Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 14:37

Behavioral task: behavioral1
Sample: 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe
Resource: win10v2004-20240226-en

General

Target: 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe
Size: 94KB
MD5: 60e1796ea67f3dd43474078f14dfc9e0
SHA1: 18e36078106418f620ced3eb0f7b2ff2c355495a
SHA256: 0bde9adad9d49898d3cdb54fd6288385fbc24b3e71ff6aff0b1854118ac93d38
SHA512: 6829951dc33101f792234e825ffe87a8fe891b97942f895f1d46f44914fee2cb023c505a93715a64512e377088dfce9f8105e288b746e236dfc86c04bfe08b92
SSDEEP: 1536:L9t9acVlio4KbG/RXKxzPKZRtXP/f68sKndb/cLl2Lf4aIZTJ+7LhkiB0MPiKeEJ:JtUcVT4KbG/RXKxzsRN/f68ndLOWf4at

Malware Config

Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlljjjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgechbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndemjoae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biojif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkbib32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfdgiid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfahhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhideol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjoplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejgko32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbcfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npagjpcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdjkogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkoplhip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhjai32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijgdngmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kklpekno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohaeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqhijbog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhmpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjefg32.exe 
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigchgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgjefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemgilhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hedocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
Jabbhcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnimnfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpodagk.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b000000014502-5.dat family_berbew behavioral1/files/0x0008000000014dae-20.dat family_berbew behavioral1/files/0x000700000001502c-39.dat family_berbew behavioral1/files/0x00070000000153d9-56.dat family_berbew behavioral1/files/0x0006000000015d44-89.dat family_berbew behavioral1/files/0x000600000001654a-156.dat family_berbew behavioral1/files/0x0006000000016813-181.dat family_berbew behavioral1/files/0x0006000000016c42-210.dat family_berbew behavioral1/files/0x0006000000016da4-281.dat family_berbew behavioral1/files/0x00050000000186d3-350.dat family_berbew behavioral1/files/0x0005000000019227-394.dat family_berbew behavioral1/files/0x000500000001934a-422.dat family_berbew behavioral1/files/0x0005000000019fa5-652.dat family_berbew behavioral1/files/0x000500000001a40c-681.dat family_berbew behavioral1/files/0x000500000001a416-701.dat family_berbew behavioral1/files/0x000500000001a481-718.dat family_berbew behavioral1/files/0x000500000001a49f-740.dat family_berbew behavioral1/files/0x000500000001a4bb-807.dat family_berbew behavioral1/files/0x000500000001a4c8-837.dat family_berbew behavioral1/files/0x000500000001a4d0-854.dat family_berbew behavioral1/files/0x000500000001a4e0-885.dat family_berbew behavioral1/files/0x000500000001a59b-906.dat family_berbew behavioral1/files/0x000500000001a4e5-894.dat family_berbew behavioral1/files/0x000500000001bf9a-925.dat family_berbew behavioral1/files/0x000500000001c855-1011.dat family_berbew behavioral1/files/0x000500000001c882-1028.dat family_berbew behavioral1/files/0x000500000001c89a-1078.dat family_berbew behavioral1/files/0x000500000001c8a3-1098.dat family_berbew behavioral1/files/0x000500000001c8b0-1128.dat family_berbew behavioral1/files/0x000500000001c8c9-1185.dat family_berbew behavioral1/files/0x000400000001ca97-1214.dat family_berbew behavioral1/files/0x000400000001cb3b-1238.dat family_berbew behavioral1/files/0x000400000001cb62-1266.dat family_berbew 
