Analysis
-
max time kernel
111s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-05-2024 05:42
Behavioral task
behavioral1
Sample
bbaf8cea908f231630239fd7a87b58d0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
bbaf8cea908f231630239fd7a87b58d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bbaf8cea908f231630239fd7a87b58d0_NeikiAnalytics.exe
-
Size
1.4MB
-
MD5
bbaf8cea908f231630239fd7a87b58d0
-
SHA1
0bbcaca71aa9a61a2242811cb9ba9764a8996853
-
SHA256
6fc27dacd462a381c8156dd9d316502a9e9303f2bc1cc4ecc24017a1aeff61ac
-
SHA512
940bcb69b2ccc77db72dc36642223abfe2195edcb6cada223302ff937bc4634fefdaeaa8b1ba768dcaf5bbe1a2d1809c39928fa1d696828e26dc62c54c2d2d71
-
SSDEEP
12288:MDBs4CzXjOYpV6yYPI3cpV6yYPeHCXwpnsKvNA+XTvZHWuEo3oWL5g:MjCzXjOYWHWIpsKv2EvZHp3oWNg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gejhef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnphoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abcgjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojalgcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odapnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdialn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bganhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjhoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnldla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogjmdigk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfhnaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dekhneap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdamgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iomoenej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cijpahho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfjcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abngjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pflibgil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgifbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpenfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfankifm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poomegpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqaffn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnahdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aelcfilb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odapnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgbhfbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imakkfdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceckcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojmcdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fehfljca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dannij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqgkhnjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olhlhjpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcelmhen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0008000000022f51-7.dat family_berbew behavioral2/files/0x0007000000023410-15.dat family_berbew behavioral2/files/0x0007000000023412-22.dat family_berbew behavioral2/files/0x0007000000023415-30.dat family_berbew behavioral2/files/0x0007000000023417-38.dat family_berbew behavioral2/files/0x0007000000023419-47.dat family_berbew behavioral2/files/0x000700000002341d-56.dat family_berbew behavioral2/files/0x000700000002341b-55.dat family_berbew behavioral2/files/0x000700000002341d-62.dat family_berbew behavioral2/files/0x000800000002340d-71.dat family_berbew behavioral2/files/0x0007000000023421-78.dat family_berbew behavioral2/files/0x0007000000023423-85.dat family_berbew behavioral2/files/0x0007000000023425-94.dat family_berbew behavioral2/files/0x0007000000023427-98.dat family_berbew behavioral2/files/0x0007000000023427-103.dat family_berbew behavioral2/files/0x000700000002342b-119.dat family_berbew behavioral2/files/0x0007000000023429-112.dat family_berbew behavioral2/files/0x000700000002342d-129.dat family_berbew behavioral2/files/0x000700000002342f-131.dat family_berbew behavioral2/files/0x0007000000023431-145.dat family_berbew behavioral2/files/0x0007000000023433-153.dat family_berbew behavioral2/files/0x0007000000023435-163.dat family_berbew behavioral2/files/0x0007000000023437-170.dat family_berbew behavioral2/files/0x000700000002343d-191.dat family_berbew behavioral2/files/0x000700000002343f-198.dat family_berbew behavioral2/files/0x0007000000023441-205.dat family_berbew behavioral2/files/0x0007000000023447-226.dat family_berbew behavioral2/files/0x000700000002344d-247.dat family_berbew behavioral2/files/0x000700000002344b-240.dat family_berbew behavioral2/files/0x0007000000023449-233.dat family_berbew behavioral2/files/0x0007000000023445-219.dat family_berbew behavioral2/files/0x0007000000023443-212.dat family_berbew behavioral2/files/0x000700000002343b-184.dat family_berbew behavioral2/files/0x0007000000023439-177.dat