification C:\Windows\SysWOW64\Phincl32.exe Papfgbmg.exe File opened for modification C:\Windows\SysWOW64\Dfnbgc32.exe Dmennnni.exe File created C:\Windows\SysWOW64\Pqknpl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ajjokd32.exe Process not Found File created C:\Windows\SysWOW64\Ndmojj32.dll Process not Found File created C:\Windows\SysWOW64\Fjmfmh32.exe Process not Found File created C:\Windows\SysWOW64\Bpnihiio.exe Bmomlnjk.exe File created C:\Windows\SysWOW64\Hdokdg32.exe Hpcodihc.exe File created C:\Windows\SysWOW64\Llnnmhfe.exe Process not Found File created C:\Windows\SysWOW64\Lihfcm32.exe Lbnngbbn.exe File opened for modification C:\Windows\SysWOW64\Chqogq32.exe Cfbcke32.exe File created C:\Windows\SysWOW64\Aoofle32.exe Ajbmdn32.exe File created C:\Windows\SysWOW64\Akhkncql.dll Dflfac32.exe File opened for modification C:\Windows\SysWOW64\Jebfng32.exe Process not Found File created C:\Windows\SysWOW64\Lifjnm32.exe Lblaabdp.exe File created C:\Windows\SysWOW64\Ffhoqj32.dll Kebbafoj.exe File opened for modification C:\Windows\SysWOW64\Nklbmllg.exe Neoieenp.exe File opened for modification C:\Windows\SysWOW64\Jkimho32.exe Jlhljhbg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5484 5528 Process not Found 1591 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" Cjinkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mockmala.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalebkhm.dll" Lnbklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepohhai.dll" Kijjbofj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqfbaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahmlgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plpqil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll" Pdkcde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbblbdb.dll" Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjicq32.dll" Gfbploob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apoigbgj.dll" Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liabph32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hopnqdan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqlehck.dll" Helfik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jedeph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgmgqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll" Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdbiedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keojhkpc.dll" Gaogak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pabblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibqpk32.dll" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbnpqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll" Hopnqdan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkaopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmofagfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaelmc32.dll" Ajkhdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polcjq32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phaedfje.dll" Jlkagbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibcmom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kefkme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cqpbglno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdigjdia.dll" Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbqdpi32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmdqgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niniei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keajjc32.dll" Hoiafcic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdncmghi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpneegel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkmokh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bldgdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkaobnio.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4260 wrote to memory of 1744 4260 4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe 83 PID 4260 wrote to memory of 1744 4260 4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe 83 PID 4260 wrote to memory of 1744 4260 4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe 83 PID 1744 wrote to memory of 1620 1744 Jidbflcj.exe 84 PID 1744 wrote to memory of 1620 1744 Jidbflcj.exe 84 PID 1744 wrote to memory of 1620 1744 Jidbflcj.exe 84 PID 1620 wrote to memory of 4856 1620 Jpojcf32.exe 85 PID 1620 wrote to memory of 4856 1620 Jpojcf32.exe 85 PID 1620 wrote to memory of 4856 1620 Jpojcf32.exe 85 PID 4856 wrote to memory of 2892 4856 Jdmcidam.exe 86 PID 4856 wrote to memory of 2892 4856 Jdmcidam.exe 86 PID 4856 wrote to memory of 2892 4856 Jdmcidam.exe 86 PID 2892 wrote to memory of 2844 2892 Kpccnefa.exe 87 PID 2892 wrote to memory of 2844 2892 Kpccnefa.exe 87 PID 2892 wrote to memory of 2844 2892 Kpccnefa.exe 87 PID 2844 wrote to memory of 4868 2844 Kkihknfg.exe 88 PID 2844 wrote to memory of 4868 2844 Kkihknfg.exe 88 PID 2844 wrote to memory of 4868 2844 Kkihknfg.exe 88 PID 4868 wrote to memory of 4804 4868 Kpepcedo.exe 89 PID 4868 wrote to memory of 4804 4868 Kpepcedo.exe 89 PID 4868 wrote to memory of 4804 4868 Kpepcedo.exe 89 PID 4804 wrote to memory of 1200 4804 Kkkdan32.exe 91 PID 4804 wrote to memory of 1200 4804 Kkkdan32.exe 91 PID 4804 wrote to memory of 1200 4804 Kkkdan32.exe 91 PID 1200 wrote to memory of 2604 1200 Kdcijcke.exe 92 PID 1200 wrote to memory of 2604 1200 Kdcijcke.exe 92 PID 1200 wrote to memory of 2604 1200 Kdcijcke.exe 92 PID 2604 wrote to memory of 1520 2604 Kgdbkohf.exe 94 PID 2604 wrote to memory of 1520 2604 Kgdbkohf.exe 94 PID 2604 wrote to memory of 1520 2604 Kgdbkohf.exe 94 PID 1520 wrote to memory of 4028 1520 Kpmfddnf.exe 95 PID 1520 wrote to memory of 4028 1520 Kpmfddnf.exe 95 PID 1520 wrote to memory of 4028 1520 Kpmfddnf.exe 95 PID 4028 wrote to memory of 4792 4028 Kgfoan32.exe 96 PID 4028 wrote to memory of 4792 4028 Kgfoan32.exe 96 PID 4028 wrote to memory of 4792 4028 Kgfoan32.exe 96 PID 4792 wrote to memory of 3224 4792 Lcmofolg.exe 97 PID 4792 wrote to memory of 3224 4792 Lcmofolg.exe 97 PID 4792 wrote to memory of 3224 4792 Lcmofolg.exe 97 PID 3224 wrote to memory of 4536 3224 Lkdggmlj.exe 98 PID 3224 wrote to memory of 4536 3224 Lkdggmlj.exe 98 PID 3224 wrote to memory of 4536 3224 Lkdggmlj.exe 98 PID 4536 wrote to memory of 2612 4536 Lpappc32.exe 99 PID 4536 wrote to memory of 2612 4536 Lpappc32.exe 99 PID 4536 wrote to memory of 2612 4536 Lpappc32.exe 99 PID 2612 wrote to memory of 2236 2612 Lcpllo32.exe 100 PID 2612 wrote to memory of 2236 2612 Lcpllo32.exe 100 PID 2612 wrote to memory of 2236 2612 Lcpllo32.exe 100 PID 2236 wrote to memory of 4588 2236 Laalifad.exe 101 PID 2236 wrote to memory of 4588 2236 Laalifad.exe 101 PID 2236 wrote to memory of 4588 2236 Laalifad.exe 101 PID 4588 wrote to memory of 1104 4588 Lklnhlfb.exe 102 PID 4588 wrote to memory of 1104 4588 Lklnhlfb.exe 102 PID 4588 wrote to memory of 1104 4588 Lklnhlfb.exe 102 PID 1104 wrote to memory of 3384 1104 Laefdf32.exe 104 PID 1104 wrote to memory of 3384 1104 Laefdf32.exe 104 PID 1104 wrote to memory of 3384 1104 Laefdf32.exe 104 PID 3384 wrote to memory of 5112 3384 Lddbqa32.exe 105 PID 3384 wrote to memory of 5112 3384 Lddbqa32.exe 105 PID 3384 wrote to memory of 5112 3384 Lddbqa32.exe 105 PID 5112 wrote to memory of 228 5112 Mgekbljc.exe 106 PID 5112 wrote to memory of 228 5112 Mgekbljc.exe 106 PID 5112 wrote to memory of 228 5112 Mgekbljc.exe 106 PID 228 wrote to memory of 4644 228 Mdiklqhm.