behavioral1/files/0x000400000001cb7a-1286.dat family_berbew behavioral1/files/0x000400000001cbb7-1330.dat family_berbew behavioral1/files/0x000400000001cbdd-1361.dat family_berbew behavioral1/files/0x000400000001cc04-1394.dat family_berbew behavioral1/files/0x000400000001cc18-1406.dat family_berbew behavioral1/files/0x000400000001cd45-1510.dat family_berbew behavioral1/files/0x000400000001cf54-1575.dat family_berbew behavioral1/files/0x000400000001d125-1638.dat family_berbew behavioral1/files/0x000400000001d240-1647.dat family_berbew behavioral1/files/0x000400000001d352-1670.dat family_berbew behavioral1/files/0x000400000001d394-1711.dat family_berbew behavioral1/files/0x000400000001d3a8-1736.dat family_berbew behavioral1/files/0x000400000001d3b0-1752.dat family_berbew behavioral1/files/0x000400000001d3c6-1775.dat family_berbew behavioral1/files/0x000400000001d496-1798.dat family_berbew behavioral1/files/0x000400000001d6d7-1839.dat family_berbew behavioral1/files/0x000400000001d70a-1871.dat family_berbew behavioral1/files/0x000400000001d828-1912.dat family_berbew behavioral1/files/0x000400000001d875-1935.dat family_berbew behavioral1/files/0x000400000001d970-2001.dat family_berbew behavioral1/files/0x000400000001d9a5-2024.dat family_berbew behavioral1/files/0x000400000001d9ba-2065.dat family_berbew behavioral1/files/0x000400000001d9d6-2121.dat family_berbew behavioral1/files/0x000400000001d9e1-2144.dat family_berbew behavioral1/files/0x000400000001da05-2211.dat family_berbew behavioral1/files/0x000400000001da17-2229.dat family_berbew behavioral1/files/0x000400000001da2c-2253.dat family_berbew behavioral1/files/0x000400000001da46-2269.dat family_berbew behavioral1/files/0x000400000001da56-2286.dat family_berbew behavioral1/files/0x000400000001da74-2318.dat family_berbew behavioral1/files/0x000400000001dad3-2368.dat family_berbew
Executes dropped EXE (64 IoCs)
pid Process 2744 Odjpkihg.exe 2604 Ojficpfn.exe 2408 Obnqem32.exe 2824 Ocomlemo.exe 2404 Ogjimd32.exe 2664 Ojieip32.exe 2500 Ondajnme.exe 2792 Oqcnfjli.exe 492 Ocajbekl.exe 320 Ogmfbd32.exe 1964 Ojkboo32.exe 2028 Pminkk32.exe 2080 Pphjgfqq.exe 1308 Pgobhcac.exe 1648 Pfbccp32.exe 588 Pjmodopf.exe 776 Pmlkpjpj.exe 628 Paggai32.exe 3060 Pcfcmd32.exe 2364 Pjpkjond.exe 1692 Pmnhfjmg.exe 1904 Plahag32.exe 1872 Ppmdbe32.exe 3004 Pchpbded.exe 832 Pbkpna32.exe 2740 Pfflopdh.exe 2596 Peiljl32.exe 2540 Pmqdkj32.exe 2400 Plcdgfbo.exe 2856 Ppoqge32.exe 2488 Pbmmcq32.exe 1356 Pfiidobe.exe 1364 Pigeqkai.exe 2836 Phjelg32.exe 1412 Ppamme32.exe 2628 Pbpjiphi.exe 1604 Penfelgm.exe 476 Qjknnbed.exe 2716 Qbbfopeg.exe 112 Qeqbkkej.exe 2732 Qeqbkkej.exe 788 Qhooggdn.exe 2988 Qjmkcbcb.exe 1464 Qnigda32.exe 764 Qmlgonbe.exe 1636 Qecoqk32.exe 2148 Adeplhib.exe 1496 Afdlhchf.exe 1620 Afdlhchf.exe 2528 Ajphib32.exe 3000 Ankdiqih.exe 2556 Aajpelhl.exe 2592 Aajpelhl.exe 1928 Aplpai32.exe 2660 Adhlaggp.exe 1276 Ahchbf32.exe 888 Affhncfc.exe 2832 Ajbdna32.exe 2712 Aiedjneg.exe 1408 Ampqjm32.exe 1428 Apomfh32.exe 1848 Adjigg32.exe 2980 Afiecb32.exe 536 Ajdadamj.exe
Loads dropped DLL (64 IoCs)
pid Process 2356 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 2356 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 2744 Odjpkihg.exe 2744 Odjpkihg.exe 2604 Ojficpfn.exe 2604 Ojficpfn.exe 2408 Obnqem32.exe 2408 Obnqem32.exe 2824 Ocomlemo.exe 2824 Ocomlemo.exe 2404 Ogjimd32.exe 2404 Ogjimd32.exe 2664 Ojieip32.exe 2664 Ojieip32.exe 2500 Ondajnme.exe 2500 Ondajnme.exe 2792 Oqcnfjli.exe 2792 Oqcnfjli.exe 492 Ocajbekl.exe 492 Ocajbekl.exe 320 Ogmfbd32.exe 320 Ogmfbd32.exe 1964 Ojkboo32.exe 1964 Ojkboo32.exe 2028 Pminkk32.exe 2028 Pminkk32.exe 2080 Pphjgfqq.exe 2080 Pphjgfqq.exe 1308 Pgobhcac.exe 1308 Pgobhcac.exe 1648 Pfbccp32.exe 1648 Pfbccp32.exe 588 Pjmodopf.exe 588 Pjmodopf.exe 776 Pmlkpjpj.exe 776 Pmlkpjpj.exe 628 Paggai32.exe 628 Paggai32.exe 3060 Pcfcmd32.exe 3060 Pcfcmd32.exe 2364 Pjpkjond.exe 2364 Pjpkjond.exe 1692 Pmnhfjmg.exe 1692 Pmnhfjmg.exe 1904 Plahag32.exe 1904 Plahag32.exe 1872 Ppmdbe32.exe 1872 Ppmdbe32.exe 3004 Pchpbded.exe 3004 Pchpbded.exe 832 Pbkpna32.exe 832 Pbkpna32.exe 2740 Pfflopdh.exe 2740 Pfflopdh.exe 2596 Peiljl32.exe 2596 Peiljl32.exe 2540 Pmqdkj32.exe 2540 Pmqdkj32.exe 2400 Plcdgfbo.exe 2400 Plcdgfbo.exe 2856 Ppoqge32.exe 2856 Ppoqge32.exe 2488 Pbmmcq32.exe 2488 Pbmmcq32.exe
