Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 14:38
Behavioral task behavioral1
Sample: 614e81a2231648e9a3ca3bb3959160e0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 614e81a2231648e9a3ca3bb3959160e0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 614e81a2231648e9a3ca3bb3959160e0_NeikiAnalytics.exe
Size: 340KB
MD5: 614e81a2231648e9a3ca3bb3959160e0
SHA1: d3219a184b519b9ea17b7822ed5990d198145627
SHA256: 3838af4397e00c4bfb326d08306af1d590e556abe30d401ab226bda003437058
SHA512: c8c5ce1986eb7556102cf38cea1468b9f99974de680530516abda2475eeb06a175206215d79c6a29ab86ed9be19efb021d8ab32b7c130bef749e7dec6b9293fe
SSDEEP: 6144:X6cMvTvRIyedZwlNPjLs+H8rtMsQBJyJyymeH:Xwv6yGZwlNPjLYRMsXJvmeH
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3748, pid_target: 3856, Process: WerFault.exe, procid_target: 771
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row below was recorded 4 times in the log; 64 entries in total)
- PID 2240 wrote to memory of 1676 | 2240 | 614e81a2231648e9a3ca3bb3959160e0_NeikiAnalytics.exe | 30
- PID 1676 wrote to memory of 2332 | 1676 | Pcdldknm.exe | 31
- PID 2332 wrote to memory of 1608 | 2332 | Pehebbbh.exe | 32
- PID 1608 wrote to memory of 1048 | 1608 | Qnqjkh32.exe | 33
- PID 1048 wrote to memory of 2176 | 1048 | Adblnnbk.exe | 34
- PID 2176 wrote to memory of 704 | 2176 | Anhpkg32.exe | 35
- PID 704 wrote to memory of 1736 | 704 | Ahpddmia.exe | 36
- PID 1736 wrote to memory of 2612 | 1736 | Ajamfh32.exe | 37
- PID 2612 wrote to memory of 2472 | 2612 | Appbcn32.exe | 38
- PID 2472 wrote to memory of 2876 | 2472 | Bimphc32.exe | 39
- PID 2876 wrote to memory of 2836 | 2876 | Befnbd32.exe | 40
- PID 2836 wrote to memory of 2852 | 2836 | Chggdoee.exe | 41
- PID 2852 wrote to memory of 1828 | 2852 | Cpbkhabp.exe | 42
- PID 1828 wrote to memory of 2944 | 1828 | Clilmbhd.exe | 43
- PID 2944 wrote to memory of 3020 | 2944 | Cojeomee.exe | 44
- PID 3020 wrote to memory of 2976 | 3020 | Dfhgggim.exe | 45
Processes
Format: depth | image path | PID | signatures. Each process is the parent of the next one in the list (depth increases by one per row). The command line of the sample is "C:\Users\Admin\AppData\Local\Temp\614e81a2231648e9a3ca3bb3959160e0_NeikiAnalytics.exe"; every child process was started with the command line C:\Windows\system32\<name>.exe and has the image path C:\Windows\SysWOW64\<name>.exe shown in its row.