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4310fd316af8ba5aa9e87b00066e4540_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe25⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe26⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe28⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe29⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe30⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe31⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe32⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe33⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe34⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe35⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe37⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe38⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe39⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe40⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe41⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe42⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe43⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe44⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe45⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe46⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe47⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe48⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe49⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe50⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe51⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe52⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe53⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe54⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe55⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe56⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe57⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe58⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe59⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe60⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe61⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4596 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe63⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe64⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe65⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe66⤵PID:3180
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe67⤵PID:1300
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe68⤵PID:4168
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe69⤵PID:3668
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:3612 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe71⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe72⤵PID:1488
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe73⤵PID:636
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe74⤵PID:1168
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe75⤵PID:1968
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe76⤵PID:3360
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe77⤵PID:4432
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe78⤵PID:4876
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe79⤵PID:5124
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe80⤵PID:5168
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe81⤵PID:5208
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe82⤵PID:5256
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe83⤵PID:5300
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe84⤵
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe85⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe86⤵PID:5464
-
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe87⤵PID:5512
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe88⤵PID:5560
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe89⤵PID:5616
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe90⤵PID:5664
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe91⤵PID:5712
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe92⤵PID:5756
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe93⤵PID:5800
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe94⤵PID:5844
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe95⤵PID:5884
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe96⤵PID:5932
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe97⤵PID:5980
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6024 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe99⤵PID:6064
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe100⤵PID:6112
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe101⤵PID:4348
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe102⤵PID:5200
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe103⤵PID:5264
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe104⤵PID:5336
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe105⤵PID:5456
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe106⤵PID:5520
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe107⤵PID:5600
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe108⤵PID:5652
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe109⤵PID:5752
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe110⤵
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe111⤵PID:5876
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe112⤵PID:5940
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe113⤵PID:6012
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe114⤵PID:6092
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe115⤵PID:5136
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe116⤵PID:5224
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe117⤵PID:5388
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe118⤵PID:5508
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5660 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe120⤵PID:5740
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe121⤵PID:5868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-