Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 14:21
Behavioral task: behavioral1
Sample: 5afdcb70332b152d0eda993038d1b730_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 5afdcb70332b152d0eda993038d1b730_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 5afdcb70332b152d0eda993038d1b730_NeikiAnalytics.exe
Size: 128KB
MD5: 5afdcb70332b152d0eda993038d1b730
SHA1: 841ff43704345d77fee5d9d3d0c35bbdb948158c
SHA256: 5e04604945833a651c5bd887a5e2d87289cd16305545556d4c5f5a4e598379fc
SHA512: 5a83160aa51ce75ec917182b926c10a8674976a4375ad70fbb6077144099a1aa0f40acae3bc6abd19a81c91aa82759d64786e8223e0cbf8a19d96379049321eb
SSDEEP: 3072:loUL8LMCzRpyjryD2NGu2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:2a8LvzTy2aF4BhHmNEcYj9nhV8NCU
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid   pid_target  Process       procid_target
8548  8464        WerFault.exe  386
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
The tree is a single chain: each process is the child of the one above it, and the sandbox's depth number is kept in front of each entry. The root runs from the user's Temp directory; every later process is C:\Windows\SysWOW64\<name>.exe, launched with the command line C:\Windows\system32\<name>.exe (for a 32-bit process the WOW64 file-system redirector maps system32 to SysWOW64, so both paths name the same dropped file). The behaviour tags under each process are the sandbox's own.

1    C:\Users\Admin\AppData\Local\Temp\5afdcb70332b152d0eda993038d1b730_NeikiAnalytics.exe  (PID 116)
     command line: "C:\Users\Admin\AppData\Local\Temp\5afdcb70332b152d0eda993038d1b730_NeikiAnalytics.exe"
     - Suspicious use of WriteProcessMemory
2    C:\Windows\SysWOW64\Obfhba32.exe  (PID 852)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
3    C:\Windows\SysWOW64\Ocgdji32.exe  (PID 3092)
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
4    C:\Windows\SysWOW64\Okolkg32.exe  (PID 2392)
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
5    C:\Windows\SysWOW64\Odgqdlnj.exe  (PID 1524)
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
6    C:\Windows\SysWOW64\Pgemphmn.exe  (PID 552)
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
7    C:\Windows\SysWOW64\Pjdilcla.exe  (PID 2428)
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
8    C:\Windows\SysWOW64\Pclneicb.exe  (PID 4992)
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
9    C:\Windows\SysWOW64\Pkceffcd.exe  (PID 2824)
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
10   C:\Windows\SysWOW64\Pbmncp32.exe  (PID 3936)
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
11   C:\Windows\SysWOW64\Pgjfkg32.exe  (PID 3576)
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
12   C:\Windows\SysWOW64\Pndohaqe.exe  (PID 3316)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
13   C:\Windows\SysWOW64\Pengdk32.exe  (PID 3604)
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
14   C:\Windows\SysWOW64\Pjkombfj.exe  (PID 4724)
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
15   C:\Windows\SysWOW64\Pbbgnpgl.exe  (PID 3816)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
16   C:\Windows\SysWOW64\Peqcjkfp.exe  (PID 1088)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
17   C:\Windows\SysWOW64\Pkjlge32.exe  (PID 3240)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
18   C:\Windows\SysWOW64\Pbddcoei.exe  (PID 2916)
     - Executes dropped EXE
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
19   C:\Windows\SysWOW64\Qgallfcq.exe  (PID 1968)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
20   C:\Windows\SysWOW64\Qnkdhpjn.exe  (PID 3724)
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
21   C:\Windows\SysWOW64\Qeemej32.exe  (PID 4728)
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
22   C:\Windows\SysWOW64\Qloebdig.exe  (PID 4836)
     - Executes dropped EXE
     - Drops file in System32 directory
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
23   C:\Windows\SysWOW64\Qnnanphk.exe  (PID 412)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
24   C:\Windows\SysWOW64\Acjjfggb.exe  (PID 1812)
     - Executes dropped EXE
25   C:\Windows\SysWOW64\Ajdbcano.exe  (PID 3712)
     - Executes dropped EXE
     - Modifies registry class
26   C:\Windows\SysWOW64\Abkjdnoa.exe  (PID 4628)
     - Executes dropped EXE
27   C:\Windows\SysWOW64\Acmflf32.exe  (PID 3944)
     - Executes dropped EXE
28   C:\Windows\SysWOW64\Abngjnmo.exe  (PID 4072)
     - Executes dropped EXE
29   C:\Windows\SysWOW64\Acocaf32.exe  (PID 4696)
     - Executes dropped EXE
30   C:\Windows\SysWOW64\Ajiknpjj.exe  (PID 3544)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
31   C:\Windows\SysWOW64\Aacckjaf.exe  (PID 3244)
     - Executes dropped EXE
32   C:\Windows\SysWOW64\Ahmlgd32.exe  (PID 4604)
     - Executes dropped EXE
33   C:\Windows\SysWOW64\Abbpem32.exe  (PID 4904)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Drops file in System32 directory
34   C:\Windows\SysWOW64\Adcmmeog.exe  (PID 1948)
     - Executes dropped EXE
     - Modifies registry class
35   C:\Windows\SysWOW64\Alkdnboj.exe  (PID 1216)
     - Executes dropped EXE
36   C:\Windows\SysWOW64\Ajneip32.exe  (PID 2600)
     - Executes dropped EXE
37   C:\Windows\SysWOW64\Abemjmgg.exe  (PID 1420)
     - Executes dropped EXE
     - Drops file in System32 directory
38   C:\Windows\SysWOW64\Bdfibe32.exe  (PID 3588)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
39   C:\Windows\SysWOW64\Blmacb32.exe  (PID 948)
     - Executes dropped EXE
40   C:\Windows\SysWOW64\Bbgipldd.exe  (PID 5012)
     - Executes dropped EXE
41   C:\Windows\SysWOW64\Beeflhdh.exe  (PID 3948)
     - Executes dropped EXE
     - Modifies registry class
42   C:\Windows\SysWOW64\Bhdbhcck.exe  (PID 2408)
     - Executes dropped EXE
43   C:\Windows\SysWOW64\Bjbndobo.exe  (PID 2520)
     - Executes dropped EXE
     - Modifies registry class
44   C:\Windows\SysWOW64\Bbifelba.exe  (PID 3216)
     - Executes dropped EXE
45   C:\Windows\SysWOW64\Blbknaib.exe  (PID 436)
     - Executes dropped EXE
46   C:\Windows\SysWOW64\Bopgjmhe.exe  (PID 464)
     - Executes dropped EXE
47   C:\Windows\SysWOW64\Bhikcb32.exe  (PID 4848)
     - Executes dropped EXE
48   C:\Windows\SysWOW64\Bjghpn32.exe  (PID 640)
     - Executes dropped EXE
49   C:\Windows\SysWOW64\Bbnpqk32.exe  (PID 3220)
     - Executes dropped EXE
50   C:\Windows\SysWOW64\Bemlmgnp.exe  (PID 4184)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Drops file in System32 directory
51   C:\Windows\SysWOW64\Bhkhibmc.exe  (PID 920)
     - Executes dropped EXE
52   C:\Windows\SysWOW64\Boepel32.exe  (PID 4500)
     - Executes dropped EXE
53   C:\Windows\SysWOW64\Cbqlfkmi.exe  (PID 1380)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
54   C:\Windows\SysWOW64\Ceoibflm.exe  (PID 3384)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
55   C:\Windows\SysWOW64\Chmeobkq.exe  (PID 1188)
     - Executes dropped EXE
56   C:\Windows\SysWOW64\Cklaknjd.exe  (PID 4656)
     - Executes dropped EXE
     - Modifies registry class
57   C:\Windows\SysWOW64\Chpada32.exe  (PID 1884)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
58   C:\Windows\SysWOW64\Cknnpm32.exe  (PID 1424)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Modifies registry class
59   C:\Windows\SysWOW64\Cbefaj32.exe  (PID 4832)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
60   C:\Windows\SysWOW64\Cdfbibnb.exe  (PID 4808)
     - Executes dropped EXE
     - Modifies registry class
61   C:\Windows\SysWOW64\Clnjjpod.exe  (PID 1700)
     - Executes dropped EXE
     - Modifies registry class
62   C:\Windows\SysWOW64\Colffknh.exe  (PID 4476)
     - Executes dropped EXE
63   C:\Windows\SysWOW64\Cefoce32.exe  (PID 2592)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
64   C:\Windows\SysWOW64\Clpgpp32.exe  (PID 2312)
     - Executes dropped EXE
     - Modifies registry class
65   C:\Windows\SysWOW64\Conclk32.exe  (PID 4712)
     - Executes dropped EXE
66   C:\Windows\SysWOW64\Cehkhecb.exe  (PID 3608)
     - Drops file in System32 directory
     - Modifies registry class
67   C:\Windows\SysWOW64\Clbceo32.exe  (PID 2932)
     - Modifies registry class
68   C:\Windows\SysWOW64\Doqpak32.exe  (PID 4364)
     - Drops file in System32 directory
69   C:\Windows\SysWOW64\Dekhneap.exe  (PID 1016)
70   C:\Windows\SysWOW64\Dldpkoil.exe  (PID 60)
     - Adds autorun key to be loaded by Explorer.exe on startup
71   C:\Windows\SysWOW64\Daaicfgd.exe  (PID 3084)
     - Drops file in System32 directory
72   C:\Windows\SysWOW64\Dlgmpogj.exe  (PID 4056)
73   C:\Windows\SysWOW64\Dbaemi32.exe  (PID 3332)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
     - Modifies registry class
74   C:\Windows\SysWOW64\Deoaid32.exe  (PID 1148)
75   C:\Windows\SysWOW64\Dkljak32.exe  (PID 4432)
     - Drops file in System32 directory
76   C:\Windows\SysWOW64\Dccbbhld.exe  (PID 4092)
77   C:\Windows\SysWOW64\Dafbne32.exe  (PID 3228)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
78   C:\Windows\SysWOW64\Dddojq32.exe  (PID 3536)
79   C:\Windows\SysWOW64\Dkoggkjo.exe  (PID 4308)
     - Drops file in System32 directory
80   C:\Windows\SysWOW64\Dahode32.exe  (PID 5108)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Modifies registry class
81   C:\Windows\SysWOW64\Ddgkpp32.exe  (PID 876)
     - Adds autorun key to be loaded by Explorer.exe on startup
82   C:\Windows\SysWOW64\Ekacmjgl.exe  (PID 3704)
83   C:\Windows\SysWOW64\Echknh32.exe  (PID 4044)
84   C:\Windows\SysWOW64\Eaklidoi.exe  (PID 1800)
     - Drops file in System32 directory
85   C:\Windows\SysWOW64\Ekcpbj32.exe  (PID 2404)
     - Adds autorun key to be loaded by Explorer.exe on startup
86   C:\Windows\SysWOW64\Edkdkplj.exe  (PID 3088)
     - Drops file in System32 directory
87   C:\Windows\SysWOW64\Eapedd32.exe  (PID 3772)
88   C:\Windows\SysWOW64\Ednaqo32.exe  (PID 3728)
     - Adds autorun key to be loaded by Explorer.exe on startup
89   C:\Windows\SysWOW64\Ekhjmiad.exe  (PID 2548)
     - Modifies registry class
90   C:\Windows\SysWOW64\Ecoangbg.exe  (PID 2668)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Modifies registry class
91   C:\Windows\SysWOW64\Eemnjbaj.exe  (PID 4612)
     - Modifies registry class
92   C:\Windows\SysWOW64\Elgfgl32.exe  (PID 3344)
93   C:\Windows\SysWOW64\Eofbch32.exe  (PID 1444)
     - Modifies registry class
94   C:\Windows\SysWOW64\Ecandfpd.exe  (PID 4488)
95   C:\Windows\SysWOW64\Eepjpb32.exe  (PID 3416)
96   C:\Windows\SysWOW64\Ehnglm32.exe  (PID 3012)
     - Modifies registry class
97   C:\Windows\SysWOW64\Fljcmlfd.exe  (PID 4012)
     - Modifies registry class
98   C:\Windows\SysWOW64\Fohoigfh.exe  (PID 3052)
99   C:\Windows\SysWOW64\Fafkecel.exe  (PID 4620)
100  C:\Windows\SysWOW64\Febgea32.exe  (PID 4652)
     - Adds autorun key to be loaded by Explorer.exe on startup
101  C:\Windows\SysWOW64\Fhqcam32.exe  (PID 5136)
102  C:\Windows\SysWOW64\Fkopnh32.exe  (PID 5180)
103  C:\Windows\SysWOW64\Fcfhof32.exe  (PID 5220)
     - Modifies registry class
104  C:\Windows\SysWOW64\Faihkbci.exe  (PID 5264)
     - Modifies registry class
105  C:\Windows\SysWOW64\Fdgdgnbm.exe  (PID 5312)
106  C:\Windows\SysWOW64\Flnlhk32.exe  (PID 5356)
107  C:\Windows\SysWOW64\Fkalchij.exe  (PID 5400)
108  C:\Windows\SysWOW64\Fchddejl.exe  (PID 5444)
     - Drops file in System32 directory
109  C:\Windows\SysWOW64\Ffgqqaip.exe  (PID 5484)
110  C:\Windows\SysWOW64\Fdialn32.exe  (PID 5540)
     - Drops file in System32 directory
111  C:\Windows\SysWOW64\Fkciihgg.exe  (PID 5584)
     - Drops file in System32 directory
112  C:\Windows\SysWOW64\Fckajehi.exe  (PID 5624)
113  C:\Windows\SysWOW64\Ffimfqgm.exe  (PID 5672)
114  C:\Windows\SysWOW64\Fdlnbm32.exe  (PID 5716)
     - Modifies registry class
115  C:\Windows\SysWOW64\Flceckoj.exe  (PID 5760)
116  C:\Windows\SysWOW64\Foabofnn.exe  (PID 5800)
     - Drops file in System32 directory
117  C:\Windows\SysWOW64\Fdnjgmle.exe  (PID 5840)
118  C:\Windows\SysWOW64\Glebhjlg.exe  (PID 5884)
     - Modifies registry class
119  C:\Windows\SysWOW64\Gfngap32.exe  (PID 5928)
     - Drops file in System32 directory
120  C:\Windows\SysWOW64\Glhonj32.exe  (PID 5972)
     - Modifies registry class
121  C:\Windows\SysWOW64\Gmjlcj32.exe  (PID 6016)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
122  C:\Windows\SysWOW64\Gohhpe32.exe  (PID 6060)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
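The WriteProcessMemory table and the process tree above describe the same chain twice, once by PID pair and once by depth, and the extracted page flattens both. The script below is an added example for this report, not part of the sandbox output: it parses the table records and the fused tree lines in the exact form the page prints them, rebuilds the parent-to-child chain, checks that every logged write goes from a process to its direct child with a matching image name, and lists the dropped SysWOW64 images as file IoCs. The sample records and tree lines embedded in it are copied from this report (the first five processes); the regexes, function names and the "three writes per child" count it exposes are mine, derived from the page rather than from the sandbox's own format documentation.

```python
"""Rebuild the injection chain from the flattened 'wrote to memory of' table of a
Triage-style report and cross-check it against the process tree. Added example;
not part of the sandbox output."""
import re
from collections import Counter

# One table record as the flattened page prints it:
#   PID <src> wrote to memory of <dst> <src> <image> <procid_target>
RECORD = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
                    r"(?P<image>\S+) (?P<target>\d+)")
# One tree entry as the page fuses it: <image path><command line><depth>⤵,
# with "PID:<n>" either fused on the same line or on the following line.
TREE_ENTRY = re.compile(r'^(?P<path>[A-Z]:\\.*?\.exe)(?P<cmd>"?[A-Z]:\\.*?\.exe"?)'
                        r"(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$")
PID_LINE = re.compile(r"^PID:(\d+)")

# Constructed sample: the first twelve table records of this report, run
# together on one line exactly as the extracted page shows them.
SAMPLE_RECORDS = (
    "description pid Process procid_target "
    + ("PID 116 wrote to memory of 852 116 "
       "5afdcb70332b152d0eda993038d1b730_NeikiAnalytics.exe 81 ") * 3
    + "PID 852 wrote to memory of 3092 852 Obfhba32.exe 83 " * 3
    + "PID 3092 wrote to memory of 2392 3092 Ocgdji32.exe 84 " * 3
    + "PID 2392 wrote to memory of 1524 2392 Okolkg32.exe 86 " * 3
)
# Constructed sample: the matching process-tree lines from this report.
SAMPLE_TREE = [
    r"C:\Users\Admin\AppData\Local\Temp\5afdcb70332b152d0eda993038d1b730_NeikiAnalytics.exe"
    r'"C:\Users\Admin\AppData\Local\Temp\5afdcb70332b152d0eda993038d1b730_NeikiAnalytics.exe"1⤵',
    "PID:116",
    r"C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe2⤵", "PID:852",
    r"C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe3⤵", "PID:3092",
    r"C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe4⤵", "PID:2392",
    r"C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe5⤵", "PID:1524",
]

def parse_records(text):
    """All WriteProcessMemory records in page order, duplicates kept."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in RECORD.finditer(text)]

def edges(records):
    """(src, dst) -> number of writes the report logged for that pair."""
    return Counter((src, dst) for src, dst, _ in records)

def build_chain(records):
    """Follow parent -> child from the single root; raise if any parent has two children."""
    children = {}
    for src, dst, _ in records:
        children.setdefault(src, set()).add(dst)
    targets = {d for kids in children.values() for d in kids}
    roots = [s for s in children if s not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append(pid)
        kids = children.get(pid, set())
        if len(kids) > 1:
            raise ValueError(f"PID {pid} writes into several children: {sorted(kids)}")
        pid = next(iter(kids), None)
    return chain

def parse_tree(lines):
    """(depth, image path, command line, pid) for each fused tree entry."""
    out, pending = [], None
    for line in lines:
        m = TREE_ENTRY.match(line.strip())
        if m:
            pending = (int(m["depth"]), m["path"], m["cmd"].strip('"'))
            if m["pid"]:                      # PID fused onto the entry line
                out.append(pending + (int(m["pid"]),))
                pending = None
            continue
        p = PID_LINE.match(line.strip())
        if p and pending:                     # PID on its own line
            out.append(pending + (int(p.group(1)),))
            pending = None
    return out

def cross_check(records, tree):
    """Mismatches between table and tree: each write must go parent -> direct
    child, and the table's image name must match the tree's image path."""
    by_pid = {pid: (depth, path) for depth, path, _, pid in tree}
    names = {src: image for src, _, image in records}
    problems = []
    for src, dst in edges(records):
        if src not in by_pid or dst not in by_pid:
            problems.append(f"{src}->{dst}: PID missing from tree")
        elif by_pid[dst][0] != by_pid[src][0] + 1:
            problems.append(f"{src}->{dst}: not parent/child in tree")
        elif by_pid[src][1].rsplit("\\", 1)[-1] != names[src]:
            problems.append(f"{src}: image differs between table and tree")
    return problems

def dropped_images(tree):
    """Images below the root under SysWOW64: the files the sample dropped and ran
    (the command lines say system32; WOW64 redirection resolves that to SysWOW64)."""
    return [path for depth, path, _, _ in tree
            if depth > 1 and path.lower().startswith("c:\\windows\\syswow64\\")]
```

Run against the full report, `build_chain` yields 116 -> 852 -> ... -> 412 from the 64 table records, `cross_check` returns an empty list, and `dropped_images` over all 122 tree entries gives the 121 SysWOW64 file names to search for on other hosts. The image check in `cross_check` compares only the file name, because the table names the writing process by image while the tree gives its full path.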