Drops file in System32 directory (64 IoCs)
description ioc Process File created C:\Windows\SysWOW64\Icpigm32.exe Idmhkpml.exe File opened for modification C:\Windows\SysWOW64\Bbjbaa32.exe Bpleef32.exe File created C:\Windows\SysWOW64\Qkkmqnck.exe Qgoapp32.exe File created C:\Windows\SysWOW64\Cfgheegc.dll Bhfcpb32.exe File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe Gobgcg32.exe File opened for modification C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File opened for modification C:\Windows\SysWOW64\Ajejgp32.exe Aamfnkai.exe File created C:\Windows\SysWOW64\Baakhm32.exe Bocolb32.exe File created C:\Windows\SysWOW64\Npagjpcd.exe Nmbknddp.exe File created C:\Windows\SysWOW64\Mlcpdacl.dll Bdkgocpm.exe File created C:\Windows\SysWOW64\Imjcfnhk.dll Qbbhgi32.exe File opened for modification C:\Windows\SysWOW64\Aiinen32.exe Aenbdoii.exe File opened for modification C:\Windows\SysWOW64\Amejeljk.exe Aiinen32.exe File created C:\Windows\SysWOW64\Fgdqfpma.dll Cnippoha.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fcmgfkeg.exe File created C:\Windows\SysWOW64\Glaoalkh.exe Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Hgmalg32.exe Hpbiommg.exe File created C:\Windows\SysWOW64\Onecbg32.exe Ojigbhlp.exe File created C:\Windows\SysWOW64\Hgeadcbc.dll Ankdiqih.exe File created C:\Windows\SysWOW64\Egamfkdh.exe Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Lckdanld.exe Lldlqakb.exe File opened for modification C:\Windows\SysWOW64\Gjakmc32.exe Gffoldhp.exe File created C:\Windows\SysWOW64\Jcjdpj32.exe Jdgdempa.exe File created C:\Windows\SysWOW64\Lgenio32.dll Okanklik.exe File created C:\Windows\SysWOW64\Ndejjf32.dll Aajpelhl.exe File created C:\Windows\SysWOW64\Gobgcg32.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Jkbcln32.exe Jmocpado.exe File opened for modification C:\Windows\SysWOW64\Jmogdj32.dll Aniimjbo.exe File created C:\Windows\SysWOW64\Jfoagoic.dll Kjfjbdle.exe File created C:\Windows\SysWOW64\Kfpgmdog.exe Kcakaipc.exe File opened for modification 
C:\Windows\SysWOW64\Paggai32.exe Pmlkpjpj.exe File created C:\Windows\SysWOW64\Gncffdfn.dll Balijo32.exe File created C:\Windows\SysWOW64\Dqlafm32.exe Dqlafm32.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Enkece32.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Henidd32.exe File opened for modification C:\Windows\SysWOW64\Kneicieh.exe Kaaijdgn.exe File opened for modification C:\Windows\SysWOW64\Kohkfj32.exe Kklpekno.exe File created C:\Windows\SysWOW64\Knjbnh32.exe Kjnfniii.exe File created C:\Windows\SysWOW64\Ilbgbe32.dll Pmanoifd.exe File created C:\Windows\SysWOW64\Bfadgq32.exe Bdbhke32.exe File opened for modification C:\Windows\SysWOW64\Jdbkjn32.exe Jqgoiokm.exe File opened for modification C:\Windows\SysWOW64\Mooaljkh.exe Mpmapm32.exe File created C:\Windows\SysWOW64\Eoqbnm32.dll Bajomhbl.exe File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Bioqclil.exe Bjlqhoba.exe File created C:\Windows\SysWOW64\Hpbiommg.exe Hmdmcanc.exe File created C:\Windows\SysWOW64\Jkoplhip.exe Jgcdki32.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Hbhomd32.exe File created C:\Windows\SysWOW64\Oohqqlei.exe Nkmdpm32.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Epieghdk.exe Epieghdk.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Ggpimica.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Iemkjqde.dll Lbqabkql.exe File opened for modification C:\Windows\SysWOW64\Efaibbij.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Ffpmnf32.exe File created C:\Windows\SysWOW64\Ollfnfje.dll Jqfffqpm.exe File opened for modification C:\Windows\SysWOW64\Pnjdhmdo.exe Pogclp32.exe File created C:\Windows\SysWOW64\Anlfbi32.exe Anlfbi32.exe File created C:\Windows\SysWOW64\Amqccfed.exe Annbhi32.exe File created C:\Windows\SysWOW64\Aigchgkh.exe Aigchgkh.exe File created 
