Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 13:07
Behavioral task
behavioral1
Sample
e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe
-
Size
357KB
-
MD5
e94cb26812885cf7642b70e683547aa0
-
SHA1
b197f592b14d57d46409d45d715598f24b6a0bd6
-
SHA256
bb9d95175019cc12612de3acd43642cf373226a2f81103b0521af72d538139dc
-
SHA512
d96b5ba5be37496774ce45dd915cebee8b141b3bdbd2c11bcce60914f55abbec4ea85e3643b13d8320c4547f06705463bc923b66cd699944446ffc92ced6e1bb
-
SSDEEP
6144:749TFRFY1n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3kl+fiXFOFLaJP:8954ZoXpKtCe1eehil6ZR5ZrQeg3kljt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghelfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqdbiopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igchlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heokmmgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecnmpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmdgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hihjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opplolac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijgdngmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifkacb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcqpmep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjmkcbcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncdgcqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqiaclhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c00000001443b-5.dat family_berbew behavioral1/files/0x0007000000014a9a-22.dat family_berbew behavioral1/files/0x0007000000014b4c-41.dat family_berbew behavioral1/files/0x0009000000014fa2-47.dat family_berbew behavioral1/files/0x0006000000015cff-63.dat family_berbew behavioral1/files/0x0006000000015d42-80.dat family_berbew behavioral1/files/0x0006000000015d56-91.dat family_berbew behavioral1/files/0x0006000000015d6b-104.dat family_berbew behavioral1/files/0x0006000000015d87-114.dat family_berbew behavioral1/files/0x0006000000015e32-135.dat family_berbew behavioral1/files/0x0006000000015f65-151.dat family_berbew behavioral1/files/0x000600000001610f-165.dat family_berbew behavioral1/files/0x000600000001630a-180.dat family_berbew behavioral1/files/0x000600000001658a-194.dat family_berbew behavioral1/files/0x0006000000016851-204.dat family_berbew behavioral1/files/0x0006000000016c44-217.dat family_berbew behavioral1/files/0x000600000001708b-332.dat family_berbew behavioral1/memory/1624-339-0x0000000000290000-0x00000000002C5000-memory.dmp family_berbew behavioral1/memory/2476-373-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew behavioral1/files/0x00050000000194ad-495.dat family_berbew behavioral1/files/0x00050000000194e1-505.dat family_berbew behavioral1/files/0x00050000000195ab-517.dat family_berbew behavioral1/files/0x0005000000019618-561.dat family_berbew behavioral1/files/0x000500000001961c-580.dat family_berbew behavioral1/files/0x0005000000019624-600.dat family_berbew behavioral1/files/0x000500000001980d-636.dat family_berbew behavioral1/files/0x0005000000019902-644.dat family_berbew behavioral1/files/0x0005000000019c4b-666.dat family_berbew behavioral1/files/0x0005000000019ddd-688.dat family_berbew behavioral1/files/0x000500000001a08e-708.dat family_berbew behavioral1/files/0x000500000001a3fa-730.dat family_berbew behavioral1/files/0x000500000001a44b-741.dat family_berbew behavioral1/files/0x000500000001a453-754.dat family_berbew behavioral1/files/0x000500000001a48f-767.dat family_berbew behavioral1/files/0x000500000001a4a9-780.dat family_berbew behavioral1/files/0x000500000001a0d0-722.dat family_berbew behavioral1/files/0x000500000001a026-698.dat family_berbew behavioral1/files/0x000500000001a4b5-793.dat family_berbew behavioral1/files/0x000500000001a4c9-821.dat family_berbew behavioral1/files/0x000500000001a4da-874.dat family_berbew behavioral1/files/0x000500000001a4e2-901.dat family_berbew behavioral1/files/0x000500000001a4e7-913.dat family_berbew behavioral1/files/0x000500000001a4f3-939.dat family_berbew behavioral1/files/0x000500000001a4fb-965.dat family_berbew behavioral1/files/0x000500000001a506-993.dat family_berbew behavioral1/files/0x000500000001a552-1039.dat family_berbew behavioral1/files/0x000500000001adaa-1067.dat family_berbew behavioral1/files/0x000500000001c88e-1130.dat family_berbew behavioral1/files/0x000500000001c89b-1160.dat family_berbew behavioral1/files/0x000500000001c89f-1171.dat