- 1 | C:\Users\Admin\AppData\Local\Temp\614e81a2231648e9a3ca3bb3959160e0_NeikiAnalytics.exe | PID 2240 | Loads dropped DLL; Suspicious use of WriteProcessMemory
- 2 | C:\Windows\SysWOW64\Pcdldknm.exe | PID 1676 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 3 | C:\Windows\SysWOW64\Pehebbbh.exe | PID 2332 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 4 | C:\Windows\SysWOW64\Qnqjkh32.exe | PID 1608 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 5 | C:\Windows\SysWOW64\Adblnnbk.exe | PID 1048 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 6 | C:\Windows\SysWOW64\Anhpkg32.exe | PID 2176 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 7 | C:\Windows\SysWOW64\Ahpddmia.exe | PID 704 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 8 | C:\Windows\SysWOW64\Ajamfh32.exe | PID 1736 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 9 | C:\Windows\SysWOW64\Appbcn32.exe | PID 2612 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 10 | C:\Windows\SysWOW64\Bimphc32.exe | PID 2472 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 11 | C:\Windows\SysWOW64\Befnbd32.exe | PID 2876 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 12 | C:\Windows\SysWOW64\Chggdoee.exe | PID 2836 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 13 | C:\Windows\SysWOW64\Cpbkhabp.exe | PID 2852 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 14 | C:\Windows\SysWOW64\Clilmbhd.exe | PID 1828 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 15 | C:\Windows\SysWOW64\Cojeomee.exe | PID 2944 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
- 16 | C:\Windows\SysWOW64\Dfhgggim.exe | PID 3020 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 17 | C:\Windows\SysWOW64\Doqkpl32.exe | PID 2976 | Executes dropped EXE; Loads dropped DLL
- 18 | C:\Windows\SysWOW64\Ddmchcnd.exe | PID 1892 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 19 | C:\Windows\SysWOW64\Dcemnopj.exe | PID 308 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 20 | C:\Windows\SysWOW64\Dmmbge32.exe | PID 1556 | Executes dropped EXE; Loads dropped DLL
- 21 | C:\Windows\SysWOW64\Egebjmdn.exe | PID 2440 | Executes dropped EXE; Loads dropped DLL
- 22 | C:\Windows\SysWOW64\Embkbdce.exe | PID 2196 | Executes dropped EXE; Loads dropped DLL
- 23 | C:\Windows\SysWOW64\Eiilge32.exe | PID 2064 | Executes dropped EXE; Loads dropped DLL
- 24 | C:\Windows\SysWOW64\Elieipej.exe | PID 2740 | Executes dropped EXE; Loads dropped DLL
- 25 | C:\Windows\SysWOW64\Efoifiep.exe | PID 1764 | Executes dropped EXE; Loads dropped DLL
- 26 | C:\Windows\SysWOW64\Faijggao.exe | PID 2076 | Executes dropped EXE; Loads dropped DLL
- 27 | C:\Windows\SysWOW64\Fbhfajia.exe | PID 2336 | Executes dropped EXE; Loads dropped DLL
- 28 | C:\Windows\SysWOW64\Fnogfk32.exe | PID 2340 | Executes dropped EXE; Loads dropped DLL
- 29 | C:\Windows\SysWOW64\Fdlpnamm.exe | PID 1668 | Executes dropped EXE; Loads dropped DLL
- 30 | C:\Windows\SysWOW64\Fikelhib.exe | PID 1972 | Executes dropped EXE; Loads dropped DLL
- 31 | C:\Windows\SysWOW64\Gfoeel32.exe | PID 2000 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 32 | C:\Windows\SysWOW64\Gipngg32.exe | PID 884 | Executes dropped EXE; Loads dropped DLL
- 33 | C:\Windows\SysWOW64\Ihbdhepp.exe | PID 2352 | Executes dropped EXE
- 34 | C:\Windows\SysWOW64\Kapaaj32.exe | PID 2672 | Executes dropped EXE