C:\Windows\SysWOW64\Nofmgl32.dll Pgobhcac.exe File created C:\Windows\SysWOW64\Dfdceg32.dll Adeplhib.exe File created C:\Windows\SysWOW64\Efncicpm.exe Ebbgid32.exe
Program crash (1 IoC)
pid   pid_target  Process
10060 10036       WerFault.exe
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbkbgjcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpokk32.dll" Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll" Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhpfqama.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll" Leljop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajpjakhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckiigmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Begeknan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gogangdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijeghgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdgdempa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpekon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ailkjmpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmhepko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgogg32.dll" Mmahdggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbikgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmbhn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmmle32.dll" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" Qqeicede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baadng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cngcjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncffdfn.dll" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkbcln32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqapllgh.dll" Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll" Ckiigmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgknheej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjejphb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alpmfdcb.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpcmpijk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgobhcac.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target
PID 2356 wrote to memory of 2744 2356 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 28
PID 2356 wrote to memory of 2744 2356 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 28
PID 2356 wrote to memory of 2744 2356 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 28
PID 2356 wrote to memory of 2744 2356 60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe 28
PID 2744 wrote to memory of 2604 2744 Odjpkihg.exe 29
PID 2744 wrote to memory of 2604 2744 Odjpkihg.exe 29
PID 2744 wrote to memory of 2604 2744 Odjpkihg.exe 29
PID 2744 wrote to memory of 2604 2744 Odjpkihg.exe 29
PID 2604 wrote to memory of 2408 2604 Ojficpfn.exe 30
PID 2604 wrote to memory of 2408 2604 Ojficpfn.exe 30
PID 2604 wrote to memory of 2408 2604 Ojficpfn.exe 30
PID 2604 wrote to memory of 2408 2604 Ojficpfn.exe 30
PID 2408 wrote to memory of 2824 2408 Obnqem32.exe 31
PID 2408 wrote to memory of 2824 2408 Obnqem32.exe 31
PID 2408 wrote to memory of 2824 2408 Obnqem32.exe 31
PID 2408 wrote to memory of 2824 2408 Obnqem32.exe 31
PID 2824 wrote to memory of 2404 2824 Ocomlemo.exe 32
PID 2824 wrote to memory of 2404 2824 Ocomlemo.exe 32
PID 2824 wrote to memory of 2404 2824 Ocomlemo.exe 32
PID 2824 wrote to memory of 2404 2824 Ocomlemo.exe 32
PID 2404 wrote to memory of 2664 2404 Ogjimd32.exe 33
PID 2404 wrote to memory of 2664 2404 Ogjimd32.exe 33
PID 2404 wrote to memory of 2664 2404 Ogjimd32.exe 33
PID 2404 wrote to memory of 2664 2404 Ogjimd32.exe 33
PID 2664 wrote to memory of 2500 2664 Ojieip32.exe 34
PID 2664 wrote to memory of 2500 2664 Ojieip32.exe 34
PID 2664 wrote to memory of 2500 2664 Ojieip32.exe 34
PID 2664 wrote to memory of 2500 2664 Ojieip32.exe 34
PID 2500 wrote to memory of 2792 2500 Ondajnme.exe 35
PID 2500 wrote to memory of 2792 2500 Ondajnme.exe 35
PID 2500 wrote to memory of 2792 2500 Ondajnme.exe 35
PID 2500 wrote to memory of 2792 2500 Ondajnme.exe 35
PID 2792 wrote to memory of 492 2792 Oqcnfjli.exe 36
PID 2792 wrote to memory of 492 2792 Oqcnfjli.exe 36
PID 2792 wrote to memory of 492 2792 Oqcnfjli.exe 36