family_berbew behavioral1/files/0x000500000001c8a6-1182.dat family_berbew behavioral1/files/0x000500000001c8bc-1237.dat family_berbew behavioral1/files/0x000500000001c8c4-1260.dat family_berbew behavioral1/files/0x000400000001c942-1281.dat family_berbew behavioral1/files/0x000400000001c94b-1301.dat family_berbew behavioral1/files/0x000400000001c961-1350.dat family_berbew behavioral1/files/0x000400000001c972-1376.dat family_berbew behavioral1/files/0x000400000001cb0d-1415.dat family_berbew behavioral1/files/0x000400000001cb75-1439.dat family_berbew behavioral1/files/0x000400000001cbdd-1555.dat family_berbew behavioral1/files/0x000400000001cbfb-1582.dat family_berbew behavioral1/files/0x000400000001cc20-1617.dat family_berbew behavioral1/files/0x000400000001cc98-1695.dat family_berbew behavioral1/files/0x000400000001cca4-1763.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2008 Penfelgm.exe 2552 Qjknnbed.exe 2640 Qjmkcbcb.exe 2696 Qnigda32.exe 2676 Afdlhchf.exe 2504 Amndem32.exe 2884 Adhlaggp.exe 2500 Affhncfc.exe 2880 Ampqjm32.exe 292 Ambmpmln.exe 500 Apajlhka.exe 1652 Afkbib32.exe 1452 Aiinen32.exe 2332 Aepojo32.exe 2164 Bpfcgg32.exe 784 Bbdocc32.exe 1668 Bhahlj32.exe 3056 Bkodhe32.exe 1612 Bhcdaibd.exe 556 Bommnc32.exe 2988 Bnpmipql.exe 692 Begeknan.exe 3032 Bghabf32.exe 1824 Bopicc32.exe 2360 Bpafkknm.exe 1624 Bgknheej.exe 2084 Bjijdadm.exe 2796 Baqbenep.exe 2476 Bdooajdc.exe 2556 Cjlgiqbk.exe 2548 Cljcelan.exe 1816 Cdakgibq.exe 2856 Cfbhnaho.exe 876 Cnippoha.exe 2540 Coklgg32.exe 2660 Cfeddafl.exe 1348 Chcqpmep.exe 2324 Cpjiajeb.exe 1052 Cciemedf.exe 1204 Chemfl32.exe 1120 Copfbfjj.exe 1524 Cbnbobin.exe 1568 Cdlnkmha.exe 2328 Clcflkic.exe 2288 Dbpodagk.exe 2816 Dflkdp32.exe 1832 Dhjgal32.exe 920 Dodonf32.exe 2620 Dngoibmo.exe 2120 Ddagfm32.exe 2600 Dgodbh32.exe 2440 Dkkpbgli.exe 2964 Dnilobkm.exe 2948 Dbehoa32.exe 2916 Ddcdkl32.exe 2260 Dkmmhf32.exe 2944 Dnlidb32.exe 2292 Dqjepm32.exe 1516 Ddeaalpg.exe 2076 Dgdmmgpj.exe 2088 Dfgmhd32.exe 1392 Dnneja32.exe 2716 Dmafennb.exe 2108 Doobajme.exe -
Loads dropped DLL 64 IoCs
pid Process 808 e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe 808 e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe 2008 Penfelgm.exe 2008 Penfelgm.exe 2552 Qjknnbed.exe 2552 Qjknnbed.exe 2640 Qjmkcbcb.exe 2640 Qjmkcbcb.exe 2696 Qnigda32.exe 2696 Qnigda32.exe 2676 Afdlhchf.exe 2676 Afdlhchf.exe 2504 Amndem32.exe 2504 Amndem32.exe 2884 Adhlaggp.exe 2884 Adhlaggp.exe 2500 Affhncfc.exe 2500 Affhncfc.exe 2880 Ampqjm32.exe 2880 Ampqjm32.exe 292 Ambmpmln.exe 292 Ambmpmln.exe 500 Apajlhka.exe 500 Apajlhka.exe 1652 Afkbib32.exe 1652 Afkbib32.exe 1452 Aiinen32.exe 1452 Aiinen32.exe 2332 Aepojo32.exe 2332 Aepojo32.exe 2164 Bpfcgg32.exe 2164 Bpfcgg32.exe 784 Bbdocc32.exe 784 Bbdocc32.exe 1668 Bhahlj32.exe 1668 Bhahlj32.exe 3056 Bkodhe32.exe 3056 Bkodhe32.exe 1612 Bhcdaibd.exe 1612 Bhcdaibd.exe 556 Bommnc32.exe 556 Bommnc32.exe 2988 Bnpmipql.exe 2988 Bnpmipql.exe 692 Begeknan.exe 692 Begeknan.exe 3032 Bghabf32.exe 3032 Bghabf32.exe 1824 Bopicc32.exe 1824 Bopicc32.exe 2360 Bpafkknm.exe 2360 Bpafkknm.exe 1624 Bgknheej.exe 1624 Bgknheej.exe 2084 Bjijdadm.exe 2084 Bjijdadm.exe 2796 Baqbenep.exe 2796 Baqbenep.exe 2476 Bdooajdc.exe 2476 Bdooajdc.exe 2556 Cjlgiqbk.exe 2556 Cjlgiqbk.exe 2548 Cljcelan.exe 2548 Cljcelan.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jhjikp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Phnnho32.exe Padeldeo.exe File created C:\Windows\SysWOW64\Gkfcag32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nggggoda.exe Process not Found File created C:\Windows\SysWOW64\Lclknm32.dll Process not Found File created C:\Windows\SysWOW64\Qiekgbjc.dll Process not Found File created C:\Windows\SysWOW64\Phbgcnig.exe Pdgkco32.exe File created C:\Windows\SysWOW64\Nmfmhhoj.dll Ifkacb32.exe File created C:\Windows\SysWOW64\Aknlofim.exe Process not Found File created C:\Windows\SysWOW64\Fhlkgj32.dll Ilkpogmm.exe File opened for modification C:\Windows\SysWOW64\Olmcchlg.exe Process not Found File created C:\Windows\SysWOW64\Gdidec32.dll Cnmehnan.exe File created C:\Windows\SysWOW64\Nhadao32.dll Qmgibqjc.exe File created C:\Windows\SysWOW64\Nagbgl32.exe Process not Found File created C:\Windows\SysWOW64\Omioekbo.exe Process not Found File created C:\Windows\SysWOW64\Ldflna32.dll Jqfffqpm.exe File created C:\Windows\SysWOW64\Mdcagkgd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ebodiofk.exe Ekelld32.exe