Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 13:15

Behavioral task: behavioral1
Sample: 533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed_NeikiAnalytics.exe
Resource: win10v2004-20240426-en

General
Target: 533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed_NeikiAnalytics.exe
Size: 94KB
MD5: 23b1faf9f73822e6390379aac93df350
SHA1: 9586a92cfc7d9a3df435a1baf67d9e240fde7b48
SHA256: 533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed
SHA512: cccf1828613c49095cf0440644d2011496ecbb51169ff5aa3e2b8efa7da69f99ccc844ea2d948da337902476cc8dfcc83f47bf9d6c3bd4679790168e81d89eeb
SSDEEP: 1536:nnlTe3enfpPoSh8bmpgAcUHW/WmLPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9rQJg:nxnAO4kQWmjH6KU90uGimj1ieybvrx

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoaihhlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hijooifk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ieolehop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aabmqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nafokcol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkihknfg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkikkeeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpaghf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eapedd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeiofcji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Demecd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qloebdig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Andgoobc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iikhfg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njefqo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgcknmop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beihma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcbiao32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcojed32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miifeq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbcilkjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmmocpjk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmbklj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Peljol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dccbbhld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdckfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehhgfdho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iikopmkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajneip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opakbi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifmcdblq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fllpbldb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flnlhk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flceckoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gokdeeec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmdkch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kknafn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdnjgmle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldaeka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkncdifl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peqcjkfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipnjab32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nebdoa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjjhbl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhajlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liggbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flnlhk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbfkbhpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cffdpghg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ficgacna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijfboafl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmnaakne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdkhapfj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Andgoobc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekemhj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fobiilai.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chghdqbf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edihepnm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eekaebcm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mplhql32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmefhako.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljnnch32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmlnbi32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

resource | yara_rule
behavioral2/memory/1636-4-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000023288-7.dat | family_berbew
behavioral2/memory/552-9-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/memory/1860-17-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002340d-16.dat | family_berbew
behavioral2/files/0x000700000002340f-23.dat | family_berbew
behavioral2/memory/4556-29-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023411-31.dat | family_berbew
behavioral2/memory/4888-37-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/memory/860-41-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023413-40.dat | family_berbew
behavioral2/files/0x0007000000023416-47.dat | family_berbew
behavioral2/memory/4692-49-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023418-55.dat | family_berbew
behavioral2/memory/2388-57-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/memory/4708-64-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002341a-63.dat | family_berbew
behavioral2/files/0x000700000002341c-71.dat | family_berbew
behavioral2/memory/4768-73-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002341e-79.dat | family_berbew
behavioral2/memory/4860-81-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023420-87.dat | family_berbew
behavioral2/memory/2636-89-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023422-90.dat | family_berbew
behavioral2/memory/3836-97-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023424-103.dat | family_berbew
behavioral2/memory/1968-105-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023426-111.dat | family_berbew
behavioral2/memory/3964-113-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023428-119.dat | family_berbew
behavioral2/memory/1932-124-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002342a-127.dat | family_berbew
behavioral2/memory/8-128-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002342c-135.dat | family_berbew
behavioral2/memory/4976-137-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002342e-143.dat | family_berbew
behavioral2/memory/1232-145-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023430-151.dat | family_berbew
behavioral2/memory/216-153-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023432-159.dat | family_berbew
behavioral2/memory/5096-161-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023434-167.dat | family_berbew
behavioral2/memory/4464-169-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023436-175.dat | family_berbew
behavioral2/memory/2396-177-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023438-183.dat | family_berbew
behavioral2/memory/2836-185-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002343a-191.dat | family_berbew
behavioral2/memory/4824-193-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002343c-199.dat | family_berbew
behavioral2/memory/2880-205-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000700000002343e-207.dat | family_berbew
behavioral2/memory/1988-208-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023440-215.dat | family_berbew
behavioral2/memory/4332-217-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x000800000002340a-223.dat | family_berbew
behavioral2/memory/1148-229-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023443-231.dat | family_berbew
behavioral2/memory/2200-233-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023445-239.dat | family_berbew
behavioral2/memory/4732-242-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023447-248.dat | family_berbew
behavioral2/memory/4508-249-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000023449-255.dat | family_berbew
Executes dropped EXE (64 IoCs)

pid | Process
552 | Elagacbk.exe
1860 | Ebnoikqb.exe
4556 | Efikji32.exe
4888 | Ehhgfdho.exe
860 | Eoapbo32.exe
4692 | Eflhoigi.exe
2388 | Ehjdldfl.exe
4708 | Eodlho32.exe
4768 | Ebbidj32.exe
4860 | Ehlaaddj.exe
2636 | Eqciba32.exe
3836 | Ecbenm32.exe
1968 | Ejlmkgkl.exe
3964 | Emjjgbjp.exe
1932 | Eoifcnid.exe
8 | Fbgbpihg.exe
4976 | Ffbnph32.exe
1232 | Fhajlc32.exe
216 | Fqhbmqqg.exe
5096 | Fcgoilpj.exe
4464 | Ficgacna.exe
2396 | Fomonm32.exe
2836 | Fbllkh32.exe
4824 | Fifdgblo.exe
2880 | Fopldmcl.exe
1988 | Fbnhphbp.exe
4332 | Fjepaecb.exe
1148 | Fobiilai.exe
2200 | Fbqefhpm.exe
4732 | Fjhmgeao.exe
4508 | Fmficqpc.exe
664 | Gcpapkgp.exe
5116 | Gbcakg32.exe
1012 | Gjjjle32.exe
464 | Gmhfhp32.exe
4684 | Gcbnejem.exe
4748 | Gfqjafdq.exe
4744 | Giofnacd.exe
4456 | Gmkbnp32.exe
3132 | Goiojk32.exe
5068 | Gbgkfg32.exe
3320 | Gfcgge32.exe
3988 | Gmmocpjk.exe
4160 | Gqikdn32.exe
1532 | Gbjhlfhb.exe
1696 | Gjapmdid.exe
220 | Gmoliohh.exe
4624 | Gqkhjn32.exe
3416 | Gcidfi32.exe
3616 | Gfhqbe32.exe
3984 | Gifmnpnl.exe
3700 | Gmaioo32.exe
4476 | Hboagf32.exe
5060 | Hfjmgdlf.exe
3200 | Hihicplj.exe
4412 | Hapaemll.exe
804 | Hcnnaikp.exe
4472 | Hfljmdjc.exe
3852 | Hmfbjnbp.exe
1632 | Hcqjfh32.exe
932 | Hfofbd32.exe
2060 | Himcoo32.exe
3396 | Hpgkkioa.exe
1100 | Hccglh32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Blbknaib.exe | Bdkcmdhp.exe
File created | C:\Windows\SysWOW64\Hppdbdbc.dll | Ojoign32.exe
File created | C:\Windows\SysWOW64\Omfnojog.dll | Jibeql32.exe
File created | C:\Windows\SysWOW64\Mpolqa32.exe | Mamleegg.exe
File created | C:\Windows\SysWOW64\Dlddhggk.dll | Nbkhfc32.exe
File opened for modification | C:\Windows\SysWOW64\Hiefcj32.exe | Gdjjckag.exe
File created | C:\Windows\SysWOW64\Fjegoh32.dll | Nnneknob.exe
File opened for modification | C:\Windows\SysWOW64\Cbcilkjg.exe | Cogmkl32.exe
File created | C:\Windows\SysWOW64\Linjpeof.dll | Eaklidoi.exe
File opened for modification | C:\Windows\SysWOW64\Fbgbpihg.exe | Eoifcnid.exe
File created | C:\Windows\SysWOW64\Nnjbke32.exe | Nceonl32.exe
File created | C:\Windows\SysWOW64\Oehldcbk.dll | Bblckl32.exe
File created | C:\Windows\SysWOW64\Mhciec32.dll | Ckpjfm32.exe
File opened for modification | C:\Windows\SysWOW64\Kdgljmcd.exe | Klqcioba.exe
File created | C:\Windows\SysWOW64\Nilhco32.dll | Jmbklj32.exe
File created | C:\Windows\SysWOW64\Lidmdfdo.dll | Lkgdml32.exe
File created | C:\Windows\SysWOW64\Flfmin32.dll | Mnlfigcc.exe
File created | C:\Windows\SysWOW64\Ojaelm32.exe | Ofeilobp.exe
File opened for modification | C:\Windows\SysWOW64\Ejlmkgkl.exe | Ecbenm32.exe
File created | C:\Windows\SysWOW64\Dofqcl32.dll | Fqhbmqqg.exe
File created | C:\Windows\SysWOW64\Gbcakg32.exe | Gcpapkgp.exe
File created | C:\Windows\SysWOW64\Ifoihl32.dll | Pqbdjfln.exe
File created | C:\Windows\SysWOW64\Anadoi32.exe | Afjlnk32.exe
File opened for modification | C:\Windows\SysWOW64\Hapaemll.exe | Hihicplj.exe
File created | C:\Windows\SysWOW64\Pbbgnpgl.exe | Pjkombfj.exe
File created | C:\Windows\SysWOW64\Mfilim32.dll | Pjeoglgc.exe
File created | C:\Windows\SysWOW64\Laapnj32.dll | Ickchq32.exe
File created | C:\Windows\SysWOW64\Jlineehd.dll | Lpnlpnih.exe
File opened for modification | C:\Windows\SysWOW64\Lkiqbl32.exe | Lcbiao32.exe
File opened for modification | C:\Windows\SysWOW64\Ogkcpbam.exe | Opakbi32.exe
File created | C:\Windows\SysWOW64\Fcgoilpj.exe | Fqhbmqqg.exe
File created | C:\Windows\SysWOW64\Hfachc32.exe | Hccglh32.exe
File created | C:\Windows\SysWOW64\Jibeql32.exe | Jfdida32.exe
File created | C:\Windows\SysWOW64\Dhbbhk32.dll | Kpeiioac.exe
File created | C:\Windows\SysWOW64\Ojllan32.exe | Ognpebpj.exe
File created | C:\Windows\SysWOW64\Nokpao32.dll | Dgbdlf32.exe
File created | C:\Windows\SysWOW64\Jbkjjblm.exe | Jdhine32.exe
File opened for modification | C:\Windows\SysWOW64\Bhikcb32.exe | Bejogg32.exe
File opened for modification | C:\Windows\SysWOW64\Hfifmnij.exe | Hbnjmp32.exe
File created | C:\Windows\SysWOW64\Hijooifk.exe | Hflcbngh.exe
File created | C:\Windows\SysWOW64\Anfmjhmd.exe | Afoeiklb.exe
File created | C:\Windows\SysWOW64\Agjbpg32.dll | Dmcibama.exe
File opened for modification | C:\Windows\SysWOW64\Ipckgh32.exe | Imdnklfp.exe
File created | C:\Windows\SysWOW64\Lihoogdd.dll | Ifmcdblq.exe
File opened for modification | C:\Windows\SysWOW64\Liggbi32.exe | Ldkojb32.exe
File created | C:\Windows\SysWOW64\Nbgngp32.dll | Ddmaok32.exe
File created | C:\Windows\SysWOW64\Odgqdlnj.exe | Okolkg32.exe
File created | C:\Windows\SysWOW64\Eabbjc32.exe | Eocenh32.exe
File created | C:\Windows\SysWOW64\Madnnmem.dll | Liddbc32.exe
File created | C:\Windows\SysWOW64\Ipnalhii.exe | Ijaida32.exe
File opened for modification | C:\Windows\SysWOW64\Gfcgge32.exe | Gbgkfg32.exe
File created | C:\Windows\SysWOW64\Bejkjg32.dll | Hfljmdjc.exe
File created | C:\Windows\SysWOW64\Mjmcmj32.dll | Peljol32.exe
File created | C:\Windows\SysWOW64\Hihbijhn.exe | Hfifmnij.exe
File opened for modification | C:\Windows\SysWOW64\Kmfmmcbo.exe | Kikame32.exe
File created | C:\Windows\SysWOW64\Dfdjmlhn.dll | Ognpebpj.exe
File created | C:\Windows\SysWOW64\Eocenh32.exe | Ekhjmiad.exe
File created | C:\Windows\SysWOW64\Njohbh32.dll | Ibjjhn32.exe
File created | C:\Windows\SysWOW64\Mlhbal32.exe | Miifeq32.exe
File opened for modification | C:\Windows\SysWOW64\Qnkdhpjn.exe | Qcepkg32.exe
File created | C:\Windows\SysWOW64\Dlgnafam.dll | Dhidjpqc.exe
File opened for modification | C:\Windows\SysWOW64\Hihbijhn.exe | Hfifmnij.exe
File created | C:\Windows\SysWOW64\Iikopmkd.exe | Ifmcdblq.exe
File created | C:\Windows\SysWOW64\Cagobalc.exe | Cmlcbbcj.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
13712 | 13528 | WerFault.exe | 712
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnlfigcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ojhiqefo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" | Ngdmod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ogkcpbam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceqnmpfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Edihepnm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngdmod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocnjidkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ibccic32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odpjcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ekemhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kebbafoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mdkhapfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienanm32.dll" | Cacmah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll" | Eeidoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjjhbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll" | Chmndlge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgejlhj.dll" | Blbknaib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hihbijhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmnldp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nljofl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnlhfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhkicgk.dll" | Gdcdbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Heapdjlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jioaqfcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gfhqbe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klgqcqkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbjcolha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qmmnjfnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjapmdid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll" | Mjqjih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Heapdjlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jmpgldhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfbfnl.dll" | Bjghpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckcgkldl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcojed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbiaapdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Klljnp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cmgjgcgo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibmmhdhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eaklidoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eoolbinc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbbmf32.dll" | Anpncp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfmkjoa.dll" | Gdjjckag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Beglgani.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dddhpjof.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hapaemll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmjhgem.dll" | Pbmncp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qnkdhpjn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chokikeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejfpelg.dll" | Hbnjmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmcojh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlhbal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cogmkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Faihkbci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll" | Llemdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kedoge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" | Bmpcfdmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iinlemia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blfdia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Accfbokl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aeopki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhciec32.dll" | Ckpjfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" | Cjkjpgfi.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1636 wrote to memory of 552 | 1636 | 533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed_NeikiAnalytics.exe | 82
PID 1636 wrote to memory of 552 | 1636 | 533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed_NeikiAnalytics.exe | 82
PID 1636 wrote to memory of 552 | 1636 | 533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed_NeikiAnalytics.exe | 82
PID 552 wrote to memory of 1860 | 552 | Elagacbk.exe | 83
PID 552 wrote to memory of 1860 | 552 | Elagacbk.exe | 83
PID 552 wrote to memory of 1860 | 552 | Elagacbk.exe | 83
PID 1860 wrote to memory of 4556 | 1860 | Ebnoikqb.exe | 84
PID 1860 wrote to memory of 4556 | 1860 | Ebnoikqb.exe | 84
PID 1860 wrote to memory of 4556 | 1860 | Ebnoikqb.exe | 84
PID 4556 wrote to memory of 4888 | 4556 | Efikji32.exe | 85
PID 4556 wrote to memory of 4888 | 4556 | Efikji32.exe | 85
PID 4556 wrote to memory of 4888 | 4556 | Efikji32.exe | 85
PID 4888 wrote to memory of 860 | 4888 | Ehhgfdho.exe | 86
PID 4888 wrote to memory of 860 | 4888 | Ehhgfdho.exe | 86
PID 4888 wrote to memory of 860 | 4888 | Ehhgfdho.exe | 86
PID 860 wrote to memory of 4692 | 860 | Eoapbo32.exe | 87
PID 860 wrote to memory of 4692 | 860 | Eoapbo32.exe | 87
PID 860 wrote to memory of 4692 | 860 | Eoapbo32.exe | 87
PID 4692 wrote to memory of 2388 | 4692 | Eflhoigi.exe | 88
PID 4692 wrote to memory of 2388 | 4692 | Eflhoigi.exe | 88
PID 4692 wrote to memory of 2388 | 4692 | Eflhoigi.exe | 88
PID 2388 wrote to memory of 4708 | 2388 | Ehjdldfl.exe | 89
PID 2388 wrote to memory of 4708 | 2388 | Ehjdldfl.exe | 89
PID 2388 wrote to memory of 4708 | 2388 | Ehjdldfl.exe | 89
PID 4708 wrote to memory of 4768 | 4708 | Eodlho32.exe | 90
PID 4708 wrote to memory of 4768 | 4708 | Eodlho32.exe | 90
PID 4708 wrote to memory of 4768 | 4708 | Eodlho32.exe | 90
PID 4768 wrote to memory of 4860 | 4768 | Ebbidj32.exe | 91
PID 4768 wrote to memory of 4860 | 4768 | Ebbidj32.exe | 91
PID 4768 wrote to memory of 4860 | 4768 | Ebbidj32.exe | 91
PID 4860 wrote to memory of 2636 | 4860 | Ehlaaddj.exe | 92
PID 4860 wrote to memory of 2636 | 4860 | Ehlaaddj.exe | 92
PID 4860 wrote to memory of 2636 | 4860 | Ehlaaddj.exe | 92
PID 2636 wrote to memory of 3836 | 2636 | Eqciba32.exe | 93
PID 2636 wrote to memory of 3836 | 2636 | Eqciba32.exe | 93
PID 2636 wrote to memory of 3836 | 2636 | Eqciba32.exe | 93
PID 3836 wrote to memory of 1968 | 3836 | Ecbenm32.exe | 94
PID 3836 wrote to memory of 1968 | 3836 | Ecbenm32.exe | 94
PID 3836 wrote to memory of 1968 | 3836 | Ecbenm32.exe | 94
PID 1968 wrote to memory of 3964 | 1968 | Ejlmkgkl.exe | 95
PID 1968 wrote to memory of 3964 | 1968 | Ejlmkgkl.exe | 95
PID 1968 wrote to memory of 3964 | 1968 | Ejlmkgkl.exe | 95
PID 3964 wrote to memory of 1932 | 3964 | Emjjgbjp.exe | 96
PID 3964 wrote to memory of 1932 | 3964 | Emjjgbjp.exe | 96
PID 3964 wrote to memory of 1932 | 3964 | Emjjgbjp.exe | 96
PID 1932 wrote to memory of 8 | 1932 | Eoifcnid.exe | 97
PID 1932 wrote to memory of 8 | 1932 | Eoifcnid.exe | 97
PID 1932 wrote to memory of 8 | 1932 | Eoifcnid.exe | 97
PID 8 wrote to memory of 4976 | 8 | Fbgbpihg.exe | 99
PID 8 wrote to memory of 4976 | 8 | Fbgbpihg.exe | 99
PID 8 wrote to memory of 4976 | 8 | Fbgbpihg.exe | 99
PID 4976 wrote to memory of 1232 | 4976 | Ffbnph32.exe | 100
PID 4976 wrote to memory of 1232 | 4976 | Ffbnph32.exe | 100
PID 4976 wrote to memory of 1232 | 4976 | Ffbnph32.exe | 100
PID 1232 wrote to memory of 216 | 1232 | Fhajlc32.exe | 101
PID 1232 wrote to memory of 216 | 1232 | Fhajlc32.exe | 101
PID 1232 wrote to memory of 216 | 1232 | Fhajlc32.exe | 101
PID 216 wrote to memory of 5096 | 216 | Fqhbmqqg.exe | 102
PID 216 wrote to memory of 5096 | 216 | Fqhbmqqg.exe | 102
PID 216 wrote to memory of 5096 | 216 | Fqhbmqqg.exe | 102
PID 5096 wrote to memory of 4464 | 5096 | Fcgoilpj.exe | 103
PID 5096 wrote to memory of 4464 | 5096 | Fcgoilpj.exe | 103
PID 5096 wrote to memory of 4464 | 5096 | Fcgoilpj.exe | 103
PID 4464 wrote to memory of 2396 | 4464 | Ficgacna.exe | 105
Processes
Depth 1 is the submitted sample; an entry at depth N is the child of the entry at depth N-1, so the tree is a single chain with one child per process. Each entry gives the PID, the image path, the command line as the sandbox recorded it, and the signatures that fired for that process. The dropped executables sit in C:\Windows\SysWOW64 while their command lines name C:\Windows\system32; that is the normal WOW64 file-system redirection for a 32-bit process on 64-bit Windows, not two different files.

  1  PID 1636  C:\Users\Admin\AppData\Local\Temp\533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed_NeikiAnalytics.exe
     cmdline "C:\Users\Admin\AppData\Local\Temp\533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed_NeikiAnalytics.exe"
     Suspicious use of WriteProcessMemory
  2  PID 552   C:\Windows\SysWOW64\Elagacbk.exe  (cmdline C:\Windows\system32\Elagacbk.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
  3  PID 1860  C:\Windows\SysWOW64\Ebnoikqb.exe  (cmdline C:\Windows\system32\Ebnoikqb.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
  4  PID 4556  C:\Windows\SysWOW64\Efikji32.exe  (cmdline C:\Windows\system32\Efikji32.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
  5  PID 4888  C:\Windows\SysWOW64\Ehhgfdho.exe  (cmdline C:\Windows\system32\Ehhgfdho.exe)
     Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
  6  PID 860   C:\Windows\SysWOW64\Eoapbo32.exe  (cmdline C:\Windows\system32\Eoapbo32.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
  7  PID 4692  C:\Windows\SysWOW64\Eflhoigi.exe  (cmdline C:\Windows\system32\Eflhoigi.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
  8  PID 2388  C:\Windows\SysWOW64\Ehjdldfl.exe  (cmdline C:\Windows\system32\Ehjdldfl.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
  9  PID 4708  C:\Windows\SysWOW64\Eodlho32.exe  (cmdline C:\Windows\system32\Eodlho32.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 10  PID 4768  C:\Windows\SysWOW64\Ebbidj32.exe  (cmdline C:\Windows\system32\Ebbidj32.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 11  PID 4860  C:\Windows\SysWOW64\Ehlaaddj.exe  (cmdline C:\Windows\system32\Ehlaaddj.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 12  PID 2636  C:\Windows\SysWOW64\Eqciba32.exe  (cmdline C:\Windows\system32\Eqciba32.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 13  PID 3836  C:\Windows\SysWOW64\Ecbenm32.exe  (cmdline C:\Windows\system32\Ecbenm32.exe)
     Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
 14  PID 1968  C:\Windows\SysWOW64\Ejlmkgkl.exe  (cmdline C:\Windows\system32\Ejlmkgkl.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 15  PID 3964  C:\Windows\SysWOW64\Emjjgbjp.exe  (cmdline C:\Windows\system32\Emjjgbjp.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 16  PID 1932  C:\Windows\SysWOW64\Eoifcnid.exe  (cmdline C:\Windows\system32\Eoifcnid.exe)
     Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
 17  PID 8     C:\Windows\SysWOW64\Fbgbpihg.exe  (cmdline C:\Windows\system32\Fbgbpihg.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 18  PID 4976  C:\Windows\SysWOW64\Ffbnph32.exe  (cmdline C:\Windows\system32\Ffbnph32.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 19  PID 1232  C:\Windows\SysWOW64\Fhajlc32.exe  (cmdline C:\Windows\system32\Fhajlc32.exe)
     Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
 20  PID 216   C:\Windows\SysWOW64\Fqhbmqqg.exe  (cmdline C:\Windows\system32\Fqhbmqqg.exe)
     Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
 21  PID 5096  C:\Windows\SysWOW64\Fcgoilpj.exe  (cmdline C:\Windows\system32\Fcgoilpj.exe)
     Executes dropped EXE; Suspicious use of WriteProcessMemory
 22  PID 4464  C:\Windows\SysWOW64\Ficgacna.exe  (cmdline C:\Windows\system32\Ficgacna.exe)
     Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
 23  PID 2396  C:\Windows\SysWOW64\Fomonm32.exe  (cmdline C:\Windows\system32\Fomonm32.exe)
     Executes dropped EXE
 24  PID 2836  C:\Windows\SysWOW64\Fbllkh32.exe  (cmdline C:\Windows\system32\Fbllkh32.exe)
     Executes dropped EXE
 25  PID 4824  C:\Windows\SysWOW64\Fifdgblo.exe  (cmdline C:\Windows\system32\Fifdgblo.exe)
     Executes dropped EXE
 26  PID 2880  C:\Windows\SysWOW64\Fopldmcl.exe  (cmdline C:\Windows\system32\Fopldmcl.exe)
     Executes dropped EXE
 27  PID 1988  C:\Windows\SysWOW64\Fbnhphbp.exe  (cmdline C:\Windows\system32\Fbnhphbp.exe)
     Executes dropped EXE
 28  PID 4332  C:\Windows\SysWOW64\Fjepaecb.exe  (cmdline C:\Windows\system32\Fjepaecb.exe)
     Executes dropped EXE
 29  PID 1148  C:\Windows\SysWOW64\Fobiilai.exe  (cmdline C:\Windows\system32\Fobiilai.exe)
     Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 30  PID 2200  C:\Windows\SysWOW64\Fbqefhpm.exe  (cmdline C:\Windows\system32\Fbqefhpm.exe)
     Executes dropped EXE
 31  PID 4732  C:\Windows\SysWOW64\Fjhmgeao.exe  (cmdline C:\Windows\system32\Fjhmgeao.exe)
     Executes dropped EXE
 32  PID 4508  C:\Windows\SysWOW64\Fmficqpc.exe  (cmdline C:\Windows\system32\Fmficqpc.exe)
     Executes dropped EXE
 33  PID 664   C:\Windows\SysWOW64\Gcpapkgp.exe  (cmdline C:\Windows\system32\Gcpapkgp.exe)
     Executes dropped EXE; Drops file in System32 directory
 34  PID 5116  C:\Windows\SysWOW64\Gbcakg32.exe  (cmdline C:\Windows\system32\Gbcakg32.exe)
     Executes dropped EXE
 35  PID 1012  C:\Windows\SysWOW64\Gjjjle32.exe  (cmdline C:\Windows\system32\Gjjjle32.exe)
     Executes dropped EXE
 36  PID 464   C:\Windows\SysWOW64\Gmhfhp32.exe  (cmdline C:\Windows\system32\Gmhfhp32.exe)
     Executes dropped EXE
 37  PID 4684  C:\Windows\SysWOW64\Gcbnejem.exe  (cmdline C:\Windows\system32\Gcbnejem.exe)
     Executes dropped EXE
 38  PID 4748  C:\Windows\SysWOW64\Gfqjafdq.exe  (cmdline C:\Windows\system32\Gfqjafdq.exe)
     Executes dropped EXE
 39  PID 4744  C:\Windows\SysWOW64\Giofnacd.exe  (cmdline C:\Windows\system32\Giofnacd.exe)
     Executes dropped EXE
 40  PID 4456  C:\Windows\SysWOW64\Gmkbnp32.exe  (cmdline C:\Windows\system32\Gmkbnp32.exe)
     Executes dropped EXE
 41  PID 3132  C:\Windows\SysWOW64\Goiojk32.exe  (cmdline C:\Windows\system32\Goiojk32.exe)
     Executes dropped EXE
 42  PID 5068  C:\Windows\SysWOW64\Gbgkfg32.exe  (cmdline C:\Windows\system32\Gbgkfg32.exe)
     Executes dropped EXE; Drops file in System32 directory
 43  PID 3320  C:\Windows\SysWOW64\Gfcgge32.exe  (cmdline C:\Windows\system32\Gfcgge32.exe)
     Executes dropped EXE
 44  PID 3988  C:\Windows\SysWOW64\Gmmocpjk.exe  (cmdline C:\Windows\system32\Gmmocpjk.exe)
     Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
 45  PID 4160  C:\Windows\SysWOW64\Gqikdn32.exe  (cmdline C:\Windows\system32\Gqikdn32.exe)
     Executes dropped EXE
 46  PID 1532  C:\Windows\SysWOW64\Gbjhlfhb.exe  (cmdline C:\Windows\system32\Gbjhlfhb.exe)
     Executes dropped EXE
 47  PID 1696  C:\Windows\SysWOW64\Gjapmdid.exe  (cmdline C:\Windows\system32\Gjapmdid.exe)
     Executes dropped EXE; Modifies registry class
 48  PID 220   C:\Windows\SysWOW64\Gmoliohh.exe  (cmdline C:\Windows\system32\Gmoliohh.exe)
     Executes dropped EXE
 49  PID 4624  C:\Windows\SysWOW64\Gqkhjn32.exe  (cmdline C:\Windows\system32\Gqkhjn32.exe)
     Executes dropped EXE
 50  PID 3416  C:\Windows\SysWOW64\Gcidfi32.exe  (cmdline C:\Windows\system32\Gcidfi32.exe)
     Executes dropped EXE
 51  PID 3616  C:\Windows\SysWOW64\Gfhqbe32.exe  (cmdline C:\Windows\system32\Gfhqbe32.exe)
     Executes dropped EXE; Modifies registry class
 52  PID 3984  C:\Windows\SysWOW64\Gifmnpnl.exe  (cmdline C:\Windows\system32\Gifmnpnl.exe)
     Executes dropped EXE
 53  PID 3700  C:\Windows\SysWOW64\Gmaioo32.exe  (cmdline C:\Windows\system32\Gmaioo32.exe)
     Executes dropped EXE
 54  PID 4476  C:\Windows\SysWOW64\Hboagf32.exe  (cmdline C:\Windows\system32\Hboagf32.exe)
     Executes dropped EXE
 55  PID 5060  C:\Windows\SysWOW64\Hfjmgdlf.exe  (cmdline C:\Windows\system32\Hfjmgdlf.exe)
     Executes dropped EXE
 56  PID 3200  C:\Windows\SysWOW64\Hihicplj.exe  (cmdline C:\Windows\system32\Hihicplj.exe)
     Executes dropped EXE; Drops file in System32 directory
 57  PID 4412  C:\Windows\SysWOW64\Hapaemll.exe  (cmdline C:\Windows\system32\Hapaemll.exe)
     Executes dropped EXE; Modifies registry class
 58  PID 804   C:\Windows\SysWOW64\Hcnnaikp.exe  (cmdline C:\Windows\system32\Hcnnaikp.exe)
     Executes dropped EXE
 59  PID 4472  C:\Windows\SysWOW64\Hfljmdjc.exe  (cmdline C:\Windows\system32\Hfljmdjc.exe)
     Executes dropped EXE; Drops file in System32 directory
 60  PID 3852  C:\Windows\SysWOW64\Hmfbjnbp.exe  (cmdline C:\Windows\system32\Hmfbjnbp.exe)
     Executes dropped EXE
 61  PID 1632  C:\Windows\SysWOW64\Hcqjfh32.exe  (cmdline C:\Windows\system32\Hcqjfh32.exe)
     Executes dropped EXE
 62  PID 932   C:\Windows\SysWOW64\Hfofbd32.exe  (cmdline C:\Windows\system32\Hfofbd32.exe)
     Executes dropped EXE
 63  PID 2060  C:\Windows\SysWOW64\Himcoo32.exe  (cmdline C:\Windows\system32\Himcoo32.exe)
     Executes dropped EXE
 64  PID 3396  C:\Windows\SysWOW64\Hpgkkioa.exe  (cmdline C:\Windows\system32\Hpgkkioa.exe)
     Executes dropped EXE
 65  PID 1100  C:\Windows\SysWOW64\Hccglh32.exe  (cmdline C:\Windows\system32\Hccglh32.exe)
     Executes dropped EXE; Drops file in System32 directory
 66  PID 2212  C:\Windows\SysWOW64\Hfachc32.exe  (cmdline C:\Windows\system32\Hfachc32.exe)
 67  PID 3152  C:\Windows\SysWOW64\Hippdo32.exe  (cmdline C:\Windows\system32\Hippdo32.exe)
 68  PID 4760  C:\Windows\SysWOW64\Haggelfd.exe  (cmdline C:\Windows\system32\Haggelfd.exe)
 69  PID 1036  C:\Windows\SysWOW64\Hcedaheh.exe  (cmdline C:\Windows\system32\Hcedaheh.exe)
 70  PID 540   C:\Windows\SysWOW64\Hibljoco.exe  (cmdline C:\Windows\system32\Hibljoco.exe)
 71  PID 4064  C:\Windows\SysWOW64\Hmmhjm32.exe  (cmdline C:\Windows\system32\Hmmhjm32.exe)
 72  PID 1340  C:\Windows\SysWOW64\Haidklda.exe  (cmdline C:\Windows\system32\Haidklda.exe)
 73  PID 3496  C:\Windows\SysWOW64\Icgqggce.exe  (cmdline C:\Windows\system32\Icgqggce.exe)
 74  PID 1960  C:\Windows\SysWOW64\Ijaida32.exe  (cmdline C:\Windows\system32\Ijaida32.exe)
     Drops file in System32 directory
 75  PID 4728  C:\Windows\SysWOW64\Ipnalhii.exe  (cmdline C:\Windows\system32\Ipnalhii.exe)
 76  PID 2116  C:\Windows\SysWOW64\Ibmmhdhm.exe  (cmdline C:\Windows\system32\Ibmmhdhm.exe)
     Modifies registry class
 77  PID 4740  C:\Windows\SysWOW64\Iiffen32.exe  (cmdline C:\Windows\system32\Iiffen32.exe)
 78  PID 3228  C:\Windows\SysWOW64\Iannfk32.exe  (cmdline C:\Windows\system32\Iannfk32.exe)
 79  PID 3880  C:\Windows\SysWOW64\Icljbg32.exe  (cmdline C:\Windows\system32\Icljbg32.exe)
 80  PID 4268  C:\Windows\SysWOW64\Ijfboafl.exe  (cmdline C:\Windows\system32\Ijfboafl.exe)
     Adds autorun key to be loaded by Explorer.exe on startup
 81  PID 3136  C:\Windows\SysWOW64\Imdnklfp.exe  (cmdline C:\Windows\system32\Imdnklfp.exe)
     Drops file in System32 directory
 82  PID 3588  C:\Windows\SysWOW64\Ipckgh32.exe  (cmdline C:\Windows\system32\Ipckgh32.exe)
 83  PID 4176  C:\Windows\SysWOW64\Ifmcdblq.exe  (cmdline C:\Windows\system32\Ifmcdblq.exe)
     Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
 84  PID 4428  C:\Windows\SysWOW64\Iikopmkd.exe  (cmdline C:\Windows\system32\Iikopmkd.exe)
     Adds autorun key to be loaded by Explorer.exe on startup
 85  PID 1528  C:\Windows\SysWOW64\Iabgaklg.exe  (cmdline C:\Windows\system32\Iabgaklg.exe)
 86  PID 3116  C:\Windows\SysWOW64\Ipegmg32.exe  (cmdline C:\Windows\system32\Ipegmg32.exe)
 87  PID 2596  C:\Windows\SysWOW64\Ibccic32.exe  (cmdline C:\Windows\system32\Ibccic32.exe)
     Modifies registry class
 88  PID 4776  C:\Windows\SysWOW64\Iinlemia.exe  (cmdline C:\Windows\system32\Iinlemia.exe)
     Modifies registry class
 89  PID 3660  C:\Windows\SysWOW64\Jdcpcf32.exe  (cmdline C:\Windows\system32\Jdcpcf32.exe)
 90  PID 1056  C:\Windows\SysWOW64\Jfaloa32.exe  (cmdline C:\Windows\system32\Jfaloa32.exe)
 91  PID 4900  C:\Windows\SysWOW64\Jiphkm32.exe  (cmdline C:\Windows\system32\Jiphkm32.exe)
 92  PID 4596  C:\Windows\SysWOW64\Jmkdlkph.exe  (cmdline C:\Windows\system32\Jmkdlkph.exe)
 93  PID 2404  C:\Windows\SysWOW64\Jpjqhgol.exe  (cmdline C:\Windows\system32\Jpjqhgol.exe)
 94  PID 2400  C:\Windows\SysWOW64\Jbhmdbnp.exe  (cmdline C:\Windows\system32\Jbhmdbnp.exe)
 95  PID 5132  C:\Windows\SysWOW64\Jfdida32.exe  (cmdline C:\Windows\system32\Jfdida32.exe)
     Drops file in System32 directory
 96  PID 5176  C:\Windows\SysWOW64\Jibeql32.exe  (cmdline C:\Windows\system32\Jibeql32.exe)
     Drops file in System32 directory
 97  PID 5220  C:\Windows\SysWOW64\Jmnaakne.exe  (cmdline C:\Windows\system32\Jmnaakne.exe)
     Adds autorun key to be loaded by Explorer.exe on startup
 98  PID 5260  C:\Windows\SysWOW64\Jaimbj32.exe  (cmdline C:\Windows\system32\Jaimbj32.exe)
 99  PID 5308  C:\Windows\SysWOW64\Jdhine32.exe  (cmdline C:\Windows\system32\Jdhine32.exe)
     Drops file in System32 directory
100  PID 5352  C:\Windows\SysWOW64\Jbkjjblm.exe  (cmdline C:\Windows\system32\Jbkjjblm.exe)
101  PID 5392  C:\Windows\SysWOW64\Jfffjqdf.exe  (cmdline C:\Windows\system32\Jfffjqdf.exe)
102  PID 5436  C:\Windows\SysWOW64\Jidbflcj.exe  (cmdline C:\Windows\system32\Jidbflcj.exe)
103  PID 5476  C:\Windows\SysWOW64\Jmpngk32.exe  (cmdline C:\Windows\system32\Jmpngk32.exe)
104  PID 5528  C:\Windows\SysWOW64\Jpojcf32.exe  (cmdline C:\Windows\system32\Jpojcf32.exe)
105  PID 5564  C:\Windows\SysWOW64\Jdjfcecp.exe  (cmdline C:\Windows\system32\Jdjfcecp.exe)
106  PID 5616  C:\Windows\SysWOW64\Jbmfoa32.exe  (cmdline C:\Windows\system32\Jbmfoa32.exe)
107  PID 5656  C:\Windows\SysWOW64\Jfhbppbc.exe  (cmdline C:\Windows\system32\Jfhbppbc.exe)
108  PID 5704  C:\Windows\SysWOW64\Jmbklj32.exe  (cmdline C:\Windows\system32\Jmbklj32.exe)
     Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
109  PID 5748  C:\Windows\SysWOW64\Jpaghf32.exe  (cmdline C:\Windows\system32\Jpaghf32.exe)
     Adds autorun key to be loaded by Explorer.exe on startup
110  PID 5788  C:\Windows\SysWOW64\Jfkoeppq.exe  (cmdline C:\Windows\system32\Jfkoeppq.exe)
111  PID 5828  C:\Windows\SysWOW64\Jkfkfohj.exe  (cmdline C:\Windows\system32\Jkfkfohj.exe)
112  PID 5880  C:\Windows\SysWOW64\Kmegbjgn.exe  (cmdline C:\Windows\system32\Kmegbjgn.exe)
113  PID 5924  C:\Windows\SysWOW64\Kbapjafe.exe  (cmdline C:\Windows\system32\Kbapjafe.exe)
114  PID 5976  C:\Windows\SysWOW64\Kkihknfg.exe  (cmdline C:\Windows\system32\Kkihknfg.exe)
     Adds autorun key to be loaded by Explorer.exe on startup
115  PID 6024  C:\Windows\SysWOW64\Kmgdgjek.exe  (cmdline C:\Windows\system32\Kmgdgjek.exe)
116  PID 6080  C:\Windows\SysWOW64\Kacphh32.exe  (cmdline C:\Windows\system32\Kacphh32.exe)
117  PID 6136  C:\Windows\SysWOW64\Kdaldd32.exe  (cmdline C:\Windows\system32\Kdaldd32.exe)
118  PID 5164  C:\Windows\SysWOW64\Kaemnhla.exe  (cmdline C:\Windows\system32\Kaemnhla.exe)
119  PID 5244  C:\Windows\SysWOW64\Kphmie32.exe  (cmdline C:\Windows\system32\Kphmie32.exe)
120  PID 5292  C:\Windows\SysWOW64\Kbfiep32.exe  (cmdline C:\Windows\system32\Kbfiep32.exe)
121  PID 5376  C:\Windows\SysWOW64\Kknafn32.exe  (cmdline C:\Windows\system32\Kknafn32.exe)
     Adds autorun key to be loaded by Explorer.exe on startup
122  PID 5444  C:\Windows\SysWOW64\Kmlnbi32.exe  (cmdline C:\Windows\system32\Kmlnbi32.exe)
     Adds autorun key to be loaded by Explorer.exe on startup
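The "wrote to memory of" table and the process list above describe the same thing from two angles: a chain in which every process writes into exactly one child, which then does the same. The script below is an added example, not part of the sandbox's report or of the sample: it parses the flattened "PID A wrote to memory of B A image N" rows in the form the page shows them, rebuilds the parent-to-child chain from the single root writer, and rejects data that is not a linear chain (several roots, a process writing into two different children, or a cycle). The embedded SAMPLE is constructed from the first four hops of the table above; the column names and the meaning of procid_target as the sandbox's own process index (not a PID) are taken from the page, and nothing else is assumed.

```python
"""Rebuild the parent->child injection chain from a sandbox report's
"wrote to memory of" rows and check that it is one linear chain.

Added example for this report, not the sandbox's own code. Row format,
as the page flattens it onto one line:
    PID <src> wrote to memory of <dst> <src> <image> <procid_target>
repeated once per WriteProcessMemory call that was observed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

ROOT_IMAGE = (
    "533483c23413d2bff1de8f3126cf600e0e1829739aac0e38c863a3965da64eed"
    "_NeikiAnalytics.exe"
)

# Constructed sample: the first four hops of the table above, header included,
# flattened exactly the way the page presents them (three rows per hop).
SAMPLE = (
    "description pid Process procid_target "
    + f"PID 1636 wrote to memory of 552 1636 {ROOT_IMAGE} 82 " * 3
    + "PID 552 wrote to memory of 1860 552 Elagacbk.exe 83 " * 3
    + "PID 1860 wrote to memory of 4556 1860 Ebnoikqb.exe 84 " * 3
    + "PID 4556 wrote to memory of 4888 4556 Efikji32.exe 85 " * 3
)

# The backreference (?P=src) pins the repeated source PID so a stray number
# in an image name cannot be mistaken for the start of the next row.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target>\d+)"
)


@dataclass(frozen=True)
class WriteEvent:
    src_pid: int
    dst_pid: int
    src_image: str
    target_id: int  # sandbox's own index of the written-to process, not a PID


def parse_write_events(text: str) -> list[WriteEvent]:
    """One WriteEvent per 'wrote to memory of' row, in report order."""
    return [
        WriteEvent(int(m["src"]), int(m["dst"]), m["image"], int(m["target"]))
        for m in EVENT_RE.finditer(text)
    ]


def build_chain(events: list[WriteEvent]) -> list[tuple[int, str, int, int]]:
    """Follow the writes from the root (the one writer nobody wrote into).

    Returns hops as (src_pid, src_image, dst_pid, write_count). Raises
    ValueError when the data is not a single linear chain: several roots,
    a process writing into more than one distinct child, or a cycle.
    """
    writes: dict[int, Counter] = defaultdict(Counter)
    image_of: dict[int, str] = {}
    for e in events:
        writes[e.src_pid][e.dst_pid] += 1
        image_of[e.src_pid] = e.src_image
    targets = {e.dst_pid for e in events}
    roots = [pid for pid in writes if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, got {roots}")

    hops = []
    pid, seen = roots[0], set()
    while pid in writes:
        if pid in seen:
            raise ValueError(f"cycle through PID {pid}")
        seen.add(pid)
        if len(writes[pid]) != 1:
            raise ValueError(
                f"PID {pid} wrote into several processes: {sorted(writes[pid])}"
            )
        ((dst, count),) = writes[pid].items()
        hops.append((pid, image_of[pid], dst, count))
        pid = dst
    return hops


def is_linear_chain(events: list[WriteEvent]) -> bool:
    """True when build_chain accepts the data as one parent->child chain."""
    try:
        build_chain(events)
    except ValueError:
        return False
    return True


def writes_per_hop(hops: list[tuple[int, str, int, int]]) -> set[int]:
    """Distinct per-hop write counts; a single value means every spawn came
    with the same number of WriteProcessMemory calls."""
    return {count for _, _, _, count in hops}


if __name__ == "__main__":
    chain = build_chain(parse_write_events(SAMPLE))
    for src, image, dst, count in chain:
        print(f"{src:>5} {image} -> {dst}  ({count} writes)")
    print("writes per hop:", writes_per_hop(chain))
```

Run against the full two-line table above rather than the embedded sample, the parser yields 22 hops; 21 of them carry three writes and the last (PID 4464 into 2396) only one, because the table is cut off after 64 entries. The mixed result from writes_per_hop in that case is a truncation artifact of the report, not a change in the sample's behaviour, which is worth remembering before turning a "three writes per spawn" pattern into a detection rule.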