PID 2792 wrote to memory of 492 2792 Oqcnfjli.exe 36
PID 492 wrote to memory of 320 492 Ocajbekl.exe 37
PID 492 wrote to memory of 320 492 Ocajbekl.exe 37
PID 492 wrote to memory of 320 492 Ocajbekl.exe 37
PID 492 wrote to memory of 320 492 Ocajbekl.exe 37
PID 320 wrote to memory of 1964 320 Ogmfbd32.exe 38
PID 320 wrote to memory of 1964 320 Ogmfbd32.exe 38
PID 320 wrote to memory of 1964 320 Ogmfbd32.exe 38
PID 320 wrote to memory of 1964 320 Ogmfbd32.exe 38
PID 1964 wrote to memory of 2028 1964 Ojkboo32.exe 39
PID 1964 wrote to memory of 2028 1964 Ojkboo32.exe 39
PID 1964 wrote to memory of 2028 1964 Ojkboo32.exe 39
PID 1964 wrote to memory of 2028 1964 Ojkboo32.exe 39
PID 2028 wrote to memory of 2080 2028 Pminkk32.exe 40
PID 2028 wrote to memory of 2080 2028 Pminkk32.exe 40
PID 2028 wrote to memory of 2080 2028 Pminkk32.exe 40
PID 2028 wrote to memory of 2080 2028 Pminkk32.exe 40
PID 2080 wrote to memory of 1308 2080 Pphjgfqq.exe 41
PID 2080 wrote to memory of 1308 2080 Pphjgfqq.exe 41
PID 2080 wrote to memory of 1308 2080 Pphjgfqq.exe 41
PID 2080 wrote to memory of 1308 2080 Pphjgfqq.exe 41
PID 1308 wrote to memory of 1648 1308 Pgobhcac.exe 42
PID 1308 wrote to memory of 1648 1308 Pgobhcac.exe 42
PID 1308 wrote to memory of 1648 1308 Pgobhcac.exe 42
PID 1308 wrote to memory of 1648 1308 Pgobhcac.exe 42
PID 1648 wrote to memory of 588 1648 Pfbccp32.exe 43
PID 1648 wrote to memory of 588 1648 Pfbccp32.exe 43
PID 1648 wrote to memory of 588 1648 Pfbccp32.exe 43
PID 1648 wrote to memory of 588 1648 Pfbccp32.exe 43
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\60e1796ea67f3dd43474078f14dfc9e0_NeikiAnalytics.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
Level 2: C:\Windows\SysWOW64\Odjpkihg.exe (command line: C:\Windows\system32\Odjpkihg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744
Level 3: C:\Windows\SysWOW64\Ojficpfn.exe (command line: C:\Windows\system32\Ojficpfn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604
Level 4: C:\Windows\SysWOW64\Obnqem32.exe (command line: C:\Windows\system32\Obnqem32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408
Level 5: C:\Windows\SysWOW64\Ocomlemo.exe (command line: C:\Windows\system32\Ocomlemo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824
Level 6: C:\Windows\SysWOW64\Ogjimd32.exe (command line: C:\Windows\system32\Ogjimd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404
Level 7: C:\Windows\SysWOW64\Ojieip32.exe (command line: C:\Windows\system32\Ojieip32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664
Level 8: C:\Windows\SysWOW64\Ondajnme.exe (command line: C:\Windows\system32\Ondajnme.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500
Level 9: C:\Windows\SysWOW64\Oqcnfjli.exe (command line: C:\Windows\system32\Oqcnfjli.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792
Level 10: C:\Windows\SysWOW64\Ocajbekl.exe (command line: C:\Windows\system32\Ocajbekl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492
Level 11: C:\Windows\SysWOW64\Ogmfbd32.exe (command line: C:\Windows\system32\Ogmfbd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320
Level 12: C:\Windows\SysWOW64\Ojkboo32.exe (command line: C:\Windows\system32\Ojkboo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
Level 13: C:\Windows\SysWOW64\Pminkk32.exe (command line: C:\Windows\system32\Pminkk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
Level 14: C:\Windows\SysWOW64\Pphjgfqq.exe (command line: C:\Windows\system32\Pphjgfqq.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080
Level 15: C:\Windows\SysWOW64\Pgobhcac.exe (command line: C:\Windows\system32\Pgobhcac.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308
Level 16: C:\Windows\SysWOW64\Pfbccp32.exe (command line: C:\Windows\system32\Pfbccp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648
Level 17: C:\Windows\SysWOW64\Pjmodopf.exe (command line: C:\Windows\system32\Pjmodopf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:588
Level 18: C:\Windows\SysWOW64\Pmlkpjpj.exe (command line: C:\Windows\system32\Pmlkpjpj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:776