File created C:\Windows\SysWOW64\Jhcfhi32.dll Lfdmggnm.exe File created C:\Windows\SysWOW64\Dgdpfp32.exe Ddfcje32.exe File created C:\Windows\SysWOW64\Chemfl32.exe Cciemedf.exe File created C:\Windows\SysWOW64\Lgahjhop.dll Alhmjbhj.exe File created C:\Windows\SysWOW64\Dhbhmb32.exe Process not Found File created C:\Windows\SysWOW64\Nlhhkjkc.dll Process not Found File created C:\Windows\SysWOW64\Cfanmogq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dgiaefgg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Knhhaaki.exe Kjllab32.exe File created C:\Windows\SysWOW64\Fqglggcp.exe Process not Found File created C:\Windows\SysWOW64\Aplifb32.exe Alpmfdcb.exe File created C:\Windows\SysWOW64\Lomgjb32.exe Process not Found File created C:\Windows\SysWOW64\Bfncpcoc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cqdfehii.exe Process not Found File created C:\Windows\SysWOW64\Olpilg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gonale32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dookgcij.exe Dkcofe32.exe File opened for modification C:\Windows\SysWOW64\Hbggif32.exe Process not Found File created C:\Windows\SysWOW64\Bhcool32.dll Process not Found File created C:\Windows\SysWOW64\Fdilpjih.dll Egafleqm.exe File created C:\Windows\SysWOW64\Enlejpga.dll Jghmfhmb.exe File opened for modification C:\Windows\SysWOW64\Ajnpecbj.exe Process not Found File created C:\Windows\SysWOW64\Hbcfdk32.dll Process not Found File created C:\Windows\SysWOW64\Njjhknaf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bcbfbp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Chcqpmep.exe Cfeddafl.exe File opened for modification C:\Windows\SysWOW64\Ioooiack.exe Process not Found File created C:\Windows\SysWOW64\Nceclqan.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Nfdkoc32.exe Process not Found File created C:\Windows\SysWOW64\Pecgea32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lnecigcp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njpihk32.exe Process not Found File created C:\Windows\SysWOW64\Pfioffab.dll Albjlcao.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Fiihdlpc.exe Ffklhqao.exe File created C:\Windows\SysWOW64\Efjlgmlf.exe Dgdpfp32.exe File opened for modification C:\Windows\SysWOW64\Ndmecgba.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jimbkh32.exe Process not Found File created C:\Windows\SysWOW64\Bbmcibjp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pahogc32.exe Pojbkh32.exe File created C:\Windows\SysWOW64\Abbfnh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ioakoq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pmmneg32.exe Process not Found File created C:\Windows\SysWOW64\Pdaheq32.exe Pqemdbaj.exe File created C:\Windows\SysWOW64\Lbcpac32.exe Lpedeg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9888 2828 Process not Found 2453 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmbpf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Kcdnao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlhkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmmgd32.dll" Mmhamoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmebbjme.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbgbdkh.dll" Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqbecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfohbd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbnnqb32.dll" Pamiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpbefoai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbpnanch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghmkjedk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifone32.dll" Aepojo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obobnb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdpojm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngogde32.dll" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpclqkhh.dll" Afdgfelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qndigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apoldh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfejo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olgmcmgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibedepbh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milokblc.dll" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npgihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogffk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minceo32.dll" Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioaifhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlfik32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdgkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 