family_berbew behavioral2/files/0x00070000000234fb-781.dat family_berbew behavioral2/files/0x00070000000234ff-795.dat family_berbew behavioral2/files/0x0007000000023516-867.dat family_berbew behavioral2/files/0x0008000000023391-998.dat family_berbew behavioral2/files/0x0008000000023396-1010.dat family_berbew behavioral2/files/0x0007000000023548-1088.dat family_berbew behavioral2/files/0x0007000000023552-1122.dat family_berbew behavioral2/files/0x0007000000023561-1171.dat family_berbew behavioral2/files/0x000700000002356d-1213.dat family_berbew behavioral2/files/0x000700000002357a-1246.dat family_berbew behavioral2/files/0x0007000000023586-1297.dat family_berbew behavioral2/files/0x000700000002358a-1311.dat family_berbew behavioral2/files/0x000700000002358e-1325.dat family_berbew behavioral2/files/0x000700000002359b-1381.dat family_berbew behavioral2/files/0x00070000000235a7-1423.dat family_berbew behavioral2/files/0x00070000000235bb-1492.dat family_berbew behavioral2/files/0x00070000000235bf-1506.dat family_berbew behavioral2/files/0x00070000000235c7-1534.dat family_berbew behavioral2/files/0x00070000000235cb-1548.dat family_berbew behavioral2/files/0x00070000000235d3-1576.dat family_berbew behavioral2/files/0x00070000000235d9-1596.dat family_berbew behavioral2/files/0x00070000000235db-1604.dat family_berbew behavioral2/files/0x00070000000235e4-1631.dat family_berbew behavioral2/files/0x00070000000235ea-1651.dat family_berbew behavioral2/files/0x00070000000235ee-1664.dat family_berbew behavioral2/files/0x00070000000235f4-1685.dat family_berbew behavioral2/files/0x00070000000235fa-1705.dat family_berbew behavioral2/files/0x0007000000023606-1747.dat family_berbew behavioral2/files/0x000700000002360c-1769.dat family_berbew behavioral2/files/0x0007000000023616-1803.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4644 Hpbaqj32.exe 1300 Hfljmdjc.exe 4224 Hikfip32.exe 4204 Ipldfi32.exe 4596 Impepm32.exe 4844 Ibmmhdhm.exe 1712 Iannfk32.exe 4956 Icljbg32.exe 3040 Idacmfkj.exe 824 Iinlemia.exe 1532 Jpgdbg32.exe 4620 Jbfpobpb.exe 2444 Kgfoan32.exe 2664 Ldkojb32.exe 2140 Ldohebqh.exe 872 Lkiqbl32.exe 1780 Mgekbljc.exe 4828 Majopeii.exe 2080 Mdiklqhm.exe 3660 Mgghhlhq.exe 2156 Mnapdf32.exe 3156 Mamleegg.exe 1252 Mdkhapfj.exe 4988 Mgidml32.exe 556 Mjhqjg32.exe 3012 Mpaifalo.exe 5040 Mcpebmkb.exe 3404 Mjjmog32.exe 4384 Maaepd32.exe 2344 Mdpalp32.exe 5004 Nkjjij32.exe 3320 Nnhfee32.exe 3256 Nqfbaq32.exe 4456 Nceonl32.exe 2644 Nklfoi32.exe 3972 Nnjbke32.exe 4112 Nddkgonp.exe 3992 Ngcgcjnc.exe 1576 Njacpf32.exe 4976 Nbhkac32.exe 2052 Ncihikcg.exe 4660 Nkqpjidj.exe 2068 Nbkhfc32.exe 5028 Ndidbn32.exe 5036 Nggqoj32.exe 644 Nnaikd32.exe 3820 Ndkahnhh.exe 4060 Ogjmdigk.exe 4084 Ondeac32.exe 3520 Odnnnnfe.exe 2136 Ogljjiei.exe 4464 Ojjffddl.exe 4944 Obangb32.exe 4344 Occkojkm.exe 3908 Ojmcld32.exe 3784 Oqgkhnjf.exe 2964 Ogaceh32.exe 2204 Onklabip.exe 3016 Oqihnn32.exe 2284 Ogcpjhoq.exe 3744 Ojalgcnd.exe 1092 Obidhaog.exe 4460 Odgqdlnj.exe 3808 Pkaiqf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oiihahme.exe Oigllh32.exe File created C:\Windows\SysWOW64\Bildbk32.dll Ggnedlao.exe File created C:\Windows\SysWOW64\Ckeimm32.exe Cdlqqcnl.exe File created C:\Windows\SysWOW64\Holhmcgf.dll Process not Found File created C:\Windows\SysWOW64\Fehfljca.exe Fefjfked.exe File opened for modification C:\Windows\SysWOW64\Bcelmhen.exe Biogppeg.exe File created C:\Windows\SysWOW64\Gnmlhf32.exe Process not Found File created C:\Windows\SysWOW64\Dfokdq32.dll Hkpheidp.exe File created C:\Windows\SysWOW64\Opngmi32.dll Cjecpkcg.exe File opened for modification C:\Windows\SysWOW64\Cjecpkcg.exe Bopocbcq.exe File opened for modification C:\Windows\SysWOW64\Ngjbaj32.exe Napjdpcn.exe File opened for modification C:\Windows\SysWOW64\Nhpiafnm.exe Npedmdab.exe File created C:\Windows\SysWOW64\Codhnb32.exe Cijpahho.exe File opened for modification C:\Windows\SysWOW64\Lmbhgd32.exe Lkalplel.exe File created C:\Windows\SysWOW64\Ckjfdocc.dll Qfmfefni.exe File opened for modification C:\Windows\SysWOW64\Ldfoad32.exe Process not Found File created C:\Windows\SysWOW64\Okokppbk.dll Kefkme32.exe File opened for modification C:\Windows\SysWOW64\Mgimcebb.exe Mdjagjco.exe File created C:\Windows\SysWOW64\Flbolp32.dll Kfqgab32.exe File created C:\Windows\SysWOW64\Leilnmkp.dll Mfeeabda.exe File created C:\Windows\SysWOW64\Ieojgc32.exe Ilfennic.exe File created C:\Windows\SysWOW64\Iogopi32.exe Ieojgc32.exe File created C:\Windows\SysWOW64\Jlingkpe.dll Ndaggimg.exe File created C:\Windows\SysWOW64\Klinjgke.dll Ajpqnneo.exe File created C:\Windows\SysWOW64\Eojpkdah.dll Hnphoj32.exe File created C:\Windows\SysWOW64\Jidinqpb.exe Iamamcop.exe File created C:\Windows\SysWOW64\Kalcik32.exe Process not Found File created C:\Windows\SysWOW64\Qfbobf32.exe Qoifflkg.exe File opened for