- 35 | C:\Windows\SysWOW64\Kenjgi32.exe | PID 2460 | Executes dropped EXE
- 36 | C:\Windows\SysWOW64\Kaekljjo.exe | PID 2664 | Executes dropped EXE
- 37 | C:\Windows\SysWOW64\Lhapocoi.exe | PID 2856 | Executes dropped EXE; Modifies registry class
- 38 | C:\Windows\SysWOW64\Lmnhgjmp.exe | PID 1352 | Executes dropped EXE; Drops file in System32 directory
- 39 | C:\Windows\SysWOW64\Lpoaheja.exe | PID 2636 | Executes dropped EXE
- 40 | C:\Windows\SysWOW64\Lodnjboi.exe | PID 2936 | Executes dropped EXE
- 41 | C:\Windows\SysWOW64\Lbagpp32.exe | PID 1812 | Executes dropped EXE
- 42 | C:\Windows\SysWOW64\Lhoohgdg.exe | PID 2828 | Executes dropped EXE; Modifies registry class
- 43 | C:\Windows\SysWOW64\Mebpakbq.exe | PID 2988 | Executes dropped EXE
- 44 | C:\Windows\SysWOW64\Mhcicf32.exe | PID 3040 | Executes dropped EXE
- 45 | C:\Windows\SysWOW64\Malmllfb.exe | PID 1292 | Executes dropped EXE
- 46 | C:\Windows\SysWOW64\Manjaldo.exe | PID 2060 | Executes dropped EXE
- 47 | C:\Windows\SysWOW64\Mcofid32.exe | PID 2056 | Executes dropped EXE; Drops file in System32 directory
- 48 | C:\Windows\SysWOW64\Mdoccg32.exe | PID 2804 | Executes dropped EXE
- 49 | C:\Windows\SysWOW64\Nikkkn32.exe | PID 2956 | Executes dropped EXE
- 50 | C:\Windows\SysWOW64\Nohddd32.exe | PID 2284 | Executes dropped EXE
- 51 | C:\Windows\SysWOW64\Neblqoel.exe | PID 1552 | Executes dropped EXE
- 52 | C:\Windows\SysWOW64\Naimepkp.exe | PID 2264 | Executes dropped EXE
- 53 | C:\Windows\SysWOW64\Nkaane32.exe | PID 2096 | Executes dropped EXE
- 54 | C:\Windows\SysWOW64\Nlanhh32.exe | PID 2120 | Executes dropped EXE
- 55 | C:\Windows\SysWOW64\Neibanod.exe | PID 1436 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 56 | C:\Windows\SysWOW64\Nndgeplo.exe | PID 1344 | Executes dropped EXE
- 57 | C:\Windows\SysWOW64\Odnobj32.exe | PID 1096 | Executes dropped EXE
- 58 | C:\Windows\SysWOW64\Oabplobe.exe | PID 1628 | Executes dropped EXE
- 59 | C:\Windows\SysWOW64\Okkddd32.exe | PID 576 | Executes dropped EXE
- 60 | C:\Windows\SysWOW64\Ogaeieoj.exe | PID 2848 | Executes dropped EXE
- 61 | C:\Windows\SysWOW64\Onkmfofg.exe | PID 2632 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 62 | C:\Windows\SysWOW64\Ohengmcf.exe | PID 364 | Executes dropped EXE
- 63 | C:\Windows\SysWOW64\Ofiopaap.exe | PID 1816 | Executes dropped EXE
- 64 | C:\Windows\SysWOW64\Pkfghh32.exe | PID 908 | Executes dropped EXE; Drops file in System32 directory
- 65 | C:\Windows\SysWOW64\Pdnkanfg.exe | PID 2492 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
- 66 | C:\Windows\SysWOW64\Pfnhkq32.exe | PID 1528 | (no signatures)
- 67 | C:\Windows\SysWOW64\Pgodcich.exe | PID 3048 | (no signatures)
- 68 | C:\Windows\SysWOW64\Pqgilnji.exe | PID 2820 | (no signatures)
- 69 | C:\Windows\SysWOW64\Pjpmdd32.exe | PID 2080 | Drops file in System32 directory
- 70 | C:\Windows\SysWOW64\Pjbjjc32.exe | PID 892 | Modifies registry class
- 71 | C:\Windows\SysWOW64\Qgfkchmp.exe | PID 1620 | Modifies registry class
- 72 | C:\Windows\SysWOW64\Qmcclolh.exe | PID 2276 | Drops file in System32 directory
- 73 | C:\Windows\SysWOW64\Qcmkhi32.exe | PID 2248 | (no signatures)
- 74 | C:\Windows\SysWOW64\Qaqlbmbn.exe | PID 2052 | Adds autorun key to be loaded by Explorer.exe on startup
- 75 | C:\Windows\SysWOW64\Abbhje32.exe | PID 2420 | (no signatures)
- 76 | C:\Windows\SysWOW64\Acadchoo.exe | PID 592 | (no signatures)