Level 19: C:\Windows\SysWOW64\Paggai32.exe (command line: C:\Windows\system32\Paggai32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:628
Level 20: C:\Windows\SysWOW64\Pcfcmd32.exe (command line: C:\Windows\system32\Pcfcmd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:3060
Level 21: C:\Windows\SysWOW64\Pjpkjond.exe (command line: C:\Windows\system32\Pjpkjond.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2364
Level 22: C:\Windows\SysWOW64\Pmnhfjmg.exe (command line: C:\Windows\system32\Pmnhfjmg.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1692
Level 23: C:\Windows\SysWOW64\Plahag32.exe (command line: C:\Windows\system32\Plahag32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1904
Level 24: C:\Windows\SysWOW64\Ppmdbe32.exe (command line: C:\Windows\system32\Ppmdbe32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1872
Level 25: C:\Windows\SysWOW64\Pchpbded.exe (command line: C:\Windows\system32\Pchpbded.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:3004
Level 26: C:\Windows\SysWOW64\Pbkpna32.exe (command line: C:\Windows\system32\Pbkpna32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:832
Level 27: C:\Windows\SysWOW64\Pfflopdh.exe (command line: C:\Windows\system32\Pfflopdh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2740
Level 28: C:\Windows\SysWOW64\Peiljl32.exe (command line: C:\Windows\system32\Peiljl32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2596
Level 29: C:\Windows\SysWOW64\Pmqdkj32.exe (command line: C:\Windows\system32\Pmqdkj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2540
Level 30: C:\Windows\SysWOW64\Plcdgfbo.exe (command line: C:\Windows\system32\Plcdgfbo.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2400
Level 31: C:\Windows\SysWOW64\Ppoqge32.exe (command line: C:\Windows\system32\Ppoqge32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2856
Level 32: C:\Windows\SysWOW64\Pbmmcq32.exe (command line: C:\Windows\system32\Pbmmcq32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2488
Level 33: C:\Windows\SysWOW64\Pfiidobe.exe (command line: C:\Windows\system32\Pfiidobe.exe)
- Executes dropped EXE
PID:1356
Level 34: C:\Windows\SysWOW64\Pigeqkai.exe (command line: C:\Windows\system32\Pigeqkai.exe)
- Executes dropped EXE
PID:1364
Level 35: C:\Windows\SysWOW64\Phjelg32.exe (command line: C:\Windows\system32\Phjelg32.exe)
- Executes dropped EXE
PID:2836
Level 36: C:\Windows\SysWOW64\Ppamme32.exe (command line: C:\Windows\system32\Ppamme32.exe)
- Executes dropped EXE
PID:1412
Level 37: C:\Windows\SysWOW64\Pbpjiphi.exe (command line: C:\Windows\system32\Pbpjiphi.exe)
- Executes dropped EXE
PID:2628
Level 38: C:\Windows\SysWOW64\Penfelgm.exe (command line: C:\Windows\system32\Penfelgm.exe)
- Executes dropped EXE
PID:1604
Level 39: C:\Windows\SysWOW64\Qjknnbed.exe (command line: C:\Windows\system32\Qjknnbed.exe)
- Executes dropped EXE
PID:476
Level 40: C:\Windows\SysWOW64\Qbbfopeg.exe (command line: C:\Windows\system32\Qbbfopeg.exe)
- Executes dropped EXE
PID:2716
Level 41: C:\Windows\SysWOW64\Qeqbkkej.exe (command line: C:\Windows\system32\Qeqbkkej.exe)
- Executes dropped EXE
PID:112
Level 42: C:\Windows\SysWOW64\Qeqbkkej.exe (command line: C:\Windows\system32\Qeqbkkej.exe)
- Executes dropped EXE
PID:2732
Level 43: C:\Windows\SysWOW64\Qhooggdn.exe (command line: C:\Windows\system32\Qhooggdn.exe)
- Executes dropped EXE
PID:788
Level 44: C:\Windows\SysWOW64\Qjmkcbcb.exe (command line: C:\Windows\system32\Qjmkcbcb.exe)
- Executes dropped EXE
PID:2988
Level 45: C:\Windows\SysWOW64\Qnigda32.exe (command line: C:\Windows\system32\Qnigda32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1464
Level 46: C:\Windows\SysWOW64\Qmlgonbe.exe (command line: C:\Windows\system32\Qmlgonbe.exe)
- Executes dropped EXE
PID:764
Level 47: C:\Windows\SysWOW64\Qecoqk32.exe (command line: C:\Windows\system32\Qecoqk32.exe)
- Executes dropped EXE
PID:1636
Level 48: C:\Windows\SysWOW64\Adeplhib.exe (command line: C:\Windows\system32\Adeplhib.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2148
Level 49: C:\Windows\SysWOW64\Afdlhchf.exe (command line: C:\Windows\system32\Afdlhchf.exe)
- Executes dropped EXE
PID:1496
Level 50: C:\Windows\SysWOW64\Afdlhchf.exe (command line: C:\Windows\system32\Afdlhchf.exe)