modification C:\Windows\SysWOW64\Polppg32.exe Plndcl32.exe File created C:\Windows\SysWOW64\Fneggdhg.exe Enbjad32.exe File opened for modification C:\Windows\SysWOW64\Jidinqpb.exe Iamamcop.exe File created C:\Windows\SysWOW64\Cnacjn32.dll Mdkhapfj.exe File opened for modification C:\Windows\SysWOW64\Fjmkoeqi.exe Fpggamqc.exe File opened for modification C:\Windows\SysWOW64\Ngndaccj.exe Nmipdk32.exe File created C:\Windows\SysWOW64\Eclhcj32.dll Process not Found File created C:\Windows\SysWOW64\Bjlpjm32.exe Boflmdkk.exe File opened for modification C:\Windows\SysWOW64\Bjpjel32.exe Bmlilh32.exe File created C:\Windows\SysWOW64\Biepfnpi.dll Ipihpkkd.exe File created C:\Windows\SysWOW64\Ckfaapfi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Epagkd32.exe Eigonjcj.exe File created C:\Windows\SysWOW64\Dpglbfpm.dll Meepdp32.exe File created C:\Windows\SysWOW64\Fhgbhfbe.exe Fehfljca.exe File created C:\Windows\SysWOW64\Keojhkpc.dll Foqkdp32.exe File created C:\Windows\SysWOW64\Pnhcelbo.dll Hghoeqmp.exe File opened for modification C:\Windows\SysWOW64\Kaehljpj.exe Knflpoqf.exe File opened for modification C:\Windows\SysWOW64\Cfnqklgh.exe Codhnb32.exe File created C:\Windows\SysWOW64\Gfqnichl.dll Bakgoh32.exe File created C:\Windows\SysWOW64\Njkoaebi.dll Oqgkhnjf.exe File opened for modification C:\Windows\SysWOW64\Bganhm32.exe Bmkjkd32.exe File created C:\Windows\SysWOW64\Blcnqjjo.dll Pfccogfc.exe File opened for modification C:\Windows\SysWOW64\Dkekjdck.exe Ddkbmj32.exe File opened for modification C:\Windows\SysWOW64\Klbnajqc.exe Keifdpif.exe File created C:\Windows\SysWOW64\Dgegjnih.dll Oanokhdb.exe File created C:\Windows\SysWOW64\Dinael32.exe Process not Found File created C:\Windows\SysWOW64\Hglppijc.dll Inomhbeq.exe File created C:\Windows\SysWOW64\Phedhmhi.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Jgbjbp32.exe Jjoiil32.exe File created C:\Windows\SysWOW64\Kdigadjo.exe Kmaopfjm.exe File opened for modification C:\Windows\SysWOW64\Jpenfp32.exe Jilfifme.exe File created C:\Windows\SysWOW64\Nfohgqlg.exe Npepkf32.exe File opened for modification C:\Windows\SysWOW64\Peqcjkfp.exe Pnfkma32.exe File created C:\Windows\SysWOW64\Himldi32.exe Hcpclbfa.exe File created C:\Windows\SysWOW64\Mpaflkim.dll Process not Found File created C:\Windows\SysWOW64\Mjijkmod.dll Nmnqjp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfjpgfm.dll" Efkphnbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll" Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" Olhlhjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpcfmkff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edogedqq.dll" Bidqko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blgifbil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlncan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgdokkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfokdq32.dll" Hkpheidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcleml32.dll" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mliapk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkiqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgldidg.dll" Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckcgkldl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpolbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Feocelll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggbook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll" Eokqkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dalchnkg.dll" Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjpndjd.dll" Acjjfggb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll" Ibmmhdhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjjmog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llcpoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Podmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll" Offnhpfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kocgbend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jopaaj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Foghnabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodeh32.dll" Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paplcg32.dll" Ejlbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppipkl32.dll" Gikkfqmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lajagj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbacd32.dll" Lepleocn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmfmmcbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qoifflkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmhinni.dll" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapolp32.dll" Dafbne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngqagcag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nddkgonp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfplpfib.dll" Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jeekkafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjliajmo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2476 