- 77 | C:\Windows\SysWOW64\Aphehidc.exe | PID 1500 | (no signatures)
- 78 | C:\Windows\SysWOW64\Aalofa32.exe | PID 2684 | (no signatures)
- 79 | C:\Windows\SysWOW64\Ahfgbkpl.exe | PID 2972 | (no signatures)
- 80 | C:\Windows\SysWOW64\Aankkqfl.exe | PID 3064 | (no signatures)
- 81 | C:\Windows\SysWOW64\Admgglep.exe | PID 964 | (no signatures)
- 82 | C:\Windows\SysWOW64\Beldao32.exe | PID 1392 | (no signatures)
- 83 | C:\Windows\SysWOW64\Bfmqigba.exe | PID 3044 | (no signatures)
- 84 | C:\Windows\SysWOW64\Bmgifa32.exe | PID 1728 | (no signatures)
- 85 | C:\Windows\SysWOW64\Bfpmog32.exe | PID 1388 | (no signatures)
- 86 | C:\Windows\SysWOW64\Bmjekahk.exe | PID 900 | Adds autorun key to be loaded by Explorer.exe on startup
- 87 | C:\Windows\SysWOW64\Bdcnhk32.exe | PID 2844 | (no signatures)
- 88 | C:\Windows\SysWOW64\Biqfpb32.exe | PID 1612 | (no signatures)
- 89 | C:\Windows\SysWOW64\Bdfjnkne.exe | PID 1584 | (no signatures)
- 90 | C:\Windows\SysWOW64\Bpmkbl32.exe | PID 872 | (no signatures)
- 91 | C:\Windows\SysWOW64\Cbkgog32.exe | PID 1316 | Drops file in System32 directory
- 92 | C:\Windows\SysWOW64\Chhpgn32.exe | PID 1016 | (no signatures)
- 93 | C:\Windows\SysWOW64\Cobhdhha.exe | PID 1648 | (no signatures)
- 94 | C:\Windows\SysWOW64\Dgildi32.exe | PID 2488 | (no signatures)
- 95 | C:\Windows\SysWOW64\Dleelp32.exe | PID 1836 | Drops file in System32 directory
- 96 | C:\Windows\SysWOW64\Dfniee32.exe | PID 2540 | (no signatures)
- 97 | C:\Windows\SysWOW64\Dbejjfek.exe | PID 3016 | (no signatures)
- 98 | C:\Windows\SysWOW64\Edjlgq32.exe | PID 2764 | (no signatures)
- 99 | C:\Windows\SysWOW64\Egihcl32.exe | PID 2984 | Modifies registry class
- 100 | C:\Windows\SysWOW64\Ebnmpemq.exe | PID 1372 | (no signatures)
- 101 | C:\Windows\SysWOW64\Egkehllh.exe | PID 2140 | (no signatures)
- 102 | C:\Windows\SysWOW64\Enenef32.exe | PID 2304 | (no signatures)
- 103 | C:\Windows\SysWOW64\Fqffgapf.exe | PID 808 | (no signatures)
- 104 | C:\Windows\SysWOW64\Fjnkpf32.exe | PID 2092 | Modifies registry class
- 105 | C:\Windows\SysWOW64\Fpkchm32.exe | PID 1964 | Adds autorun key to be loaded by Explorer.exe on startup
- 106 | C:\Windows\SysWOW64\Fladmn32.exe | PID 1236 | (no signatures)
- 107 | C:\Windows\SysWOW64\Fejifdab.exe | PID 2072 | (no signatures)
- 108 | C:\Windows\SysWOW64\Fnbmoi32.exe | PID 2268 | (no signatures)
- 109 | C:\Windows\SysWOW64\Fhkagonc.exe | PID 2552 | (no signatures)
- 110 | C:\Windows\SysWOW64\Facfpddd.exe | PID 1780 | (no signatures)
- 111 | C:\Windows\SysWOW64\Gbbbjg32.exe | PID 1160 | (no signatures)
- 112 | C:\Windows\SysWOW64\Gmlckehe.exe | PID 2932 | (no signatures)
- 113 | C:\Windows\SysWOW64\Gecklbih.exe | PID 2812 | (no signatures)
- 114 | C:\Windows\SysWOW64\Gpmllpef.exe | PID 2600 | (no signatures)
- 115 | C:\Windows\SysWOW64\Gfgdij32.exe | PID 2228 | (no signatures)
- 116 | C:\Windows\SysWOW64\Gmamfddp.exe | PID 2124 | (no signatures)
- 117 | C:\Windows\SysWOW64\Gmcikd32.exe | PID 2348 | (no signatures)
- 118 | C:\Windows\SysWOW64\Heonpf32.exe | PID 2192 | (no signatures)
- 119 | C:\Windows\SysWOW64\Hogcil32.exe | PID 2468 | Adds autorun key to be loaded by Explorer.exe on startup
- 120 | C:\Windows\SysWOW64\Hhogaamj.exe | PID 1136 | (no signatures)
- 121 | C:\Windows\SysWOW64\Hechkfkc.exe | PID 464 | (no signatures)
- 122 | C:\Windows\SysWOW64\Hbghdj32.exe | PID 2996 | Modifies registry class