808 wrote to memory of 2008 808 e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe 28 PID 808 wrote to memory of 2008 808 e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe 28 PID 808 wrote to memory of 2008 808 e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe 28 PID 808 wrote to memory of 2008 808 e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe 28 PID 2008 wrote to memory of 2552 2008 Penfelgm.exe 29 PID 2008 wrote to memory of 2552 2008 Penfelgm.exe 29 PID 2008 wrote to memory of 2552 2008 Penfelgm.exe 29 PID 2008 wrote to memory of 2552 2008 Penfelgm.exe 29 PID 2552 wrote to memory of 2640 2552 Qjknnbed.exe 30 PID 2552 wrote to memory of 2640 2552 Qjknnbed.exe 30 PID 2552 wrote to memory of 2640 2552 Qjknnbed.exe 30 PID 2552 wrote to memory of 2640 2552 Qjknnbed.exe 30 PID 2640 wrote to memory of 2696 2640 Qjmkcbcb.exe 31 PID 2640 wrote to memory of 2696 2640 Qjmkcbcb.exe 31 PID 2640 wrote to memory of 2696 2640 Qjmkcbcb.exe 31 PID 2640 wrote to memory of 2696 2640 Qjmkcbcb.exe 31 PID 2696 wrote to memory of 2676 2696 Qnigda32.exe 32 PID 2696 wrote to memory of 2676 2696 Qnigda32.exe 32 PID 2696 wrote to memory of 2676 2696 Qnigda32.exe 32 PID 2696 wrote to memory of 2676 2696 Qnigda32.exe 32 PID 2676 wrote to memory of 2504 2676 Afdlhchf.exe 33 PID 2676 wrote to memory of 2504 2676 Afdlhchf.exe 33 PID 2676 wrote to memory of 2504 2676 Afdlhchf.exe 33 PID 2676 wrote to memory of 2504 2676 Afdlhchf.exe 33 PID 2504 wrote to memory of 2884 2504 Amndem32.exe 34 PID 2504 wrote to memory of 2884 2504 Amndem32.exe 34 PID 2504 wrote to memory of 2884 2504 Amndem32.exe 34 PID 2504 wrote to memory of 2884 2504 Amndem32.exe 34 PID 2884 wrote to memory of 2500 2884 Adhlaggp.exe 35 PID 2884 wrote to memory of 2500 2884 Adhlaggp.exe 35 PID 2884 wrote to memory of 2500 2884 Adhlaggp.exe 35 PID 2884 wrote to memory of 2500 2884 Adhlaggp.exe 35 PID 2500 wrote to memory of 2880 2500 Affhncfc.exe 36 PID 2500 wrote to memory of 2880 2500 Affhncfc.exe 36 PID 2500 wrote to memory of 2880 2500 Affhncfc.exe 36 PID 2500 wrote to memory of 2880 2500 Affhncfc.exe 36 PID 2880 wrote to memory of 292 2880 Ampqjm32.exe 37 PID 2880 wrote to memory of 292 2880 Ampqjm32.exe 37 PID 2880 wrote to memory of 292 2880 Ampqjm32.exe 37 PID 2880 wrote to memory of 292 2880 Ampqjm32.exe 37 PID 292 wrote to memory of 500 292 Ambmpmln.exe 38 PID 292 wrote to memory of 500 292 Ambmpmln.exe 38 PID 292 wrote to memory of 500 292 Ambmpmln.exe 38 PID 292 wrote to memory of 500 292 Ambmpmln.exe 38 PID 500 wrote to memory of 1652 500 Apajlhka.exe 39 PID 500 wrote to memory of 1652 500 Apajlhka.exe 39 PID 500 wrote to memory of 1652 500 Apajlhka.exe 39 PID 500 wrote to memory of 1652 500 Apajlhka.exe 39 PID 1652 wrote to memory of 1452 1652 Afkbib32.exe 40 PID 1652 wrote to memory of 1452 1652 Afkbib32.exe 40 PID 1652 wrote to memory of 1452 1652 Afkbib32.exe 40 PID 1652 wrote to memory of 1452 1652 Afkbib32.exe 40 PID 1452 wrote to memory of 2332 1452 Aiinen32.exe 41 PID 1452 wrote to memory of 2332 1452 Aiinen32.exe 41 PID 1452 wrote to memory of 2332 1452 Aiinen32.exe 41 PID 1452 wrote to memory of 2332 1452 Aiinen32.exe 41 PID 2332 wrote to memory of 2164 2332 Aepojo32.exe 42 PID 2332 wrote to memory of 2164 2332 Aepojo32.exe 42 PID 2332 wrote to memory of 2164 2332 Aepojo32.exe 42 PID 2332 wrote to memory of 2164 2332 Aepojo32.exe 42 PID 2164 wrote to memory of 784 2164 Bpfcgg32.exe 43 PID 2164 wrote to memory of 784 2164 Bpfcgg32.exe 43 PID 2164 wrote to memory of 784 2164 Bpfcgg32.exe 43 PID 2164 wrote to memory of 784 2164 