wrote to memory of 4644 2476 bbaf8cea908f231630239fd7a87b58d0_NeikiAnalytics.exe 82 PID 2476 wrote to memory of 4644 2476 bbaf8cea908f231630239fd7a87b58d0_NeikiAnalytics.exe 82 PID 2476 wrote to memory of 4644 2476 bbaf8cea908f231630239fd7a87b58d0_NeikiAnalytics.exe 82 PID 4644 wrote to memory of 1300 4644 Hpbaqj32.exe 83 PID 4644 wrote to memory of 1300 4644 Hpbaqj32.exe 83 PID 4644 wrote to memory of 1300 4644 Hpbaqj32.exe 83 PID 1300 wrote to memory of 4224 1300 Hfljmdjc.exe 84 PID 1300 wrote to memory of 4224 1300 Hfljmdjc.exe 84 PID 1300 wrote to memory of 4224 1300 Hfljmdjc.exe 84 PID 4224 wrote to memory of 4204 4224 Hikfip32.exe 85 PID 4224 wrote to memory of 4204 4224 Hikfip32.exe 85 PID 4224 wrote to memory of 4204 4224 Hikfip32.exe 85 PID 4204 wrote to memory of 4596 4204 Ipldfi32.exe 86 PID 4204 wrote to memory of 4596 4204 Ipldfi32.exe 86 PID 4204 wrote to memory of 4596 4204 Ipldfi32.exe 86 PID 4596 wrote to memory of 4844 4596 Impepm32.exe 87 PID 4596 wrote to memory of 4844 4596 Impepm32.exe 87 PID 4596 wrote to memory of 4844 4596 Impepm32.exe 87 PID 4844 wrote to memory of 1712 4844 Ibmmhdhm.exe 88 PID 4844 wrote to memory of 1712 4844 Ibmmhdhm.exe 88 PID 4844 wrote to memory of 1712 4844 Ibmmhdhm.exe 88 PID 1712 wrote to memory of 4956 1712 Iannfk32.exe 90 PID 1712 wrote to memory of 4956 1712 Iannfk32.exe 90 PID 1712 wrote to memory of 4956 1712 Iannfk32.exe 90 PID 4956 wrote to memory of 3040 4956 Icljbg32.exe 92 PID 4956 wrote to memory of 3040 4956 Icljbg32.exe 92 PID 4956 wrote to memory of 3040 4956 Icljbg32.exe 92 PID 3040 wrote to memory of 824 3040 Idacmfkj.exe 93 PID 3040 wrote to memory of 824 3040 Idacmfkj.exe 93 PID 3040 wrote to memory of 824 3040 Idacmfkj.exe 93 PID 824 wrote to memory of 1532 824 Iinlemia.exe 94 PID 824 wrote to memory of 1532 824 Iinlemia.exe 94 PID 824 wrote to memory of 1532 824 Iinlemia.exe 94 PID 1532 wrote to memory of 4620 1532 Jpgdbg32.exe 95 PID 1532 wrote to memory of 4620 1532 Jpgdbg32.exe 95 PID 1532 wrote to memory of 4620 1532 Jpgdbg32.exe 95 PID 4620 wrote to memory of 2444 4620 Jbfpobpb.exe 97 PID 4620 wrote to memory of 2444 4620 Jbfpobpb.exe 97 PID 4620 wrote to memory of 2444 4620 Jbfpobpb.exe 97 PID 2444 wrote to memory of 2664 2444 Kgfoan32.exe 98 PID 2444 wrote to memory of 2664 2444 Kgfoan32.exe 98 PID 2444 wrote to memory of 2664 2444 Kgfoan32.exe 98 PID 2664 wrote to memory of 2140 2664 Ldkojb32.exe 99 PID 2664 wrote to memory of 2140 2664 Ldkojb32.exe 99 PID 2664 wrote to memory of 2140 2664 Ldkojb32.exe 99 PID 2140 wrote to memory of 872 2140 Ldohebqh.exe 100 PID 2140 wrote to memory of 872 2140 Ldohebqh.exe 100 PID 2140 wrote to memory of 872 2140 Ldohebqh.exe 100 PID 872 wrote to memory of 1780 872 Lkiqbl32.exe 101 PID 872 wrote to memory of 1780 872 Lkiqbl32.exe 101 PID 872 wrote to memory of 1780 872 Lkiqbl32.exe 101 PID 1780 wrote to memory of 4828 1780 Mgekbljc.exe 102 PID 1780 wrote to memory of 4828 1780 Mgekbljc.exe 102 PID 1780 wrote to memory of 4828 1780 Mgekbljc.exe 102 PID 4828 wrote to memory of 2080 4828 Majopeii.exe 103 PID 4828 wrote to memory of 2080 4828 Majopeii.exe 103 PID 4828 wrote to memory of 2080 4828 Majopeii.exe 103 PID 2080 wrote to memory of 3660 2080 Mdiklqhm.exe 104 PID 2080 wrote to memory of 3660 2080 Mdiklqhm.exe 104 PID 2080 wrote to memory of 3660 2080 Mdiklqhm.exe 104 PID 3660 wrote to memory of 2156 3660 Mgghhlhq.exe 105 PID 3660 wrote to memory of 2156 3660 Mgghhlhq.exe 105 PID 3660 wrote to memory of 2156 3660 Mgghhlhq.exe 105 PID 2156 wrote to memory of 3156 2156 Mnapdf32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbaf8cea908f231630239fd7a87b58d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\bbaf8cea908f231630239fd7a87b58d0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe23⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe25⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe26⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe27⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe28⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3404 