- Executes dropped EXE
PID:1620
Level 51: C:\Windows\SysWOW64\Ajphib32.exe (command line: C:\Windows\system32\Ajphib32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2528
Level 52: C:\Windows\SysWOW64\Ankdiqih.exe (command line: C:\Windows\system32\Ankdiqih.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:3000
Level 53: C:\Windows\SysWOW64\Aajpelhl.exe (command line: C:\Windows\system32\Aajpelhl.exe)
- Executes dropped EXE
PID:2556
Level 54: C:\Windows\SysWOW64\Aajpelhl.exe (command line: C:\Windows\system32\Aajpelhl.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2592
Level 55: C:\Windows\SysWOW64\Aplpai32.exe (command line: C:\Windows\system32\Aplpai32.exe)
- Executes dropped EXE
PID:1928
Level 56: C:\Windows\SysWOW64\Adhlaggp.exe (command line: C:\Windows\system32\Adhlaggp.exe)
- Executes dropped EXE
PID:2660
Level 57: C:\Windows\SysWOW64\Ahchbf32.exe (command line: C:\Windows\system32\Ahchbf32.exe)
- Executes dropped EXE
PID:1276
Level 58: C:\Windows\SysWOW64\Affhncfc.exe (command line: C:\Windows\system32\Affhncfc.exe)
- Executes dropped EXE
PID:888
Level 59: C:\Windows\SysWOW64\Ajbdna32.exe (command line: C:\Windows\system32\Ajbdna32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2832
Level 60: C:\Windows\SysWOW64\Aiedjneg.exe (command line: C:\Windows\system32\Aiedjneg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2712
Level 61: C:\Windows\SysWOW64\Ampqjm32.exe (command line: C:\Windows\system32\Ampqjm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1408
Level 62: C:\Windows\SysWOW64\Apomfh32.exe (command line: C:\Windows\system32\Apomfh32.exe)
- Executes dropped EXE
PID:1428
Level 63: C:\Windows\SysWOW64\Adjigg32.exe (command line: C:\Windows\system32\Adjigg32.exe)
- Executes dropped EXE
PID:1848
Level 64: C:\Windows\SysWOW64\Afiecb32.exe (command line: C:\Windows\system32\Afiecb32.exe)
- Executes dropped EXE
PID:2980
Level 65: C:\Windows\SysWOW64\Ajdadamj.exe (command line: C:\Windows\system32\Ajdadamj.exe)
- Executes dropped EXE
PID:536
Level 66: C:\Windows\SysWOW64\Aigaon32.exe (command line: C:\Windows\system32\Aigaon32.exe)
PID:356
Level 67: C:\Windows\SysWOW64\Ambmpmln.exe (command line: C:\Windows\system32\Ambmpmln.exe)
PID:1652
Level 68: C:\Windows\SysWOW64\Apajlhka.exe (command line: C:\Windows\system32\Apajlhka.exe)
PID:572
Level 69: C:\Windows\SysWOW64\Afkbib32.exe (command line: C:\Windows\system32\Afkbib32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1112
Level 70: C:\Windows\SysWOW64\Afkbib32.exe (command line: C:\Windows\system32\Afkbib32.exe)
PID:2516
Level 71: C:\Windows\SysWOW64\Aenbdoii.exe (command line: C:\Windows\system32\Aenbdoii.exe)
- Drops file in System32 directory
PID:940
Level 72: C:\Windows\SysWOW64\Aiinen32.exe (command line: C:\Windows\system32\Aiinen32.exe)
- Drops file in System32 directory
PID:2552
Level 73: C:\Windows\SysWOW64\Amejeljk.exe (command line: C:\Windows\system32\Amejeljk.exe)
- Modifies registry class
PID:2564
Level 74: C:\Windows\SysWOW64\Alhjai32.exe (command line: C:\Windows\system32\Alhjai32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032
Level 75: C:\Windows\SysWOW64\Aoffmd32.exe (command line: C:\Windows\system32\Aoffmd32.exe)
PID:2280
Level 76: C:\Windows\SysWOW64\Abbbnchb.exe (command line: C:\Windows\system32\Abbbnchb.exe)
PID:1040
Level 77: C:\Windows\SysWOW64\Aepojo32.exe (command line: C:\Windows\system32\Aepojo32.exe)
PID:2052
Level 78: C:\Windows\SysWOW64\Ailkjmpo.exe (command line: C:\Windows\system32\Ailkjmpo.exe)
- Modifies registry class
PID:1836
Level 79: C:\Windows\SysWOW64\Ahokfj32.exe (command line: C:\Windows\system32\Ahokfj32.exe)
PID:2008
Level 80: C:\Windows\SysWOW64\Aljgfioc.exe (command line: C:\Windows\system32\Aljgfioc.exe)
- Modifies registry class
PID:2872
Level 81: C:\Windows\SysWOW64\Bpfcgg32.exe (command line: C:\Windows\system32\Bpfcgg32.exe)
PID:2512
Level 82: C:\Windows\SysWOW64\Bbdocc32.exe (command line: C:\Windows\system32\Bbdocc32.exe)
PID:272
Level 83: C:\Windows\SysWOW64\Bagpopmj.exe (command line: C:\Windows\system32\Bagpopmj.exe)
PID:380
Level 84: C:\Windows\SysWOW64\Bingpmnl.exe (command line: C:\Windows\system32\Bingpmnl.exe)