Bpfcgg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe34⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe35⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe36⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe39⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe41⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe42⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe43⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe44⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe45⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe46⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe47⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe48⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe49⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe50⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe51⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe52⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe53⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe54⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe55⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe56⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe57⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe58⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe59⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe60⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe61⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe65⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe66⤵PID:1400
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe67⤵PID:1860
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe68⤵PID:1656
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe69⤵PID:2484
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1836 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe71⤵PID:2568
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe72⤵PID:1700
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe74⤵PID:2584
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe75⤵PID:1180
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe76⤵PID:2608
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe77⤵PID:2952
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe78⤵PID:1708
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe79⤵PID:2092
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe80⤵PID:2804
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe81⤵PID:1932
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe82⤵PID:2840
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe83⤵PID:1768
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe84⤵PID:1320
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe85⤵PID:1300
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe86⤵PID:2616
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe87⤵PID:1820
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe88⤵PID:2920
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe89⤵PID:1424
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe90⤵PID:2576
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe91⤵PID:1548
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe92⤵PID:2612
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe93⤵PID:940
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe94⤵PID:304
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe95⤵PID:1720
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe96⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe98⤵
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe99⤵PID:988
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe100⤵PID:2448
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe101⤵PID:2428
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe102⤵PID:1724
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe103⤵PID:904
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe104⤵PID:1744
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe105⤵PID:1868
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe106⤵PID:2180
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe107⤵PID:1776
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe109⤵PID:1764
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe110⤵PID:2976
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe111⤵PID:2644
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe112⤵PID:540
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe113⤵PID:1636
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe114⤵PID:2768
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe115⤵PID:2160
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe116⤵PID:840
-
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe117⤵PID:1792
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe118⤵PID:1512
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe119⤵PID:2300
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe120⤵PID:1760
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe121⤵PID:2388
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-