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe30⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe31⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe32⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe33⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe34⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe35⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe36⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe37⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe39⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe40⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe41⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe42⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe43⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe44⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe45⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe46⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe47⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe48⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe51⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe52⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe53⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe54⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe55⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe56⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe58⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe60⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe61⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe63⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe64⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe65⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe66⤵PID:468
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe67⤵PID:3832
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe68⤵PID:1276
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe69⤵PID:1108
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe70⤵PID:3008
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe71⤵PID:1004
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe72⤵PID:1732
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe73⤵PID:3224
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe74⤵PID:3468
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe75⤵PID:4796
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe76⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe77⤵PID:5116
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe78⤵PID:1064
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe79⤵PID:1688
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe80⤵PID:1140
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe81⤵PID:1060
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe82⤵PID:3748
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe83⤵PID:2684
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe84⤵PID:5132
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe85⤵PID:5168
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe86⤵PID:5204
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe87⤵
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe88⤵PID:5276
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe89⤵PID:5312
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe90⤵PID:5348
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe91⤵PID:5384
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5420 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5456 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe94⤵PID:5492
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe95⤵PID:5528
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe96⤵PID:5564
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe97⤵PID:5604
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe98⤵PID:5636
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe99⤵PID:6000
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe100⤵PID:6032
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe101⤵PID:6068
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe102⤵PID:6104
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe103⤵PID:6140
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe104⤵PID:2448
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe105⤵PID:1540
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe106⤵PID:5156
-
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe107⤵PID:5224
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe108⤵PID:5272
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe109⤵PID:5332
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe110⤵PID:5380
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe111⤵PID:5416
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe112⤵PID:5468
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe113⤵PID:4896
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe114⤵PID:5552
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe115⤵PID:5596
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe116⤵PID:4360
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe117⤵PID:5732
-
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe118⤵PID:6056
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe119⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe120⤵PID:4024
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-