PID:2568
Level 85: C:\Windows\SysWOW64\Bhahlj32.exe (command line: C:\Windows\system32\Bhahlj32.exe)
PID:2344
Level 86: C:\Windows\SysWOW64\Blmdlhmp.exe (command line: C:\Windows\system32\Blmdlhmp.exe)
PID:568
Level 87: C:\Windows\SysWOW64\Bkodhe32.exe (command line: C:\Windows\system32\Bkodhe32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:828
Level 88: C:\Windows\SysWOW64\Bokphdld.exe (command line: C:\Windows\system32\Bokphdld.exe)
PID:2428
Level 89: C:\Windows\SysWOW64\Beehencq.exe (command line: C:\Windows\system32\Beehencq.exe)
PID:1292
Level 90: C:\Windows\SysWOW64\Bdhhqk32.exe (command line: C:\Windows\system32\Bdhhqk32.exe)
PID:1240
Level 91: C:\Windows\SysWOW64\Bhcdaibd.exe (command line: C:\Windows\system32\Bhcdaibd.exe)
PID:948
Level 92: C:\Windows\SysWOW64\Bkaqmeah.exe (command line: C:\Windows\system32\Bkaqmeah.exe)
PID:1700
Level 93: C:\Windows\SysWOW64\Bkaqmeah.exe (command line: C:\Windows\system32\Bkaqmeah.exe)
PID:2192
Level 94: C:\Windows\SysWOW64\Bommnc32.exe (command line: C:\Windows\system32\Bommnc32.exe)
PID:1880
Level 95: C:\Windows\SysWOW64\Balijo32.exe (command line: C:\Windows\system32\Balijo32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2284
Level 96: C:\Windows\SysWOW64\Begeknan.exe (command line: C:\Windows\system32\Begeknan.exe)
PID:1732
Level 97: C:\Windows\SysWOW64\Begeknan.exe (command line: C:\Windows\system32\Begeknan.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2656
Level 98: C:\Windows\SysWOW64\Bdjefj32.exe (command line: C:\Windows\system32\Bdjefj32.exe)
PID:1772
Level 99: C:\Windows\SysWOW64\Bhfagipa.exe (command line: C:\Windows\system32\Bhfagipa.exe)
- Modifies registry class
PID:1220
Level 100: C:\Windows\SysWOW64\Bghabf32.exe (command line: C:\Windows\system32\Bghabf32.exe)
PID:936
Level 101: C:\Windows\SysWOW64\Bkdmcdoe.exe (command line: C:\Windows\system32\Bkdmcdoe.exe)
PID:2152
Level 102: C:\Windows\SysWOW64\Bopicc32.exe (command line: C:\Windows\system32\Bopicc32.exe)
PID:2688
Level 103: C:\Windows\SysWOW64\Bnbjopoi.exe (command line: C:\Windows\system32\Bnbjopoi.exe)
PID:2972
Level 104: C:\Windows\SysWOW64\Banepo32.exe (command line: C:\Windows\system32\Banepo32.exe)
PID:840
Level 105: C:\Windows\SysWOW64\Bdlblj32.exe (command line: C:\Windows\system32\Bdlblj32.exe)
PID:2292
Level 106: C:\Windows\SysWOW64\Bhhnli32.exe (command line: C:\Windows\system32\Bhhnli32.exe)
PID:1852
Level 107: C:\Windows\SysWOW64\Bgknheej.exe (command line: C:\Windows\system32\Bgknheej.exe)
- Modifies registry class
PID:2936
Level 108: C:\Windows\SysWOW64\Bkfjhd32.exe (command line: C:\Windows\system32\Bkfjhd32.exe)
PID:2752
Level 109: C:\Windows\SysWOW64\Bjijdadm.exe (command line: C:\Windows\system32\Bjijdadm.exe)
PID:2644
Level 110: C:\Windows\SysWOW64\Bnefdp32.exe (command line: C:\Windows\system32\Bnefdp32.exe)
PID:1936
Level 111: C:\Windows\SysWOW64\Bdooajdc.exe (command line: C:\Windows\system32\Bdooajdc.exe)
PID:616
Level 112: C:\Windows\SysWOW64\Bcaomf32.exe (command line: C:\Windows\system32\Bcaomf32.exe)
PID:752
Level 113: C:\Windows\SysWOW64\Cgmkmecg.exe (command line: C:\Windows\system32\Cgmkmecg.exe)
PID:2576
Level 114: C:\Windows\SysWOW64\Ckignd32.exe (command line: C:\Windows\system32\Ckignd32.exe)
PID:1752
Level 115: C:\Windows\SysWOW64\Cjlgiqbk.exe (command line: C:\Windows\system32\Cjlgiqbk.exe)
PID:2668
Level 116: C:\Windows\SysWOW64\Cngcjo32.exe (command line: C:\Windows\system32\Cngcjo32.exe)
- Modifies registry class
PID:636
Level 117: C:\Windows\SysWOW64\Cljcelan.exe (command line: C:\Windows\system32\Cljcelan.exe)
- Modifies registry class
PID:280
Level 118: C:\Windows\SysWOW64\Cpeofk32.exe (command line: C:\Windows\system32\Cpeofk32.exe)
PID:2244
Level 119: C:\Windows\SysWOW64\Cdakgibq.exe (command line: C:\Windows\system32\Cdakgibq.exe)
PID:1632
Level 120: C:\Windows\SysWOW64\Ccdlbf32.exe (command line: C:\Windows\system32\Ccdlbf32.exe)
- Drops file in System32 directory
PID:1392
Level 121: C:\Windows\SysWOW64\Cgpgce32.exe (command line: C:\Windows\system32\Cgpgce32.exe)
PID:2420
Level 122: C:\Windows\SysWOW64\Cfbhnaho.exe (command line: C:\Windows\system32\Cfbhnaho.exe)
PID:1932